For data protection reasons, social media plugins such as those from Facebook or Twitter are highly critical. What about simple links to social media platforms and other websites? The question of responsibility applies to every website operator who uses external links on their website.
Introduction
Almost every website links to third-party content. This is done using so-called hyperlinks, which I also refer to as external links. Every website should have a few of these links, so that search engines can assess the quality of the website (SEO = Search Engine Optimization = Search Engine Optimization). SEO measures are particularly carried out on the website itself, which is also referred to as Onpage Optimization. The externally linked content should naturally fit the topic of the website and be embedded at an appropriate place in the text. In contrast, Link Building is assigned to Offpage Measures. Here it's about getting as many backlinks as possible. Whoever sets a backlink must again take on some responsibility for this external link. Exactly that's what this article is about.
Update:
According to Section 19 (3) TTDSG, the user must be notified of any forwarding (via external links) to another website.
§ Section 19 (3) TTDSG
Update May 2024: The TTDSG was incorporated into the TDDDG with the same wording. Wherever TTDSG is written, TDDDG must be written from now on.
Besides, there are always internal links, which point to the website itself that was just visited. Examples include menu points such as imprint, contact form, press releases, blog articles etc.
External and internal links** are often indistinguishable from one another. Most websites I'm familiar with use underlined text to indicate links. Whether it's a link to a third party, such as a Google Maps address, is often unclear. Here's an example from the t3n website:
The internal link points to your own website, the external link to gesetze-in-bayern.de. The two links are visually indistinguishable from each other.
Responsibility for hyperlinks
At least when clicking on a link, personal data of the user as a visitor of a website is transmitted. The website operator could be held responsible for causing this transmission. Not infrequently, the linked website is in American hands. Here many people ask themselves about the Schrems II problem (Privacy Shield, American intelligence services).
The aforementioned personal data essentially consist of the network address of the user, which is also referred to as an IP address. This has been considered personal since the ECJ ruling “Breyer“ since 2016. Already in 2011, the ECJ had decided this for static IP addresses. The judgment from 2016 made it clear that this also applies to dynamic IP addresses. The BGH confirmed the judgment a year later for Germany. By the way, cable-bound IP addresses are predominantly of a static nature, even if they occasionally change. On the other hand, DSL connections have more dynamic IP addresses, which often only have an attachment lifetime of one day or a few days. Fully static IP addresses can now be booked in addition to an internet connection for a few euros per month. With such static addresses, one's own network can be reached from outside more reliably.
External links on your website should be marked as such.
This reduces the legal risk for links to virtually zero.
In addition comes person-related data, which is also considered personal (cf. statements of the Article 29 Data Protection Group, predecessor of the European Data Protection Board EDSA). These data are metadata or (technical) traffic data. This includes, for example, information about the browser and operating system used. These data are also used for Fingerprinting.
For data processing at the link target, i.e., the website called up via a link, the provider is initially not responsible. It can be different if it is known or should be known that the link target commits unlawful contents or data processing. Making works accessible can mean an infringement of copyright (but does not have to). Not only links, but also so-called framing play a role here (cf. BGH judgment of 09.07.2015 – Az. I ZR 46/12). On this I cannot go into further detail for technical reasons due to complexity.
It is clear to me: When providing a link to a third party's website, there is a certain risk of liability. This risk may not be great, but I consider it to exist.
I have already extensively examined the question of responsibility for external links some time ago in a separate piece. Please use the link from the previous sentence! It can certainly be that one day a court will decide that an external link leads to liability. Then I'd like to see the excitement on the internet among those who were not prepared for it.
Recommendations
To eliminate the risk and achieve a constructive result with as little effort as possible, I recommend the following:
- Mark all external links.
- Provide a clearly visible reference to the labeling for external links on every page.
- Provide information on external links in your privacy policy.
Labeling external links** can be done, for example with a suitable symbol that appears after the link text. You see an example here on Dr. GDPR. I'm inserting an external link here, so you can see how it looks: That's what Wikipedia has to say about hyperlinks.
My name is Klaus Meffert. I have a doctorate in computer science and have been working professionally and practically with information technology for over 30 years. I also work as an expert in IT & data protection. I achieve my results by looking at technology and law. This seems absolutely essential to me when it comes to digital data protection. My company, IT Logic GmbH, also offers consulting and development of optimized and secure AI solutions.
