N/A

Under German law communications networks and services are regulated by the Telecommunications Act (TKG)^[1]. The TKG covers activities of sending, transmitting and receiving of signals according to the term “telecommunications services”^[2] regulated in section 3 TKG. Service provider is any person who performs telecommunications services wholly or partly for commercial purposes or takes part in these performances of service. However a licence or authorisation for telecommunication service providers is not required. The operators just have to notify the Federal Network Agency^[3] about commencement, modification or termination of the activities in accordance with section 6 TKG.

References

^[1] Telekommunikationsgesetz

^[2] Telekommunikationsdienste

^[3] Bundesnetzagentur

See question 2.

The specific regulator for the provision of telecommunication services is, in accordance with the TKG, the Federal Network Agency (Bundesnetzagentur) which is a governmental body. It is thus not independent of government control.

See question 4.

N/A

N/A

An operator is not required to be domiciled in Germany. But a domestic representative is requested.

N/A

Specific regulations on interconnection between telecommunication operators are stipulated in section 19 TKG (e.g. non-discrimination, transparency), according to which each operator of a public telecommunications network is obliged upon request to submit an offer on interconnection to other operators of public telecommunications networks to ensure the communication of the users, the provision of telecommunication services and their interoperability throughout the European Union.

Further general regulations covering interconnection between operators are located in the Treaty on the Functioning of the European Union (AEUV) and the Restriction of Competition Act (GWB).

With view to telecommunication operators with market powers, special obligations and prohibitions are regulated in section 19 et seq. TKG. In addition the general regulations pursuant Article 102 AEUV and sections 19 to 21 GWB need to be taken into account. These regulations prohibit the exploitation of a dominating position.

Specific consumer protection regulations with regard to telecom services are stipulated in section 43a et seq. TKG. The scope of protection ranges from special information requirements, claims for damages, the equivalence in disabled end-users’ access to services, fault clearance service and itemized billing.

See question 10.

Section 43a TKG determines which information operators have to make available to the consumers in the contract in an explicit, comprehensive and easily accessible form. The minimum contractual information shall include, inter alia, information on all restrictions on the access and use of services and applications, the minimum level of service quality offered, as well as information on all procedures set up by the company for the measurement and control of data traffic. Moreover already at the conclusion of contract, the operator is obliged to inform about the necessary steps for a possible change of supplier according to section 46 TKG. The maximum contract term is limited to 24 months pursuant to section 43b TKG. On 24 June 2021, the German Bundestag passed a resolution to ensure that as of the beginning of 2022 tacit contract extensions for consumer contracts will only be permissible if they result in an extension for an indefinite period, and the consumer is granted the right to terminate the extended contractual relationship at any time with a notice period of no more than one month (section 309 No. 9 b German Civil Code (BGB)^[1], new version). A maximum contract term of one year considered in the legislative process was withdrawn from the draft legislation.

Additionally section 44 TKG provides for customers friendly regulations in case of damage or cease and desist claim of the customer. The interests of disabled end-users are considered in section 45 TKG. The availability of an error correction service is required pursuant to section 45b TKG and the entitlement of the customer for an itemized bill in section 45e TKG.

Reference

^[1] Bürgerliches Gesetzbuch

The creators of computer software (“author”/“Urheber”) are legally protected by copyright, especially by the special provisions for computer programmes regulated in sections 69a et seqq. of the Copyright Act (UrhG)^[1] based on the EU computer program directive (2009/24/EG). Author is defined as the maker of the piece of work according to section 7 UrhG, therefore in terms of software the software developer as natural person. This copyright ownership as author is not transferable, but it is possible to grant licenses to third parties in return for an appropriate remuneration in accordance with sections 31 et seqq. UrhG. If a software is created by an employee, then the employer has the exclusive right to use and exploit the software in accordance with section 69b UrhG provided that nothing contradictory is agreed. Moreover the creator could be protected by patent law (PatG)^[2] in specific circumstances where the software fulfils the requirements of a invention in a field of technology (“technische Erfindung”) and the Employee Inventions Act (ArbnErfG)^[3]. Furthermore the creator is protected by the criminal law provisions in sections 106 et seqq. UrhG. In accordance with those sections unauthorised use, unauthorised affixing of copyrights as well as unauthorized tampering with technical protective measures is punishable.

