Today I would like to point out the risk of receiving a warning, a risk that is still disputed both legally and technically but is already imminent. It is imminent because courts have already affirmed a violation of competition (or data protection) law if you operate a website without SSL encryption and either process user data on it (for example, for a forum, comments and the like) or, above all, and probably few people are aware of this, have a contact form on the site where someone can enter their data to contact the website owner.
Some had already derived such an obligation for contact forms from Section 13 of the German Telemedia Act. Its 7th paragraph states:
(7) Service providers shall, insofar as this is technically possible and economically reasonable, ensure within the scope of their respective responsibility for telemedia offered on a businesslike basis by means of technical and organizational precautions that
- 1. no unauthorized access is possible to the technical equipment used for their telemedia offerings, and
- 2. these
  - a) against violations of the protection of personal data and
  - b) against disturbances, also as far as they are caused by external attacks,

  are secured.

Precautions according to sentence 1 must take into account the state of the art. A measure pursuant to sentence 1 is, in particular, the use of an encryption method recognized as secure.
These changes to the TMG stem from the Act to Increase the Security of Information Technology Systems, which came into force in August 2015.
Since the GDPR came into force, an obligation has also been derived from data protection law. There are even five-figure claims for damages circulating. Here the now notorious lawyer colleague Sandhage from Berlin has distinguished himself with warnings. One even hit a fellow attorney, and the colleague's opinion was shared by the LG Würzburg in a decision from September 2018.
Since an SSL certificate, even if only one from Let's Encrypt, is part of today's state of the art, it is hard to argue that using one was not possible. Online stores and sites with user-generated content or user data should therefore take no chances and use SSL throughout, which also brings increased user confidence and better SEO scores.