LG München I - 4 O 13063/22

From GDPRhub
Revision as of 07:43, 5 June 2023 by Mg (talk | contribs) (Created page with "{{COURTdecisionBOX |Jurisdiction=Germany |Court-BG-Color= |Courtlogo=Courts_logo1.png |Court_Abbrevation=LG München I |Court_Original_Name=Landgericht München I |Court_English_Name=Regional Court Munich I |Court_With_Country=LG München I (Germany) |Case_Number_Name=4 O 13063/22 |ECLI= |Original_Source_Name_1=LG München I (Germany) |Original_Source_Link_1=https://www.gesetze-bayern.de/Content/Document/Y-300-Z-GRURRS-B-2023-N-6354?hl=true |Original_Source_Language_1...")
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
LG München I - 4 O 13063/22
Courts logo1.png
Court: LG München I (Germany)
Jurisdiction: Germany
Relevant Law: Article 82 GDPR
Decided: 30.03.2023
Published:
Parties:
National Case Number/Name: 4 O 13063/22
European Case Law Identifier:
Appeal from:
Appeal to: Unknown
Original Language(s): German
Original Source: LG München I (Germany) (in German)
Initial Contributor: mg

The Regional Court of Munich stated that the use of web crawlers to identify GDPR violations rules out any infringement of the data subject’s personality rights and any claim for damages under Article 82 GDPR.

English Summary

Facts

The controller embedded Google Fonts on its website. When a user visited the website, their personal data were transferred to Google Inc. in the US. Considering that the controller violated Chapter V of the GDPR, a data protection association deployed an automated system – so-called “web crawler” – to detect data transfers through Google Fonts tools. Then, the association representing the data subjects contacted the controller and asked for non-material damages under Article 82 GDPR. Meanwhile, the controller had updated its website and removed the Google Fonts. The controller argued that the claim for damages was part of a broader initiative involving hundreds of thousands of controllers in Germany. The controller stressed that the individual data subjects represented by the data protection association never directly visited its website. The controller brought action against the association and asked the Regional Court of Munich (LG Münich) to declare the association’s claims unlawful.

Holding

The German Court upheld the controller’s arguments. The court did not consider whether the controller violated the GDPR by undertaking data transfers to the US, nor whether the data subjects implicitly consented to such transfers by accepting to use the web crawlers. Instead, the court focused on the fact that a person that did not directly visited a website could not feel annoyance or uncertainty with regard to the transfer of their personal data to a third country. From this perspective, the use of web crawlers played a major role in ruling out an actual infringement of data subjects’ data personality rights. The court also stated that, even imaging that the use of web crawlers was compatible with a violation of the data subject’s informational self-determination, the data subject provoked the situation against which they complained. In light of the above, the Court adopted a decision declaring the lack of legal basis for any claim for damages under Article 82 GDPR.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the German original. Please refer to the German original for more details.

Title:
Unfounded injunctive relief due to the dynamic integration of so-called Google fonts
chains of standards:
BGB Section 242, Section 823 Paragraph 1, Section 1004
GDPR Art. 82
Guiding principles:
1. The dynamic integration of Google fonts and the transmission of the IP address - without a compelling technical reason and without consent - in the USA to Google can represent a violation of the right to informational self-determination. However, a violation of the right to informational self-determination as part of the general right of personality presupposes that there is actually a personal concern. (Rn. 26 - 30) (editorial guiding principle)
2. In case law, it is disputed to what extent feelings of fear or uncertainty are sufficient in themselves to justify a claim for damages under Art. 82 GDPR. However, this question was not relevant in the present case. Because if you don't even know which websites are being visited "in your name", you can't think individually that the transmission of your IP address could cause you inconveniences. (Rn. 35) (editorial guiding principle)
tags:
Injunctive relief, Google fonts, dynamic integration, IP address, website, web crawlers, right to informational self-determination
Source:
GRUR-RS 2023, 6354


tenor

1. It is established that the defendant has no claim against the plaintiff for an injunction to embed Google fonts on the website...at, as alleged in the defendant's letter to the plaintiff dated October 20, 2022.

2. It is established that the defendant has no claim against the plaintiff for payment of compensation for pain and suffering due to the embedding of Google fonts on the website... as alleged in the defendant's letter to the plaintiff dated 10/20/2022.