References

^[1] Urhebergesetz

^[2] Patentgesetz

^[3] Arbeitnehmererfindungsgesetz

In respect of databases German copyright law recognises specific intellectual property rights. There are two kinds of databases. One is an autonomous work and protected by copyright because it is considered a personal intellectual creation (“persönliche geistige Schöpfung”) in accordance with section 4 UrhG. For such databases, a full copyright protection similar to software applies. The other type of database is protected because of the financial investment which was required for creating it. The latter is regulated in sections 87a to 87e UrhG which are based on the EU Database Directive (95/46/EG). These sections of the law rule that only the producer of the database is authorised to reproduce, distribute and publicly report the database as a whole or a part of essential type and extent. The European Court of Justice has decided that the essential part of a database refers to the extracted or reused volume of the database (judgment in the case C-203/02). An essential part is therefore considered to be 10 percent or more. Excluded from protection, however, are reproductions for private use, for purposes of scientific research pursuant to section 60c, for illustrative use in education and – as of June 2021 – for text and data mining purposes pursuant to section 60d (section 87c UrhG).

The key protection for personal data is found in the GDPR (DS-GVO)^[1] and the German Federal Data Protection Act (BDSG)^[2]. Since 25 May 2018 the GDPR and the revised BDSG have been in force. The GDPR constitutes a regulation on the protection of personal data for the whole of the European Union and pursues the objective to ensure a quite harmonized approach to data protection within all member states. In general, the GDPR can be considered to be very strict, particularly due to the very high fines it imposes for breaches.

In accordance with Art. 6 GDPR the processing of personal data shall only be lawful if and to the extent that a statutory permission is applicable or the data subject has given consent to the processing. Art. 6 (1) GDPR permits the processing of personal data in particular to the extent necessary for the performance of a contract (lit. b), for compliance with a legal obligation (lit. c) and in case of prevailing interests of the data controller (lit. f) as general permissions.

In addition, German law also contains sector specific protection for personal data. Section 88 TKG is an important provision for the telecoms sector as it stipulates the requirement of secrecy of telecommunications. Further telecom-specific regulations on data protection are found in sections 91 et seqq. TKG. The data protection regulations of the TKG, which have been issued to implement the directive 2002/58/EG, will continue to be applicable in accordance with Art. 95 GDPR.

In respect of electronic information and communication services (“telemedia”) which are not considered telecommunications, in particular websites, specific protection rulings were found in sections 11 et seqq. in the Telemedia Act (TMG)^[3]. However, since the GDPR came into force, it was unclear whether the special regulations of the TMG remain applicable. The TMG was until now not adapted to the GDPR yet. In this regard the DSK (Datenschutzkonferenz, a joint committee of the data protection authorities of the German federal states) issued a position paper in April 2018. Hereinafter the sections 12, 13, 15 TMG are no longer applicable. The German Federal Court of Justice (Bundesgerichtshof) ruled on 28 May 2020 that section 15 (3) TMG is applicable, but must be interpreted in accordance with the European ePrivacy Directive. However, the applicability of the other provisions, in particular section 12 and section 15 (1) TMG, remains unclear. Kindly note that at the latest on 21 December 2021, these discussions will come to an end when the new German “Telecommunications and Telemedia Data Protection Act” (“TTDSG”) will come into force. This new act, which was passed by the German parliament on 21 May 2021, replaces the outdated data protection provisions in the German Telemedia Act (TMG) and the German Telecommunications Act (TKG) and, in § 25 of the TTDSG, also implements the consent requirement for storing and reading information on terminal equipment, in particular cookies, in accordance with Art. 5 (3) sentence 1 of the ePrivacy Directive.

Sections 67 et seqq. of the Volume X of Social Security Statute Act (SGB X)^[4] contain special provisions protecting social data which have been revised in the context of the GDPR and continue to apply in this respect.

