Germany Update: Google Fonts and no end in sight

Starting situation

Currently, many companies receive warning letters because of the data protection violation of the integration of Google Fonts on the company’s own website. These letters are accompanied by request for payment of up to EUR 200. The starting point of the warnings is a decision of the Munich Regional Court of January 2022 (LG Munich, judgment of 20.01.2022 – Az. 3 O 17493/20).

In the decision, the Regional Court of Munich sentenced a company to cease and desist, provide information and pay non-material damages in the amount of 100 euros for the integration of Google Fonts in violation of data protection. In the contested decision, Google Fonts was dynamically integrated without obtaining the consent of website visitors for its use.

Initially, there were a large number of warnings, especially in Austria. But even in Germany, a wave of warnings has been rampant for some time. With the rather low demand for a compensation payment, the warning parties seem to want to create an incentive for the warned party to be able to end the matter quickly and comparatively cheaply.

What are Google Fonts?

Google Fonts provide an easy way to embed fonts on a web page. Google Fonts are free and allow you to choose from several hundred fonts. There are two different ways to use them: Either they are stored locally, i.e. uploaded to a separate server and retrieved from there, or the Google Fonts are dynamically integrated and loaded via the Google API. However, dynamic integration has the consequence that the IP address of the website visitors and other data are automatically forwarded to Google.

Guidance

Companies should check as soon as possible whether Google Fonts are dynamically integrated into their website. In the case of dynamic integration, website operators should either completely dispense with the integration of Google Fonts or switch to local integration of the fonts.

In case of doubt, companies should contact the website developer or the data protection officer.

If companies have already received a warning, legal advice should be consulted. In many cases, warning letters can be countered with good arguments. Not infrequently, the letters already have formal deficiencies. In addition, parts of the warning parties are suspected of acting abusively, as these are potentially mass warnings. It is reasonable to assume that the warned websites were targeted in order to provoke a data protection violation. In addition, there is also the suspicion that not the data subjects themselves have accessed the websites, but that they were visited by means of so-called web crawlers, so there could therefore be a lack of injury to the person concerned.

Also, it has not yet been clarified by the highest court whether an alleged loss of control over data can justify damage at all. In the Opinion on Case C-300/21 published on 6 October 2022, the Advocate General at the European Court of Justice clarified that the mere violation of the provisions of the GDPR does not give rise to a claim for damages. Rather, the person concerned must demonstrate and prove material and/or non-material damage. “Anger” about a violation of the GDPR is just not sufficient for the assumption of non-material damage.

Beware of the right to information

Even if one can counter the warning in case of doubt with good arguments, caution is advised with associated claims for information. Often the warning letters also contain a request for information according to Art. 15 GDPR. In principle, this is always considerable and needs to be provided. However, if the request for information is asserted by a lawyer, it can be rejected in the opinion of the OLG Stuttgart in the absence of an original power of attorney (OLG Stuttgart, judgment of 31.03.2021 – Az.: 9 U 34/21). Again, you should seek legal advice.

By MELCHERS, Germany, a Transatlantic Law International Affiliated Firm.  

For further information or for any assistance please contact germany@transatlanticlaw.com

Disclaimer: Transatlantic Law International Limited is a UK registered limited liability company providing international business and legal solutions through its own resources and the expertise of over 105 affiliated independent law firms in over 95 countries worldwide. This article is for background information only and provided in the context of the applicable law when published and does not constitute legal advice and cannot be relied on as such for any matter. Legal advice may be provided subject to the retention of Transatlantic Law International Limited’s services and its governing terms and conditions of service. Transatlantic Law International Limited, based at 42 Brook Street, London W1K 5DB, United Kingdom, is registered with Companies House, Reg Nr. 361484, with its registered address at 83 Cambridge Street, London SW1V 4PS, United Kingdom.