On January 19, 2022, the LG Munich ruled that a plaintiff was entitled to injunctive relief and damages in the amount of €100 against a website operator because he had passed on the visitor’s IP address to Google by using Google Fonts. After that, the blogs and newsletters were full of excited reports concerning a wave of cease-and-desist letters, and the Händlerbund also offered its help. But is the wave rolling or not rolling now? We asked the experts at Härting Rechtsanwälte for their opinion. Tiphaine Chellabi and Sebastian Schulz calmly summarized what is at stake and what needs to be done.
What is at stake?
Google Fonts are fonts that are provided by Google free of charge for websites. The standard integration of Google Fonts means that information about website visitors, such as the IP address of the end device used, is transmitted to Google servers located in the USA. Even if other Google services, such as Google Maps or reCAPTCHA, are integrated into websites, this leads to the loading of Google Fonts in the background, including the transmission of data to the USA.
According to the prevailing legal opinion, the prior consent of the website visitor is required for this transfer. Different approaches are used to justify this: Following the so-called Schrems II ruling of the European Court of Justice, for example, data transfer to recipients based in the USA is now only possible with consent. A data transfer was also not to be expected by the website visitors. In addition, the necessity of the processing is lacking.
In its ruling of January 20, 2022, the LG München (Munich Regional Court) agreed with this legal opinion, which is also held by the majority of data protection supervisory authorities, and considered the use of Google Fonts without the consent of the website visitor to be a violation of the general right of privacy and the provisions of the GDPR. In a recent press release, the Thuringian State Commissioner for Data Protection and Freedom of Information (TLfDI) now points out that “according to media sources” a wave of warnings is currently rolling because of the non-consent-based integration of Google Fonts. The TLfDI also “regularly receives complaints of this content against website operators”.
From the work of the law firm, it can be confirmed that these clients have also been the recipients of such letters, always combined with a demand for payment of compensation for pain and suffering.
What to do?
How to deal with warning letters and demands for payment of damages for pain and suffering can only be decided on a case-by-case basis and only in view of the specific facts of the case. The spectrum of conceivable options for action ranges from payment of the demanded compensation for pain and suffering to a “counterattack” aimed at having the warning party compelled by a court to refrain from its assertion of an infringement of rights. Which of the conceivable options is ultimately chosen depends on several factors and needs to be well considered.
Website operators must be aware that the native integration of Google Fonts in websites is fraught with legal risks due to the associated data transfer to the USA. Only then can a company’s internal risk assessment be made as to whether Google Fonts should be integrated at all, and if so, in what form. If it proves necessary to integrate Google Fonts, the fonts should be hosted locally on the website operator’s servers. Native integration, which involves additional data processing, in this case: data transfer to Google servers, is then no longer “necessary” (cf. above). The website operator must then ensure that the files are updated at regular intervals. From discussions with representatives of public authorities, the law firm knows that the (slight) losses in website performance provoked in this way are not accepted as an argument in favor of native integration of Google Fonts.
The TLfDI also recommends this procedure in its current press release. The Austrian data protection supervisory authority also recommends carrying out this check and questioning whether Google is really necessary for the website or whether, as is often the case, it has been integrated by default without the website operator’s involvement.
In view of the compensation demanded by the attacker, website operators should first ask themselves whether the accusation is actually true. If this is the case, strategic considerations must be made as to whether the claim should nevertheless be rejected or settled – or whether the letter should simply be ignored (but the integration of Google Fonts should nevertheless be adjusted). It is unlikely that the other party will take legal action to claim compensation for pain and suffering, given the low amount of the claim (usually 100 to 200 EUR).
Whether – if demanded by the other party – a cease-and-desist declaration should be submitted at the same time or alternatively can only be answered in individual cases. In the event that a cease-and-desist declaration is issued, the submitting company contractually undertakes not to carry out a certain behavior, in this case: the native integration of Google Fonts, in the future. This contractual obligation to cease and desist is secured by an independent claim under the law of obligations for payment of the agreed contractual penalty or a contractual penalty yet to be determined by a court (so-called “Hamburg custom”) in the event of a violation. The contractual penalty to be paid therefore always goes into the pocket of the cease-and-desist creditor. This is the only reason why the warning party has a high interest in obtaining a cease-and-desist declaration.
In practice, the issue of issuing a cease-and-desist declaration is regularly subject to caution. Any promise to cease and desist would have to be complied with in full in order to avoid forfeiture of the contractual penalty. If the warned company cannot guarantee this, no cease-and-desist declaration should be issued. The other party then only has the option of obtaining a court order. If the content of the accusation is correct, the company warned will be ordered to cease and desist. In the event of violations of this obligation to cease and desist, a fine will be threatened at the same time. If the condemned company then violates the obligation to cease and desist again, an administrative fine in the specific amount or substitute custody will be imposed by order of the trial court at the request of the cease and desist creditor. The fine is paid to the state treasury and not to the cease-and-desist creditor – a procedure that is not particularly appealing to those issuing cease-and-desist letters.
Born in the dotcom boom, HÄRTING has made it its business to provide comprehensive advice and answers to clients on issues ranging from consumer protection, privacy, IT security, liability, competition and antitrust law to the handling of data, blockchain and artificial intelligence and the structuring of transactions, far beyond traditional legal advice.