This country-specific Q&A provides an overview of Artificial Intelligence laws and regulations applicable in Germany.
What are your countries legal definitions of “artificial intelligence”?
German law does not provide a definition for “artificial intelligence” (AI). The AI strategy of the German government draws on the concepts of a “weak” and “strong” AI, whereby there is a clear focus on weak AI, i.e. “the solution of concrete application problems on the basis of mathematical methods and computer science, whereby the developed systems are capable of self-optimization. To this end, aspects of human intelligence are also modelled and formally described, or systems are constructed to simulate and support human thinking”. The Federal Office for Information Security (BSI) refers to the definition developed by the EU Commission’s High-Level Expert Group on AI (HLEG) describing AI systems as “software and hardware systems that use artificial intelligence to act “rationally” in the physical or digital world. Based on perception and analysis of their environment, they act with a certain degree of autonomy to achieve certain goals”. Decisive will be the definition provided by the upcoming EU AI Act. On June 14, 2023 the European Parliament proposed the following definition: ‘‘‘artificial intelligence system’ (AI system) means a machine-based system that is designed to operate with varying levels of autonomy and that can, for explicit or implicit objectives, generate outputs such as predictions, recommendations, or decisions, that influence physical or virtual environments.” While the EU Commission’s initial proposal focused on listed technologies, the definition developed by the EP is technology neutral and relies on functional qualities. This provides more flexibility, which will likely be necessary considering the current rapid developments, but, on the other hand, the breadth of this definition will lead to additional room for interpretation.
Has your country developed a national strategy for artificial intelligence?
The German government developed a national strategy for artificial intelligence with input from various experts in the field. The national strategy is supposed to determine the framework for the further development and use of AI in Germany.
Key topics of the national strategy are, amongst others:
supporting research and development in Germany,
creating EU innovation clusters and participating in EU innovation competition,
using AI in governmental administration,
adopting legal framework and
facilitating use and processing of data.
Has your country implemented rules or guidelines (including voluntary standards and ethical principles) on artificial intelligence? If so, please provide a brief overview of said rules or guidelines. If no rules on artificial intelligence are in force in your jurisdiction, please (i) provide a short overview of the existing laws that potentially could be applied to artificial intelligence and the use of artificial intelligence, (ii) briefly outline the main difficulties in interpreting such existing laws to suit the peculiarities of artificial intelligence, and (iii) summarize any draft laws, or legislative initiatives, on artificial intelligence.
Germany advocates regulation based on harmonized European rules, so no specific general rules or guidelines were passed. Still, limited sector-specific regulation exists. Specific rules were already introduced on July 28, 2021 allowing the operation of High Driving Automations vehicles (SAE 4). Systems that permanently take over the guidance of the vehicle, and which can also cover longer distances within a defined operating zone without human intervention are permitted. The actual use of AI for SAE 4 vehicles is limited thus far, but would be permitted under such regulation.
Contracts concluded by an AI are controversially discussed since, contrary to contracts concluded by “classic” software, the AI is able to act autonomously, so the attribution of a decision to its operator is questionable. It is argued that the operator set the framework for the AI to operate, but specifically a self learning AI might be able or even be intended to redefine that framework. Specific framework contracts concluded between the operator and the user are also being discussed, specifically addressing the legal effects of an AI-based decision for the parties. Applying rules on legal representation is another issue in discussion, but this would require attributing a legal identity to the AI. Cases where the AI had exceeded its power of representation are also unresolved.
