Germany’s highest civil court referred essential questions on IP address classification and GDPR compensation claims to the Court of Justice of the European Union on August 28, 2025. The Bundesgerichtshof’s preliminary ruling request in Case C-654/25 addresses whether dynamic IP addresses transferred through Google Fonts integration constitute personal data when recipients cannot reasonably identify users.

The case involves a website operator who received a warning letter demanding EUR 170 in October 2022 after a visitor’s IP address was automatically transmitted to Google USA through the dynamic loading of Google Fonts. According to the court documents, the first defendant used automated web crawler software specifically programmed to identify websites using dynamically integrated Google Fonts. The defendant’s system checked large numbers of websites automatically, visiting the applicant’s website by automated means through specialized software.

The defendant sent more than 100,000 such warning letters to various website operators, according to court filings. Each letter claimed GDPR violations and requested EUR 170 to resolve the matter. The applicant paid this amount on October 25, 2022, but subsequently demanded reimbursement after media reports about the defendant’s systematic campaign emerged.

Lower courts reached contradictory conclusions about whether the IP address transfer involved personal data. The Regional Court of Hanover ruled on July 1, 2024, that the applicant could recover the payment under German law governing intentional harm and unjust enrichment. That court held the dynamic IP address transfer to Google USA did not involve personal data within GDPR’s meaning because neither the applicant nor Google USA had legal means reasonably likely to identify the first defendant using the IP address.

The Court of Justice previously addressed IP addresses in October 2016, ruling that dynamic IP addresses registered by online media service providers constitute personal data when providers have legal means enabling identification through additional data from internet service providers. The German court now questions whether that standard applies differently when information is transferred rather than stored.

The Bundesgerichtshof identified three possible approaches to determining personal data status during transfers. First, information could be personal data if any third party possesses additional information required for identification, regardless of whether the transferring controller or recipient can identify individuals. Second, personal data status could depend on whether the controller responsible for the transfer or the recipient has means reasonably likely to identify the data subject. Third, if the second approach applies, courts must determine whether abstract legal possibilities for identification suffice or whether conditions must be fulfilled in both fact and law in specific cases.

According to the court documents, both the applicant and Google USA theoretically possessed legal avenues for obtaining identification through criminal procedure provisions and telecommunications law. German law permits authorities to request subscriber data from internet service providers under certain conditions. However, factual prerequisites were not established: neither party demonstrated storing the IP address long enough to enable such inquiries, and legal conditions for information requests were not satisfied.

The compensation question centers on whether automated, large-scale triggering of GDPR violations can constitute non-material damage. The appeal court found no damage occurred because the first defendant deliberately caused the data transfer for documentation and claims purposes. The defendant visited the applicant’s website with certain knowledge that accessing sites using dynamic Google Fonts would forward his IP address to Google USA.

Court precedent establishes that GDPR damage requires more than mere infringement. According to the ruling, fear of potential data misuse can constitute non-material damage when that fear is well-founded given specific circumstances. However, purely hypothetical risks or mere allegations without proven negative consequences prove insufficient for compensation.

The German court ruling on Google Tag Manager delivered March 19, 2025, reinforced that IP address processing requires explicit legal basis under GDPR Article 6. That decision found automated data transmission to external servers violated both telecommunications privacy requirements and data protection provisions.

The Bundesgerichtshof’s third question addresses the abuse of rights doctrine. European case law establishes that EU law cannot be relied upon for abusive ends, even between private persons. Proving abusive practice requires objective circumstances showing formal compliance while failing to achieve legislative purposes, plus subjective intent to obtain advantages by artificially creating conditions for those advantages.

The court asked whether compensation rights under Article 82(1) GDPR can be denied when data subjects knowingly cause infringements solely to document violations and assert claims. According to court documents, the appeal court could not rule out that the defendant’s actions were also intended to draw website operators’ attention to data protection concerns associated with dynamic Google Fonts integration.

Financial motivations were clearly present. The appeal court found financial interests were, at a minimum, clearly at the forefront of the first defendant’s motivation. However, the court acknowledged that economic activities may have explanations beyond mere advantage-seeking, potentially precluding abuse findings.

The preliminary ruling request reflects fundamental tensions in European data protection frameworks. Privacy rights must balance against legitimate business operations and technological functionality. The European Commission’s proposed Digital Omnibus amendments would narrow personal data definitions by introducing relativity based on controllers’ reasonable identification means.

Marketing technology implementations face particular scrutiny. The Swedish pharmacy data transfer case resulted in SEK 37 million in penalties for Apoteket AB when Meta Pixel advanced matching features transferred customer data without adequate security measures between January 2020 and April 2022. These violations involved health-related purchase information transmitted through tracking technologies embedded in pharmacy websites.

The case demonstrates how third-party integrations create liability exposure. Google Fonts provides website operators access to more than 1,500 fonts free of charge. Default settings enable dynamic integration where fonts download via Google servers when domains are requested by browsers. This architectural choice transmits visitor IP addresses to Google USA unless website operators modify settings to integrate fonts locally.

Technical implementation details matter for compliance assessments. According to court filings, the applicant had not modified default settings to prevent data transfers. When browsers request websites using dynamically integrated Google Fonts, the fonts are downloaded from Google servers and the respective IP addresses are transferred to Google in the United States.

Data minimization principles require controllers to implement least invasive processing methods. The court noted that Google Fonts can be used without establishing connections to Google servers, which precludes IP address transfers. This alternative implementation would have prevented the alleged violation while maintaining website functionality.
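
As an added illustration (not part of the court documents or the original article), the following Python check audits a page’s HTML for references that make a visitor’s browser contact Google’s font hosts, which is the dynamic integration described above. The host names `fonts.googleapis.com` and `fonts.gstatic.com` are the publicly known Google Fonts endpoints rather than values from the case, and the two sample pages are constructed for the example.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts contacted by dynamically integrated Google Fonts (CSS API, font files).
GOOGLE_FONT_HOSTS = {"fonts.googleapis.com", "fonts.gstatic.com"}
CSS_URL = re.compile(r"""(?:@import\s+(?:url\(\s*)?|url\(\s*)["']?([^"')\s;]+)""", re.I)

# Constructed sample pages: one dynamic integration, one self-hosted.
SAMPLE_DYNAMIC = """<head>
<link rel="preconnect" href="https://fonts.gstatic.com">
<link rel="stylesheet" href="https://fonts.googleapis.com/css2?family=Roboto">
<style>@import url('//fonts.googleapis.com/css?family=Lato');</style>
</head>"""
SAMPLE_LOCAL = '<style>@font-face{font-family:Roboto;src:url("/fonts/roboto.woff2")}</style>'

def is_google_font_url(url):
    # urlparse also handles protocol-relative URLs such as //host/path.
    return (urlparse(url).hostname or "") in GOOGLE_FONT_HOSTS

class FontAudit(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []       # (location, url) pairs
        self._in_style = False

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        href = attrs.get("href") or ""
        if tag == "link" and is_google_font_url(href):
            self.findings.append(("link", href))
        self._in_style = self._in_style or tag == "style"
        self._scan_css(attrs.get("style") or "", "style attribute")

    def handle_endtag(self, tag):
        if tag == "style":
            self._in_style = False

    def handle_data(self, data):
        if self._in_style:
            self._scan_css(data, "style block")

    def _scan_css(self, css, location):
        for url in CSS_URL.findall(css):
            if is_google_font_url(url):
                self.findings.append((location, url))

def audit(html):
    """Return every reference that makes a browser contact Google's font hosts."""
    parser = FontAudit()
    parser.feed(html)
    parser.close()
    return parser.findings
```

An empty result for a page, as with the self-hosted sample, means the markup itself triggers no request to those hosts; externally linked stylesheets and scripts would need the same check applied to their contents.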

The preliminary ruling mechanism enables national courts to clarify EU law interpretation before deciding cases. Article 267 TFEU requires courts of final instance to refer questions when EU law interpretation proves necessary for judgment. The Bundesgerichtshof stayed proceedings pending the Court of Justice’s response.

Systematic enforcement campaigns raise distinct compliance questions. The WetterOnline data access complaint filed February 12, 2025, addressed whether companies can refuse data subject access requests citing disproportionate effort. Privacy organization noyb challenged weather app provider WetterOnline’s denial of Article 15 GDPR access rights, arguing no exception permits effort-based refusals.

Professional complaint operations involving automated systems and mass mailings differ from individual privacy grievances. The first defendant’s web crawler systematically scanned websites for Google Fonts integration, automatically accessing sites through specialized software rather than manual browsing. This industrialized approach generated more than 100,000 warning letters demanding standardized EUR 170 payments.


The appeal court characterized the defendants’ conduct as violating common decency standards under German law. Paragraph 826 of the German Civil Code establishes liability for intentional harm caused in manners offending common decency. The court found the first defendant lacked legitimate claims under Article 82(1) GDPR, making the warning letter and payment demand actionable under domestic tort principles.

Legal basis requirements for international data transfers remain contested. Article 44 GDPR requires personal data transfers to third countries to comply with specific conditions ensuring protection levels are not undermined. The appeal court left open whether the IP address transfer to Google USA met Article 6(f) legitimate interest provisions and Article 44 transfer requirements.

The case arrives as Google faces multiple privacy enforcement actions. A San Francisco federal jury delivered a $425.7 million verdict on September 3, 2025, finding Google violated privacy rights of nearly 100 million users through Firebase SDK data collection that continued despite disabled Web & App Activity settings.

Data protection authorities across Europe have imposed substantial penalties for tracking technology violations. France’s CNIL fined Google EUR 325 million on September 1, 2025, for displaying advertisements in Gmail without consent and violating cookie requirements during account creation.

The Court of Justice’s forthcoming ruling will establish how GDPR’s personal data definition applies when controllers transfer information to third parties with varying identification capabilities. The decision carries implications for countless websites using third-party resources, content delivery networks, analytics platforms, and advertising technologies that necessarily transmit visitor IP addresses.

Website operators face difficult choices balancing functionality, user experience, and compliance obligations. Local font integration eliminates data transfers but requires additional storage and maintenance. Dynamic integration through content delivery networks reduces infrastructure costs but creates data processing events triggering GDPR requirements.

Professional service providers must evaluate whether standard implementations meet data protection requirements. The European Data Protection Board’s clarification on DSA compliance adopted September 11, 2025, addressed how platforms process personal data while meeting Digital Services Act obligations, creating additional compliance frameworks for technology integrations.

The preliminary ruling request reflects broader debates about balancing privacy enforcement against vexatious litigation. Systems designed to protect fundamental rights must not become vehicles for systematic extraction of settlements from technically non-compliant but functionally harmless practices.

Summary

Who: Germany’s Bundesgerichtshof referred preliminary questions to the Court of Justice of the European Union in a case between a website operator (applicant) and two defendants who systematically sent warning letters demanding EUR 170 payments for alleged GDPR violations involving Google Fonts IP address transfers.

What: The court seeks guidance on three essential questions: whether dynamic IP addresses transferred to third parties constitute personal data when recipients cannot identify users; whether non-material damage occurs when data subjects knowingly cause GDPR violations through automated means for claims purposes; and whether the abuse of rights doctrine can deny compensation when infringements are deliberately triggered solely to assert claims.

When: The Bundesgerichtshof issued its preliminary ruling request on August 28, 2025, following lower court proceedings that began after the applicant received a warning letter in October 2022 and paid EUR 170 on October 25, 2022.

Where: The case originated in Germany involving a website accessible globally, with IP address transfers to Google USA, and will be decided by the Court of Justice of the European Union with implications across European Union member states.

Why: The case addresses fundamental questions about how GDPR’s personal data definition applies during information transfers when different parties have varying identification capabilities, whether systematic triggering of technical violations constitutes compensable harm, and how privacy frameworks should address potential abuse through industrialized compliance enforcement campaigns involving automated systems and mass warning letters.
