Google Fonts Warning Wave: BGH Sends IP Questions to ECJ

Contents

The legal dispute over the dynamic integration of Google Fonts is entering its next and decisive round. The Federal Court of Justice (BGH) has suspended proceedings with a recent decision to submit three central questions to the European Court of Justice (ECJ) for a preliminary ruling. The case, with file number VI ZR 258/24, could mean the end for a business model that has kept thousands of website operators on edge lately: the systematic provocation of data protection violations for the purpose of mass warnings.

The BGH explains: The defendant used a web crawler "to automatically check numerous websites for the dynamic integration of Google Fonts." Among other things, he achieved a "hit" on the plaintiff's website. With the help of further software developed specifically for this purpose, a visit by the defendant to the plaintiff's homepage was automated. The dynamic IP address assigned to the defendant during this process was forwarded to Google in the USA.

The first question that the ECJ is now to clarify, according to the decision published on August 28, concerns a cornerstone of data protection: When exactly is information "personal data" within the meaning of Article 4 of the General Data Protection Regulation (GDPR)? The appellate court, the Regional Court of Hanover, had previously argued that the dynamically assigned IP address in this specific case was not personal data. Reason: The US company Google did not have the legal means to identify the visitor with the help of their internet service provider.

"Loss of Control" Deliberately Induced

The BGH expresses doubts here. It wants to know whether a "relative standard" applies. This would mean that it would depend on whether the recipient of the data can generally identify the person. If, on the other hand, an "objective standard" applies, a dynamic IP address would already be considered personal data if anyone, such as the provider, can establish a connection to the person. Should the ECJ follow this "objective" approach, the hurdle for data protection violations when transmitting IP addresses would be significantly lower than previously assumed by many courts.

The second preliminary ruling question, which deals with the concept of non-material damage under Article 82 of the GDPR, is even more complex. Previously, courts often saw damage as an "involuntary loss." In the present case, however, the defendant deliberately and actively caused the violation to document and financially claim it.

Here, the BGH wants to know whether non-material damage can even exist if an affected person does not involuntarily cede control over their data, but deliberately stages the "loss of control." This is particularly true when such violations are automatically triggered in large numbers. While the ECJ has repeatedly emphasized in the past that the concept of damage is to be interpreted broadly, an answer to the question of deliberate provocation is still pending.

Hint at Data Protection Problems?

The third question bridges to abuse of rights. Even if lawyers affirmed a violation and a formal damage, a claim could be excluded according to good faith. The BGH asks for clarification: Can a claim for damages be denied if the affected person has artificially created the conditions for this claim to gain a financial advantage?

It is crucial whether the acquisition of a sum of money must be the sole motivation or whether it is sufficient if this financial interest was clearly in the foreground. The appellate court could not rule out in the matter that the defendant might also have pursued the goal of pointing out data protection problems.

Skepticism Towards Mass Warnings

The ECJ's decision is likely to be groundbreaking for the digital economy. On the one hand, it is about whether the GDPR continues to serve as a sharp sword for the protection of privacy, IT lawyer Jens Ferner knows. On the other hand, it must be prevented from becoming a tool for automated litigation industries. While the appellate court classified the defendant's conduct as immoral intentional damage under Section 826 of the German Civil Code (BGB) because claims were deliberately provoked, the ECJ must now finally illuminate the component of EU law.

For website operators, the situation remains uncertain until the ruling from Luxembourg, which is likely to be issued in a few months or years. However, the BGH's referral signals that the Karlsruhe judges are highly skeptical of the mass warning practice. The era of easy profits from automated crawler visits could soon be over.

As early as 2016, the ECJ ruled: Pseudonymized data – such as a dynamic IP address – are not automatically anonymous. As long as it is possible to restore the identity of the person through "additional information," the personal reference remains. The crucial aspect here is whether the data controller has the means for re-identification. This includes the option of cooperation with third parties such as internet providers or authorities.

(nen)