Update Data Protection No. 114
The New EU Digital Law and its Implementation in Germany
With the GDPR, the European Union made its first major impression on the digital economy in 2018. While this is primarily aimed at protecting the individual and personal data, the EU is now also addressing the rights to non-personal data and the competition law dimension of the influence of large digital companies such as Google, Meta, Amazon and Co.
In addition, the new consumer law for digital content and services as well as goods with digital elements has applied in Germany since the comprehensive reform of digital sales law entered into force on January 1, 2022.
For companies operating in digital markets or offering digital products, these reforms require comprehensive action. This article provides an overview of the new digital law in Germany and the EU as well as recommendations for action regarding the respective laws or draft laws.
B. Changes in German law
At the national level, the Act on the Implementation of the Directive on Certain Aspects of Contract Law in the Provision of Digital Content and Digital Services and the Act on the Regulation of the Sale of Goods with Digital Elements and Other Aspects of the Purchase Agreement were adopted on June 25, 2021, and entered into force on January 1, 2022. The laws serve to implement the EU Directives 2019/770 and 2019/771. In principle, the new consumer law does not apply to the B2B sector, but it may have a ripple effect.
Deviating agreements to the detriment of the consumer are only possible in the case of contracts for digital content and services as well as for goods with digital elements pursuant to Sec. 476 (1) sentence 2 BGB (German Civil Code) or Sec. 327h BGB if:
- the consumer has been specifically informed; and
- the deviation has been expressly and separately agreed.
With the implementation of the Consumer Rights Directive and the Fair Consumer Contracts Act (Gesetz für faire Verbraucherverträge), a number of other changes have entered into force that may require companies to take action. Failure to do so carries the risk of warnings, and companies may also be exposed to significant contractual liability risks.
I. Contracts for digital content and services
With the contract on Digital Content and Services (DCS) (Sec. 327 et seq. BGB), a new type of contract was introduced into the BGB, which deals with the supply of DCS by a business to a consumer (B2C). This type of contract always applies if the performance of a purchase or service contract is provided in digital form.
While digital content includes, for example, computer programs, apps, video & audio files, digital games or eBooks, digital services include the creation, processing or storage of data in digital form or the enabling of access thereto (e. g. software as a service — SaaS, games offered in a cloud computing environment and on social media, streaming services, social media memberships, messenger services, webinars).
Unlike in the past, the consumer protection regulations pursuant to Sec. 312 (1a) BGB already apply if the consumer provides personal data as consideration or undertakes to do so and this is not only done to fulfil the performance obligations of the entrepreneur, even if they do not owe any remuneration in cash.
Compared to general contract law, Sec. 327 et seq. BGB entails special obligations for companies. In addition, DCS is subject to a special term of defect pursuant to Sec. 327e BGB, which also results in a need for further action.
Checklist for DCS providers
- The supply of DCS must take place without undue delay after conclusion of the contract, unless otherwise agreed, i.e. without culpable hesitation. Otherwise, the consumer has a right of termination after an unsuccessful request according to Sec. 327c BGB. As a rule, the supply takes place without undue delay. The supply takes place by giving the consumer access to the digital content itself or the means for accessing or downloading it.
- Supply of the latest version available at the time of conclusion of the contract or explicitly deviating agreement.
- In the case of DCS requiring payment: Informing the consumer that the right of withdrawal expires upon commencement of the performance of the contract and obtaining the express consent to the performance of the contract (in the case of non-payable, non-physically provided DCS, the right of withdrawal expires automatically at the commencement of the performance of the contract, Sec. 356 (5) BGB).
- The quality of the product must not deviate from previously provided test versions.
- If there is no obligation to later performance for test functions, this must be expressly pointed out beforehand.
- If the integration of a product is carried out, it must also be carried out properly (Sec. 327e para. 4 BGB).
- Provision of updates (updates that establish the contractual nature or security of the service, but not upgrades). In the case of contracts for permanent supply, this is done during the supply period of the main service, otherwise the following applies: for the period that consumers can expect due to the nature and purpose of the digital product and taking into account the circumstances and the nature of the contract (Sec. 327f BGB).
- Freedom from defects must be guaranteed for the period mentioned above.
