This country-specific Q&A provides an overview of technology laws and regulations that may apply in Germany.
It will cover communications networks and their operators, databases and software, data protection, AI, cybersecurity as well as the author’s view on planned future reforms of the merger control regime.
This Q&A is part of the global guide to Technology. For a full list of jurisdictional Q&As visit http://www.inhouselawyer.co.uk/index.php/practice-areas/technology
Are communications networks or services regulated? If so what activities are covered and what licences or authorisations are required?
Under German law, communications networks and services are regulated by the Telecommunications Act (TKG). The TKG covers the activities of sending, transmitting and receiving signals, in line with the term “telecommunications services” defined in section 3 TKG. A service provider is any person who performs telecommunications services wholly or partly for commercial purposes or takes part in the performance of such services. However, a licence or authorisation for telecommunication service providers is not required. Operators only have to notify the Federal Network Agency of the commencement, modification or termination of their activities in accordance with section 6 TKG.
Is there any specific regulator for the provisions of communications-related services? Are they independent of the government control?
The specific regulator for the provision of telecommunication services is, in accordance with the TKG, the Federal Network Agency (Bundesnetzagentur) which is a governmental body. It is thus not independent of government control.
Does an operator need to be domiciled in the country? Are there any restrictions on foreign ownership of telecoms operators?
An operator is not required to be domiciled in Germany. But a domestic representative is requested.
Are there any regulations covering interconnection between operators? If so are these different for operators with market power? What are the principal consumer protection regulations that apply specifically to telecoms services?
Specific regulations on interconnection between telecommunication operators are stipulated in Section 19 TKG (e.g. non-discrimination, transparency), according to which each operator of a public telecommunications network is obliged upon request to submit an offer on interconnection to other operators of public telecommunications networks to ensure the communication of the users, the provision of telecommunication services and their interoperability throughout the European Union.
Further general regulations covering interconnection between operators are located in the Treaty on the Functioning of the European Union (AEUV) and the Restriction of Competition Act (GWB).
With regard to telecommunication operators with market power, special obligations and prohibitions are regulated in Section 19 et seq. TKG. In addition, the general regulations pursuant to Article 102 AEUV and Sections 19 to 21 GWB need to be taken into account. These regulations prohibit the exploitation of a dominant position.
Specific consumer protection regulations with regard to telecom services are stipulated in Section 43a et seq. TKG. The scope of protection covers special information requirements, claims for damages, equivalent access to services for disabled end-users, a fault clearance service and itemized billing.
What are the principal consumer protection regulations that apply specifically to telecom services?
Section 43a TKG determines which information operators have to make available to consumers in the contract in an explicit, comprehensive and easily accessible form. The minimum contractual information shall include, inter alia, information on all restrictions on the access and use of services and applications, the minimum level of service quality offered, as well as information on all procedures set up by the company for the measurement and control of data traffic. Moreover, already at the conclusion of the contract, the operator is obliged to provide information about the steps necessary for a possible change of supplier according to section 46 TKG. The maximum contract term is limited to 24 months pursuant to section 43b TKG. Additionally, section 44 TKG provides customer-friendly rules for damages or cease-and-desist claims of the customer. The interests of disabled end-users are considered in section 45 TKG. The availability of an error correction service is required pursuant to section 45b TKG, and the customer's entitlement to an itemized bill is laid down in section 45e TKG.
What legal protections are offered in relation to the creators of computer software?
The creators of computer software (“author”/“Urheber”) are legally protected by copyright, especially by the special provisions for computer programmes in sections 69a et seqq. of the Copyright Act (UrhG), which are based on the EU computer program directive (2009/24/EG). The author is defined as the maker of the piece of work according to section 7 UrhG, which in terms of software means the software developer as a natural person. This copyright ownership as author is not transferable, but it is possible to grant licenses to third parties in return for an appropriate remuneration in accordance with sections 31 et seqq. UrhG. If software is created by an employee, the employer has the exclusive right to use and exploit the software in accordance with section 69b UrhG, provided that nothing to the contrary is agreed. Moreover, the creator could be protected by patent law (PatG) in specific circumstances where the software fulfils the requirements of an invention in a field of technology (“technische Erfindung”), and by the Employee Inventions Act (ArbnErfG). Furthermore, the creator is protected by the criminal law provisions in sections 106 et seqq. UrhG. In accordance with those sections, unauthorised use, unauthorised affixing of copyrights as well as unauthorised tampering with technical protective measures are punishable.
Are specific intellectual property rights in respect of data/databases recognised?
In respect of databases, German copyright law recognises specific intellectual property rights. There are two kinds of databases. One is an autonomous work and protected by copyright because it is considered a personal intellectual creation (“persönliche geistige Schöpfung”) in accordance with section 4 UrhG. For such databases, full copyright protection similar to that for software applies. The other type of database is protected because of the financial investment which was required for creating it. The latter is regulated in sections 87a to 87e UrhG, which are based on the EU Database Directive (95/46/EG). These sections provide that only the producer of the database is authorised to reproduce, distribute and publicly report the database as a whole or a part of it that is essential in type and extent. The European Court of Justice has decided that the essential part of a database refers to the extracted or reused volume of the database (judgment in the case C-203/02). An essential part is therefore considered to be 10 percent or more. Excluded from protection, however, are reproductions for private use, for own scientific use and for illustrative use in education pursuant to section 87c UrhG.
