Germany: TMT

Under German law communications networks and services are regulated by the Telecommunications Act (TKG)^[1]. The TKG covers activities of sending, transmitting and receiving of signals according to the term “telecommunications services”^[2] regulated in section 3 TKG. Service provider is any person who performs telecommunications services wholly or partly for commercial purposes or takes part in these performances of service. However a licence or authorisation for telecommunication service providers is not required. The operators just have to notify the Federal Network Agency^[3] about commencement, modification or termination of the activities in accordance with section 6 TKG.

References

^[1] Telekommunikationsgesetz

^[2] Telekommunikationsdienste

^[3] Bundesnetzagentur

See above.

The specific regulator for the provision of telecommunication services is, in accordance with the TKG, the Federal Network Agency (Bundesnetzagentur) which is a governmental body. It is thus not independent of government control.

See above.

An operator is not required to be domiciled in Germany. But a domestic representative is requested.

See above.

Specific regulations on interconnection between telecommunication operators are stipulated in Section 19 TKG (e.g. non-discrimination, transparency), according to which each operator of a public telecommunications network is obliged upon request to submit an offer on interconnection to other operators of public telecommunications networks to ensure the communication of the users, the provision of telecommunication services and their interoperability throughout the European Union.

Further general regulations covering interconnection between operators are located in the Treaty on the Functioning of the European Union (AEUV) and the Restriction of Competition Act (GWB).

With view to telecommunication operators with market powers, special obligations and prohibitions are regulated in Section. 19 et seq. TKG. In addition the general regulations pursuant Article 102 AEUV and Sections 19 to 21 GWB need to be taken into account. These regulations prohibit the exploitation of a dominating position.

Specific consumer protection regulations with regard to telecom services are stipulated in Section 43a et seq. TKG. The scope of protection ranges from special information requirements, claims for damages, the equivalence in disabled end-users’ access to services, fault clearance service and itemized billing.

See above.

Section 43a TKG determines which information operators have to make available to the consumers in the contract in an explicit, comprehensive and easily accessible form. The minimum contractual information shall include, inter alia, information on all restrictions on the access and use of services and applications, the minimum level of service quality offered, as well as information on all procedures set up by the company for the measurement and control of data traffic. Moreover already at the conclusion of contract, the operator is obliged to inform about the necessary steps for a possible change of supplier according to section 46 TKG. The maximum contract term is limited to 24 months pursuant to section 43b TKG. Additionally section 44 TKG provides for customers friendly regulations in case of damage or cease and desist claim of the customer. The interests of disabled end-users are considered in section 45 TKG. The availability of an error correction service is required pursuant to section 45b TKG and the entitlement of the customer for an itemized bill in section 45e TKG.

The creators of computer software (“author”/“Urheber”) are legally protected by copyright, especially by the special provisions for computer programmes regulated in sections 69a et seqq. of the Copyright Act (UrhG)^[1] based on the EU computer program directive (2009/24/EG). Author is defined as the maker of the piece of work according to section 7 UrhG, therefore in terms of software the software developer as natural person. This copyright ownership as author is not transferable, but it is possible to grant licenses to third parties in return for an appropriate remuneration in accordance with sections 31 et seqq. UrhG. If a software is created by an employee, then the employer has the exclusive right to use and exploit the software in accordance with section 69b UrhG provided that nothing contradictory is agreed. Moreover the creator could be protected by patent law (PatG)^[2] in specific circumstances where the software fulfils the requirements of a invention in a field of technology (“technische Erfindung”) and the Employee Inventions Act (ArbnErfG)^[3]. Furthermore the creator is protected by the criminal law provisions in sections 106 et seqq. UrhG. In accordance with those sections unauthorised use, unauthorised affixing of copyrights as well as unauthorized tampering with technical protective measures is punishable.