3. The defendant has to bear the costs of the legal dispute.

4. With regard to item 3, the judgment is provisionally enforceable for the plaintiff against security of 110% of the amount to be enforced.

The value in dispute is set at €10,000.00.

facts

1
By way of a negative declaratory action, the parties are arguing about a claim for injunctive relief by the defendant against the plaintiff because of the integration of so-called Google fonts and other claims.

... an internet presence. Fonts provided by Google were "dynamically" integrated on this website until October 2022 in such a way that when the website was visited, the IP address of the visitor was transmitted to Google in the USA. This is based on an offer from Google to website operators in the form of the provision of so-called Google fonts with dynamic integration. From a technical point of view, it would also have been possible to integrate the Google fonts locally, so that when the website was accessed, the visitor's IP address was not transmitted to Google in the USA.

2
The defendant used an automated system, a so-called "crawler", to identify websites on which a dynamic integration of Google fonts was programmed. In a disputed number of cases between the parties, but in any case at least a higher two-digit number (cf. the lists submitted by the plaintiff on warning cases of the defendant; in the hearing dated March 9th, 2023, the plaintiff’s legal representative, who was heard for information purposes, spoke of a low six-digit number), the defendant then had R. send "warning letters" to the operators of corresponding websites with dynamic integration of Google fonts.

3
On October 20, 2022, R. sent a letter to the plaintiff "in the name of and on behalf of" the defendant entitled "Violation of personal rights data protection Google Fonts, here: Warning". The letter first states:

“Our client is part of the data protection interest group; in short: IG data protection (www.igdatenschutz.de). IG Datenschutz is dedicated to defending and enforcing data protection through civil law. IG data protection has noticed that you are using Google Fonts on your website. Google Fonts is installed on your website in such a way that, among other things, the IP address of the visitor to your website is forwarded to Google in the USA. At the request of our client, this process was technically secured with their IP address, as shown, whereby the forwarding to Google from the highlighted link is confirmed.

4
After legal explanations that the unauthorized disclosure of the IP address constitutes a violation of general personal rights, the following is further explained:

"Due to the violation, our clients have a right to injunctive relief against you, among other things. In the last two years, German courts have awarded those affected by a wide variety of data protection violations compensation for pain and suffering up to a maximum of €2,500.00 (example: LG Munich I, judgment of December 9th, 2021 – 31 O 16606/20 (€2,500.00); LAG Hamm, judgment of December 14, 2021 - 17 Sa 1185/20 (€2,000.00); LAG Hanover, judgment of October 22, 2021 - 16 Sa 761/20 (€1,250.00); LG Lüneburg, judgment of July 14, 2020 - 9 O 145/19 (€1,000.00), AG Hildesheim, judgment of October 5, 2020 - 43 C 145/19 (€800.00); AG Pfaffenhofen/Ilm, judgment of September 9, 2021 - 2 C 133/21 (€300.00); LAG Cologne, judgment of September 14, 2020 - 2 Sa 358/20 (€300.00); LG Munich, judgment of January 20, 2022 - 3 O 17493/29 (€100.00).

In the event of the immediate termination of the violation and payment of an amount of

to our trustee client account at […] until

ready to let the matter rest. Power of attorney to receive money is available as attached."

5
According to the attachment to the letter, the plaintiff's website was visited on September 17, 2022. With regard to the exact content of the letter, reference is made to Annex K1.

6
The plaintiff has meanwhile changed the way Google fonts are integrated on his website.

7
The plaintiff argues that the defendant is running the "so far most powerful warning wave" in Germany. He has had lawyers ... send automated warning letters in the six or even seven-digit range since late summer 2022. The letters claim that the defendant has visited the respective website of the person who has been warned and that the defendant therefore feels that his rights have been violated. In fact, the defendant did not personally visit any websites and therefore could not have felt any personal concern. The file numbers assigned by RA ... already showed that the number of warning letters sent was already in the six or seven-digit range. The warning letters would also be sent automatically. Errors in the warnings, such as the warning of website operators whose dynamic integration of Google fonts was not active at all or who used other fonts, show that the processes are actually not checked manually at all.

8th
The plaintiff is of the legal opinion that the defendant is committing a criminally relevant act of deception with the "warning letter". In the warning letters, the defendant suggested that he personally visited the respective website. None of the claims listed in the warning letter existed. In the absence of a violation of rights, the defendant has no right to injunctive relief against the plaintiff under §§ 823 Para. 1, 1004 BGD and Art. 82 DS-GVO or on any other legal basis. If a crawler is used, there can be no violation of general personal rights.