A good example for interpretation problems, when applying even brand-new existing laws to AI, are the text and data mining exceptions provided by Art. 3, 4 Digital Single Market Act, which are also implemented into German law. Data mining is defined as an automatic analytical technique aimed at analyzing text and data in digital form in order to generate information. Aimed at scientific respectively commercial users, these exceptions permit the reproduction and extraction of copyright-protected material for data mining purposes, subject to certain limitations, in particular the legitimacy of the source and the right to opt out. The preliminary remarks to the Directive stress the significance of text and data mining for the development of new applications or technologies. Therefore, it is not surprising that these exceptions are widely discussed as legal bases for crawling the Internet to create learning data required for training generative AI models. Still, when drafting the text and data mining exceptions, the European legislator was not aware of the huge impact Generative AI might have on the creative world, as it can write or even produce images or music in the style of a certain artist. Also other aspects, such as the artists moral rights or the question of whether a work created by an AI based on arguably legitimately collected training data may still qualify as a derivate work, still have to be clarified. Besides the interpretation problems for existing regulations, this example highlights the need for flexibility of any AI regulation, as the unprecedented speed at which this technology is presently evolving will lead to numerous legal issues that we cannot anticipate today.
Which rules apply to defective artificial intelligence systems, i.e. artificial intelligence systems that do not provide the safety that the public at large is entitled to expect?
In general, any defective AI system embodied in a product causing a defect in the product can be subject to the German product liability law, the Produkthaftungsgesetz (ProdHaftG). The ProdHaftG stems from the European product liability directive 85/374/EEC. This should provide for the same level of protection EU-wide.
The requirements for liability according to Section 1 of the ProdHaftG are:
Damage is caused to a protected legal interest (death, injury to body or health, damage to an object),
by a defective product,
resulting in (financial) damages and
no legal exception according to Section 1 para. 2, para. 3 ProdHaftG applies.
Besides that the product liability law, claims based on contractual obligations (if existing) and “standard” civil liability according to e.g. Section 823 of the German Civil Code, the Bürgerliches Gesetzbuch (BGB) can apply in parallel.
Please describe any civil and criminal liability rules that may apply in case of damages caused by artificial intelligence systems.
The applicable civil rules depend significantly on the actual damage caused and legal interest concerned.
If privacy issues are concerned, the GDPR and the respective German national act, the Datenschutz-Grundverordnung (DSGVO) provide for the basic remedies (see topics 12 and 13).
If damage is caused to a person, the Produkthaftungsgesetz (ProdHaftG) and “standard” civil liability according to e.g. Section 823 Bürgerliches Gesetzbuch (BGB, German Civil Code) apply in parallel to any contractual obligations (see topic no. 4).
In terms of intellectual property rights, the use of AI systems can result in copyright infringement, trademark infringement, design infringement, patent infringement etc. It may also raise issues concerning the right of publicity and other personality rights, e.g. if images of persons are used without consent.
Outlook: At the end of 2022, the EU Commission released a proposal for a directive governing non-contractual civil liability for artificial intelligence, the “AI Liability Directive” COM (2022) 496. The aim of this Directive is to complement and modernize the liability framework and to harmonize it EU-wide. It is supposed to create the same level of protection for persons harmed by AI systems as persons harmed by other technologies.
In terms of criminal law, the use of AI as an instrument in criminal activities does not exclude liability.
Who is responsible for any harm caused by an AI system? And how is the liability allocated between the developer, the user and the victim?
In terms of product liability (see topic no. 4), the manufacturer is liable for any harm caused. This also includes any party, under whose brand the product is put on the market (see Section 4, para 1 ProdHaftG). According to Section 4, para 2 ProdHaftG, the importer is also considered to be “the manufacturer” in light of the ProdHaftG – and under certain circumstances, each supplier can be considered the manufacturer as well (Section 4, para 3 ProdHaftG).
The user of AI can also be responsible for any harm caused by the AI system. According to German law, each party in the “liability chain” may claim compensation from the party on the higher level, e.g. the user of the AI from the supplier, the supplier from the manufacturer.
What burden of proof will have to be satisfied for the victim of the damage to obtain compensation?
In general, the party claiming damages has to show not only that it suffered damages but also that the other party is responsible for the damages caused. This, in particular, is the case if claims are asserted against the user of the AI, who is not the manufacturer.