References

^[1] Urhebergesetz

^[2] Patentgesetz

^[3] Arbeitnehmererfindungsgesetz

In respect of databases German copyright law recognises specific intellectual property rights. There are two kinds of databases. One is an autonomous work and protected by copyright because it is considered a personal intellectual creation (“persönliche geistige Schöpfung”) in accordance with section 4 UrhG. For such databases, a full copyright protection similar to software applies. The other type of database is protected because of the financial investment which was required for creating it. The latter is regulated in sections 87a to 87e UrhG which are based on the EU Database Directive (95/46/EG). These sections of the law rule that only the producer of the database is authorised to reproduce, distribute and publicly report the database as a whole or a part of essential type and extent. The European Court of Justice has decided that the essential part of a database refers to the extracted or reused volume of the database (judgment in the case C-203/02). An essential part is therefore considered to be 10 percent or more. Excluded from protection, however, are reproductions for private use, for purposes of scientific research pursuant to sections 60c and 60d and for illustrative use in education pursuant to section 87c UrhG.

The key protection for personal data is found in the GDPR (DS-GVO)^[1] and the new version of the German Federal Data Protection Act (BDSG)^[2]. Since 25^th May 2018 the GDPR and the revised BDSG have been in force. The new regulation on the protection of personal data for the whole of the European Union pursues the objective to ensure a quite harmonized approach to data protection within all member states. In general, the GDPR can be considered to be very strict, particularly due to the very high fines it imposes for breaches.

In accordance with Art. 6 GDPR the processing of personal data shall only be lawful if and to the extent that a statutory permission is applicable or the data subject has given consent to the processing. Art. 6 (1) GDPR permits the processing of personal data in particular to the extent necessary for the performance of a contract (lit. b), for compliance with a legal obligation (lit. c) and in case of prevailing interests of the data controller (lit. f) as general permissions.

In addition, German law also contains sector specific protection for personal data. Section 88 TKG is an important provision for the telecoms sector as it stipulates the requirement of secrecy of telecommunications. Further telecom-specific regulations on data protection are found in sections 91 et seqq. TKG. The data protection regulations of the TKG, which have been issued to implement the directive 2002/58/EG, will continue to be applicable in accordance with Art. 95 GDPR.

In respect of electronic information and communication services (“telemedia”) which are not consider telecommunications, in particular websites, specific protection rulings were found in sections 11 et seqq. in the Telemedia Act (TMG)^[3]. However, since the GDPR came into force, it was unclear whether the special regulations of the TMG remain applicable. The TMG was until now not adapted to the new data protection laws. In this regard the DSK (Datenschutzkonferenz, a joint committee of the data protection authorities of the German federal states) issued a position paper in April 2018. Hereinafter the sections 12, 13, 15 TMG are no longer applicable. Sections 67 et seqq. of the Volume X of Social Security Statute Act (SGB X)^[4] contain special provisions protecting social data which have been revised in the context of the GDPR and continue to apply in this respect.

References

^[1] Datenschutzgrundverordnung

^[2] Bundesdatenschutzgesetz neu 2018

^[3] Telemediengesetz

^[4] Zehntes Buch Sozialgesetzbuch

The EU applies restrictions on the transfer of personal data overseas. These are grounded in Art. 44 et seqq. GDPR. These supplementary rules set higher requirements on the lawfulness of the transfer of personal data to a third country outside of the EU or international organisations. In addition to compliance with the general requirements of  the GDPR, a transfer of data in this sense may take place on the basis of an adequacy decision of the European Commission pursuant to Art. 45 GDPR. The decision on adequacy depends on whether the third country offers an adequate level of protection that is comparable to the EU (which is the minority), and “unsafe” countries, as determined by the European Commission. For example, India, China and the United States are considered “unsafe” in data protection context.