9
The plaintiff requests:

I. It is established that the defendant has no claim against the plaintiff for an injunction to embed Google fonts on the website ... as alleged in the warning letter dated October 20, 2022.

II. It is established that the defendant has no claim against the plaintiff for payment of an imaginary compensation for pain and suffering due to the embedding of Google fonts on the website ... as alleged in the warning letter dated October 20th, 2022.

10
The defendant requested

11
The defendant argues that his main interest in the warnings was to draw attention to the topic of Google Fonts. This was not possible only by means of an information letter without any consequences. The fearful Internet created by the use of Google Fonts with the participation of the plaintiff causes him pain.

12
The defendant further argues that he did not demand the payment of €170, but instead made a negotiable settlement offer to those who had been warned. The web crawler used was set up by him on a laptop, the IP address used was the IP address dynamically assigned to him by the provider.

13
The defendant is of the legal opinion that the plaintiff has already overlooked the fact that he did not attempt any integration of fonts, but only an integration by forwarding his IP address to Google in the USA. There was also no provocation on his part, because the website was not compliant with data protection just before the visit and the warning. His actions are also not illegal.

14
The plaintiff replies that the defendant cannot simply deny the number of warnings that he submits, but may have to deny this in a qualified manner. The defendant has a secondary burden of proof. The warnings were sent fully automatically. There is already insufficient proof that an IP address of the defendant was actually transferred to the USA.

15
During the oral hearing on March 9th, 2023, the court heard the defendant, represented by his legal representative, for information. With regard to the result of the informational hearing, reference is made to the minutes of the oral hearing of March 9, 2023.

16
To supplement the facts, reference is made to the written pleadings exchanged between the parties and the annexes as well as the minutes of the oral hearing of March 9th, 2023.

Reasons for decision

17
The admissible action is well founded.

18
The lawsuit is admissible. In particular, there is the necessary determination interest (§ 256 ZPO) for the desired determinations that the defendant is not entitled to any claims against the plaintiff.

19
In the letter dated October 20, 2022, the defendant claims a claim for injunctive relief against the plaintiff. The defendant's offer not to pursue "claims" any further if the plaintiff was willing to pay a settlement of €170, after legal statements that German courts had awarded damages for pain and suffering of up to €2,500 in recent years due to data protection violations, is objective Recipient horizon (§§ 133, 157 BGB) to be understood in the sense that the defendant also claims an existing corresponding claim for compensation for pain and suffering. The letter, written by a lawyer, is deliberately worded in such a way that an average reader is given the impression that the defendant is also entitled to payment, the amount of which could be between €100 and €2,500. Even if it is not immediately announced that a claim for injunctive relief and compensation for pain and suffering will be asserted in court in the event of non-payment of the €170, the entire presentation of the letter - sent by a lawyer, designation as a warning letter, reference to court decisions that have been issued, naming a specific payment amount - is suitable to give the recipient the impression that the defendant sees a claim for injunctive relief and compensation for pain and suffering, the enforcement of which is also threatened. According to the court, it was precisely this threatening effect that was intended by the defendant.

20
The fact that the "warning" that was sent does not meet all the requirements for a warning letter that were established by the higher court's case law is irrelevant to the question of the defendant's boasting of the claims in question. Crucial to the present lawsuit is the question of what impression the defendant made on the recipients of his letters based on the objective recipient horizon, not the fulfillment of requirements for warning letters in order to obtain reimbursement of pre-court attorney's fees for these. In this respect, no replacement is required in the warning Annex K1.

21
Deviating from the legal opinion of the defendant, the court does not assume that the plaintiff with the tenor of the application - which the court has adopted in this respect - regards any integration of Google fonts on his website as being attacked by the defendant. It is clear from the warning in Appendix K1 that the defendant is opposed to the dynamic integration of Google fonts and the plaintiff's reference to the letter of October 20, 2022 in the application sufficiently defines the subject matter of the negative declaratory action.

22
The lawsuit is also well founded. The plaintiff can request a declaration that the defendant has no claim for injunctive relief or compensation for pain and suffering.

23
I. The defendant had no claim for injunctive relief against the plaintiff, so that the plaintiff can demand the non-existence of a corresponding injunctive relief based on the defendant's boasting in the letter dated October 20, 2022.

