LG München - 3 O 17493/20

From GDPRhub
LG München - 3 O 17493/20
Courts logo1.png
Court: LG München (Germany)
Jurisdiction: Germany
Relevant Law: Article 6(1)(f) GDPR
Article 82(1) GDPR
§ 1004 BGB
§ 823 (1) BGB
Decided: 20.01.2022
Published:
Parties:
National Case Number/Name: 3 O 17493/20
European Case Law Identifier:
Appeal from:
Appeal to: Unknown
Original Language(s): German
Original Source: Bayern.Recht (in German)
Initial Contributor: n/a

The Regional Court of Munich awarded a data subject €100 in damages after a controller unlawfully transferred their IP address to Google LLC via the use of Google Fonts.

English Summary

Facts

The data subject is a private person who visited the website of the controller. The controller used Google Fonts in a way that the dynamic IP address of the data subject was automatically transferred to Google's server in the USA. Google Fonts is a library which includes over 1300 different fonts and can be embedded in a website by its operator.

Holding

The Regional Court of Munich (Landgericht München - LG München) held that the transfer to Google via Google Fonts violated the GDPR and, therefore, the data subject's right to constitutional right to informational self-determination. As a consequence, it granted injunctive relief according to § 823(1) BGB in conjunction with § 1004 BGB (analogously) and awarded damages in the amount of €100.

At first, the LG München determined that injunctive relief requires a violation of rights and a risk that this violation may occur in the future again (risk of repetition). The court found the transfer of the IP address to Google without the consent of the data subject (Article 6(1)(a) GDPR) is an infringement of the data subject's constitutional right to informational self-determination. It came to the conclusion that a dynamic IP address is to be considered as personal data (Article 4(1) GDPR), as the controller has an abstract opportunity to determine the data subject.

It also held that the infringement is not justified under Article 6(1)(f) GDPR since Google Fonts could be used without having a connection to Google's servers. It rejected the arguments of the controller that the data subject should have masked their IP address, because this would run contrary to the objective of data protection law to protect data subjects by imposing obligations on the entities which are processing data, and not make data subjects responsible for their own protection.

The court further affirmed that the risk of repetition is factually presumed, when a violation of rights has been established. It found that this presumption was not rebutted by the controller, and that the need for injunctive relief was not dissolved, because the controller afterwards enabled the function to use Google Fonts without sending the IP address to Google. Only a punishable declaration to cease and desist from the controller would provide sufficient guarantees to the data subject that the controller will not repeat its illegitimate behaviour in the future.

Regarding damages the court determined that the term "damages" in Article 82(1) GDPR is to be understood broadly according to sentence 3 of Recital 146 GDPR. The interpretation of the term must meet the objectives of the GDPR, including the objective to sanction data protection violations and prevent future ones. The court left the question unanswered whether the violation must exceed a certain threshold of intensity in order to award damages. It concluded that such a threshold was clearly exceeded in the present case, since the IP address was transferred more than once to Google, which is a company known for collecting data, and since the IP address was transferred to the USA, a country without an adequate level of data protection.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the German original. Please refer to the German original for more details.

Editorial motto
Dynamic IP addresses represent personal data for the operator of a website because, in the abstract, he has the legal means that could reasonably be used to, with the help of third parties, namely the competent authority and the Internet access provider, identify the person concerned based on the stored IP - to have addresses determined (following BGH VI ZR 135/13). RN 5
The use of font services such as Google Fonts cannot be based on Article 6 Paragraph 1 S.1 lit. f GDPR, since the use of fonts is also possible without the visitor having to connect to Google servers. RN 8
The visitor is not obliged to "encrypt" his IP address (probably means to disguise it, for example by using a VPN). RN 9
The transfer of the user's IP address in the above-mentioned manner and the associated encroachment on general personal rights is, with regard to the loss of control over personal data, to Google, a company that is known to collect data about its users and the way the user perceives it individual discomfort is so significant that a claim for damages is justified. RN 12

object

Injunctive relief and damages (here 100 €) wg. Passing on of IP address to Google by using Google Fonts
tenor

1. The defendant is sentenced to refrain from a fine of up to €250,000.00 to be set for each case of infringement, alternatively to imprisonment or imprisonment for up to six months, if the plaintiff accesses a website operated by the defendant on his IP address address by providing a font from the provider Google (Google Fonts) to disclose the provider of this font.

2. The defendant is sentenced to provide the plaintiff with information as to whether personal data relating to the plaintiff are being processed and, if so, to provide information as to which personal data are being stored about the plaintiff.

