Lexology GTDT Market Intelligence provides a unique perspective on evolving legal and regulatory landscapes. This interview is taken from the Digital Transformation volume, which discusses various topics within key jurisdictions worldwide, including a look at the main laws and regulations, the impact of cybersecurity legislation, cloud contract considerations, the impact of data protection laws and more.
1 What are the key features of the main laws and regulations governing digital transformation in your jurisdiction?
There is no comprehensive regulation on digital matters in Germany. Rather, general principles under existing laws apply, although specific aspects are increasingly subject to legislation. Many of these developments are shaped by European regulations and directives.
The main source of civil law, including general liability and contract principles, remains the German Civil Code (GCC), dating back to the year 1900, with consumer protection rules on online contracting included from the year 2002 onwards. Other important laws on digital transformation include the Copyright Act and the Telemedia Act, which incorporates key features of Directive 2000/31/EC (the e-Commerce Directive), such as the country of origin principle and liability mitigation for internet providers.
Recently, some important laws have been enacted in Germany to cope with the challenges of the digital era. These include, in particular, the IT Security Act of 2015 (ITSA) and, of course, implementing legislation for the European General Data Protection Regulation (GDPR). The ITSA represents a significant development in the field of digital transformation, as it sets forth cybersecurity standards and establishes the obligation to report IT security incidents. As part of the ITSA, the Act on the German Federal Office for Information Security (AGFOIS) addresses critical infrastructure operators, inter alia in the fields of energy, information technology, telecommunications, and transport and traffic, as well as providers of digital services. Such addressees are obliged to take appropriate organisational and technical precautions to avoid disruption of their information technology systems. Compliance with the obligations set forth in the ITSA is monitored by the German Federal Office for Information Security (GFOIS).
The GDPR, on the other hand, provides a legal framework for the use of personal data, with the aim of ensuring data protection and security. As a European regulation, the GDPR is directly applicable within the German jurisdiction. Nevertheless, Germany has implemented the GDPR, including certain German specifics as permitted under the GDPR, in a new version of the German Data Protection Act (GDPA). The quintessential principle of the GDPR and the GDPA is that data processing is always subject to a legal permission, meaning that data processing is forbidden unless permitted by consent or statute.
2 What are the most noteworthy recent developments affecting organisations’ digital transformation plans and projects in your jurisdiction, including any government policy or regulatory initiatives?
With a view to increasing cybersecurity, there has been a government initiative to amend the ITSA and, inter alia, to expand the authority of the GFOIS. The initiative aims to add companies of special public interest to the circle of addressees of the ITSA and thereby expand the applicability of those regulations one step further, meaning that these companies would also be bound by higher IT security standards and reporting obligations. This initiative is, however, still in the drafting process, so a concluding evaluation cannot be made yet.
In light of Directive 2019/770/EU (Digital Content and Digital Services Directive), which was adopted by the EU in May 2019, major changes will be brought to contract law as enshrined in the GCC. As a result of its implementation, there will, for the first time, be specific rules in German law on contracts for the supply of digital content and services. Given the broad application of the directive, such new contract law will cover items ranging from media content to software, including sale, rental and service models, along with cloud services and platforms such as Facebook, Airbnb and Uber. Key provisions of the directive relate to unified standards for defects, including customer rights. The scope of the directive is, however, limited to B2C relationships in which the customer pays a price, and the German government has indicated that it intends to restrict implementation efforts accordingly and not extend the new law to B2B relationships. Nevertheless, non-paid services will be covered by the laws where ‘payment’ is made by the consumer providing personal data.
3 What are the key legal and practical factors that organisations should consider for a successful Cloud and data centre strategy?
As providers extend their range of highly customised, flexible and scalable services, cloud and data centre outsourcing provides major opportunities to customers to save technical and financial resources. However, such outsourcing involves a number of legal and practical challenges.
The issue of IT and data security is both a driver for and a concern associated with cloud outsourcing. While it results in an operative loss of control, as the data processing will be taken over by an external IT provider, larger providers in particular are usually more qualified and resourceful in mitigating security threats than internal IT departments. On a technical level, the integration and compatibility with other clouds and systems, both of external providers and of the internal IT departments of the customer’s organisation, are factors to be taken into account. The decision to become operationally dependent on external IT providers, and the selection of suitable providers, should therefore be considered carefully.