When there is no adequacy decision pursuant to Art. 45 GDPR, personal data may only be transferred to a recipient in that country if the controller or processor in such countries has provided appropriate safeguards, and on the condition that data subject rights are enforceable and effective legal remedies for data subjects are available pursuant to Art. 46 (1) GDPR. In practice the most common measure is the implementation of the “EU model clauses” as part of the contract between the data exporter in the EU and the data importer in the “unsafe” country outside the EU. The EU model clauses are based on decisions of the European Commission and can be used for controller-to-controller transfers (decision 2001/497/EC and decision 2004/915/EC) and controller to processor transfers (see decision 2010/87/EU), as the case may be. Additionally, Binding Corporate Rules (BCR) play an important role in multi-national companies. The EU and the USA had established the so-called “EU-US Privacy Shield” since August 2016. It provided for an opportunity for US companies to receive data from the EU by registering in a list of the US Federal Trade Commission (FTC) and thereby committing to comply with the fundamental principles of EU data protection laws. The Privacy Shield has been the successor of the so-called “Safe Harbor Framework” which was declared invalid by the European Court of Justice on 6 October 2015 (C-362/14). As many principles of Safe Harbor were again found in the Privacy Shield, the Privacy Shield was also successfully challenged in the European Court of Justice and declared invalid on 16 July 2020 (C-311/18). Accordingly, the only remaining justified option for companies to transfer personal data to a recipient in the USA in accordance with the GDPR is to use the EU model clauses as a basis for the transfer contract.

In accordance with Art. 83 (4) GDPR the maximum fines for infringements of the provisions set out therein is 10,000,000 EUR or in the case of an undertaking up to 2% of the total worldwide annual turnover of the preceding financial year, whichever is higher. For infringements of provisions set out in Art. 83 (5) GDPR a maximum fine of even 20,000,000 EUR, or in the case of an undertaking, up to 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher, is foreseen.

For the telecommunications sector, the maximum fine ranges from 10,000 Euro to 500,000 Euro pursuant to section 149 (2) TKG.

There is no law that general prohibits cloud-based services in German law. But the data protection laws mentioned above set the legal framework to be complied with.

There is a guide for cloud computing (actual version: Orientierungshilfe – Cloud Computing vom 09.10.2014, Version 2.0) issued by the highest data protection authorities in Germany which provides detailed instructions on how to use cloud-based services.

Moreover there are specific restrictions for regulated markets. For example, financial institutions which outsource activities and processes are obliged to follow the requirements pursuant to section 25b Banking Act (KWG)^[1]. Cloud computing often qualifies as “outsourcing” in this respect. Similar specifications are found in the Stock Exchange Act (BörsG)^[2] and the Securities Trading Act (WpHG)^[3]. Also for the insurance sector, special restrictions exist, e.g. section 32 Insurance Supervision Act (VAG)^[4], according to which the insurance company stays responsible for the fulfilment of regulatory rules when outsourcing activities. For usage of social data in clouds exist restrictions regulated in section 80 SGB X revised in the course of the GDPR and for taxation the restrictions are regulated in section 146 (2, 2a) tax code (AO)^[5]. According to this section books and otherwise required records shall be kept within the scope of AO, therefore in national territory.

Up to now, some professionals which are subject to professional secrecy had to face restrictions with regard to cloud-based services. For example doctors, lawyers, tax advisors and persons working in life and health insurance have a statutory duty of professional secrecy, and in case of unauthorized disclosure, this is considered a criminal offence pursuant to section 203 German criminal code (StGB)^[6]. But a recent legislative amendment of section 203 StGB also provides these professionals the opportunity to use e.g. Cloud-Services and external service providers, because pursuant to section 203 (3) StGB it is no longer a problem to pass on the information to involved persons as long as this is necessary for the using of the person’s activity and provided that proper contractual safeguards as regards data secrecy are in place.

References

^[1] Kreditwesengesetz

^[2] Börsengesetz

^[3] Gesetz über den Wertpapierhandel

^[4] Versicherungsaufsichtsgesetz

^[5] Abgabenordnung

^[6] Strafgesetzbuch

German requirements on electronic signatures are laid down in the Regulation on Electronic Identification and Trust Services (eIDAS)^[1] which replaced the German Signature Act (SigG)^[2] only recently in July 2017. The new regulation contains binding European-wide rules in the areas of electronic identification and electronic trust services. The eIDAS Regulation introduced the so called “electronic seals”. Technically, these are similar to the electronic signatures. The main difference is the assignment to a legal rather than a natural person. While electronic signatures can be used to sign a declaration of intent, the electronic seal of an institution serves as proof of origin: It can be used wherever a personal signature is not necessary, but proof of authenticity is desired, e.g. in the case of official decisions, certificates and account statements.

