Thought leadership from our experts

Current IT law trends in Germany

Currently, Data Protection seems to be the hottest topic of IT law in Germany. Even before finalisation of the revised European laws, many companies are focussing on data protection compliance and their procedures, products and services. Many trends and new technologies are related to the processing of information and services that need to consider data protection laws.

Data protection laws experienced further development by case law. There have been various landmark decisions by the European Court of Justice (ECJ), such as on the intention of full harmonization by the current EU Directive, the infringement of fundamental personal rights of citizens by traffic data retention for security purposes, the application of EU laws for non-EU companies and a "right to be forgotten" in search engines (the last two topics were decided in a case against Google). Further important decisions are to be expected by the ECJ, such as whether IP addresses are personal data. Likewise, in Germany, a number of remarkable court decisions have been rendered against the big internet companies, such as Apple, Facebook, Google, Whatsapp, dealing mainly with applicable law, privacy policies and consent, as well as the transparency requirements.

One particular example advice on data protection, apart from the evergreen of data transfers outside the European Union (on the basis of an increasing number of Binding Corporate Rules, EU model clauses or EU US safe harbour) is Big Data: Companies seek to implement big data applications, for example, for CRM purposes and service providers offer new services based on big data. Apart from other IT-law related questions, data protection is the core concern.

Many devices and applications and services, that might be categorized as part of the Internet of Things, are currently entering the market (for example, SmartTvs, Wearables). If offered for consumers, terms of use are subject to strict rules, and, respective privacy notices and consents may be required. Other issues relate to non-consumer developments (in Germany often called Industry 4.0) such as more complex liability issues in case of mistakes in machine-to-machine communication, etc.

Cloud Computing, in particular software-as-a-service, is another big trend, no longer limited to consumers and small enterprises. Even big multi-national companies are implementing cloud computing solutions, at least as part of their portfolio of IT services. Contracts relate to a number of questions on copyrights and software licensing rights: Who is the user? Who requires a license? What are the consequences, in case of IP right infringements? Providers and various associations currently seek to establish standards for cloud computing contracts. One core topic, again, is data protection, in particular in case of data transfers outside the European Economic Area. While European data protection authorities (Article 29 Group) have approved Microsoft's Office365 contract as being compliant with the various national and international guidelines for data protection, a court decision against Microsoft in the US ordering disclosure of data located in Ireland (against which Microsoft appeals) is getting a lot of attention. Further uncertainty is driven by statements of German data protection authorities that they, as a consequence of the revelations by Edward Snowden, do no longer consider established instruments for transfers of personal data to the US (EU model clauses, EU-US safe harbour rules) to be reliable. Currently, the EU-US safe harbour rules are subject to negotiations between the EU Commission and US authorities.

Stricter enforcement of Consumer Protection Laws against IT services providers seems to by another trend: an increasing number of cases are brought up by consumers and consumer protection organizations on the basis of German unfair trade laws, not only for compliance with the German rules on general terms and conditions, but as well for breach of data protection rules, transparency etc. An increasing number of cease and desist requests, court orders and court cases are reported against providers that are not located in Germany, but addressing the German market need to comply with German transparency requirements, provide terms of use in the German language and need to comply with before said rules.

Taking into account the growing importance of the Internet of Things and increasing connectivity of devices, Cybercrime and IT Security play a more important role. The German government has presented a draft IT security law (to be implemented within two years), which will impose mandatory obligations to implement sufficient IT security measures and to report security breaches on critical industries such as communications, traffic, health, etc. As a consequence, it is expected that other industries will also need to put a closer focus on IT Security, as IT compliance is getting more attention and the consequences of Cybercrime become more obvious, such as recently in the Sony Pictures case.

E-Commerce companies, since the summer of 2014, need to implement revised rules on distance-selling and the right to withdraw transactions. Many shops and other website operators also struggle with the requirements regarding cookies (because Germany has not explicitly implemented the EU Directive and, hence, the legal situation remains unclear).

Outsourcing still is a very important factor in Germany. While there seem to be no landmark legal developments, the trend now is clearly going towards second generation outsourcing contracts with a different focus, compared to first generation outsourcing, in particular requiring complex transition agreements between the former and the new outsourcing services provider.

Finally, developments around Copyright Laws are again driven mostly by ECJ decisions on the responsibility of access providers, the possibility to transfer software licenses (Used Soft case) and on the framing of foreign content on websites. Currently, streaming technologies are a matter of various disputes and German courts struggle to deal with such services.