I have an img on my website which is used as the profile picture of the user. It is embedded as <img src="${Hotlink}". The user can specify an URL and that is used as his profile picture.
What are the legal implications of this, does this under any Copyright or similiar issues?
Where do I look the legal paragraphs up myself?
Landgericht München I published a verdict on 10.01.2007 (AZ: 21 O 20028/05) that explicitly dealt with hotlinking a photo to embed it into a webpage. It was held, that this violates copyrights, if you present the work to a previously not impacted part of the public.
This sentiment was mirrored by the highest European court, the EuGH in the verdict of 09.03.2021 (Az. C 392/19) after the BGH asked about a very similar situation with videos. You can not legally embed or frame someone elses media (videos, images etc) on your page if the owning party has made even the tiniest (even ineffective!) protections. If such protections do not exist, then framing and hotlinking can be allowable.
What are the legal implications of this, does this under any Copyright or similiar issues?
So lets say I browse your site and then the code on your site makes a GET request to a third party site for an image, leaking my IP address to a third party.
Welcome to your very own DSGVO (=GDPR) violation. You would basically need to have me sign a consent form to leak my private data to random strangers all over the internet. Not going to happen.
You can either download the picture to your backend server and then serve me this picture from your server, or you can ask for my consent before you send my browser to download this picture from a third party source. That is how many sites link facebook posts and twitter posts nowadays with all their connected "like" buttons.
If you allow your code to automatically give my private information to a third party, you will be liable. Not for anything the third party could do wrong with it, just for the simple fact that you did.
Feel free to read through LG München I, Endurteil vom 20.01.2022 - 3 O 17493/20.
Partial Quote from the written judgement linked above:
The dynamic IP address constitutes personal data for a website operator because the website operator has abstract legal means that could reasonably be used to have the person concerned identified with the help of third parties, namely the competent authority and the internet access provider, on the basis of the stored IP addresses (BGH, judgment of 16.05.2017 - VI ZR 135/13). It is sufficient for the defendant to have the abstract possibility of identifying the persons behind the IP address. It does not matter whether the defendant or Google has the concrete possibility of linking the IP address to the plaintiff.
the defendant violated the plaintiff's right to informational self-determination by forwarding the dynamic IP address to Google when the plaintiff accessed the defendant's website.