What key protections exist for personal data?
The key protection for personal data is found in the German Federal Data Protection Act (BDSG). As of May 2018, this law will be largely substituted by the General Data Protection Regulation (GDPR), which is going to be in force for the whole of the European Union to ensure a fairly harmonized approach to data protection within all member states.
As a status quo, German data protection laws may be considered to be very strict. In accordance with section 4 BDSG, the collecting, processing and use of data is prohibited, with exceptions in case of a statutory permission or the data subject’s consent. Section 28 BDSG regulates more precisely the gathering and storage of data for own business purposes, which is one of the most important statutory permissions.
In addition, German law also contains sector specific protection for personal data. Section 88 TKG is an important provision for the telecoms sector as it stipulates the requirement of secrecy of telecommunications. Further telecom-specific regulations on data protection are found in sections 91 et seqq. TKG.
In respect of electronic information and communication services (“telemedia”) which are not considered telecommunications, in particular websites, specific protection rules are found in sections 11 et seqq. of the Telemedia Act (TMG). Sections 67 et seqq. of Volume X of the Social Security Statute Act (SGB X) contain special provisions protecting social data.
As the sector-specific provisions prevail over the general provisions in the BDSG but are not comprehensive, this adds complexity to the application of data protection laws.
Are there restrictions on the transfer of personal data overseas?
Germany applies restrictions on the transfer of personal data overseas. These are grounded in sections 4b and 4c of the BDSG, which distinguish between data transfers inside the EU/EEA countries and transfers to other countries outside of the EU. For such other countries, there is a further differentiation between those having a level of data protection comparable to the EU (which is the minority), and “unsafe” countries, as determined by the European Commission. For example, India, China and the United States are considered “unsafe” in the data protection context. This means that the permissions of the BDSG will be replaced by Article 44 et seqq. GDPR in accordance with the current legal framework.
Personal data may only be transferred to a recipient in an unsafe country if the controller or processor in such a country has provided appropriate safeguards, and on the condition that data subject rights are enforceable and effective legal remedies for data subjects are available. In practice, the most common measure is the implementation of the EU model clause. Additionally, Binding Corporate Rules (BCR) play an important role in multi-national companies. The EU and the USA have had the so-called “EU-US Privacy Shield” in place since August 2016. It provides an opportunity for US companies which would like to receive data from the EU to register in a list of the US Federal Trade Commission (FTC) and thereby commit to comply with the fundamental principles of EU data protection laws. The Privacy Shield has replaced the so-called “Safe Harbor Framework”, which was declared invalid by the European Court of Justice on 6 October 2015 (C-362/14). As many principles of Safe Harbor are again found in the Privacy Shield, some scholars are of the opinion that there is a risk that the Privacy Shield may also be successfully challenged in the European Courts.
What is the maximum fine that can be applied for breach of data protection laws?
In accordance with section 43 (3) BDSG, the maximum fine that can be applied for breach of data protection laws is 50,000 Euro or 300,000 Euro respectively, depending on the breach. For the telecommunications sector, the maximum fine ranges from 10,000 Euro to 500,000 Euro pursuant to section 149 (2) TKG.
In contrast, the fines regulated in the GDPR are much higher. In accordance with Article 83, the GDPR fines go up to – depending on the breach – 10,000,000 Euro or in the case of an undertaking, up to 2 % of the total worldwide annual turnover of the preceding financial year, and up to 20,000,000 Euro, or in the case of an undertaking, up to 4 % of the total worldwide annual turnover depending on the individual case.
Are there any restrictions applicable to cloud-based services?
There is no law that generally prohibits cloud-based services in German law. But the data protection laws mentioned above set the legal framework to be complied with.
There is a guide for cloud computing (current version: Orientierungshilfe – Cloud Computing vom 09.10.2014, Version 2.0) issued by the highest data protection authorities in Germany which provides detailed instructions on how to use cloud-based services.
Moreover, there are specific restrictions for regulated markets. For example, financial institutions which outsource activities and processes are obliged to follow the requirements pursuant to section 25b Banking Act (KWG). Cloud computing often qualifies as “outsourcing” in this respect. Similar specifications are found in the Stock Exchange Act (BörsG) and the Securities Trading Act (WpHG). Special restrictions also exist for the insurance sector, e.g. section 32 Insurance Supervision Act (VAG), according to which the insurance company stays responsible for the fulfilment of regulatory rules when outsourcing activities. Restrictions on the usage of social data in clouds are regulated in section 80 SGB X, and for taxation the restrictions are regulated in section 146 (2, 2a) tax code (AO). According to this section, books and otherwise required records shall be kept within the scope of the AO, therefore in national territory. Furthermore, some professionals who are subject to professional secrecy also face restrictions with regard to cloud-based services. For example, doctors, lawyers, tax advisors and persons working in life and health insurance have a statutory duty of professional secrecy, and unauthorized disclosure is considered a criminal offence pursuant to section 203 German criminal code (StGB). However, a reform of this law is about to pass the German parliament which will make the usage of cloud computing legally possible for these professions as well, provided proper contractual safeguards as regards data secrecy are in place.
