External links on websites: privacy problem or not?

On almost every website, links to other websites exist. When a visitor clicks on a link, personal data is inevitably transmitted. Is that a problem of data protection? What about link targets in insecure third countries like the US?

Introduction

A link or hyperlinking is a hyperlink that is possible on HTML-pages. An HTML-page is what many understand under the term "web page". HTML stands for HyperText Markup Language.

In HTML there are called Tags. A Tag is an instruction. A Tag controls the appearance or behavior of a text. With the tag <b> for example, bold print can be activated for a text passage. The tag <a> on the other hand defines a link. Example for a link definition:

<a href="https://www.a-link-target.co.uk">Click here to go to the other website</a>

The day is defined by a link target, thus an address goal (URL) and a text enclosed in the a-tag. When the user clicks on the text, the address goal is called up.

Data transfer on click of a link

Only when a user clicks on a link themselves, is data transferred. Only then does data collection take place. Data collection occurs as soon as, based on an offer from a responsible party, data can be received by the provider or a third party and actually become known.

A responsible person in the case of an external link is the link provider, i.e., the person responsible for the website that contains the external link.

The data transferred when clicking on a link are technically necessary and conditioned by the Internet Protocol TCP. TCP stands for Transmission Control Protocol.

The transferred data contain the IP address of the user. The IP address as a network address is a personal value. This has been determined by the ECJ and BGH. It even applies to dynamic IP addresses, i.e., those that are regularly assigned anew. Even if a user receives a new IP address from their internet service provider every day, this is still considered personal data.

Data processing at target link

The link provider is not responsible for data processing carried out by the link target in its own initiative. It would be different if there were an instruction from the link provider. Even a joint responsibility of the link provider and the link target, which can come into being through a contract, is another case.

The link target is therefore itself responsible for processing the data it receives as a result of clicking on the external link on the website of the link provider.

Safe haven in a third country

In a safe third country, an equivalent level of data protection under the GDPR is at least officially and formally ensured.

If the link target is in a safe third country, the provider is only responsible for the data transfer and collection that he himself has initiated. The data transfer is technically necessary. There is nothing for which someone could be responsible. A responsibility may exist. Not being responsible for anything is actually the same as not being responsible at all.

Data collection at the link target is only permitted as far as it is allowed by the GDPR. For example, the link target can take measures to secure systems against hackers, but not record IP addresses for marketing purposes. The link target is responsible for this.

In this case, the provider is actually not responsible due to data transfer nor due to data collection.

In practice, there is no liability for a link provider when linking to targets in safe third countries.

Target location in a foreign country with uncertain security conditions

The consideration of link targets in insecure third countries is more complex. The US remains an insecure third country as long as the American Cloud Act is still in effect in its current form. Any EU regulation will not change this. Unfortunately, the EU has sold out our fundamental rights by agreeing to a purely politically motivated data protection agreement with the US called Data Privacy Framework (DPF). The DPF is based on an Executive Order of the US President, which can be revoked at any time. Regardless of this, EU citizens are not adequately protected from US espionage. The final blow comes from the fact that an organization in the US is referred to as a court, but it is not a proper court, but rather a stage. Regardless of this, one must check which third countries come into play when a service provider is equipped with data. Especially with Google, numerous other third parties from other third countries are often involved, for which there often does not exist an adequacy decision.

Art. 44 GDPR defines general principles for data transfer. These principles state that a transfer of personal data_, „_that has already been processed or is to be processed after its transfer to a third country or an international organisation“ is only permissible under certain conditions.

Data transmission to the US is only permitted after prior consent from a person concerned. Processing of the transmitted data by the link source has not yet taken place.

From this, several questions arise with external links.

Clicking on such a link, has the user then given consent? Consent is according to Art. 4 No. 11 DSGVO "any freely given specific informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data concerning him or her".

A classical consent, as you know it from so-called Cookie Popups, is structured differently. There you click on Accept or Reject. A rejection there should ideally be possible with just as little effort as an acceptance. Consent by clicking on a link, in my opinion, exists when the user has been informed beforehand. Because consent requires a click here, a rejection, on the other hand, does not require a click, so less effort, but even less.