The year of “Google Fonts” warning letters


Last year, there were some positive developments in related to data protection law. Unfortunately there were also bad ones in which Google Fonts were involved and had some impact on how German websites are build.

The year 2022 is over and from a legal point of view, many exciting developments could be followed. But there were also some backward steps and not every verdict will be go down in legal history as a glorious one.

This should undoubtedly include the unfortunate ruling of the Munich I Regional Court of 20 January 2022 (3 O 17493/20) with reference to a so-called “Google Font warning”.

Whether legally versed or even halfway interested in legal matters, a large majority in Germany has heard about the “Google Fonts warning”. After the ruling, there was an accumulation of reports that website providers had been “warned off” for using Google Fonts. In the same period the search query on the Google search engine for the term “Google Fonts” increased significantly compared to last year in Germany and reached its peak in the fourth quarter.

The “warning letter”

The demand letters always had a similar structure and prominently feature the word “warning letter”. The facts of the cases and the demands are explained quickly and in summary as follows:

The data subject would have came across the website of the addressee and found that the website provider as a controller had used Google Fonts and that this fact had been documented. The data subject’s right of personality had been violated because of the use of Google Fonts, as the controller had therby transferred personal data to a third country (USA) without permission. Although it is called a warning letter, the demand is usually for damages of between 100,00 € and 170,00 € and of course lawyer fees. A German “cease-and-desist” declaration was not demanded, although such a declaration is essential.


The trigger

The trigger for this wave was, as indicated, the verdict of the Munich I Regional Court.

The Court ordered the defendant website provider (controller) to pay the plaintiff who visited the website (data subject) 100,00 € because the defendant violated the plaintiff’s right to informational self-determination. The awarded compensation in the amount of 100.00 € - according to the Court literally - "is appropriate with regard to the severity and duration of the infringement". The verdict was not unfortunate because the content of the decision was per se wrong, but because the reasoning for damages according to Article 82 GDPR, which followed the established data protection violation, was too sweeping and undifferentiated.

Legal (in)justification

But in order and for the sake of completeness:

In its judgement, the Court found an infringement of the GDPR in the sense that the defendant violated the plaintiff's right to informational self-determination by forwarding the dynamic IP address to Google at the moment the plaintiff accessed the defendant's website. The automatic forwarding of the IP address by a controller within the meaning of the GDPR to a third party is, according to data protection law, in this respect indisputably an inadmissible interference with the general right of personality of the data subjects, insofar as this processing is not justified, for example and in particular pursuant to Art. 6(1)(a) GDPR ("consent").

However, the Court went on to interpret Art. 82 GDPR extensively. "The interpretation should fully comply with the objectives of this regulation, including the objective of sanction and prevention”, although neither the wording nor the recitals to Art. 82 GPR suggest that the ratio of this claim serves the purpose of sanctioning or an dissuasive effect. Art. 82 GDPR also does not regulate damage compensation as such. The GDPR leaves this to Member State law. German civil law provides in the first consequence the restitution of a damage that has actually occurred (§ 249 para. 1 German Civil Code) and only in the second consequences for compensation of a material (in rem) and/or immaterial (in person) damage that has actually occurred (§ 249 para. 2 German Civil Code). The Court however did not deal with this at all and assumed, without further justification and without foresight, “punitive damages”, which German civil law simply does not know.

Admittedly, Munich I Regional Court was not the first court to rely an such lax reasoning. What was new, however, was the combination of a simple factual situation that occurs many times and the very thin reasoning, which was understood as lump-sum damages and thus serves as an excellent breeding ground for such “warning waves”.


Article provided by INPLP members: Juri Knaub and Jens Eckhardt (Derra, Meyer & Partner, Germany)



Discover more about the INPLP and the INPLP-Members

Dr. Tobias Höllwarth (Managing Director INPLP)

What is the INPLP?

INPLP is a not-for-profit international network of qualified professionals providing expert counsel on legal and compliance issues relating to data privacy and associated matters. INPLP provides targeted and concise guidance, multi-jurisdictional views and practical information to address the ever-increasing and intensifying field of data protection challenges. INPLP fulfils its mission by sharing know-how, conducting joint research into data processing practices and engaging proactively in international cooperation in both the private and public sectors.