German court asks EU to clarify IP address data protection rules

Germany's highest civil court referred critical questions about IP address classification and GDPR compensation claims to the Court of Justice of the European Union on August 28, 2025. The Bundesgerichtshof's preliminary ruling request in Case C-654/25 addresses whether dynamic IP addresses transferred through Google Fonts integration constitute personal data when recipients cannot reasonably identify users.

The case involves a website operator who received a warning letter demanding EUR 170 in October 2022 after a visitor's IP address was automatically transmitted to Google USA through the dynamic loading of Google Fonts. According to the court documents, the first defendant utilized automated web crawler software specifically programmed to identify websites using dynamically integrated Google Fonts. The defendant's system checked large numbers of websites automatically, visiting the applicant's website by automated means through specialized software.

The defendant sent more than 100,000 such warning letters to various website operators, according to court filings. Each letter claimed GDPR violations and requested EUR 170 to resolve the matter. The applicant paid this amount on October 25, 2022, but subsequently demanded reimbursement after media reports about the defendant's systematic campaign emerged.

Lower courts reached contradictory conclusions about whether the IP address transfer involved personal data. The Regional Court of Hanover ruled on July 1, 2024, that the applicant could recover the payment under German law governing intentional harm and unjust enrichment. That court held the dynamic IP address transfer to Google USA did not involve personal data within GDPR's meaning because neither the applicant nor Google USA had legal means reasonably likely to identify the first defendant using the IP address.

The Court of Justice previously addressed IP addresses in October 2016, ruling that dynamic IP addresses registered by online media service providers constitute personal data when providers have legal means enabling identification through additional data from internet service providers. The German court now questions whether that standard applies differently when information is transferred rather than stored.

The Bundesgerichtshof identified three possible approaches to determining personal data status during transfers. First, information could be personal data if any third party possesses additional knowledge required for identification, regardless of whether the transferring controller or recipient can identify individuals. Second, personal data status could depend on whether the controller responsible for transfer or the recipient has means reasonably likely to identify the data subject. Third, if the second approach applies, courts must determine whether abstract legal possibilities for identification suffice or whether conditions must be fulfilled in both fact and law in specific cases.

According to the court documents, both the applicant and Google USA theoretically possessed legal avenues for obtaining identification through criminal procedure provisions and telecommunications law. German law permits authorities to request subscriber data from internet service providers under certain conditions. However, factual prerequisites were not established—neither party demonstrated storing the IP address long enough to enable such inquiries, and legal conditions for information requests were not satisfied.

The compensation question centers on whether automated, large-scale triggering of GDPR violations can constitute non-material damage. The appeal court found no damage occurred because the first defendant deliberately caused the data transfer for documentation and claims purposes. The defendant visited the applicant's website with certain knowledge that accessing sites using dynamic Google Fonts would forward his IP address to Google USA.

Court precedent establishes that GDPR damage requires more than mere infringement. According to the ruling, fear of potential data misuse can constitute non-material damage when that fear is well-founded given specific circumstances. However, purely hypothetical risks or mere allegations without proven negative consequences prove insufficient for compensation.

The German court ruling on Google Tag Manager delivered March 19, 2025, reinforced that IP address processing requires explicit legal basis under GDPR Article 6. That decision found automatic data transmission to external servers violated both telecommunications privacy requirements and data protection provisions.

The Bundesgerichtshof's third question addresses abuse of rights doctrine. European case law establishes that EU law cannot be relied upon for abusive ends, even between private persons. Proving abusive practice requires objective circumstances showing formal compliance while failing to achieve legislative purposes, plus subjective intent to obtain advantages by artificially creating conditions for those advantages.

The court asked whether compensation rights under Article 82(1) GDPR can be denied when data subjects knowingly cause infringements solely to document violations and assert claims. According to court documents, the appeal court could not rule out that the defendant's actions also intended to draw website operators' attention to data protection concerns associated with dynamic Google Fonts integration.

Financial motivations were clearly present. The appeal court found financial interests at minimum were clearly at the forefront of the first defendant's motivation. However, the court acknowledged that economic activities may have explanations beyond mere advantage-seeking, potentially precluding abuse findings.

The preliminary ruling request reflects fundamental tensions in European data protection frameworks. Privacy rights must balance against legitimate business operations and technological functionality. The European Commission's proposed Digital Omnibus amendments would narrow personal data definitions by introducing relativity based on controllers' reasonable identification means.

Marketing technology implementations face particular scrutiny. The Swedish pharmacy data transfer case resulted in SEK 37 million in penalties for Apoteket AB when Meta Pixel advanced matching features transferred customer data without adequate security measures between January 2020 and April 2022. Those violations involved health-related purchase information transmitted through tracking technologies embedded in pharmacy websites.

The case demonstrates how third-party integrations create liability exposure. Google Fonts provides website operators access to more than 1,500 fonts free of charge. Default settings enable dynamic integration where fonts download via Google servers when domains are requested through browsers. This architectural choice transmits visitor IP addresses to Google USA unless website operators adjust settings to integrate fonts locally.

Technical implementation details matter for compliance assessments. According to court filings, the applicant had not modified default settings to prevent data transfers. When browsers request websites using dynamically integrated Google Fonts, the fonts are downloaded from Google servers and respective IP addresses are transferred to Google in the United States.