References

^[1] Datenschutzgrundverordnung

^[2] Bundesdatenschutzgesetz neu 2018

^[3] Telemediengesetz

^[4] Zehntes Buch Sozialgesetzbuch

The EU applies restrictions on the transfer of personal data overseas. These are grounded in Art. 44 et seqq. GDPR. These supplementary rules set higher requirements on the lawfulness of the transfer of personal data to a third country outside of the EU or international organisations. In addition to compliance with the general requirements of  the GDPR, a transfer of data in this sense may take place on the basis of an adequacy decision of the European Commission pursuant to Art. 45 GDPR. The decision on adequacy depends on whether the third country offers an adequate level of protection that is comparable to the EU (which is the minority), and “unsafe” countries, as determined by the European Commission. For example, India, China and the United States are considered “unsafe” in data protection context.

When there is no adequacy decision pursuant to Art. 45 GDPR, personal data may only be transferred to a recipient in that country if the controller or processor in such countries has provided appropriate safeguards, and on the condition that data subject rights are enforceable and effective legal remedies for data subjects are available pursuant to Art. 46 (1) GDPR. In practice the most common measure is the implementation of the “EU model clauses” as part of the contract between the data exporter in the EU and the data importer in the “unsafe” country outside the EU. The EU model clauses are based on decisions of the European Commission and can be used for controller-to-controller transfers (decision 2001/497/EC and decision 2004/915/EC) and controller-to-processor transfers (see decision 2010/87/EU), as the case may be. Additionally, Binding Corporate Rules (BCR) play an important role in multi-national companies. The EU and the USA had established the so-called “EU-US Privacy Shield” since August 2016. It provided for an opportunity for US companies to receive data from the EU by registering in a list of the US Federal Trade Commission (FTC) and thereby committing to comply with the fundamental principles of EU data protection laws. The Privacy Shield has been the successor of the so-called “Safe Harbor Framework” which was declared invalid by the European Court of Justice on 6 October 2015 (C-362/14). In its Schrems II judgment on 16 July 2020 (C-311/18), the European Court of Justice also declared the European Commission’s Privacy Shield Decision invalid on account of invasive US surveillance programmes, thereby making transfers of personal data on the basis of the Privacy Shield Decision illegal. The Court held that the USA do not provide a sufficient level of protection as guaranteed by the GDPR. Accordingly, the only remaining justified option for companies to transfer personal data to a recipient in the USA in accordance with the GDPR is to use the EU model clauses as a basis for the transfer contract.

The European Court of Justice has made clear its expectation that authorities “suspend or prohibit” unauthorized transfers. Since 1 June 2021, the German data protection authorities have been monitoring the implementation of the new legal standards by sending questionnaires to companies about candidate applicant portals, intra-group data traffic, e-mail service providers, web trackers and hosting providers.

On 4 June 2021, the Commission issued an implementing decision (2021/914) regarding Standard Contractual Clauses for the transfer of personal data to third countries (SCC-INT). Pursuant to Art. 1 (1) thereof the standard contractual clauses supplied by the Commission are considered to provide appropriate safeguards within the meaning of Art. 46 (1) and (2) GDPR. Due to the SCC legal audit and adjustment efforts, as well as any necessary renegotiations between the parties, are significantly reduced. The modular structure of the SCC and the possibility of subsequent party entry on both sides create necessary flexibility. However, this does not mean any simplification for the export of data to the USA. An appropriate level of data protection cannot be established with the SCC-INT alone due to the “disproportionate authority” in the USA; additional technical measures such as encryption or pseudonymization are still required.

In accordance with Art. 83 (4) GDPR the maximum fines for infringements of the provisions set out therein is 10,000,000 EUR or in the case of an undertaking up to 2% of the total worldwide annual turnover of the preceding financial year, whichever is higher. For infringements of provisions set out in Art. 83 (5) GDPR a maximum fine of even 20,000,000 EUR, or in the case of an undertaking, up to 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher, is foreseen.

For the telecommunications sector, the maximum fine ranges from 10,000 EUR to 1,000,000 EUR, for companies with an average annual turnover of more than 50,000,000 EUR up to 2% of the average annual turnover pursuant to section 149 (2) TKG.

