Legislation and regulation

Recognition of concept

Is cloud computing specifically recognised and provided for in your legal system? If so, how?

In 2021, specific rules governing certain cloud computing contracts were introduced into the German Civil Code. Implementing Directive (EU) 2019/770, the new provisions cover cloud computing contracts and include rules on service defects, liability and statutes of limitation. As the new framework mainly applies to business-to-consumer (B2C) contracts (except for a few provisions on business-to-business (B2B) recourse in supply chains), there is still no legal framework in Germany specifically for B2B cloud computing. Therefore, cloud computing services are mostly governed by general German and EU laws, such as:

  • IT security laws;
  • the German Civil Code;
  • the German Commercial Code;
  • the General Data Protection Regulation;
  • the German Telecommunications-Telemedia Data Protection Act (TTDSG);
  • the German Telemedia Act;
  • the German Copyright Act; and
  • rules against unfair competition.


Governing legislation

Does legislation or regulation directly and specifically prohibit, restrict or otherwise govern cloud computing, in or outside your jurisdiction?

The IT Security Act 2.0 (BSIG), which implements Directive (EU) 2016/1148 (the NIS Directive), applies to cloud computing. The BSIG imposes certain IT security obligations on providers of critical infrastructure. Pursuant to BSIG, section 2, paragraph 11, no. 3, cloud computing qualifies as a digital service that enables ‘access to a scalable and elastic pool of commonly usable computing resources’. Generally, cloud computing services may constitute critical infrastructures pursuant to the BSIG and associated regulations, provided that they meet the requirements and thresholds set forth therein. Also, and more importantly, where a provider of a critical infrastructure uses a cloud service, it will try to contractually impose the legal requirements on the cloud provider. The BSIG stipulates various IT security requirements for providers of cloud services of a certain size, including the obligation to take adequate technical and organisational measures to maintain a level of IT security that minimises risks to the security of the network and information systems used for the service. Cloud providers that are subject to the BSIG must also report all security incidents that have a significant impact on the respective service to the Federal Office for Information Security (BSI).

In January 2023, Directive (EU) 2022/2555 (the NIS2 Directive) entered into force, which qualifies cloud computing services as digital services. The NIS2 Directive must be implemented by EU member states by October 2024, so legal changes at a national level are to be expected.

What legislation or regulation may indirectly prohibit, restrict or otherwise govern cloud computing, in or outside your jurisdiction?

Beyond new additions to the German Civil Code (sections 327 et seq), which directly govern B2C cloud computing contracts, a variety of German regulations and legislation may have indirect impacts on cloud computing services. In addition to the general provisions of the German Civil and Commercial Codes, telemedia regulation, the TTDSG, and the rules against unfair competition, particular attention should be paid to the relevant data protection provisions of the GDPR, the German Data Protection Act and related sector-specific regulations. However, each cloud computing service may face specific issues depending on its business model and offerings. Furthermore, customers of cloud services may be subject to sector-specific requirements for the use of cloud services (eg, those from the medical sector).

Software made available via cloud computing may also be subject to German copyright law. While software packages made available via the cloud are usually used online without being copied to the user’s device, their use may still qualify as an action that requires a licence (contrary to a mere copyright-neutral enjoyment of a work).

The provisions of the German Telecommunications Act (TKG) apply to cloud computing services that qualify as telecommunications services, as per TKG, section 3, number 24 (eg, services that include voice-over-internet-protocol, video conferencing, instant messaging or email services). In these cases, the service is subject to strict rules regarding telecommunications secrecy and is obliged to register with the Federal Network Agency.

In addition, cloud computing services qualify as hosting service providers within the meaning of the EU Digital Services Act (DSA), which came into force in November 2022. The DSA imposes various specific obligations, particularly regarding dealing with illegal content, as well as reporting and transparency obligations.

Breach of laws

What are the consequences for breach of the laws directly or indirectly prohibiting, restricting or otherwise governing cloud computing?

Under German law, there are no general consequences for legal violations in the context of cloud computing. Depending on which provisions are violated, the following main types of consequences or sanctions must be considered.

If providers or customers do not comply with regulatory requirements, this may trigger administrative proceedings, possibly resulting in investigations, conditions to be fulfilled, or prohibition of the practice complained about or, in exceptional cases, of the respective cloud service.

In the case of certain infringements, supervisory authorities may also impose administrative fines on cloud providers or users (eg, in the area of data protection). According to the GDPR, fines of up to €20 million or 4 per cent of the preceding financial year’s worldwide turnover, whichever is higher, may be imposed on providers or customers operating or using cloud computing services that are not in compliance with GDPR. Pursuant to the DSA, fines of up to 6 per cent of the service provider’s annual turnover can be imposed for violations. In addition, periodic penalty payments can also be imposed (up to 5 per cent of daily turnover).

Certain particularly serious infringements may result in criminal liability. Currently, German law only holds individuals liable under criminal law. However, this may change, as extending criminal liability to enterprises is being discussed. For example, employees of the cloud provider may be liable to prosecution for certain forms of illegal tampering with data. In addition, if a cloud provider is commissioned by persons subject to professional secrecy (eg, doctors, attorneys, tax advisers), the provider’s employees may also be liable if they disclose information protected by professional secrecy to third parties (German Criminal Code, section 203, paragraph 4).

