Is the wave of Google Fonts warnings coming to an end? The Federal Court of Justice asks the mass warning industry uncomfortable questions

Image: IB Photography / Shutterstock.com

A business model is faltering—and with it thousands of warnings

The well-known wave of Google Fonts warnings, which has caused panic among countless website operators in recent years, could soon come to an end. The Federal Court of Justice (BGH) has stopped a case with explosive implications—and is now submitting three fundamental questions to the European Court of Justice (ECJ). It is not only a question of how personal an IP address is, but also whether it is permissible to deliberately cause data protection violations in order to make money.

What is being negotiated here concerns more than just a few poorly secured websites: it is about the future of a system that many experience as a perfidious warning trap. And about the question of how far data protection should—and can—really go.

Are IP addresses really "personal"?

At the heart of the dispute: the IP address. It is automatically transmitted to servers when visiting many websites—including Google, if fonts are dynamically integrated. This was precisely the gateway for thousands of warnings.

But is an IP address automatically personal data? Not necessarily, says the Hanover Regional Court: Google cannot identify the user because it has no access to the data of the Internet service providers. But the Federal Court of Justice sees things differently—and has asked the European Court of Justice for clarification: Is it not enough that someone—such as the provider—could identify the user? If so, then every IP address would be personal data, even if Google itself cannot identify the user.

If the ECJ were to adopt this stricter interpretation, website operators would find it even more difficult to defend themselves against data protection allegations in the future.

When the data breach is deliberately provoked

Question two is even more delicate: Can someone claim damages if they deliberately cause a data protection violation themselves? In this specific case, the defendant had deliberately scanned websites with a crawler, developed software, and automatically accessed pages where he knew that data would be sent to Google. All this was done in order to document a GDPR violation—and claim money.

The Federal Court of Justice is now asking quite directly: Is this still "real" damage? Or is it simply calculated abuse? The European Court of Justice must decide whether self-staged data protection violations are suitable for the cash register model—or not.

Abuse or legitimate tip?

The third question brings morality into play: What if the whole thing was just a money-making scheme? Can you still claim damages? Or is that a pure abuse of the law?

The defendant claims that he only wanted to draw attention to data protection gaps. But the question remains: Was it really about raising awareness—or just about making a quick buck? The Federal Court of Justice wants to know from the European Court of Justice whether a claim can be ruled out even if financial interests were not the only motive, but clearly the dominant one.

Comment: GDPR as a gold mine? Hopefully soon to be history

What was intended as a tool for greater data protection has, in some cases, degenerated into a business model. Surfing websites en masse, deliberately provoking violations, then issuing warnings or immediately taking legal action—this has nothing to do with the actual purpose of the GDPR. If the ECJ does not draw clear boundaries here, a sensible law will ultimately become a self-service store for warning letter professionals. Data protection yes – but not as a pretext for rip-offs. Those who plan to lose control of their data themselves should not complain about losing control in the end.

Source: heise.de