Zum Hauptmenü Zum Inhalt

Wave of warnings Google Fonts – Much ado about nothing?

What happened?

In recent weeks, many thousands of companies have received warning letters from a lawyer in Lower Austria for allegedly illegal use of “Google Fonts” on their website. In this letter, they are accused of the fact that the IP address of the always same website visitor was forwarded to the Google servers in the US through the integration of this service, resulting in a so-called loss of control of their personal data.

For this behavior, the website visitor claimed damages as well as compensation for the costs of her lawyer’s intervention. In this context, a settlement offer was made: If EUR 190.00 was paid, no further claims would be asserted and the request for information that was asserted at the same time would also be waived.

What is Google Fonts?

Google Fonts is an interactive web directory with over 1,400 fonts, provided by Google LLC for free use. Google offers the option of using fonts on one’s own website without having to upload them to one’s own server. In this case, the fonts are reloaded via a Google server when a user calls up the website. This external call-up causes website visitor data, such as the IP address, to be forwarded to Google.

Relevance of the use of IP addresses under data protection law

According to the case law of the European Court of Justice (ECJ), IP addresses, even if they are assigned dynamically, constitute personal data if the person responsible (in the present constellation this is usually the website operator) has “legal and factual means” at their disposal that enable them – also with the involvement of third parties (so primarily through the Internet service provider) – to identify the natural person (i.e., the visitor to the website).

From a data protection point of view, the US is an unsafe third country due to the invalidity of the Privacy Shield by the ECJ, which is why the explicit consent of the data subject is required for the transfer of personal data to the USA.

However, the existence of a personal reference is not mandatory for IP addresses. Visiting many thousands of websites within a very short period of time raises the suspicion that this was not done by a person themselves, but by means of software (such as a so-called “web crawler“). Since such a software usually runs on a company’s server, there is much to suggest that the IP address is not subject to the protection of the General Data Protection Regulation (GDPR). In addition, due to the sparse information in the warning letter, it is questionable whether the IP address provided is actually linked to the person concerned. 

Is the claim for damages justified?

A claim for damages generally requires concrete damage. In the warning letters, this is justified with a loss of control over the data. In concreto, it is argued that this has caused the person concerned considerable discomfort and that such violations are “massively annoying”. In fact, in a much-criticized decision, the Munich Regional Court awarded a data subject non-pecuniary damages in the amount of EUR 100.00 for the loss of control caused by the transfer of an IP address. However, the question of liability for damages in a comparable case was submitted to the ECJ for a preliminary ruling by another German court. The question has therefore not been finally settled.

In Austria, this question has not yet been dealt with, but the Supreme Court has recently emphasized that compensation for non-pecuniary damage under the GDPR requires concrete evidence of non-material damage. This is precisely what is lacking in the blanket assertion of discomfort and disturbance made in the warning letters. Moreover, the automated and deliberate access to the websites themselves, which is obvious as a result of visiting many thousands of websites within a short period of time, speaks against the awarding of damages.

Finally, it is questionable whether the party concerned is entitled to damages in the amount claimed for each website visit, which would mean that the person concerned would ultimately be entitled to several million euros in damages. This result would conflict the purpose of compensation.

Is the request for information to be answered in any case?

According to Art 12 of the GDPR, requests for information must be answered within one month. This also applies if no personal data was processed. In such cases, a negative report (i.e., the information that no personal data of the person was processed) must be provided. The data protection authority also emphasized this obligation in its announcement on the wave of warnings.

What can you do if you have already paid the requested amount of money?

As a result of the wave of warning letters, not only was a statement of the facts of the case submitted to the competent public prosecutor’s office on the grounds of fraud and disciplinary proceedings initiated ex officio by the Lower Austrian Bar Association, but several lawsuits were also filed against the lawyer under civil law.

If you have any questions on this topic or want to make sure that your company is compliant with data protection, our data protection team is always at your disposal. Our lawyer Thomas Riesz has already commented on the warning letters in the daily newspaper “Die Presse”.

Disclaimer

This article is for general information only and does not replace legal advice. Haslinger / Nagele Rechtsanwälte GmbH assumes no liability for the content and correctness of this article.

 

13. September 2022

 
Go back to News
  • JUVE Top Arbeitgeber 2024
  • Referenz | Haslinger / Nagele, Logo: JUVE Awards
  • JUVE Top 20 Wirtschaftskanzlei-Oesterreich
  • Promoting the best. Women in Law Award