First ruling exposes Google's spying program strategy

Michael
23/02/2024

In use millions of times - Google's spying programs on websites

Whether Google Fonts, Google Maps or YouTube videos - none of this is legal

In January 2022, the Munich Regional Court (3rd Civil Chamber) ruled that the unauthorized disclosure of dynamic IP addresses to Google constitutes a violation of the general right of personality in the form of the right to informational self-determination pursuant to Section 823 (1) BGB. The plaintiff is entitled to injunctive relief and damages due to the disclosure of IP addresses to Google through the use of Google Fonts. The defendant was ordered to pay 100 euros in damages (Munich Regional Court ruling: 3 O 17493/20 of 20/01/2022).

What the case is about: Google provides a large selection of fonts under Google Fonts, which can be used free of charge to display text on a website.

The fonts can be integrated into your own website in a static or a dynamic variant. With the static variant, no connection is established to Google servers, which means that this variant is harmless in terms of data protection and personal rights. The dynamic variant is different. In this case, the visitor's browser establishes a connection to the Google server and at least the IP address is transmitted to Google.

In this case, the defendant had integrated dynamic Google fonts into its website. It did not obtain consent for this in advance from its visitors via a consent banner. The plaintiff felt disturbed by this. He demanded compensation and injunctive relief from the website operator.

The Munich Regional Court ruled in favor of the plaintiff.

The unauthorized disclosure of the plaintiff's dynamic IP address to Google constitutes a violation of the general right of personality in the form of the right to informational self-determination pursuant to Section 823 (1) BGB. In addition, the plaintiff is entitled to a claim for injunctive relief against the disclosure of his IP addresses to Google under Section 823 (1) BGB in conjunction with Section 1004 BGB, applied by analogy.

The dynamic IP address provides the website operator with an abstract means of identifying the person concerned on the basis of the stored IP addresses. It does not matter whether the defendant or Google has the concrete possibility of linking the IP address to the plaintiff.

By forwarding the dynamic IP address to Google when the plaintiff accessed the website, the defendant violated the plaintiff's right to informational self-determination. In addition, the automatic forwarding of the IP address constitutes an infringement of the plaintiff's general right to privacy that is not permitted under data protection law. The interference is also unjustified, as the defendant has no legitimate interest. The plaintiff was also not obliged to encrypt his own IP address, e.g. by using a VPN, as such an obligation would restrict him in the exercise of his rights.

The court also affirmed a risk of repetition, which can only be eliminated by a cease-and-desist declaration with a penalty clause.

The plaintiff is entitled to information under Art. 15, Art. 4 No. 2 GDPR. The claim for damages arises from Art. 82 para. 1 GDPR, whereby immaterial damage is also sufficient. In this case, this consists of the plaintiff's loss of control over his data and the discomfort he feels as a result. Liability under Art. 82 (1) GDPR is intended to create an incentive for security measures and prevent further breaches.

Giving away free services is a strategy. Unsuspecting website operators unwittingly become data thieves.

The dynamic IP address is also passed on when Google Analytics, Google Maps and YouTube videos are integrated. Vimeo videos cannot be used legally either.

It should also be noted, and here the court is wrong, that even obtaining consent via a consent banner cannot prevent the IP address from being passed on, because the services are already loaded before or at the same time as the consent banner, meaning that the infringement has already occurred without the user's consent. In the case of fonts, the website would be without text and therefore not recognizable as such. In the case of embedded videos, the player component is loaded beforehand and the IP address is therefore transmitted. A consent banner cannot prevent this. There is therefore no choice but to remove all US services from the website and replace them with services that respect data protection and privacy:

  • Matomo (instead of Google Analytics)
  • OpenStreetMap (instead of Google Maps)
  • Google Fonts self-hosting (instead of Google-hosted fonts)
  • Video.Taxi (instead of YouTube or Vimeo)
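To find the dynamic integrations described above on an existing site, an operator can scan the delivered HTML for elements that make the visitor's browser contact one of the named services. This is an added example, not code from the original article; the host list, the names `classify` and `audit`, and the sample markup are assumptions constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

SERVICES = {  # host suffix -> service named in the article (assembled for this example)
    "fonts.googleapis.com": "Google Fonts", "fonts.gstatic.com": "Google Fonts",
    "google-analytics.com": "Google Analytics", "googletagmanager.com": "Google Analytics",
    "maps.googleapis.com": "Google Maps", "vimeo.com": "Vimeo",
    "youtube.com": "YouTube", "youtube-nocookie.com": "YouTube",
}
CSS_URL = re.compile(r"""(?:@import\s+(?:url\()?|url\()\s*['"]?([^'")\s;]+)""", re.I)

def classify(url):
    u = urlparse(url.strip())
    host = (u.hostname or "").lower()   # empty for relative, i.e. self-hosted, URLs
    if host in ("google.com", "www.google.com") and u.path.startswith("/maps"):
        return "Google Maps"
    return next((s for h, s in SERVICES.items()
                 if host == h or host.endswith("." + h)), None)

class Audit(HTMLParser):
    def __init__(self):
        super().__init__()
        self.loads, self._in_style = [], False
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        self._in_style = tag == "style"
        if tag in ("link", "script", "iframe", "img"):  # <a href> loads nothing
            self.loads.append((tag, a.get("src") or a.get("href") or ""))
    def handle_endtag(self, tag):
        self._in_style = False
    def handle_data(self, data):
        if self._in_style:  # @import / url() inside a <style> element
            self.loads += [("style", u) for u in CSS_URL.findall(data)]

def audit(html):
    parser = Audit()
    parser.feed(html)
    parser.close()
    return [(el, classify(u), u) for el, u in parser.loads if classify(u)]

# Constructed sample page: dynamic and self-hosted fonts, a tag loader, a map embed.
SAMPLE = """<link rel="stylesheet" href="https://fonts.googleapis.com/css2?family=Roboto">
<link rel="stylesheet" href="/assets/fonts/roboto.css">
<style>@import url("//fonts.googleapis.com/css?family=Lato");</style>
<script src="https://www.googletagmanager.com/gtag/js?id=G-CONSTRUCTED"></script>
<iframe src="https://www.google.com/maps/embed?pb=constructed"></iframe>"""
if __name__ == "__main__":
    print(*audit(SAMPLE), sep="\n")
```

The scan only sees what is in the delivered markup; resources injected by scripts at runtime have to be checked in the browser's network panel.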

Only the IP address - my ass

Each time the visitor's IP address is transmitted, a whole package of sensitive information is transmitted along with it:

  • Rough location
  • Detailed location
  • Contact information
  • Physical address
  • E-mail address
  • Name
  • Phone number
  • Search history
  • Browsing history
  • Identifiers
  • User ID
  • Device ID
  • Usage data
  • Product interaction
  • Advertising data

This data is never deleted and forms a building block in the construction of the user's digital compulsion. Money is then made from this information without the owner of the data being paid for it. They will probably not even know what is happening to their property.

 