- Clearly define characteristics of the DCS contractually in order to be able to prove freedom from defects despite reversal of the burden of proof for one year (Sec. 327k BGB).
- Clearly define update periods in advance by contract. However, a blanket exclusion from updating in terms and conditions is inadmissible.
- In the case of continuing obligations concluded online, such as streaming services or software subscriptions: Provision of a cancellation button (e. g. “Cancel contracts here”) with the following characteristics: a) just as easy to use as the Purchase button (Sec. 312k para. 2 BGB), b) forwarding to a confirmation page, if necessary, entering further required data and confirmation by the customer, c) possibility of saving the notice of cancellation, d) sending a confirmation in text form (e. g. by email).
- In case of the permanent supply of DCS: Contractual definition of valid reasons that justify a change in service (a valid reason exists, for example, if changes are necessary to adapt the digital product to a new technical environment or increased number of users and, if necessary, for other operational reasons);
- Change of permanently provided DCS is only possible according to Sec. 327r BGB if a) there is a contractually provided reason, b) the consumer does not incur any additional costs as a result of the change and c) the consumer is clearly and understandably informed about the change. The consumer may then have an extraordinary right of termination, but in no case in the event of insignificant changes or continued access to the unmodified product.
- For operators of online marketplaces: Information on the main parameters of product rankings and their weighting (Sec. 312l BGB in conjunction with Art. 246d EGBGB (German Introductory Act To The Civil Code)).
II. Goods with digital elements
For goods with digital elements, on the other hand, Sec. 475a et seqq. BGB applies, so consumer goods sales law with some modifications is applicable. Goods with digital elements are:
- a thing within the meaning of Sec. 433 BGB (German Civil Code);
- that is connected to DCS elements or in which DCS are contained;
- so that it cannot fulfil its functions without this DCS (e. g. “smart” household appliances, smartphones, tablets, smartwatches or vehicles);
- that cannot be separated from the DCS; indications for this: the DCS is required for the functions of the purchased thing or is provided under the same purchase contract;
- not only data carriers within the meaning of Sec. 327 V BGB.
Checklist for goods with digital elements
- Check whether these are actually goods with digital elements or whether they are separable DCS.
- Defect-free supply of the thing. In this context, quality agreements also refer to the type, quantity, quality, functionality, compatibility, interoperability and other characteristics of the thing for which the parties have agreed requirements. If necessary, define these features contractually.
- Supply of updates and a guarantee of freedom from defects as with DCS (see above). In the event of a defective update, the buyer may assert warranty rights even if the thing was free of defects at the time of transfer of risk.
- Information about the availability of updates and possible consequences of a failure to update (confirmation for verification purposes).
- Clearly define the characteristics of permanently provided digital elements in order to be able to prove freedom from defects for two years despite the reversal of the burden of proof (Sec. 477 (2) BGB).
- If the buyer desires an agreed quality that exceptionally does not correspond to the usual quality referred to in Sec. 434 (3) (1) (1) BGB, this must be expressly waived individually(!) by contract (negative quality agreement, cf. Sec. 476 (1) BGB). Exclusion via terms and conditions is not sufficient.
- Contractually define update periods, which may not be less than two years for the permanent supply of digital elements.
- Amend contracts with the suppliers of the respective digital elements, so that they bindingly guarantee the timely supply of updates.
C. New developments in EU law
I. Data Act
At the beginning of 2022, the EU Commission presented a first draft for the EU Data Act, which is part of the European Data Strategy of February 2020. The aim of the Data Act is to create a legal framework for the use of and trade in non-personal data in order to better exploit its value. As a result, smaller companies will also be able to gain access to data in the future that was previously exclusively in the hands of large platforms and that they themselves could not collect to a comparable extent. This primarily affects data generated by networked objects in Europe, such as intelligent objects, machines and devices.
The Data Act could in future entail the following need for action for digital companies, whereby the rights of small and medium-sized enterprises (SMEs) vis-à-vis large digital companies will in principle even be strengthened by the Data Act:
- Enable data portability by ensuring simple (free) data transfer, for example, when a provider is changed.
- Supply of certain data if authorities demand such (e. g. aggregated and anonymized data from mobile operators) in the event of an exceptional situation of major public interest (e. g. floods, forest fires).