24
1. It can remain open whether the dynamic integration of Google fonts that previously existed on the plaintiff's website violated the GDPR. It also does not have to be decided whether, when using a web crawler to find websites on which Google fonts are dynamically integrated, the consent of the user of the web crawler to the transmission of his IP address to the USA could be assumed, precisely because with violations of the GDPR alleged by the web crawler should be identified and documented.

25
2. In any case, the requirements of the defendant's famous (see above) injunctive relief are missing. In the letter dated October 20, 2022, the defendant alleges a violation of his general personality rights in the form of the right to informational self-determination according to Section 823 (1) BGB. However, there is no such violation of the general right of personality here.

26
a) In the starting point, the court also shares the defendant's view that if the dynamic integration of Google fonts violates the GDPR and his IP address is transmitted to Google in the USA without a compelling technical reason and without his consent, this may represent a violation of the right to informational self-determination.

27
b) However, a violation of the right to informational self-determination as part of the general right of personality presupposes that there is actually a personal concern. According to the explanations in the pleadings of the parties as well as the further content of the files and the declarations of the parties in the hearing at the hearing, the court is convinced that such a personal concern did not exist here. It cannot be assumed - and at the latest since the date of the oral hearing on March 9th, 2023 it has probably been undisputed - that the defendant actually personally visited the plaintiff's website or the websites of other people who had been warned. Rather, an automated program (so-called crawler) was used to find websites on which Google fonts were dynamically integrated. Already the wording "at the request of our clients, this process was technically secured with their IP address, as shown here" is incomprehensible in this respect. What does "secured" mean exactly? Has a violation by an allegedly different "IG data protection" been determined by the plaintiff and then the website was automatically visited without the involvement of the defendant, allegedly using his IP address? Or did the defendant personally determine the dynamic integration with a crawler, but without having personally visited the websites - the latter would not have been possible in view of the large number of pages within the available time. Irrespective of which of the variants mentioned actually happened - the statements made by the defendant's legal representative at the hearing on March 9, 2023 in this respect did not give the court any certainty as to who exactly did what - in all cases there is no personal involvement of the defendant Defendant as a prerequisite for a violation of his right to informational self-determination. Anyone who does not visit websites personally cannot feel any irritation or uncertainty about the transmission of their IP address to Google in the USA.

28
c) However, even if it were assumed that an automated visit to a website, which leads to the transmission of the user's IP address, would in principle be suitable for justifying a violation of the right to informational self-determination, the defendant's claim for injunctive relief against the plaintiff under point of view of provocation. The crawler allegedly used by the defendant was supposed to find websites with dynamic Google Fonts integration. The transfer of the IP address to the USA was then also a mandatory requirement in order to assert a claim for injunctive relief at all. However, anyone who consciously and purposefully enters a situation in which he is threatened with a violation of his personality rights, precisely in order to experience the violation of his personality rights in order to then base claims on it, is not in need of protection.

29
The situation in this respect cannot be compared with that of a test purchase in cases of unfair competition law. The test purchase cases are about documenting violations of competition by entrepreneurs on bona fide customers. The individual mystery shopper knows about the imminent violation of competition law or at least suspects one. However, he does not want this violation himself, but wants the anti-competitive behavior to be stopped in the future. Even if the defendant were to be granted that he too was concerned with documenting widespread violations of the GDPR when integrating Google fonts in order to protect other Internet users, such an attitude of the defendant – which the court had not seen anyway in any case find their limit in the fact that claims are excluded if the clear overriding motive is to make a profit due to corresponding data protection violations. However, this is to be assumed here. The number of cases documented by the plaintiff in the case lists is already high, albeit by no means a six- or seven-digit number. During the oral hearing, the defendant's attorney-in-fact, who was heard for information purposes instead of the defendant who had been summoned but did not appear in person, stated that the number of warnings was in the low six-digit range. This would mean at least 100,000 warnings. However, having a lawyer send at least 100,000 warning letters and sending them themselves means considerable expenditure, both in terms of time and money, at least if these warning letters are not created and sent completely automatically. The court considers it hardly conceivable that a private individual would take on the effort associated with sending at least 100,000 warning letters just out of annoyance at what they consider to be a widespread data protection violation by website operators, just to to draw attention to the deficiencies in data protection that have been seen. In addition, the defendant did not just send or have sent information letters to the addressees of his “warnings”, but expressly described them as “warnings”. The letters were not sent by the defendant personally, but by a lawyer in his name ... The targeted involvement of a lawyer and the designation as a "warning" was intended to increase the level of threats towards the recipients of the "warnings" in order to convince the court. In addition, the lack of prosecution of the alleged claims in court must be taken into account. In contrast to a test purchase in unfair competition law constellations, the court assumes, based on the defendant's own statements, that the defendant never intended to bring a significant number of cases to court compared to the number of warnings. For this, the defendant would have had to raise considerable financial resources because of the court costs advance to be paid by him, without there being any indication that the defendant would have such as previously court-appointed supervisors at his disposal.

