Anyone who embeds third-party content on their website via an IFRAME can be held liable. Both copyright law and data protection law must be taken into account. External files should be avoided wherever possible. Instead, local copies of external files should be used, which is not always possible with IFRAMES.
Introduction
When an IFRAME is displayed on a website, the IP addresses of the website's users are transferred to third parties. A transfer of personal data therefore takes place, so the standards of the GDPR should be applied. Cookies may also be transferred.
Often IFRAMES are unknowingly embedded, for example when embedding YouTube videos.
In addition, external content is loaded via IFRAMES and displayed on the website currently being visited. This requires consideration under copyright law.
Liability on copyright grounds
Infringement of copyrights
Anyone who embeds copyright-protected content via an IFRAME, even though the author has taken technical measures to prevent this, is in breach of copyright law. This is at least the case if these measures are circumvented. The measures are obviously circumvented if the integrated IFRAME displays the copyrighted content.
The European Court of Justice (ECJ) decided this in a judgment of 09.03.2021 (C-392/19) in the matter VG Bild-Kunst ./. Stiftung Preußischer Kulturbesitz. On 09.09.2021, the Federal Court of Justice (BGH) confirmed this judgment (Nr. 169/2021).
Interference liability
In a ruling of 14.09.2012 (Case No.: 6 U 73/12), the Higher Regional Court Cologne found that the operator of an internet site had not committed copyright infringement by incorporating content via IFRAME. If one incorporates contents via IFRAME, these are made publicly accessible according to the Higher Regional Court Cologne, and thus no copyright infringement can occur. Without this condition, however, no copyright infringement can exist.
In this respect, the website operator can only be held liable as a disturber.
Should the operator become aware of an infringement of copyright, he can be expected to refrain from integrating the third-party content by means of an IFRAME on his homepage.
Therefore, by the way, the so-called disclaimer, which is supposed to exclude liability for external content, is bullshit. Rather, it is a harmful disclaimer, because the statement excluding liability has no positive effect. On the other hand, there can be a negative effect, although not with too high a probability. After all, the operator of the website declares that he does not bear liability for external content. This raises the question of whether the operator only declared this because he already had knowledge of the external content. If he had this knowledge, he would be directly liable from the moment he gained it. He should be reproached for not reacting immediately and not removing the references to the external content immediately.
All other disclaimers I'm familiar with are just as harmful. You can't exclude liability any further than what the law already provides for. Whoever wants to exclude lawsuits through a hint should change doctors. ([1])
Targeted integration without labeling
Anyone who embeds text, an image, a video, audio files or other content separately from other content via IFRAMES and does not make this sufficiently clear can be held liable in the event of legal infringements.
This was clarified by the Higher Regional Court of Düsseldorf in its judgment of 08.11.2011 (Case No.: I-20 U 42/11).
Liability for data protection reasons
Cookies
If cookies are transferred or generated when loading IFRAME content, consent is likely required. This follows from the Telemedia Act, which must be complied with in accordance with the ePrivacy Directive. See the BGH judgment of 28.05.2020 – I ZR 7/16. For embedded YouTube videos, consent is required regardless of cookies! Brief summary: This applies on the basis of Art. 5 GDPR (data minimization) alone. Anyone who wants to can additionally cite the data transfer to insecure third countries as a reason.
Data minimization
When IFRAME content is sourced from a third party with whom there is no contractual relationship, there is often at least an infringement of Article 5 GDPR (data minimization). A suitable contractual relationship to avoid problems could be a processing contract if the contractor is based in Germany, the EU or at least in a secure third country.
Even with contractual protection, data transfer must remain within an acceptable framework. Tracking, i.e., tracing users, should not be the purpose of IFRAME integration. In that case, consent would probably be necessary. ([1])
Data transfer to unsafe third countries
If the embedded content is located on a server outside of the EU, Article 44 GDPR becomes relevant. It regulates data exchange with insecure third countries.
Technical problems with IFRAMES
IFRAMES are a technology that was increasingly used in the past. Nowadays, IFRAMES should only be used in an emergency if it is technically necessary. But here, too, there are problems that are more of a technical nature.
If you embed an IFRAME on a website in such a way that content from the embedding website appears above or below the IFRAME, it is, hard as it may be to believe, difficult to set the height of the IFRAME correctly. The height of an IFRAME is basically unknown. If the height were known for one resolution, the height would no longer be the same for a different resolution. In addition, IFRAME content is often dynamic, so the height is even less predictable.
If there are links to the privacy policy or imprint under the IFRAME, things get even more amusing. If you were to make the height of the IFRAME very large in order to be able to display all content in the IFRAME without scrolling, the distance to the links mentioned would possibly be too large. The user might not be able to find the links. As a consequence, the legal notice and privacy policy could be considered unavailable.
However, if the height of an IFRAME is too small, ugly scrollbars are created. On a smartphone, this quickly results in nested scroll areas: The outer area, the actual website, must be scrolled. The inner area, the IFRAME, must also be scrolled. No user likes this and many would not be able to view all the content.
Recommendations for those responsible
External content should not be integrated via IFRAME if there are other options. This is because the site operator ultimately has no control over the external content. Apart from that, problems with the General Data Protection Regulation can easily arise. Technically, IFRAMES are also difficult to control.
If third-party content is displayed via IFRAMES, this should be clearly marked. In addition, a notice should be added stating that the integration of the content in question will be removed if we become aware of any legal infringements.
For data protection reasons, YouTube videos should not be embedded via IFRAME, nor loaded without consent. My recommendation: Avoid YouTube videos or link a thumbnail image (further alternatives are mentioned in my article).
Supplement privacy policy
Any transmission of personal data must be mentioned in the data protection declaration, among other things so that the user has the opportunity to object to it or to demand the deletion of the data stored about him.
To be sure, every page of an online presence must be checked for IFRAME content. Then a decision can be made as to which IFRAMES are acceptable and need to be mentioned in the privacy policy, and which ones should be replaced or removed.
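One way to carry out the page-by-page check described above, as an added example that is not part of the original article: it parses each page's HTML, resolves every IFRAME source against the page URL and lists the third-party hosts that would receive visitors' IP addresses. The sample pages, the example.org and example.net host names, the VIDEO_ID placeholder and all function names are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

class IframeCollector(HTMLParser):
    """Collects the src attribute of every <iframe> in one HTML document."""
    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser lowercases tag and attribute names, so <IFRAME SRC=...> matches too.
        if tag == "iframe":
            self.sources.append(dict(attrs).get("src") or "")

def audit_page(page_url, html):
    """Return one finding per IFRAME: embedding page, resolved src, host, third-party flag."""
    collector = IframeCollector()
    collector.feed(html)
    own_host = urlsplit(page_url).hostname
    findings = []
    for src in collector.sources:
        resolved = urljoin(page_url, src)  # resolves relative and //host/path sources
        host = urlsplit(resolved).hostname
        # Exact host comparison: subdomains of the own domain are listed as well,
        # so they get reviewed by hand instead of being silently trusted.
        findings.append({"page": page_url, "src": resolved, "host": host,
                         "third_party": host is not None and host != own_host})
    return findings

def third_party_hosts(pages):
    """Map each third-party IFRAME host to the pages that embed it."""
    hosts = {}
    for page_url, html in pages.items():
        for finding in audit_page(page_url, html):
            if finding["third_party"]:
                hosts.setdefault(finding["host"], []).append(page_url)
    return hosts

# Constructed sample pages (not taken from any real site).
SAMPLE_PAGES = {
    "https://www.example.org/videos":
        '<h1>Videos</h1><iframe src="https://www.youtube.com/embed/VIDEO_ID"></iframe>',
    "https://www.example.org/contact":
        '<IFRAME SRC="//maps.example.net/embed?q=office"></IFRAME>'
        '<iframe src="/widgets/form.html"></iframe>',
    "https://www.example.org/imprint": "<p>No embedded content.</p>",
}

if __name__ == "__main__":
    for host, embedding_pages in third_party_hosts(SAMPLE_PAGES).items():
        print(host, "embedded on", embedding_pages)
```

Each host in the result is a candidate for the decision described above: mention it in the privacy policy, replace it, or remove it.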




My name is Klaus Meffert. I have a doctorate in computer science and have been working professionally and practically with information technology for over 30 years. I also work as an expert in IT & data protection. I achieve my results by looking at technology and law. This seems absolutely essential to me when it comes to digital data protection. My company, IT Logic GmbH, also offers consulting and development of optimized and secure AI solutions.