- For SMEs: Agreement of fair model contract terms, provided by the Commission, with large suppliers.
- For large companies: Revision of the contracts used, in particular with regard to SMEs, and deletion of certain unfair terms.
The EU Digital Markets Act (DMA) is aimed primarily at large platforms. The European Parliament adopted it on July 5, 2022, together with the Digital Services Act (DSA), which (as things stand today) lacks only the consent of the Council of the European Union, though this is considered a formality. Neither the DMA nor the DSA needs to be implemented at the national level (because they are EU regulations).
The DMA has its background in competition law and is aimed at so-called gatekeepers, who have a consolidated market position in the EU for the operation of a platform service. This is usually the case if:
- an annual turnover of at least EUR 7.5 billion was achieved in the EEA over the last three financial years or a market capitalization of at least EUR 75 billion in the previous financial year;
- the central platform service had more than 45 million monthly active end-users and more than 10,000 annual active business users in the EU in the previous financial year; and
- these criteria have been met in each of the last three financial years (Art. 3 (2) DMA).
This means that the DMA is primarily aimed at the major US companies Google, Amazon, Meta, Apple and Microsoft. In Europe, the DMA will initially target only a handful of companies, if at all. For the other digital companies, it is sufficient if they regularly check whether they are approaching the lower limits of Art. 3 DMA.
The DMA also provides that messenger services establish interoperability with other messenger services, so that users could, for example, also receive messages on WhatsApp which were sent by another messenger (Art. 7 DMA). Providers of smaller messenger services should already create the technical interfaces for this interoperability in order to be prepared.
Under the DMA, fines of up to 10 % of the worldwide annual turnover, or 20 % in the case of repetitions, can be imposed, and even a dismantling of corporations is possible in individual cases.
Unlike the DMA, the Digital Services Act (DSA) basically covers all online intermediaries of digital services in the EU (e. g. Internet providers, domain registrars, social networks, e-commerce providers, cloud and web hosts). In addition, there are special rules for providers that are classified as “very large” and exceptions for very small providers.
The DSA is primarily concerned with protecting consumers from illegal or harmful content such as fake news, hate postings and illegal or counterfeit services, but also disinformation. Sanctions under the DSA can amount to up to 6 % of a company’s worldwide annual turnover, but in the case of illegal content, companies only face them if they are aware of said content.
For the online services concerned, the following requirements for action arise, which will certainly still be specified by court decisions or official recommendations for action after the DSA has entered into force.
Checklist for the Digital Services Act
- Introduction of an internal procedure for the simple reporting and deletion of illegal content as well as for responding to official deletion requests (“notice and take down”).
- Draft an internal policy to quickly identify illegal content within the meaning of the DSA. It is currently unclear which content will specifically be classified as “illegal”, but terrorist propaganda, hate speech or the sale of counterfeit goods are likely to be included.
- Investigate services for dark patterns and remove them if necessary. Dark patterns steer users toward certain decisions through targeted design or suggestions (for example, when a certain choice is visually pushed into the foreground or users’ minds are to be changed by targeted pop-ups). In particular, it must not be more difficult to reject cookies than to consent to them.
- Offer simple options for the cancellation of services (see cancellation button according to Sec. 312k BGB).
- Technically prevent profiling of and personalized advertising aimed at minors.
- Discontinue targeted advertising related to sensitive data.
Further obligations for large online platforms (at least 45 million users in the EU):
- At least once a year: Carry out a risk mitigation analysis with regard to the dissemination of illegal content, negative impacts on fundamental rights, intentional manipulation of the service and the resulting risks.
- Supply recommendation mechanisms that are not based on profiling to the detriment of users.
- Further obligations regarding the transfer of data to authorities and handling of user data.
With regard to EU law in particular, further innovations and publications are to be expected. In the event of strong growth, companies should regularly check whether other requirements from the DSA and DMA are applicable. There are currently many legislative initiatives in the EU still in progress. For this reason, it is currently essential for providers of digital services to keep an eye on current legislative procedures and to regularly inform themselves about changed requirements.
Companies offering goods with digital content or DCS should adapt their current contracts to align with the above recommendations, and preferably have them reviewed by a lawyer.