Data protection with the involvement of US service providers
In recent weeks, website operators - especially SMEs - have frequently received warnings and claims for damages over their use of "Google Fonts". These are fonts that are retrieved by default from Google servers in the USA when the website is accessed. The thousands of letters were triggered by a ruling of the Munich Regional Court. In a case before it, the court found that the use of Google Fonts not only constitutes a breach of data protection law, but also easily justifies a claim for damages. The legally highly questionable nature of the warnings subsequently sent out by allegedly affected parties was reported extensively in the media, and VOELKER supported various clients in their defense against the claims.
However, one follow-up question to this wave of warnings remains: Is there a threat of further waves of warnings for data protection violations in the future? The problem behind the "Google Fonts" warnings concerns the transfer of data to the USA. Since the so-called "Schrems II" ruling of the ECJ, there is no longer a general agreement between the USA and the EU that legitimizes data transfer to certain companies in the USA under data protection law if certain conditions are met. Without such an agreement, services that require data to be transferred to servers of US service providers by default regularly face difficulties under data protection law. This is exemplified by the fact that not even state institutions in Germany are currently able to use services such as "Microsoft Office 365" in compliance with data protection law (or at least this is highly controversial). The aforementioned difficulties arise with any involvement of US service providers, for example when using certain hosting or cloud service providers or using some tracking and advertising networks. Because the use of such critical services can often be checked simply by surfing the website, there is the potential for further waves of warnings due to the low level of effort involved. It should be noted that the mere promise of a hosting provider such as AWS to only use servers located in Frankfurt will not be enough to solve the problem. This is because there is still a possibility of access by the respective US company.
However, a solution is on the horizon: a new intergovernmental agreement - the "EU-US Data Privacy Framework" - is set to replace the "Privacy Shield" agreement, which was declared invalid by the "Schrems II" ruling, as early as spring 2023. This would enable data protection-compliant transfers to the USA, at least to those companies in the USA that are certified under the framework. However, lawsuits against this new agreement have already been announced. The reason for this is that the new "EU-US Data Privacy Framework" is essentially a continuation of the previous agreement, which has been declared invalid. Nevertheless, the new agreement may provide a solution, at least for a transitional period. Further developments will therefore have to be monitored closely.
However, the current waves of warnings could also come to their longed-for end for a completely different reason: since August 2021, proceedings have been pending before the ECJ to finally clarify whether so-called "trivial damages" can be claimed at all with reference to the GDPR. This could at least eliminate the current financial incentive to issue mass warnings.