
As I understand it, the GDPR does not permit sending of personal information (which includes the IP address) without prior consent by the user. If that's true, it's basically impossible to fetch any external resources on a website without asking for consent first, so not even style sheets or JavaScript libraries from CDNs. Recently, a German court even fined a website owner for using Google webfonts (German source: golem.de). People at my workplace were advised to host Google fonts locally because of that decision.

That being said, while I was reading about this regulation on https://gdpr.eu/, I noticed that the site itself uses Google webfonts without asking for user consent (see screenshot).

Screenshot of a web page on gdpr.eu in the Firefox browser. The opened network analysis tab shows a GET request to fonts.googleapis.com

What I would like to know is basically: could gdpr.eu be in violation of the GDPR? Or am I misunderstanding the regulation? I am honestly confused. The consent form on the site also implicitly assumes consent, which I thought was also a violation. I've read some questions about the GDPR on here and information from gdpr.eu and other websites, but it's still very unclear to me what is legal and what is not.

I know that an EU regulation can be implemented and interpreted differently from country to country, and that a single court ruling in Germany doesn't even mean that the national law was correctly applied. From what I've read, I get the impression that this particular ruling was not unlikely to be overturned by a higher instance, if it came down to it. So my question probably both pertains to German law specifically and the EU regulation itself.

  • 2
    That's an interesting court decision. If it holds, it would also mean that embedding third-party content without consent is illegal. Good for all of us who do not need/want all that advertisement-clickbaiting all over the place.
    – PMF
    Commented Jan 6, 2023 at 17:51
  • 2
    Please note that the gdpr.eu site is not official in any way. The site is more like a content marketing blog for Protonmail. I agree that it's crappy, both with regards to its technical details and its explainer articles.
    – amon
    Commented Jan 6, 2023 at 21:14
  • 2
    “basically impossible to fetch any external resources” – that's kind of the point. There are no legal issues if the external servers are provided by a site's “data processor”, but there is a problem if the CDN is run by an independent “controller” who would be allowed to use personal data for their own purposes. Google Fonts doesn't offer a data processing agreement, so websites need a legal basis for causing browsers to send data to Google. Hosting assets locally is perfectly fine and often faster, especially since browser cache partitioning and HTTP/2 became mainstream.
    – amon
    Commented Jan 6, 2023 at 21:18
  • 1
    I haven't commented on this aspect of the question but on top of @amon's excellent observations, it also seems that GDPR.eu is basically dormant, so it's not completely surprising it's not up to date on recent case law. Of course, it's not a great look for a site about the GDPR and linked to a company focused on privacy, but for a random 2020 information website that doesn't seem to really do anything, the privacy policy, while not perfect, is not horrible. Just don't take it as a model or worry too much about what they are doing.
    – Relaxed
    Commented Jan 6, 2023 at 21:28
  • 2
    I don't know if it matters or not, but a company sending back a page that contains a reference to a web font isn't doing anything whatsoever with regard to your data by that action. It is simply telling your browser where else the font is located. Your browser makes the connection to the 3rd party to fetch it, and whatever happens there is between you and the 3rd party.
    – user46053
    Commented Jan 7, 2023 at 2:02
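The mechanism the question and the comments describe (the server only emits a reference; the visitor's browser then contacts the third-party host on its own) can be audited statically before deciding what to self-host. The script below is an added example and is not code from the question, the answer or gdpr.eu. It parses an HTML document, resolves every resource reference a browser would fetch, and reports the ones whose host lies outside the page's own site; an optional allowlist covers hosts that are contractually your data processor, the distinction raised in the comments. It goes beyond the single `<link>` case in the screenshot by also catching CSS `@import`/`url()` (the usual way Google Fonts is pulled in), `srcset`, and inline `style` attributes. The sample page, `www.example.org`, `cdn.example.net` and `video.example.net` are constructed for the demonstration; `fonts.googleapis.com` is the host shown in the screenshot.

```python
"""Audit an HTML document for resources a browser would fetch from third-party hosts.

Added example, not code from the question or from gdpr.eu. The sample page and the hosts
www.example.org, cdn.example.net and video.example.net are constructed (assumptions);
fonts.googleapis.com is the host from the question's screenshot.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tag/attribute pairs whose value makes the browser issue a request while parsing the page.
FETCH_ATTRS = {
    "link": ("href",),
    "script": ("src",),
    "img": ("src", "srcset"),
    "source": ("src", "srcset"),
    "iframe": ("src",),
    "video": ("src", "poster"),
    "audio": ("src",),
    "embed": ("src",),
    "object": ("data",),
}

# @import and url(...) inside CSS also trigger fetches.
CSS_URL_RE = re.compile(r"""@import\s+(?:url\()?["']?([^"')\s]+)|url\(\s*["']?([^"')\s]+)""")


class ResourceCollector(HTMLParser):
    """Collect every URL the document tells the browser to load, resolved against the page URL."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.refs = []          # list of (where, absolute_url)
        self._in_style = False

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "style":
            self._in_style = True
        for name in FETCH_ATTRS.get(tag, ()):
            value = attrs.get(name)
            if not value:
                continue
            # srcset holds "url descriptor, url descriptor, ..."; keep only the URLs.
            candidates = ([c.split()[0] for c in value.split(",") if c.strip()]
                          if name == "srcset" else [value.strip()])
            for c in candidates:
                self.refs.append((tag, urljoin(self.page_url, c)))
        if "style" in attrs:            # inline style="background: url(...)"
            self._collect_css(attrs["style"], "style-attr")

    def handle_endtag(self, tag):
        if tag == "style":
            self._in_style = False

    def handle_data(self, data):
        # HTMLParser hands <style> bodies to handle_data verbatim (CDATA mode).
        if self._in_style:
            self._collect_css(data, "style")

    def _collect_css(self, css, where):
        for m in CSS_URL_RE.finditer(css):
            self.refs.append((where, urljoin(self.page_url, m.group(1) or m.group(2))))


def third_party_resources(html, page_url, processor_hosts=frozenset()):
    """Return (where, url) for every fetch that would go to a host outside the page's site.

    processor_hosts: hosts bound to you by a data processing agreement; requests to them
    are not reported. Subdomains of the page's own host count as same-site.
    """
    site = urlsplit(page_url).hostname.lower()
    collector = ResourceCollector(page_url)
    collector.feed(html)
    out = []
    for where, url in collector.refs:
        parts = urlsplit(url)
        if parts.scheme not in ("http", "https"):
            continue                    # data:, blob:, javascript: cause no network request
        host = (parts.hostname or "").lower()
        same_site = host == site or host.endswith("." + site)
        if not same_site and host not in processor_hosts:
            out.append((where, url))
    return out


# Constructed sample page (assumption; not gdpr.eu's actual markup).
SAMPLE_HTML = """<!doctype html>
<html><head>
<link rel="stylesheet" href="https://fonts.googleapis.com/css?family=Roboto">
<link rel="stylesheet" href="/static/site.css">
<style>
@import url("https://fonts.googleapis.com/css2?family=Open+Sans");
body { background: url(/img/bg.png); }
</style>
<script src="//cdn.example.net/lib.js"></script>
</head><body style="background: url('data:image/png;base64,AAAA')">
<img src="/img/logo.png" srcset="/img/logo@2x.png 2x, /img/logo@3x.png 3x">
<iframe src="https://video.example.net/embed/1"></iframe>
</body></html>"""

PAGE_URL = "https://www.example.org/privacy"


def audit_sample():
    """Run the audit over the constructed page; returns the third-party fetches found."""
    return third_party_resources(SAMPLE_HTML, PAGE_URL)


if __name__ == "__main__":
    for where, url in audit_sample():
        print(f"{where:10s} {url}")
```

On the sample page this reports the two Google Fonts references (one from a `<link>`, one from a CSS `@import`), the protocol-relative script on `cdn.example.net` and the iframe on `video.example.net`, while the same-site assets and the `data:` URL are ignored. The check is static: it does not see fetches that scripts trigger at runtime, so the browser's network tab, as in the screenshot, stays the authoritative check after self-hosting.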

1 Answer


As I understand it, the GDPR does not permit sending of personal information (which includes the IP address) without prior consent by the user.

That's not exactly true; consent is merely one of six possible legal bases for processing (article 6). For example, processing of personal data can also be lawful if it is necessary to perform a contract, legally mandatory, or in the public interest.

The court decision acknowledges that but rules out another basis in this case because it considers that it is possible to serve fonts without relying on a third party ([…] the use of the fonts is also possible without a connection from visitors to external servers having to be established). Confusingly, it only refers to article 6(1)(f) when it seems to me that (b) would also be plausible, but maybe this wasn't raised during the proceedings?

If the data controller cannot invoke any other basis for the lawfulness of the processing then yes, the only thing left is asking for consent, i.e. invoking article 6(1)(a). But that doesn't mean that you should expect to be asked for consent each and every time your personal information is being used.

The consent form on the site also implicitly assumes consent, which I thought was also a violation.

Yes, implying consent doesn't really make sense under the GDPR definition (article 4, see also article 7):

‘consent’ of the data subject means any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action

European data protection authorities have issued guidelines that detail what that means and clearly reject “bundling” different data processing. The regulation also makes it clear that data subjects should be able to withdraw consent at any time, which does not seem possible with the fonts on golem.de.

My reading of all this is that assuming consent because you are using a service (or even created an account or checked a box at some point) simply isn't valid consent. Either you don't need consent at all in the first place or what you need is freely given, specific consent and “implying” consent or bundling it with a registration process achieves exactly nothing. But this is still extremely common and it might take some time before enforcement and case law definitively settle this question.

Smart data controllers trying to avoid collecting consent (like Meta) have abandoned any claim that signing up to their services would constitute consent (because that's transparently not the case) and try to bypass the issue entirely using another basis like contractual necessity. This is also being litigated.

I know that an EU regulation can be implemented and interpreted differently from country to country, and that a single court ruling in Germany doesn't even mean that the national law was correctly applied. From what I've read, I get the impression that this particular ruling was not unlikely to be overturned by a higher instance, if it came down to it. So my question probably both pertains to German law specifically and the EU regulation itself.

That sounds more like the way EU directives work. Regulations are supposed to be immediately applicable (no implementation in national law necessary) with minimal differences between countries (except when they explicitly provide for that). Of course, enforcement would still mostly be in the hands of national court systems and (in Germany) provincial data protection authorities, but there are mechanisms to ensure consistency (the European Data Protection Board, prejudicial questions to the CJEU, infringement proceedings from the European Commission).