From a contractual standpoint, it is often difficult for a customer to achieve sufficiently protective agreements with cloud providers, even more so where specific regulatory requirements are involved that the provider is expected to implement (on this, see below). Usually based on Anglo-American contract forms, cloud terms are mostly provider-friendly (eg, in terms of service standards, service levels, warranty and liability provisions) and, given their standardised nature, providers often decline major amendments. As German companies are bound by restrictions under German general terms and conditions law even in a B2B context, they will in many situations risk taking on responsibilities vis-à-vis their customers without corresponding recourse under the contracts with cloud providers. It is therefore important for German cloud customers either to negotiate the cloud terms with the providers, or at least to review the extent to which those terms are enforceable when German law is chosen (see below).
Where cloud-based services qualify as data processing in the sense of the GDPR, they need to meet applicable data protection requirements, and the contractual framework must establish that the customer controls the cloud provider in this regard. In general, there is established practice to take account of such data processing. However, following the European Court of Justice’s decision in Schrems II invalidating the EU-US Privacy Shield and casting doubt on the sufficiency of standard contractual clauses, there is uncertainty as to the requirements for legally compliant data transfers to the US. Similar uncertainties exist in relation to data transfers to the UK in light of the ongoing negotiations with the EU on the future relationship in connection with Brexit.
4 What contracting points, techniques and best practices should organisations be aware of when procuring digital transformation services at each level of the Cloud ‘stack’? How have these evolved over the past five years and what is the direction of travel?
When it comes to digital transformation to the cloud, organisations should be aware that cloud computing often involves a large number of subcontractors and multiple server locations. In this context, companies should ensure that clear performance standards and independent controls are defined in the contract, so that they can respond to the limited controllability and agree on support services. In addition, organisations need to consider the applicable law. Where choice-of-law clauses are not included in contracts, the jurisdiction is determined by private international law, in particular Regulation No. 593/2998/EC (Rome I).
Assuming cloud agreements are governed by German law, which is largely enshrined in statutes, determining the relevant contract types is a key factor in understanding and shaping the applicable rules. These differ depending on the cloud computing solution. Cloud agreements can qualify as service, work or rental contracts, each of them with a distinct impact on rules including service standards, warranties, liability and termination. Further complexity stems from the fact that cloud contracts usually consist of several, often different, service components that are combined in a single contract. Therefore, those contracts are in general considered mixed-type contracts. Most notably, however, it can be derived from a decision of the German Federal Court of Justice (GFCJ) on the classification of an application service providing contract that, in principle, a cloud service agreement would be considered a rental contract. Nevertheless, services that go beyond the mere provision of the cloud services will be characterised as services in the sense of a service or work contract.
In recent years, there has been a trend towards standardised contracts presented by cloud providers rather than project-oriented individual outsourcing contracts. Usually based on Anglo-American-style contract forms, cloud terms are mostly provider-friendly (eg, in terms of service standards, service levels, warranty and liability provisions). Such terms are often considered invalid, in whole or in part, under German general terms and conditions law where they provide for an ‘unreasonable disadvantage’ to the other party. While these standards always apply to German B2C customers, cloud providers may avoid the application of German law by choice of a foreign jurisdiction in relation to B2B customers. However, German corporate customers often insist on German law contracts. It is a specific feature of German general terms and conditions law that it applies even in the B2B context, and therefore standard forms under German law always need to be adapted accordingly. Hence, cloud providers have to take care when choosing German law, as the applicability of T&C law may render their international terms unenforceable in many respects.
5 In your experience, what are the typical points of contention in contract discussions and how are they best resolved?
Based on our long-standing experience negotiating cloud (and other outsourcing) contracts, the main points of contention lie in defining the service standards, including the applicable service levels, along with warranty provisions. In particular, in order to implement appropriate safeguards for the customer, the service quality must be specific and measurable. Therefore, the more precisely service level agreements and the legal consequences of a breach are defined, the better the customer can assert his or her rights in the event of a disruption.