Data minimization principles require controllers to implement least invasive processing methods. The court noted that Google Fonts can be used without establishing connections to Google servers, which precludes IP address transfers. This alternative implementation would have prevented the alleged violation while maintaining website functionality.

The preliminary ruling mechanism enables national courts to clarify EU law interpretation before deciding cases. Article 267 TFEU requires courts of final instance to refer questions when EU law interpretation proves necessary for judgment. The Bundesgerichtshof stayed proceedings pending the Court of Justice's response.

Systematic enforcement campaigns raise distinct compliance questions. The WetterOnline data access complaint filed February 12, 2025, addressed whether companies can refuse data subject access requests citing disproportionate effort. Privacy group noyb challenged weather app provider WetterOnline's denial of Article 15 GDPR access rights, arguing no exception permits effort-based refusals.

Professional complaint operations involving automated systems and mass mailings differ from individual privacy grievances. The first defendant's web crawler systematically scanned websites for Google Fonts integration, automatically accessing sites through specialized software rather than manual browsing. This industrialized approach generated more than 100,000 warning letters demanding standardized EUR 170 payments.

The appeal court characterized the defendants' conduct as violating common decency standards under German law. Paragraph 826 of the German Civil Code establishes liability for intentional harm caused in manners offending common decency. The court found the first defendant lacked legitimate claims under Article 82(1) GDPR, making the warning letter and payment demand actionable under domestic tort principles.

Legal basis requirements for international data transfers remain contested. Article 44 GDPR requires personal data transfers to third countries to comply with specific conditions ensuring protection levels not undermined. The appeal court left open whether the IP address transfer to Google USA met Article 6(f) legitimate interest provisions and Article 44 transfer requirements.

The case arrives as Google faces multiple privacy enforcement actions. A San Francisco federal jury delivered a $425.7 million verdict on September 3, 2025, finding Google violated privacy rights of nearly 100 million users through Firebase SDK data collection that continued despite disabled Web & App Activity settings.

Data protection authorities across Europe have imposed substantial penalties for tracking technology violations. France's CNIL fined Google EUR 325 million on September 1, 2025, for displaying advertisements in Gmail without consent and violating cookie requirements during account creation.

The Court of Justice's forthcoming ruling will establish how GDPR's personal data definition applies when controllers transfer information to third parties with varying identification capabilities. The decision carries implications for countless websites using third-party resources, content delivery networks, analytics platforms, and advertising technologies that necessarily transmit visitor IP addresses.

Website operators face difficult choices balancing functionality, user experience, and compliance obligations. Local font integration eliminates data transfers but requires additional storage and maintenance. Dynamic integration through content delivery networks reduces infrastructure costs but creates data processing events triggering GDPR requirements.

Professional service providers must evaluate whether standard implementations meet data protection requirements. The European Data Protection Board's clarification on DSA compliance adopted September 11, 2025, addressed how platforms process personal data while meeting Digital Services Act obligations, creating additional compliance frameworks for technology integrations.

The preliminary ruling request reflects broader debates about balancing privacy enforcement against vexatious litigation. Systems designed to protect fundamental rights must not become vehicles for systematic extraction of settlements from technically non-compliant but functionally harmless practices.

Timeline

• October 19, 2016: Court of Justice rules dynamic IP addresses constitute personal data for providers with legal means enabling identification
• October 2022: Website operator receives warning letter demanding EUR 170 for Google Fonts IP address transfer
• October 25, 2022: Applicant transfers EUR 170 to defendant's account
• July 12, 2023: Amtsgericht Hannover orders defendant to pay EUR 70
• July 1, 2024: Landgericht Hannover modifies judgment ordering EUR 170 payment to applicant
• August 28, 2025: Bundesgerichtshof refers preliminary questions to Court of Justice
• September 1, 2025: French CNIL fines Google EUR 325 million for Gmail advertising violations
• September 3, 2025: San Francisco jury awards $425.7 million against Google for Firebase privacy violations
• September 4, 2025: Court of Justice clarifies personal data definition in pseudonymized transfers
• October 6, 2025: Anonymized court decision published as Case C-654/25

Summary

Who: Germany's Bundesgerichtshof referred preliminary questions to the Court of Justice of the European Union in a case between a website operator (applicant) and two defendants who systematically sent warning letters demanding EUR 170 payments for alleged GDPR violations involving Google Fonts IP address transfers.

What: The court seeks guidance on three critical questions: whether dynamic IP addresses transferred to third parties constitute personal data when recipients cannot identify users; whether non-material damage occurs when data subjects knowingly cause GDPR violations through automated means for claims purposes; and whether abuse of rights doctrine can deny compensation when infringements are deliberately triggered solely to assert claims.

When: The Bundesgerichtshof issued its preliminary ruling request on August 28, 2025, following lower court proceedings that began after the applicant received a warning letter in October 2022 and paid EUR 170 on October 25, 2022.

Where: The case originated in Germany involving a website accessible globally, with IP address transfers to Google USA, and will be decided by the Court of Justice of the European Union with implications across European Union member states.

Why: The case addresses fundamental questions about how GDPR's personal data definition applies during information transfers when different parties have varying identification capabilities, whether systematic triggering of technical violations constitutes compensable harm, and how privacy frameworks should address potential abuse through industrialized compliance enforcement campaigns involving automated systems and mass warning letters.