3. The defendant is sentenced to pay the plaintiff €100.00 plus interest from this amounting to 5 percentage points above the base interest rate since January 28, 2021.
Reasons for decision
1

The admissible action is predominantly well-founded.
I
2

The plaintiff has a claim against the defendant to refrain from passing on the plaintiff's IP addresses to Google under Section 823 (1) in conjunction with Section 1004 of the German Civil Code.
3

The unauthorized disclosure of the plaintiff's dynamic IP address by the defendant to Google constitutes a violation of the general right of personality in the form of the right to informational self-determination according to § 823 Para. 1 BGB. The right to informational self-determination includes the right of the individual to disclose and determine the use of their personal data.
4

1. The dynamic IP address passed on to Google by the defendant is personal data within the meaning of Section 12 (1) and (2) TMG (in the version applicable at the time of transmission, hereinafter the old version), Section 3 Para. 1 BDSG, Art. 4 No. 1 DS-GVO.
5

The dynamic IP address represents personal data for a website operator, because the website operator has abstract legal means that could reasonably be used to identify the person concerned using the stored IP to have addresses determined (Federal Court of Justice, judgment of May 16, 2017 - VI ZR 135/13). It is sufficient that the defendant has the abstract possibility of identifying the persons behind the IP address. Whether the defendant or Google has the specific opportunity to link the IP address to the plaintiff is irrelevant.
6

2. The defendant violated the plaintiff's right to informational self-determination by forwarding the dynamic IP address to Google when the plaintiff accessed the defendant's website.
7

The automatic transmission of the IP address by the defendant to Google was an inadmissible encroachment on the plaintiff's general personality rights under data protection law, since the plaintiff in this encroachment was undisputedly not in accordance with Section 13 (2) TMG old version, Art. 6 (1) a ) GDPR has consented.
8th

3. There is also no justification for the encroachment on the general right of personality. A legitimate interest of the defendant within the meaning of Art. 6 Para. 1 f) DS-GVO, as claimed by it, does not exist, because Google Fonts can also be used by the defendant without a connection to a Google Server is established and the IP address of the website user is transmitted to Google.
9

4. The plaintiff was also not obliged to encrypt his own IP address before accessing the defendant's website. Demanding this from the plaintiff would run counter to the purpose of the data protection law concerned here, which primarily aims to protect natural persons from impairment when processing their personal data, but rather reverse it, since such an obligation would prevent the rights holder from exercising his rights worthy of protection would be restricted (LG Dresden, judgment of January 11, 2019, file number 1 AO 1582/18).
10

5. The risk of repetition is to be affirmed. It is undisputed that the plaintiff's IP address was forwarded to Google when the plaintiff visited the defendant's website. Previous unlawful impairments justify an actual assumption of the risk of repetition, which was not refuted by the defendant. The risk of repetition is not eliminated by the fact that the defendant now uses Google Fonts in such a way that the IP address of the website visitor is no longer disclosed to Google. The risk of repetition can only be eliminated by a declaration of discontinuance with a penalty.
II.
11

The plaintiff's right to information follows from Art. 15, Art. 4 No. 2 DS-GVO.
III.
12

The plaintiff is entitled to a claim for damages under Art. 82 Para. 1 DS-GVO. The concept of damage within the meaning of Article 82 GDPR is to be interpreted broadly according to recital 146 sentence 3. The interpretation should fully correspond to the objectives of this regulation, including the objective of sanctions and prevention (BeckOK data protection law, Wolff/Bring, 38th edition, DS-GVO Art. 82, para. 24). According to Art. 82 (1) GDPR, immaterial damage is sufficient. It is controversial whether a threshold of significance must be reached or exceeded and so-called minor damage excluded (cf. BVerfG NJW 2021, 1005, margin no. 20 with further references; Kohn ZD 2019, 498 (501); Paal MMR 2020, 14 (16)) , but can be left undecided in the present case. The defendant admits that before the modification of its website, it transmitted the plaintiff's IP address to Google when he visited its website. The IP address was not only transmitted once. With regard to the plaintiff's loss of control over personal data to Google, a company that is known to collect data about its users, and the individual discomfort felt by the plaintiff as a result, the associated encroachment on general personal rights is so significant that a claim for damages is justified. It must also be taken into account that the IP address was undisputedly transmitted to a Google server in the USA, although an appropriate level of data protection is not guaranteed there (cf. ECJ, judgment of 16.7.2020 - C-311/18 (Facebook Ireland and . Schrems), NJW 2020, 2613) and the liability under Article 82 (1) GDPR should prevent further violations and create an incentive for security measures. The amount of the claimed damages is appropriate in view of the seriousness and duration of the infringement and is not challenged by the defendant.

For better readability, typos may have been removed or formatting adjusted.