Other important aspects are termination rights. From the customer’s perspective, the agreements should provide for specific termination rights of the customer for compelling reasons. The parties would then define different scenarios in which the customer would be entitled to terminate the agreement for cause (for example, if the service provider breaches the service level agreements or delays the implementation of certain critical milestones). Termination must of course be linked to the return of all data to the customer in a suitable format, and further transition support by the cloud provider where required.
Given the lack of control over the service moved to the cloud, it is important for the customer to include monitoring and audit rights in the contractual framework. However, IT service providers are usually reluctant to allow customer audits, particularly in person at the providers’ premises, so this may become a major point of contention.
German statutory law provides for an unlimited liability of the parties for all damages adequately caused by a culpable breach. Service providers will therefore usually request restrictions such as a damage cap or the exclusion of consequential damages. Hence, liability issues will be a major discussion point.
6 How do your jurisdiction’s cybersecurity laws affect organisations on their digital transformation journey?
In addition to security requirements under the GDPR, there is increasing cybersecurity regulation in Germany. While general IT security provisions apply to all commercial information and communication services, providers of critical infrastructure and organisations in certain regulated sectors are subject to increased standards that are usually accompanied by technical guidelines which need to be implemented by internal IT departments and external service providers.
Under German law, organisations operating critical infrastructures as well as digital service providers are bound by the obligations set forth in the ITSA (see above). According to section 8c of the AGFOIS, providers of digital services shall take ‘suitable and adequate technical and organisational measures to manage risks to the security of the network and information systems which they use to provide the digital services within the European Union’. They furthermore shall immediately report to the AGF any security incident materially affecting the provision of a digital service provided by them within the European Union. The same principles apply to operators of critical infrastructures. In addition, they shall take appropriate organisational and technical precautionary measures in order to avoid disruptions of the availability, integrity, authenticity and confidentiality of their information technology systems, components or processes that are decisive for the functionality of the critical infrastructures operated by them.
Particular IT security requirements apply to certain regulated sectors. Where the addressee is an organisation in the banking industry, it must comply with section 25(a) of the Banking Act (BA) as well as the new Outsourcing Guidelines of the European Banking Authority. Similar requirements exist for insurance companies. This inter alia requires the development of an appropriate IT emergency concept by the respective organisation. There are also special regulatory requirements regarding the IT of banks and insurance companies, which are laid down in the Banking Regulatory Requirements for IT (BRRIT) and the supervisory requirements for insurance IT. Where an organisation is part of the energy sector, specific cybersecurity requirements of the Energy Industry Act (EIA) must be taken into account, in particular section 11 of the EIA.
From an operative perspective, even where not mandatory, it is an essential function within digital transformation to appoint an IT security officer and to provide this person with the appropriate knowledge and the necessary authority for this function. It may be advisable for companies on the path to digital transformation to familiarise themselves with the German industry norm standards on IT security, such as ISO/IEC 27001:2013, which, although they do not have any direct legal effect, can be used as an interpretation aid when specifying undefined legal requirements addressing IT security. Furthermore, compliance with the industry norm standards can be included in the assessment of whether, in the case of a cyberattack, fault lies with the attacked company or individually responsible employees. So far, the law provides very few specifications regarding IT security for digital transformation. However, the few existing specifications should be adhered to at all costs in order to be able to exculpate oneself vis-à-vis the injured parties in the event of a hacking or other attack on the digital infrastructure.
7 How do your jurisdiction’s data protection laws affect organisations as they undergo digital transformation?
The GDPR (and the GDPA as its German implementation act) sets forth the fundamental regulations on data protection under German law. While its strict principle that every data processing requires justification restricts data-driven businesses in certain ways for the sake of protecting the individual’s rights, German law does not specifically limit the free flow of data.
Traditionally, Germany has placed strong emphasis on data protection. However, the implementation of the GDPR has intensified the attention of businesses and other organisations to data protection in Germany, in particular due to high fines of up to €20 million or 4 per cent of the company’s (or, as the case may be, group of companies’) revenue pursuant to article 83 of the GDPR. Most notably, the GDPR entails considerable documentation efforts, as all companies processing personal data were required to establish a separate register of processing activities in accordance with article 30 of the GDPR and to comply with the information obligations set forth in articles 13 and 14 of the GDPR.