N/A

There is no law that general prohibits cloud-based services in German law. But the data protection laws mentioned above set the legal framework to be complied with.

There is a guide for cloud computing (actual version: Orientierungshilfe – Cloud Computing vom 09.10.2014, Version 2.0) issued by the highest data protection authorities in Germany which provides detailed instructions on how to use cloud-based services.

Moreover there are specific restrictions for regulated markets. For example, financial institutions which outsource activities and processes are obliged to follow the requirements pursuant to section 25b Banking Act (KWG)^[1]. Cloud computing often qualifies as “outsourcing” in this respect. Similar specifications are found in the Stock Exchange Act (BörsG)^[2] and the Securities Trading Act (WpHG)^[3]. Also for the insurance sector, special restrictions exist, e.g. section 32 Insurance Supervision Act (VAG)^[4], according to which the insurance company stays responsible for the fulfilment of regulatory rules when outsourcing activities. For usage of social data in clouds exist restrictions regulated in section 80 SGB X revised in the course of the GDPR and for taxation the restrictions are regulated in section 146 (2, 2a, 2b) tax code (AO)^[5]. According to this section books and otherwise required records shall be kept within the scope of AO, therefore in national territory. Electronic books and records can be kept and stored in member states of the EU under certain requirements. Storage in non-member countries is only possible under high preconditions and with the approval of the local tax authority.

Since a legislative change in 2018, professional secrecy holders (e.g. doctors, lawyers, tax advisors and family advisors) can disclose third party secrets to other persons involved in their professional activities pursuant to section 203 (3) German criminal code (StGB)^[6]. The explanatory memorandum to the law explicitly mentions cloud storage providers – the use of which was very difficult for professional secrecy holders before the reform. In turn, according to section 203 (4) StGB these other persons are also covered by section 203 StGB, so punishment of persons involved in the violation of private secrets is possible in the form of a prison sentence of up to one year or a fine.

In addition to that, special provisions of certain professions, e.g. § 43e of the Federal Lawyers Act (BRAO)^[7], also stipulate that professionals must carefully select service providers, put them under an obligation to confidentiality and inform them of the criminal consequences of a breach of duty.

References

^[1] Kreditwesengesetz

^[2] Börsengesetz

^[3] Gesetz über den Wertpapierhandel

^[4] Versicherungsaufsichtsgesetz

^[5] Abgabenordnung

^[6] Strafgesetzbuch

^[7] Bundesrechtsanwaltsordnung

German requirements on electronic signatures are laid down in the Regulation on Electronic Identification and Trust Services (eIDAS)^[1]. This regulation contains binding European-wide rules in the areas of electronic identification and electronic trust services. The eIDAS Regulation introduced the so called “electronic seals”. Technically, these are similar to the electronic signatures. The main difference is the assignment to a legal rather than a natural person. While electronic signatures can be used to sign a declaration of intent, the electronic seal of an institution serves as proof of origin: It can be used wherever a personal signature is not necessary, but proof of authenticity is desired, e.g. in the case of official decisions, certificates and account statements.

For the validity of electronic signatures in general (for example in e-mails or PDF documents), there are no specific requirements. However, for legal acts which require written form according to section 126 BGB, this form requirement can (where not excluded in the law) only be replaced by a qualified electronic signature. A qualified electronic signature is only given in cases where an certified identification unit was used when creating the signature (which is rarely the case). Electronic documents only have the same value of proof as documents which were signed by hand if a qualified electronic signature is used in the document (section 371a German Code of Civil Procedure)^[2].

References

^[1] Verordnung über elektronische Identifizierung und Vertrauensdienste

^[1] Zivilprozessordnung

In some cases, yes. In the event of an outsourcing of IT services, there are rules for an automatic transfer by law to the outsourcing supplier in respect of employees (so called “transfer of undertaking”/“Betriebsübergang”). These rules are laid down in section 613a BGB. In accordance with this section the former employer has the duty to notify the employee about the date and the reason of the transfer and about the legal, economic and social consequences for the employee. The rights and obligations of the existing employment relationship cannot be changed to the detriment of the employee before expiry of one year as of the date of the transfer. In addition the employee can object to the transfer in writing within one month.

