A German civil court has ruled that a website that used Google’s Font Library has to pay the plaintiff 100 euros (about 110 US dollars) because it disclosed his IP address to Google without first notifying him, and the court warned the website of more severe penalties if it happens again.
The General Data Protection Regulation (GDPR) rules protect the user’s data in the European Union and set very clear directions for companies that deal with private information. According to one of those rules, the IP address a person uses when connecting to the internet is Personal Identifying Information (PII) and should not be disclosed to third parties without first informing the user.
The German court determined that the website disclosed the user’s IP address to Google without informing him. This was possible because the website implemented Google Font Library, a font embedding service that sent back to Google some user information.
“The unauthorized disclosure of the plaintiff’s dynamic IP address by the defendant to Google constitutes a violation of the general right of personality in the form of the right to informational self-determination according to § 823 Para. 1 BGB” the German court explained in the sentence motivation (LG München, Urteilvom 20.01.2022, Az. 3 O 17493/20, Rn. 3 nachrewis). “The right to informational self-determination includes the right of the individual to disclose and determine the use of their personal data.”
The court also explained that the IP represents personal data because the website operator could use this data, in conjunction with other information, to determine the internet user’s identity. The court also deemed it irrelevant if the website or Google had the opportunity to link the IP address to the user.
While the 100 euro fine is little more than a warning for the website, the court also said any other future case of infringement on the users’ rights by the website would result in a 250,000 euro fine for each case or imprisonment up to six months.