If cloud providers violate certain regulations of unfair competition law, competitors or customers may claim injunctive relief or damages, or both. As far as consumer protection regulations are concerned, consumer protection organisations are entitled to issue warnings against such cloud providers and to claim injunctive relief.

Consumer protection measures

What consumer protection measures apply to cloud computing in your jurisdiction?

German Civil Code, sections 327 et seq, which specifically govern digital B2C services like cloud computing, form a comprehensive set of rules on consumer contract law. Among these, German Civil Code, section 327f, may be of interest to cloud service providers, as it obliges them to provide any necessary software (security) updates and inform consumers of such updates. Providers may be liable for defects of service resulting from a failure to do so.

German law also provides for a range of general consumer protection measures, of which the rules on distance selling (German Civil Code, sections 312c et seq) have a notable impact on cloud services. Among other obligations, providers are subject to extensive information requirements (eg, provider details, the scope of services, total costs, warranties). Consumers also have a 14-day right to withdraw from contracts. In addition, the provisions in German Civil Code, sections 305 et seq, on the use of standard terms and conditions restrict provider-friendly drafting, and prohibit surprising or inequitable terms, particularly in B2C contracts. Restrictions include controls on the exclusion and limitation of liability, dispute resolution clauses, choice of venue and governing law, contractual penalties, termination rights and contract terms. These provisions are mandatory vis-à-vis customers residing in Germany, and cannot be circumvented by the choice of a different law. Regulation (EU) No. 524/2013 on online dispute resolution for consumer disputes imposes further information obligations on providers.

If they qualify as host providers pursuant to the DSA, cloud providers must also comply with certain obligations (eg, designating a single point of contact for their users for direct communication, or including certain mandatory information in their general terms).

Sector-specific legislation

Describe any sector-specific legislation or regulation that applies to cloud computing transactions in your jurisdiction.

There is no general cross-industry and cross-sector legislation for cloud computing in Germany. However, the BSIG contains industry- and sector-specific IT security requirements for operators of critical infrastructure such as energy, telecommunications, insurance or healthcare. If companies in these critical sectors use (or provide) digital services such as cloud computing, they may have to comply with increased requirements for technical and organisational measures to protect their IT systems, and to report significant IT security incidents to the BSI. In addition, the BSI publishes the Cloud Computing Compliance Controls Catalogue (C5), which defines criteria for assessing the IT security of cloud services. Furthermore, companies in specific sectors need to comply with industry-specific legal requirements, such as:

  • for companies in the financial sector:
    • the German Banking Act;
    • the Payment Services Supervision Act;
    • the German Securities Trading Act; and
    • the Investment Act;
  • for companies in the insurance sector, the Insurance Supervision Act;
  • for companies in the energy sector, the Electricity and Gas Supply Act; and
  • in the telecommunications sector, the TKG and TTDSG.


Companies in the healthcare and legal sectors are subject to certain confidentiality requirements of the German Criminal Code and rules of conduct. The respective supervisory authorities usually issue guidelines to specify these sector-specific requirements. For example, the Federal Financial Supervisory Authority provides detailed information on the legally compliant use of IT, including cloud computing, for the financial sector, particularly regarding IT security, contractual design and data protection. In the public sector, the resolutions of the Council of IT Officers (2015) and the IT Planning Council (2016) provide criteria for the use of cloud services by the federal administration.

In 2021, the IT Planning Council passed a resolution to promote federal digital sovereignty, including the criteria provided in 2016 for the use of cloud services by the federal administration (eg, that cloud services of private providers may only be used subordinately, and that data may only be stored in Germany and may not be subject to disclosure or publication obligations, such as the US Cloud Act).

Insolvency laws

Outline the insolvency laws that apply generally or specifically in relation to cloud computing.

As there is no specific insolvency law for providers of cloud computing or other IT services, the general German Insolvency Code applies (if German insolvency law is applicable under conflict of laws rules). For most insolvent companies an insolvency administrator will be appointed. The administrator is generally free to continue to perform or to refuse to perform ongoing obligations of a cloud computing contract.

If a cloud customer becomes insolvent, an administrator is likely to refuse to perform the cloud services contract and to stop payments, in which case the provider is entitled to cease the provision of the services due to payment default. The administrator may also elect to continue the contract for a limited period of time if necessary (and feasible) for the administered cloud customer, but then needs to pay for (future) services.

If a cloud provider files for insolvency, the administrator may choose to refuse performance (ie, stop the provision of services). In this case, customers should in most cases be entitled to claim separation of their stored data, and its migration or deletion. The practical enforceability of such a claim may depend on whether the insolvency estate has sufficient funds to operate the respective servers. If not, the administrator (or hardware provider) will switch off the servers and prevent further access to customers’ data. Should the cloud provider’s administrator elect to continue a contract, the services will be available irrespective of the insolvency proceedings. Customers will then have to assess whether they have a contractual right to terminate a cloud computing contract and whether such termination rights remain enforceable in the provider’s insolvency. In the event of the other party’s insolvency, a contractual termination right is often unenforceable under German law.