There are strategies on how to avoid a transfer of undertakings which can be applied in certain cases.

The liability for malfunctions of a software program which purports to be an early form of A.I. is in German law still unsolved. Three different approaches are discussed amongst legal scholars. One opinion attributes the liability to the operator according to sections 280, 823 BGB. In a legal sense the attribution of a breach of duty or a fault is the big problem in this context. Another opinion wants to solve this problem with a new regulation about strict liability which is independent of negligence and intent similar to product liability. But there is still no legal basis for this concept in German law. A third idea, which also lacks a legal basis, is to invent an own legal entity for A.I. – the so-called “e-person” – as counterpart to natural and legal persons.

a) obligations as to the maintenance of cybersecurity

There are diverse regulations on cybersecurity depending on the industry sector and depending on which data is processed. When personal data is processed, section 32 GDPR requires a level of security appropriate to the risk. Telecommunications operators are obliged to take measures for the security of the secrecy of telecommunications and against unauthorized access to personal data in accordance with section 109 TKG. Section 8a BSI-Act (BSIG)^[1] regulates obligations for operators of critical infrastructure to ensure their technical functionality. The implementation of the NIS EU directive in the member states led to a high common security level of network and information systems in the EU.

b) the criminality of hacking/DDOS attacks

Hacking/DDOS attacks are often considered as criminal offence according to sections 202a to 202d StGB. These regulations punish spying on data, data interception, the preparing of spying and intercepting as well as unauthorized data receiving. Additionally section 263a StGB regulate computer fraud and sections 303a and 303b StGB cover data alteration and computer sabotage.

Reference

^[1] Gesetz über das Bundesamt für Sicherheit in der Informationstechnik

The most legal change is to be expected regarding artificial intelligence. As mentioned above the liability for malfunctions of A.I. is still unsolved in German law. The lack of liability provision will trigger need for a legal reform. Essential questions that have to be solved soon are for example: Who will be liable for robots utilizing artificial intelligence? Will intelligent machines be able to conclude valid contracts and under which requirements, e.g. in the Internet of Things (IoT)?

On 21 April 2021, the European Commission presented a draft regulation establishing harmonized rules for A.I. (“Proposal for a Regulation laying down harmonised rules on artificial intelligence”). The European Union wishes to encourage the development and use of A.I. in order to strengthen Europe’s position as a global center of excellence in A.I. Furthermore research must be prevented from being affected by inhomogeneous regulations, thereby weakening the EU’s competitiveness. The regulation follows a risk-based approach differentiating between uses of A.I. that create (i) an unacceptable risk, (ii) a high risk, and (iii) low or minimal risk. The higher the potential hazards, the higher the requirements for the A.I. system should be.

One of the greatest legal impediments to economic development/commerce are the consumer protection regulations governed by German civil law in sections 312 et seqq. BGB. These sections contain very complicated consumer protection regulations for e-commerce and distance selling which are almost impossible to comply. Therefore, a simplification and reform is needed.

The importance of contracts for digital goods and services for the German legislature is reflected in the new version of sections 327 onwards BGB, applying to contracts entered into from 1 January 2022. While the amendments primarily apply only to contracts between businesses and consumers, they also play a role in the business operator’s recourse against its supplier, so the impact is huge. The law also provides for a special warranty right which supersedes the general rules of the sales law or rental law and thus takes precedence. For the first time, the legislator also takes into account cryptocurrencies such as bitcoin. In addition, according to the new version of section 327f BGB, the business operator is liable for providing, during the “relevant time”, the updates necessary to ensure that the digital product is in conformity with the contract. The amendment to the German Civil Code will keep legal practitioners, businesses and courts busy with many unresolved individual issues for the next few years. Some changes were long overdue, given the ever-increasing importance of the digital market. Nevertheless, the legal ambiguity created by some regulations is unlikely to be conducive to the distribution of digital offerings.

There is still quite some legal uncertainty regarding artificial intelligence. (See above)