Given that this is typically difficult, at least in product liability matters, the claimant can rely on certain means to ease the burden of proof. For instance, the claimant of a product liability claim does not have to show that the other side acted intentionally or negligently. It is sufficient to show that the product was defective. Given the specifics of AI, however, this can still be an issue, since the information to show that the system/product is defective requires not only access to the program but also inside knowledge about its functioning.
In light of the issues that are accompanied with showing that a product has a defect, German case law developed the concept of the so called “manufacturer liability” according to Section 823 BGB. On the basis of “manufacturer liability”, the injured party can rely on a reversal of the burden of proof. In such cases, the manufacturer has to show that its product is actually not defective. AI systems may require a further development of this case law, since the question will arise at what point in time the defect is no longer in the sphere of the manufacturer – considering the learning process of the AI.
Outlook: The AI Liability Directive intends to create a ‘presumption of causality’, which can be rebutted by the defendant. Its objective is to ease the burden of proof for anyone who suffered harm from AI systems. The AI Liability Directive also seeks to establish means for national courts to order disclosure of information in respect to AI systems allegedly having caused damage.
Is the use of artificial intelligence insured and/or insurable in your jurisdiction?
Yes, the use of AI can be subject to insurance. Certain insurance companies in Germany already offer specific AI insurance, such as backed performance guarantees.
We expect more and more insurance products, in particular also covering damages caused by the use of AI, to become available in the course of further development and a more wide-spread use of AI in daily life.
Can artificial intelligence be named an inventor in a patent application filed in your jurisdiction?
So far, no. In its decision with case ID: 11 W (pat) 5/21, the German Federal Patent Court found that only natural persons can be designated as an inventor on patent applications with the German Patent and Trademark Office (GPTO). The Court also did not allow the omission of the designation of inventor, as such designation is required by German patent law. In case of doubt, the applicant should designate himself as the inventor. Finally, the Court allowed a designation of inventor where the applicant designated himself, with an addition that he had caused (or prompted, arranged for) an AI system to generate the invention. However, the Court indicated that the GPTO is not required to consider the addition in publications, for example in the Register and in the publication of a granted patent.
While a legal appeal to the German Federal Court of Justice, which is the highest instance court on patent matters in Germany, is still pending, another Senate at the German Federal Patent Court has recently confirmed that the GPTO cannot grant a patent on AI-generated inventions, in that case unless the applicant falsifies statements regarding the inventor (case ID: 18 W (pat) 28/20).
Since, according to German patent law, the main consequence of an incorrect designation of inventor is that the true inventor can request a correction, any uncertainty is unlikely to have a negative effect. The decision confirmed the dominant trend in other jurisdictions concerned with the matter that the designated inventor of a patent application must be a natural person and AI systems cannot be designated as inventors. The EPO came to a similar conclusion, stating in its decision No. J 0008/20 that under the EPC the designated inventor has to be a person with legal capacity.
However, by allowing the applicant Stephen Thaler, who insisted on not having made the subject invention, to be nevertheless designated as the inventor, the Federal Patent Court also opened up an opportunity for him to become the patent owner.
It is highly controversial how the suggested wording, designating a natural person applicant as having prompted an AI system to generate the invention, aligns with the notion of “Erfinderehre” derived from human creativity and underlying the inventor’s right to be named, which was reaffirmed rather than discounted by the adjudicating Senates.
Do images generated by and/or with artificial intelligence benefit from copyright protection in your jurisdiction? If so, who is the authorship attributed to?
German copyright law is largely based on harmonized EU law. A copyright-protected work according to the CJEU (C-683/17-Cofemel) requires an “intellectual creation reflecting the freedom of choice and personality of its author”, which effectively excludes copyright protection for an image created by AI.
What are the main issues to consider when using artificial intelligence systems in the workplace?