30
The fact that the defendant, represented by his legal counsel, did not want to answer the court's question about the actual income generated from the mailing through payments from other recipients of comparable letters - that he was unable to do so is evident from the statement "I only have the information from Public prosecutor's office" clearly not -, further proves for the court that the defendant was concerned with receiving the demanded €170 from the person who had been warned and thereby establishing a source of income of not inconsiderable importance over a not short period of time. It can be assumed that the vast majority of the website operators contacted did not pay. Apparently, individual people who were written to have negotiated down the sum of €170 – which the court is quite demanding. But even if only a number of people paid in the single-digit percentage range of those addressed, the amount obviously goes far beyond the expenses for programming the web crawler, its technical operation and the sending of warning letters. In addition, the amount of €340,000, which the defendant's attorney-in-fact called (with uncertainty upwards), would also be a significant amount compared to the costs presumably incurred for the use of the web crawler and the warnings. After that, around 2,000 people would have paid the required amount. Assuming 100,000 warnings (as a minimum), this would be 2%, which the court believes is probably too low.

31
3. Insofar as the defendant, in particular in the pleading of March 23, 2023, extensively addresses the question of possible deception of the persons he has written to, this is irrelevant for the court. In the present legal dispute it is not necessary to decide whether the cover letter constitutes a criminal attempt at fraud (or, in the case of a payment, a completed fraud). The public prosecutor's office has to decide on this question in the criminal investigation proceedings it is conducting. The question of deception is irrelevant for the present civil law decision, which is based on the fact that the defendant has no claim for injunctive relief or damages due to a lack of personal concern and the exclusion of any existing claims due to abuse of rights.

32
4. Whether the defendant would have had a claim for injunctive relief for reasons other than the alleged violation of his general personality rights in the form of the right to informational self-determination, for example directly from the GDPR or in connection with Section 1004 BGB, does not require a decision in the present case. For the negative declaratory action, it is relevant which claim the defendant claims. This is a claim for injunctive relief due to the violation of the right to informational self-determination, not on any other legal basis.

33
However, the above considerations on abuse of rights would also apply to any claims for injunctive relief based on the GDPR or this in conjunction with § 1004 BGB.

34
II. The defendant also had no claim for damages against the plaintiff, so that the plaintiff can demand a declaration that the famous claim (see above) does not exist.

35
1. The prerequisites for a claim under Art. 82 GDPR are already missing. This presupposes damage, possibly also immaterial, to the claimant. Such damage was obviously not present here. It is disputed in the case law to what extent feelings of fear or uncertainty are sufficient in themselves to justify a claim for damages under Art. 82 GDPR. However, this question is not relevant here, because the defendant cannot actually have had such feelings due to the use of an automated program: Anyone who does not even know which websites are visited "in his name" cannot think individually at all make it possible for him to experience inconveniences from the transmission of his IP address.

36
2. Otherwise, any claim for damages based on Art. 82 GDPR or Section 823 Para. 1 BGB or on another legal basis, also due to abuse of rights, Section 242 BGB, would be excluded. The defendant had the crawler visit websites specifically to substantiate alleged violations of his general personality rights. However, it is not the purpose of the general right of personality or the data protection requirements according to the GDPR to provide people with a source of income because of alleged violations of their general right of personality. Anyone who deliberately provokes a violation of his or her personal rights in order to subsequently justify claims violates the prohibition on self-contradictory behavior.

37
The decision on the costs was made according to § 91 ZPO. The minor linguistic change in the tenor compared to the application does not constitute a partial dismissal of the complaint and therefore does not have a disadvantageous effect on the costs for the plaintiff. The provisional enforceability had to be decided according to § 709 ZPO.