Are there specific requirements for the validity of an electronic signature?
German requirements on electronic signatures are laid down in the Regulation on Electronic Identification and Trust Services (eIDAS), which replaced the German Signature Act (SigG) only recently in July 2017. The new regulation contains binding European-wide rules in the areas of electronic identification and electronic trust services. The eIDAS Regulation introduced the so-called “electronic seals”. Technically, these are similar to electronic signatures. The main difference is the assignment to a legal rather than a natural person. While electronic signatures can be used to sign a declaration of intent, the electronic seal of an institution serves as proof of origin: it can be used wherever a personal signature is not necessary, but proof of authenticity is desired, e.g. in the case of official decisions, certificates and account statements.
For the validity of electronic signatures in general (for example in e-mails or PDF documents), there are no specific requirements. However, for legal acts which require written form according to section 126 German Civil Code (BGB), this form requirement can (where not excluded in the law) only be replaced by a qualified electronic signature. A qualified electronic signature is only given in cases where a certified identification unit was used when creating the signature (which is rarely the case). Electronic documents only have the same value of proof as documents which were signed by hand if a qualified electronic signature is used in the document (section 371a German Code of Civil Procedure).
In the event of an outsourcing of IT services, would any employees, assets or third party contracts transfer automatically to the outsourcing supplier?
In some cases, yes. In the event of an outsourcing of IT services, there are rules for an automatic transfer by law to the outsourcing supplier in respect of employees (so-called “transfer of undertaking”/“Betriebsübergang”). These rules are laid down in section 613a BGB. In accordance with this section, the former employer has the duty to notify the employee about the date and the reason of the transfer and about the legal, economic and social consequences for the employee. The rights and obligations of the existing employment relationship cannot be changed to the detriment of the employee before expiry of one year as of the date of the transfer. In addition, the employee can object to the transfer in writing within one month.
There are strategies on how to avoid a transfer of undertakings which can be applied in certain cases.
If a software program which purports to be an early form of A.I. malfunctions, who is liable?
The liability for malfunctions of a software program which purports to be an early form of A.I. is still unresolved in German law. Three different approaches are discussed amongst legal scholars. One opinion attributes the liability to the operator according to sections 280, 823 BGB. Another opinion wants to solve this problem with a new regulation on strict liability which is independent of negligence and intent, similar to product liability. A third idea is to create a separate legal entity for A.I., the so-called “e-person”, as a counterpart to natural and legal persons.
What key laws exist in terms of obligations as to the maintenance of cybersecurity?
There are diverse regulations on cybersecurity depending on the industry sector and on which data is processed. When personal data is processed, section 9 BDSG and Article 32 GDPR require a level of security appropriate to the risk. Telecommunications operators are obliged to take measures to protect the secrecy of telecommunications and to guard against unauthorized access to personal data in accordance with section 109 TKG. Section 8a BSI-Act (BSIG) regulates obligations for operators of critical infrastructure to ensure their technical functionality. An adjustment of the BSIG will be made to implement the NIS EU directive. The directive defines measures to ensure a high common security level of network and information systems in the EU.
What key laws exist in terms of the criminality of hacking/DDOS attacks?
Hacking/DDOS attacks are often considered criminal offences according to sections 202a to 202d StGB. These regulations punish spying on data, data interception, the preparation of spying and interception as well as the unauthorized receiving of data. Additionally, section 263a StGB regulates computer fraud, and sections 303a and 303b StGB cover data alteration and computer sabotage.
What technology development will create the most legal change in the jurisdiction?
The most legal change is to be expected regarding artificial intelligence. As mentioned above, the liability for malfunctions of A.I. is still unresolved in German law. The lack of a liability provision will trigger the need for a legal reform. Essential questions that have to be solved soon are, for example: Who will be liable for robots? Will intelligent machines be able to conclude valid contracts, and under which requirements, e.g. in the Internet of Things (IoT)?
Which current legal provision/regime creates the greatest impediment to economic development/ commerce?
One of the greatest legal impediments to economic development/commerce is the consumer protection regime governed by German civil law in sections 312 et seqq. BGB. These sections contain very complicated consumer protection regulations for e-commerce and distance selling which are almost impossible to comply with. Therefore, a simplification and reform is needed.
Do you believe the legal system specifically encourages or hinders digital services?
On the one hand, the guide for cloud computing (Orientierungshilfe – Cloud Computing vom 09.10.2014) provides detailed instructions on how to use cloud-based services, which gives much clarity in this area. On the other hand, data protection regulations are very strict, as will be the case throughout Europe due to the GDPR.
To what extent is the legal system ready to deal with the legal issues associated with artificial intelligence?
There is still quite some legal uncertainty regarding artificial intelligence. (See above)