8 What do organisations in your jurisdiction need to do from a legal standpoint to move software development from (traditional) Waterfall through Agile (continuous improvement) to DevOps (continuous delivery)?
While internal development organisations undergo fundamental reshuffling with new structures and working methods being implemented, changes from a legal perspective are mostly observed in development by external providers.
Agile software development and, even more so, continuous delivery mean continuous review and should also be accompanied by ongoing legal advice. A major advantage of Agile development is the fact that the customer is not bound to long delivery cycles. In this context, the customer receives flexible products at short notice. However, using Agile software development solutions can also lead to major risks: for Agile project methods to be applied successfully, it is essential that the customer has experience with such methods, as the customer needs to participate in the development process. Also, the establishment of Agile development methods results in a seismic shift in contract design. Agreements on traditional, waterfall-based development qualify as contracts for work, which is protective of the customer as it allows the customer to hold the provider accountable for the finished and measurable result, usually at a fixed price. Agile development and DevOps, on the other hand, are based on sprints or phases that, by definition, are not directed at finished products. The respective contracts are more akin to contracts for services, where the provider owes time and skill rather than a particular result. Hence, it is also more difficult to establish warranties, liability and budget compliance of the IT service provider in such contracts. However, depending on the actual process and requirements of the customer, it is possible to tailor contracts for Agile development and DevOps in a way that includes result-based elements allowing, in particular, for acceptance and result-based warranties.
9 What constitutes effective governance and best practice for digital transformation in your jurisdiction?
Many German companies have set up new operational structures and units to spearhead digital transformation, often led by the new function of a Chief Digital Officer (CDO). Within the company, the relevant technical knowledge should be ensured by appropriate staffing, and the obligation to appoint a data protection officer should be explicitly emphasised.
In the German legal market, however, there is no particular best practice yet. Rather, digital transformation has increased the importance of legal support functions focused on IT matters, coupled with specific commercial law experience to support the development of digital business models and expertise in data protection law. Given the technology-driven nature of digital transformation, it is also important to provide for close exchange between operational and legal support functions, so risks and business models are appropriately understood and reflected in the assessments and agreements prepared by the law department. In case of doubt, it can be helpful to consult a law firm specialising in IT and outsourcing in order to eliminate existing uncertainties and to ensure the secure support of the digital transformation.
The Inside Track
What aspects of and trends in digital transformation do you find most interesting and why?
We see that digital transformation affects a variety of legal matters in almost every part of our clients’ businesses, ranging from increased emphasis on IT infrastructure through new regulatory requirements to contracting and liability issues involved with new technologies such as data analytics and platforms. This challenges us to find new, innovative solutions and to drive innovation and digital transformation forward together with our clients. For us, every problem that arises out of a matter concerning digital transformation is an opportunity to find the best possible solution for our client and to increase our expertise in this matter. It also enables our creativity, as many aspects are still undecided by German jurisprudence. This gives us leeway to advise our clients in finding the optimal solution, and, sometimes, there are also opportunities for shaping the law going forward. Being part of this transformation and not only witnessing it, but also providing legal support to create the conditions for a successful digital transformation, is what makes our work fascinating.
What challenges have you faced as a practitioner in this area and how have you navigated them?
One is always faced with the challenge of working in a field of law that is not fully regulated by the German legislature, as digital developments often arise so fast that the legislation is not able to cope. Therefore, one must always look for comparable situations in other legal areas (such as construction law compared to an IT project contract) in order to gain some guidance on how jurisprudence will develop.
What do you see as the essential qualities and skill sets of an adviser in this area?
An essential quality of an adviser in this field of work is deep expertise not only in legal but also in technical matters. Further, an adviser should not only have an understanding of essential IT law matters but also work cross-divisionally in other connected areas and therefore see the ‘big picture’. On top of that, an adviser in the information technology field must be able to react quickly to changing developments in order to ensure that he or she can provide the best possible support for the client, even when confronted with a problem arising for the first time.