Issues may arise in particular from the usage of information, specifically when information is uploaded on a cloud-based service operated by a third party. In this context, “accidental” or uncontrolled disclosure of trade secrets and other confidential data can be an issue. Should personal data be concerned, obligations under the GDPR also have to be considered. In the legal context, problems may be created in respect to professional codes of conduct and any additional confidentiality obligations arising therefrom. Transparency concerning the use of AI as well as the respective sources and the question of “who owns the work product” can become problematic.
Another issue is liability, as no specific information about functionality or training data used, and therefore also about the validaty/accuracy of work results, may be available.
A possible dependence on AI could also become an overall problem, especially regarding critical processes. In terms of sustainability, one will also have to consider the question of energy consumption of intense server processing. Concerning the latter, costs could become an issue too.
Finally, usage of AI can affect the employee-employer relationship. It can also create internal issues if AI is perceived by the human staff as competing with their job legitimacy.
What privacy issues arise from the use of artificial intelligence?
Processing vast amounts of personal data scraped from the internet for training AI, in particular Large Language Models (LLMs), significantly affects privacy rights. The application of AI will cause a plethora of further privacy issues, which we can only begin to recognise today. Already, the unique ability of an AI to take autonomous decisions, clashes with the general human expectation to only be subjected to decisions made by other humans. This is even more problematic as recent incidents show that AI is also not immune to “bias”, depending on the quality of the training data. The GDPR accordingly prohibits or at least severely restricts decisions based solely on automated processing. Similarly, the Digital Single Market Act and the Digital Service Act also require that content moderation measures on internet platforms are at least subject to human review. Possibly even more problematic is AI that does not make active decisions, but “merely” monitors human behaviour or analyses personal data limited only by allocated computing power. The German Constitutional Court has developed in its ground-breaking “Volkszählungsurteil”, the right for informational-self-determination, which would not be ”compatible with a social order and a legal order that enables it, in which citizens can no longer know who knows what, when and on what occasion about them”. Transparency obligations are therefore a key element for AI regulation, but beyond that “bans” for specifically intrusive and discriminatory uses of AI systems are necessary, e.g. for “Real-Time” biometric identification systems, which the upcoming AI Act will likely include.
What are the rules applicable to the use of personal data to train artificial intelligence systems?
The GDPR does not apply to anonymized personal data, whereby AI software might effectively lead to a higher threshold for an effective anonymization and anonymization might sometimes contradict the specific training purpose. Existing data is regularly used for training purposes, so if no anonymization is possible and also no consent for the new purpose of training an AI can be obtained, the prerequisites for a legitimate change of purpose (Art. 6 (4) GDPR) have to be regularly examined and the data subject will have to be informed about the intended processing. The right to be forgotten (Art. 17 GDPR) will also be difficult to implement regularly, as this might require resetting the AI.
Have the privacy authorities of your jurisdiction issued guidelines on artificial intelligence?
The Conference of German Independent Data Protection Authorities published a position paper on “recommended technical and organisational measures for the development and operation of AI systems” on November 6, 2019. These address the whole lifecycle of an AI system, starting with the design of the AI and its components, the process of selecting raw data to create training data, the training process itself, validation and examination of the trained system, certainly the use of the AI system and finally feedback and optimization mechanisms.
Have the privacy authorities of your jurisdiction discussed cases involving artificial intelligence?
Not only following the temporary ban of ChatGPT by the Italian DPA, the service is discussed among German DPAs and, according to the DPA of Hessen, shall be subject to an evaluation on a German national or preferably European level coordinated by the European Data Protection Board (EDPB). Beyond mere discussions, the Berlin DPA has already imposed a fine of EUR 300.000 against a bank that had rejected a consumer’s request to provide a detailed and comprehensible explanation for a rejection of a credit card application by an AI. The Berlin DPA considered this to be a violation of the transparency obligations according to Art. 22 (3), 5 (1) a and 15 (1)h GDPR.
Have your national courts already managed cases involving artificial intelligence?