For the validity of electronic signatures in general (for example in e-mails or PDF documents), there are no specific requirements. However, for legal acts which require written form according to section 126 German Civil Code (BGB)^[3], this form requirement can (where not excluded in the law) only be replaced by a qualified electronic signature. A qualified electronic signature is only given in cases where an certified identification unit was used when creating the signature (which is rarely the case). Electronic documents only have the same value of proof as documents which were signed by hand if a qualified electronic signature is used in the document (section 371a German Code of Civil Procedure^[4]).

References

^[1] Verordnung über elektronische Identifizierung und Vertrauensdienste

^[2] Signaturgesetz

^[3] Bürgerliches Gesetzbuch

^[4] Zivilprozessordnung

In some cases, yes. In the event of an outsourcing of IT services, there are rules for an automatic transfer by law to the outsourcing supplier in respect of employees (so called “transfer of undertaking”/“Betriebsübergang”). These rules are laid down in section 613a BGB. In accordance with this section the former employer has the duty to notify the employee about the date and the reason of the transfer and about the legal, economic and social consequences for the employee. The rights and obligations of the existing employment relationship cannot be changed to the detriment of the employee before expiry of one year as of the date of the transfer. In addition the employee can object to the transfer in writing within one month.

There are strategies on how to avoid a transfer of undertakings which can be applied in certain cases.

The liability for malfunctions of a software program which purports to be an early form of A.I. is in German law still unsolved. Three different approaches are discussed amongst legal scholars. One opinion attributes the liability to the operator according to sections 280, 823 BGB. In a legal sense the attribution of a breach of duty or a fault is the big problem in this context. Another opinion wants to solve this problem with a new regulation about strict liability which is independent of negligence and intent similar to product liability. But there is still no legal basis for this concept in German law. A third idea, which also lacks a legal basis, is to invent an own legal entity for A.I. – the so-called “e-person” – as counterpart to natural and legal persons.

a) obligations as to the maintenance of cybersecurity;

There are diverse regulations on cybersecurity depending on the industry sector and depending on which data is processed. When personal data is processed, section 32 GDPR requires a level of security appropriate to the risk. Telecommunications operators are obliged to take measures for the security of the secrecy of telecommunications and against unauthorized access to personal data in accordance with section 109 TKG. Section 8a BSI-Act (BSIG)^[1] regulates obligations for operators of critical infrastructure to ensure their technical functionality. The implementation of the NIS EU directive in the member states led to a high common security level of network and information systems in the EU.

Reference

^[1] Gesetz über das Bundesamt für Sicherheit in der Informationstechnik

b) the criminality of hacking/DDOS attacks?

Hacking/DDOS attacks are often considered as criminal offence according to sections 202a to 202d StGB. These regulations punish spying on data, data interception, the preparing of spying and intercepting as well as unauthorized data receiving. Additionally section 263a StGB regulate computer fraud and sections 303a and 303b StGB cover data alteration and computer sabotage.

The most legal change is to be expected regarding artificial intelligence. As mentioned above the liability for malfunctions of A.I. is still unsolved in German law. The lack of liability provision will trigger need for a legal reform. Essential questions that have to be solved soon are for example: Who will be liable for robots? Will intelligent machines be able to conclude valid contracts and under which requirements, e.g. in the Internet of Things (IoT)?

One of the greatest legal impediments to economic development/commerce are the consumer protection regulations governed by German civil law in sections 312 et seqq. BGB. These sections contain very complicated consumer protection regulations for e-commerce and distance selling which are almost impossible to comply. Therefore, a simplification and reform is needed.

On the one hand, the guide for cloud computing (Orientierungshilfe – Cloud Computing vom 09.10.2014) provides detailed instructions on how to use cloud-based services which provides much clarity in this area. On the other hand, data protection regulations are very strict, as it will be the case throughout Europe due to the GDPR.

There is still quite some legal uncertainty regarding artificial intelligence. (See above)