Damages for Google Fonts? Now the ECJ must decide

Remember? Some time ago, a wave of warning letters swept across Germany because website operators were using Google Fonts. The amounts to be paid were low. One person who paid is now suing for a refund. One of the key questions is: Are damages also payable in cases of abusive behavior?

Background to the proceedings

The starting point for the legal dispute is the mass mailing of warning letters due to the dynamic integration of Google Fonts. The defendant had used a web crawler to automatically visit websites that loaded fonts via Google servers. This type of integration of Google Fonts resulted in the respective IP address being transmitted to Google in the USA.

The defendant then sent standardized letters via his lawyer to the operators of the affected sites, demanding €170 in “compensation for pain and suffering.”

One website operator paid the amount but demanded a refund after learning about the mass warning letters (over 100,000 (!) such warning letters were sent).

The lower courts ruled differently: The Hanover Local Court awarded the plaintiff €70, while the Hanover Regional Court ultimately awarded the full amount. The Regional Court considered the action to be intentional immoral compensation. Interestingly, the defendant was not only the person who used the web crawler, but also his lawyer, who ultimately sent the warnings.

The Regional Court ruled that there was a claim for damages because

1. the disclosure of the defendant’s dynamic IP address to Google USA did not involve any personal data;
2. no damage had been caused; and
3. – even if there had been damage – the claim for compensation would be excluded due to abuse of rights.

The defendants appealed against the decision of the Regional Court, so that the case ended up at the Federal Court of Justice (decision of August 28, 2025 – VI ZR 258/24).

The latter found that the case raised questions of EU law interpretation of the GDPR that went beyond national law. It therefore referred three complex questions to the ECJ for a preliminary ruling.

Is the IP address personal data?

The first question concerns whether dynamic IP addresses are personal data.

Specifically, the Federal Court of Justice wants to know whether personal data already exists if any third party – such as the internet access provider – has additional knowledge that allows identification.

Or whether it depends on whether the controller (in this case, the website operator) or the recipient (in this case, Google) itself has the legal and factual means to determine the identity of the person whose IP address was transmitted.

The BGH thus questions the relative approach that has prevailed to date and suggests a possible objective interpretation.

Damage despite deliberate provocation?

The second question referred for a preliminary ruling concerns the interpretation of Article 82(1) GDPR, according to which any person who has suffered material or non-material damage as a result of an infringement of the GDPR is entitled to compensation. The ECJ is to clarify whether non-material damage can also exist if the data subject deliberately and exclusively provokes the infringement in order to be able to claim compensation.

The BGH refers to recent ECJ case law, according to which even a well-founded fear of misuse of personal data can constitute non-material damage. However, it remains unclear whether this approach also applies if the data subject intentionally causes the data transfer – as in the present case, in which over 100,000 websites were visited automatically.

The Regional Court of Hanover had denied damages because the defendant had voluntarily disclosed his IP address and there was no actual impairment.

Not all damage is the same

However, from the perspective of the Federal Court of Justice, it must be clarified what constitutes damage. In German law, lawyers understand this to mean “any involuntary loss of material and immaterial goods as a result of a specific event.” This understanding excludes compensation for damages if the loss is voluntary.

However, the GDPR does not refer to the respective national law for the concept of immaterial damage, so that a so-called autonomous interpretation under EU law must be made. And only the ECJ is allowed to do this.

In the past, the ECJ has had frequent opportunities to comment on the concept of damage. For example, a mere violation of the GDPR is not sufficient; rather, damage must have occurred as a result of this violation. However, a loss of control may be sufficient. And—very importantly—the burden of proof for the occurrence of damage lies with the data subject.

In principle, according to the BGH, such a loss of control could have occurred as a result of the (unlawful) transfer of data to Google – and thus a compensable damage.

However, this consideration may be countered by the fact that the defendant deliberately intended to transfer the data to the US.

Such provocation to violate the law has not yet been the subject of ECJ case law, which is why the BGH is referring this question to the ECJ.

Abuse of rights and limits under EU law

Finally, the BGH would like to know from the ECJ whether, in cases of this kind, a claim for compensation for non-material damage can be ruled out on the grounds of abuse of rights. According to established case law of the ECJ, abusive reliance on EU law is inadmissible, even in relations between private individuals.

The BGH is seeking clarification as to whether the deliberate creation of the conditions for a data protection violation – combined with the aim of obtaining financial advantages from it – already qualifies as abusive conduct within the meaning of EU law. It also remains unclear whether such conduct is only considered an abuse of rights if the financial motivation was the sole determining factor, or whether “mixed” motives – such as an alleged interest in data protection – are also sufficient.

Significance for practice and data protection law – not only when using Google Fonts

The preliminary ruling is of considerable relevance in practice. On the one hand, it touches on the fundamental question of when technical identifiers such as dynamic IP addresses constitute personal data.

This question is particularly relevant for website operators, e.g. also for the use of Google Tag Manager and the need to obtain consent.

On the other hand, the proceedings concern the increasing trend toward “warning letters and claims for damages” in data protection law. If the ECJ also affirms a claim for damages in the case of provoked data protection violations, this could lead to a new wave of warning letters as a source of income for those affected.

If, on the other hand, the ECJ denies the eligibility for compensation or recognizes an abuse, this would prevent attempts to derive financial benefits from targeted GDPR violations.

Outlook

Until the ECJ’s decision, it remains unclear whether the transmission of a dynamic IP address is in itself personal data and whether deliberately provoked data protection violations can constitute compensable immaterial damage. The decision of the Federal Court of Justice (BGH) makes it clear that the relationship between data protection and abuse of rights under the GDPR remains unclear. The ECJ once again has the opportunity to answer fundamental questions of European data protection law.

We are happy to assist you with any questions you may have about data protection.