Many self-employed people and small businesses create their website themselves using tools offered on the Internet. They must now reckon with the fact that they can be sued by robber barons of the Internet with the help of the provisions of the General Data Protection Regulation (GDPR) for payment of damages, even though they are not aware of any wrongdoing.
The background is a decision of the LG München I of 20.01.2022 - 3 O 17493/20, which is based on the following facts: The operator of a website had used fonts from Google without realizing it. These fonts, since they were not embedded in the website, were retrieved from the Google server every time the website was accessed. In doing so, the IP address of the person who had called up the website was transmitted to Google, which was necessary so that the fonts could be transmitted to the computer that had called up the website.
According to the LG Munich, the transmission of the (dynamic) IP address to Google constitutes a violation of personal rights within the meaning of Art. 82 DSGVO. Dynamic IP addresses are also personal data, since with the help of the competent authority and the Internet access provider, the person in question can be determined on the basis of the stored IP address (BGH, ruling dated May 16, 2017 - VI ZR 135/13).
Based on this decision at the latest, it should be clear that our data protection law goes far beyond any reasonable concern. It is true that the Munich Regional Court can be conceded that it applied the GDPR correctly with regard to the BGH ruling. However, it is incomprehensible that it ordered the website operator to pay damages. In justification, it stated:
"The encroachment on the general right of personality (associated with the transmission of the IP address) is so significant in view of the plaintiff's loss of control over a personal data to Google, a company that is known to collect data on its users, and the individual discomfort felt by the plaintiff as a result, that a claim for damages is justified."
It is not known what prompted the plaintiff to file suit in the case decided by the Munich Regional Court. In any case, the ruling is now being used so that - similar to earlier warning letter cases - data protection highwaymen exploit the ruling for reasons of their personal financial self-interest in order to blackmail ignorant website operators.
It can only be hoped that further courts dealing with corresponding claims for damages will know how to distinguish between individual discomfort and financial self-interest.
For questions on this topic, please contact attorney Dr. Probandt.