AI-based tools for speech recognition and translation are widely used. There are numerous projects running on the use of AI e.g. for eDiscovery, anonymization processes or also creating and curating knowledge bases. Beyond that for mass proceedings, smart tools, including those based on AI, are increasingly used. The lower district of Frankfurt is handling about 15.000 cases per year concerning air passenger rights, using an AI-based system (FRAUKE). The system analyses and categorizes cases and creates text suggestions for the ruling. Similarly, the flood of “Dieselgate” cases are handled e.g. by the Court of Appeal of Stuttgart or the Regional Court of Ingolstadt using AI based tools. Those tools e.g. analyse briefs, categorize and structure cases, help with the organisation of hearings or assist when drafting the final ruling and adapting it to corresponding cases. Courts noticed that AI tools can be extremely useful, not only for standardized mass procedures, but also for structuring highly complex and comprehensive individual cases and are starting to apply them.
Does your country have a regulator or authority responsible for supervising the use and development of artificial intelligence?
There is no regulator or supervising authority for AI. Guidance is provided from a data security perspective by the Federal Office for Information Security (BSI) and from a privacy perspective by the “Düsseldorfer Kreis” coordinating German DPAs.
How would you define the use of artificial intelligence by businesses in your jurisdiction? Is it widespread or limited?
There was a lot of hesitation regarding the adoption or usefulness of AI for German businesses. According to BITKOM, still in 2022, around two-thirds of businesses considered AI to not be relevant for them, and only 10% of businesses answered in the affirmative when asked whether they would use AI in their businesses. In view of the dramatic advances in the generative AI sector and the everyday application of Large Language Models, this will certainly have changed in the meantime.
A severe limitation to widespread use of AI is the strong level of data protection, as regulated, for instance, by the EU General Data Protection Regulation (GDPR), and the generally conservative approach of individuals in Germany, as compared to the US or even China, to sharing data. This results in severe hurdles for successful implementation of well-trained, high-quality AI models.
Is artificial intelligence being used in the legal sector, by lawyers and/or in-house counsels? If so, how?
German courts discuss wide-ranged use of AI in quality control and analysis of cases brought to court.
Law firms and in-house counsels may use or already use AI for:
Analysis of technical documents (published),
Summaries of documents,
Generating draft contracts and letters,
Profiling of Judges.
It remains to be seen whether the use of AI in legal proceedings needs to be clearly regulated.
What are the 5 key challenges and the 5 key opportunities raised by artificial intelligence for lawyers in your jurisdiction?
Among the 5 key challenges, we see:
Need for adoption, but substantial hurdles for integration of successful AI tools in the legal sector:
strict obligations for discretion by attorney codes of conduct in view of nontransparent data transfer routes and use of servers worldwide
Loss of business – simple legal advice, consulting, routine tasks done by software or under expectation of extremely low fees
Resistance and hesitation with highly qualified knowledgeable workers, attorneys, engineers – do not trust the machine, “this is my core competence”
Lack of transparency regarding functionality and training data used, limited trust in work results
Costs of creating or licensing reliable AI systems, if available at all. Structural challenges, specifically for small and medium firms handling standard cases, which are well suited for an AI application.
5 key opportunities, on the other hand are:
Successful counter to a lack of a qualified workforce and related costs of personnel
addresses the ever increasing complexity (more and more case law, more and more knowledge and data to handle)
Focused work on interesting and important aspects rather than spending time on tedious routine work
Increased efficiency, to better match clients’ expectations on responsiveness and budget requirements
Can facilitate new creative solutions and lead to higher quality work product
Where do you see the most significant legal developments in artificial intelligence in your jurisdiction in the next 12 months?
The EU’s AI Act will be the first comprehensive set of regulations for the artificial intelligence industry. Similarly to the GDPR, the expectation is that it will provide a model also for other jurisdictions. While there is a broad consensus that regulation is necessary, it remains to be seen whether the Act will actually achieve a fair balance between an undisputedly necessary regulation on the one side and innovation and adoption of new and potentially disruptive technologies on the other.
Estimated word count: 4130
Join our mailing list to receive updates on new Guides: