But wait, what was that again about covert advertising, product placement, and all that? Shouldn't the film perhaps be labelled as a continuous infomercial—or, at worst, from start to finish? Older readers may still remember this sort of thing from Stefan Raab's shows. 

In fact, more than 30 years ago, the Federal Court of Justice addressed the question of how product placement should be assessed from a legal perspective. 

The initial question is always whether an action 'is intended to promote the business of the company in question' - that is, to boost sales of a specific product. The situation is straightforward when the brand owner pays for the product placement. However, this is often difficult to detect from the outside. This is why courts rely on the following reasoning: Based on common sense, a commercial act (and an intent to promote competition) is presumed to exist when a product appears conspicuously often and without any apparent editorial, artistic, or dramatic justification. 

At any rate, when it comes to the fashion brands in “The Devil Wears Prada 2”, it’s hard to deny that there is a 'dramatic reason' for featuring them. Incidentally, if reports in the marketing media are to be believed, no money was spent on this; the brands simply promoted the film themselves (Maybach, for instance, with a co-branded campaign titled “The Art of Arrival”). However, this should still be a significant consideration. In that respect, we can conclude as an interim finding that this is probably a case of product placement.

The standards that apply to product placement, however, vary depending on the medium. In the broadcasting sector (which includes television), this issue is specifically regulated by the State Media Treaty. Under the treaty, covert advertising is prohibited but product placement is permitted under certain conditions and within certain limits. In particular, it must be clearly indicated – on television, for example, at the beginning and end of a programme, as well as when the programme resumes after a commercial break.

The producers of “The Devil Wears Prada 2” can breathe a sigh of relief, as feature films tend to be subject to less stringent requirements. Nevertheless, drawing the line is not easy: simply having a car manufacturer pay for the main character to drive one of its vehicles in a film does not automatically make it inadmissible. It should also be noted that this vehicle is often depicted in a conspicuous manner that is not called for by the plot. Just how much of a balancing act this can be is demonstrated almost perfectly by Meryl Streep and Anne Hathaway (not only) in their conversation toward the end of the film.

Any publication—such as Runway—that evolves from a pure glossy magazine into a hybrid world of social media and strategic partnerships must also bear in mind that the legal framework for advertising and product placement varies depending on the type of media. Different laws may even apply. For instance, the State Media Treaty has separate chapters for broadcasting on the one hand and telemedia on the other (which also differ in content); it does not apply to movie theatres or newsstands. The press code applies only to the press while competition law applies to everyone. Complicated? Yes. Product placement and cross-promotions are not light entertainment.

Even German female influencers have already tested the limits of what is permissible: Cathy Hummels, for example, was able to convince the Federal Court of Justice that she has a genuine personal interest in fashion. Posts for which she receives no consideration as a result do not have to be labelled as advertising, even if they promote her commercial social media profile. The situation was different for influencers who had received something in return. This naturally raises the question of whether it counts as 'consideration' if the production company does not have to pay for the Coke – or if Anne alias Andy is allowed to keep the dress worn in the Hamptons after filming. For the record, media regulators draw the line at a product value of 100 euros, though this is open to discussion on a case-by-case basis.

And that’s not all: the guidelines are even stricter when the target audience is primarily children.

As is so often the case with legal matters, the tried-and-tested saying applies: The devil is in the details (not in Prada).

Dr. Andreas Lober
Dr. Peggy Müller

In Germany, this will be part of the updated German Civil Code (Section 356a) and take effect on 19 June 2026.

To whom does the obligation apply?

The withdrawal button requirement covers almost all online sales to consumers. The obligation applies regardless of whether the consumer purchases goods, digital content or services (including financial services). Exceptions apply only in cases where there is no right of withdrawal. Smaller businesses are not granted any special exemptions.

What are the requirements for the withdrawal button?

The legal requirements for the withdrawal button (or, as the lawmaker puts it, the withdrawal function) are quite specific:

First, there must be a clearly visible button labeled "Withdraw from contract here" (or equivalent wording). (The German law does not require the word “here”, contrary to the underlying EU directive). The button must be easily accessible, and available throughout the entire withdrawal period.

In a next step, the consumer must provide essential information to identify the contract:

1. The consumer's name,
2. Details identifying the contract (or specific part) they want to withdraw from,
3. Details regarding confirmation of receipt.

Then, there must be a ‘confirmation button’ clearly labeled "Confirm withdrawal" or similar and equally clear.

Finally, businesses must immediately send the consumer a confirmation of receipt via e-mail (or other permanent record).

EU Withdrawal Button vs. German Cancellation Button (Kündigungsbutton)

Companies offering subscriptions or ongoing services online in Germany might think this sounds familiar. You're right – it's similar to the cancellation button that's been required in Germany since July 2022 (Section 312k German Civil Code). However, unlike the withdrawal button, the cancellation button is not a requirement under EU law but German-specific. Even if a cancellation button has already been implemented, the requirement to provide a withdrawal button still applies. The legal consequences are also different: Cancellation (for instance, via the cancellation button) terminates the contract for the future, whereas in the case of withdrawal, the services already provided must (in principle, at least) be reversed.

Practical Information

19 June 2026 is less than three months away. Companies should move quickly to implement the withdrawal button if they haven't already initiated the process. Beyond the technical requirements, you'll also need to update your withdrawal policy and possibly your privacy policy. Non-compliance will almost certainly trigger warnings from competitors or consumer protection associations. Experience with the cancellation button (and other consumer laws) shows that consumer protection associations send out warnings shortly after new policies take effect and sometimes even provide consumers with ready-made reporting forms. 

If you don't respond to such warnings within a few days, this can lead to interim injunctions or other legal action. Additionally, incorrect withdrawal policy information can prevent the withdrawal period from starting, meaning it won't expire until 12 months and 14 days have passed. Fines may also be imposed in some cases, though experience shows the risk of monetary fines is low in the beginning after a new regulation takes effect.

Beyond that, e-commerce law is constantly evolving. Businesses should monitor other regulatory developments: additional information requirements (such as durability guarantees) and legally required warranty labels. The Digital Fairness Act also promises to further strengthen consumer protection.

Daniel Trunk

Banyan Software was founded in 2016 and regularly acquires growing software companies with the aim of developing them over the long term as part of a buy-and-hold strategy. Banyan Software has locations in Canada, the United Kingdom and the DACH region. 

Gini was founded in 2011 and has established itself over more than a decade as a trusted provider of document and payment AI platforms. Among other things, its solutions simplify invoice payments, automate data capture and are firmly anchored in the work processes of leading financial institutions. Under Banyan's new ownership, Gini will continue to expand its market presence, particularly in the banking sector, private health insurance and e-commerce. 

Following the transaction, the company's location and product development will continue.

ADVANT Beiten regularly advises Banyan Software on the implementation of its growth strategy in the DACH region, most recently in June 2025 on the acquisition of star/trac.

Advisor Banyan Software:

ADVANT Beiten: Christian Burmeister (Lead), Damien Heinrich, Julius Bauer (all Corporate/M&A), Heiko Wunderlich, Fabian Moser (both Tax), Mathias Zimmer-Goertz, Christian Döpke (both IP/IT), Michael Riedel (Employment Law).

Public Relations
Frauke Reuther
Manager Communications
ADVANT Beiten
+49 (69) 75 60 95 - 570
frauke.reuther@advant-beiten.com

The NIS-2 Implementation Act changes the Act on the German Federal Office for Information Security (Gesetz über das Bundesamt für Sicherheit in der Informationstechnik, BSIG) and introduces new, stricter cyber security obligations. The group of companies that must implement cyber security measures will be significantly expanded compared to the previous group of addressees.

After the legislative process had been interrupted by the new elections in spring 2025, it went faster than expected. As the transposition deadline of 17 October 2024 had long since expired and the European Commission had already initiated infringement proceedings against the Federal Republic of Germany, the German legislator adopted the NIS-2 Implementation Act in an accelerated manner towards the end of the year 2025. It is therefore not surprising that the Act already entered into force one day after its promulgation in the Federal Law Gazette and without any transitional periods. For the companies concerned, this means that they must now implement the new cyber security obligations at very short notice. They are obliged to take suitable and proportionate technical, operative and organisational measures to ensure IT security in the company.

The NIS-2 Directive (NIS = Network Information Security), which was passed by the European Parliament on 10 November 2022, belongs to a series of EU legal acts that are part of the digital strategy of the European Commission. An evaluation of the European Commission had shown that the previous NIS Directive and its implementation in the individual EU member states had not led to a sufficient level of cyber security in the EU. Therefore, the cyber security obligations are tightened by NIS-2.

Scope Of Application: Which Companies Are Subject To The New Cyber Security Obligations?

Previously, the BSIG differentiated between three categories of companies: (1.) operators of critical infrastructure (Section 8a BSIG), (2.) providers for digital services (Section 8c BSIG) and (3.) companies in the special public interest (so-called "UBI", Section 8f BSIG).

Now, Section 28 BSIG (new version) differentiates between so-called particularly important facilities (Section 28 (1) BSIG) and important facilities (Section 28 (2) BSIG). The exhibits 1 and 2 to the BSIG define, when a company - depending on the affiliation to a particular sector / an industry - is to be qualified as a particularly important or important facility.

The following criteria are decisive for determining whether a company falls within the scope of application of NIS-2: (1.) the classification as a critical infrastructure operator ("KRITIS-Betreiber") (i.e. as a particularly important or important facility), (2.) the affiliation to a sector / an industry and (3.) the size of the company.

In addition to operators of critical installations, providers of qualified trust services and providers of telecommunications services or operators of telecommunications networks, companies that employ at least 250 people and have an annual turnover of more than EUR 50 million or an annual balance sheet total of more than EUR 43 million are also particularly important facilities.

However, important facilities are not only critical infrastructure companies but also manufacturing industrial companies with more than 50 employees and an annual turnover of more than 10 million euros, provided that they belong to one of the sectors / industries mentioned in exhibit 1 or 2 of the BSIG.

Therefore, the scope of application has been significantly extended compared to the previous NIS Directive of 2015.

NIS-2 is of particular importance for the "manufacturing" sector. For the first time, it is covered by the new cyber security obligations. Many companies, whose business models are neither digital nor have a special relation to data, will therefore have to deal with cyber security compliance in more depth for the first time.

Tightened Cyber Security Obligations Pursuant To The BSIG

In the implementation of the NIS-2 Directive, the BSIG significantly extends the scope of application of cyber security obligations. Compared to the NIS Directive, the NIS-2 Directive also contains a much more comprehensive catalogue of cyber security obligations. Violations of cyber security obligations are also to be severely sanctioned. According to the Act on the German Federal Office for Information Security (BSIG), fines of EUR 100,000 to 10 million are provided for violations. In addition, registration and reporting obligations are introduced for companies in the event of a cyber security incident.

Cyber Security Measures And Risk Management

Pursuant to Section 30 (1) sentence 1 BSIG, so-called particularly important and so-called important facilities are obliged "to take suitable, proportionate and effective technical and organisational measures in order to avoid disruptions to the availability, integrity and confidentiality of information technology systems, components and processes, that they use for rendering their services, and to minimise the impact of security incidents."

In doing so, the extent of risk exposure, the size of the facility, the implementation costs, the probability of occurrence and severity of security incidents and their effects must be taken into account, cf. Section 30 (1) sentence 2 BSIG.

The obligations for risk management include, among others, the following measures, to which Section 30 (2) BSIG refers as minimum requirements:

• Concepts relating to risk analysis and security for information systems
• Security incident management
• Maintaining operations, such as backup management and recovery after an emergency
• Crisis management
• Ensuring security in the supply chain
• Vulnerability management
• Risk management in the area of cyber security
• Training on cyber security
• Concepts and processes for using encryption technologies
• Personnel safety: access control and authorisation management
• Multi-factor authentication or continuous authentication
• Secured voice, video and text communication and, if necessary, secured emergency communication systems

Obligation To Register And Report Significant Security Incidents

Moreover, an obligation to register has been introduced, cf. Section 33 BSIG. The responsible German Federal Office for Information Security (Bundesamt für Sicherheit in der Informationstechnik, BSI) provides for a two-step registration process for facilities in Germany concerned by the NIS 2 Directive:

First, companies should create an account with "My company account" ("Mein Unternehmenskonto", MUK), in order to register in the second step with the MUK user account with a BSI portal newly developed for NIS 2. The BSI portal has been activated since January 2026. Among other things, it serves as a reporting office for significant security incidents. The deadline for the initial registration of companies with the BSI portal is 6 March 2026 or three months from the date when a company falls into the category of the important or particularly important facility.

Companies that fall within the scope of application of NIS 2 are therefore recommended to register via the BSI portal by 6 March 2026 at the latest. On the one hand, this is in order to comply with their obligation to register, and on the other hand to be able to report IT security incidents electronically within the prescribed deadlines.

The obligations to report significant security incidents have also been tightened, cf. Section 32 BSIG. Within 24 hours (so-called early initial report) or 72 hours (so-called report), reports on significant security incidents must be given in stages. After one month at the latest, a summary final report must be submitted. This entails a considerable administrative burden for companies, as they do not only carry out measures to maintain operations or to restore their IT systems in the event of a cyber-attack, but must report to authorities on type, scope and measures taken.

Cyber Security As A Compliance Issue And Liability Of The Management

In particular, the monitoring obligation of the management pursuant to Section 38 BSIG is new. The board or the management must ensure that suitable and proportionate technical and organisational measures are taken within the company to minimise cyber risks. Moreover, companies are obliged to offer training on IT security for leadership personnel and other employees. 

These obligations cannot be delegated completely. There remains always an ultimate responsibility at the management level. If the management violates these compliance obligations, it will be liable to pay damages to the company. 

The violation of cyber security obligations, thus, constitutes a substantial risk for the management. This risk could be hedged by a D&O insurance if necessary. Companies concerned should review existing insurance contracts. Moreover, it is recommended to evaluate whether it is worth taking out cyber insurance.

Pursuant to Section 91 (3) German Stock Corporation Act (Aktiengesetz, AktG), the establishment of a risk management system is already part of the obligations of the board of a stock corporation and, thus, part of general compliance obligations of the management of companies. However, the extension to cyber security obligations is new.

Practical Note

After the NIS 2 Implementation Act entered into force without transitional periods, it is high time for the companies concerned to act. The following summary shall provide the companies concerned with a (non-exhaustive) guide on the most important points to be clarified as a matter of priority, in order to implement the new cyber security obligations.

Clarification of applicability of NIS 2 and obligations to register: First, it should be clarified, whether and to what extent NIS 2 is applicable to the respective company and whether obligations to register exist with the BSI. This must be determined in the individual case based on the product/service portfolio of a company.

Inventory and documentation: Cyber security concepts already existing should be reviewed, risks should be evaluated and the required documentation, such as cyber security concepts, emergency plans, etc. should be developed together with technical and legal experts. 

Prevention of cyber-attacks: Investments in cyber security pay off, as they are an important contribution to protecting the corporate know-how against industrial espionage and to minimising the risk of high business interruption damage in the event of a cyber-attack. Prevention and timely preparation make the decisive difference here.

Compliance and liability: In the age of Industry 4.0 and with a view to the legal innovations, IT security should become a "matter for the boss" in companies. EDP and IT security are to be understood as management tasks in a company. This does not mean that managing directors and board members must be IT experts. Rather, they should consult IT security experts. However, it is not possible to delegate the responsibility completely, as the ultimate responsibility lies with the board or the managing director.

IT security in the supply chain: Even if a company does not fall within the scope of application of NIS 2, it will have to meet the NIS 2 requirements for its clients sooner or later. Companies will be confronted with the fact that their clients will pass on their cyber security obligations to their suppliers. 

The factual scope of application of NIS 2 is thus even wider. Numerous companies delivering to companies that must meet the new cyber security requirements pursuant to NIS 2 are indirectly affected. This applies, for example, to suppliers to the medical technology and pharmaceutical industries, but also to the manufacturing industry which only produces parts for use in the automotive industry, various areas of mechanical engineering or electrical engineering.

In fact, almost every company will sooner or later have to deal with the topic of IT security.

Dr Birgit Münchbach

Artificial Intelligence

Protecting games IP against AI 

IP law has always been crucial for games companies, who own valuable assets.

2025 saw a couple of landmark decisions at the intersection between AI and IP. While neither claimants nor defendants in these cases were games companies, these decisions are highly relevant for the games industry.

At the Regional Court of Munich, GEMA, Germany's collective society for music rights, secured a favorable ruling against OpenAI's ChatGPT (decision of 11 November 2025 – 42 O 14139/24). The Court found that ChatGPT's training model contained unauthorized copies of GEMA members' original works, which were subsequently reproduced and made available through user prompts. This was deemed a breach of copyright law. This precedent establishes important implications for the industry, as there is no reason to assume that games-related IP should be treated differently.

The Higher Regional Court of Hamburg ruled that AI training using copyrighted material may be permissible under the EU copyright law's Text and Data Mining exception, even if the rights holder had declared its “opt-out” in plain text (decision of 10 December 2025 – 5 U 104/24). The court held that plain text failed to meet the "machine-readable" requirement for a valid “rights reservation” (i.e. “opt out”). This ruling shows the importance to implement proper technical opt-out mechanisms for rights holders wishing to prevent their intellectual property from being used in AI training datasets.

At a regulatory level, the EU's AI Office published its General Purpose AI Code of Practice, providing guidance for businesses seeking compliance with AI Act obligations concerning safety, transparency, and copyright for general-purpose AI models.

AI Implementation: Ownership and Valuation Risks

Games companies are also leveraging AI for their own purposes, such as asset creation and AI-assisted coding, and must therefore consider the aforementioned decisions.

AI-generated content and code generally lacks copyright protection. This necessitates ensuring that key visual elements remain human creations rather than machine-generated content. The frequent use of coding assistants raises questions about code protectability. For companies heavily reliant on AI for asset creation or coding, this presents potential valuation challenges in merger and acquisition contexts, where intellectual property traditionally serves as a key value driver. (see our blogpost (German))

AI Implementation: Regulatory Constraints

The availabilty of AI solutions through “AI marketplaces” under open-source licenses has faciliated and integration into local clients and user interfaces. However, determining liability under the AI Act for companies integrating third-party AI into their interfaces remains complex.

Apart from such marketplaces, the AI Act's impact on the gaming industry has been limited thus far. While the European Commission has indicated that AI integration in games may be prohibited in certain cases, particularly for games designed to be highly addictive or exploit vulnerabilities in children, this remains more of a theoretical concern for the time being. Also, AI use cases specific to the games industry generally do not fall in the "high risk" category, but games companies have to be mindful of the more general requirements, e.g. when using AI for HR purposes.

More games-specific are the transparency obligations notably regarding NPCs and bot-filled competitive game lobbies. 

Data Protection

In a decision on AI training using publicly available data, the Higher Regional Court of Cologne ruled that Meta's use of Facebook data for AI training was lawful, rejecting an application for a preliminary injunction filed by the Consumer Protection Association of North Rhine-Westphalia (decision of 23 May 2025 – 15 UKl 2/25). The Court held that, in this specific context, Meta's "legitimate interest" in AI product development was outweighing data subject interests, provided that users were given transparent information and the opportunity to opt-out. This decision may be useful for games companies aiming to train AI themselves.

Terms of Use, EULAs, and Consumer Protection

The Consumer Protection Network (CPC) and European Commission published Key Principles that, while non-binding, were presented as if they were binding. 

According to the Key Principles, the extensive obligations of the European Consumer Rights Directive should also apply when premium in-game virtual currency is sold or spent. This includes, but is not limited, to the call for a display in real world money, and the sizes in which “bundles” of virtual currencies should be sold.

Regarding withdrawal rights when premium in-game virtual currency is spent, the CPC identified the following practices to avoid:

• Denying consumers' 14-day withdrawal rights for unused in-game virtual currency purchases
• Denying withdrawal rights for in-game digital content or services contracts, regardless of consideration provided by the consumer

In July 2025, the European Commission published guidelines on the protection of minors, addressing implementation of in-game purchases, virtual currencies, and communication features. These positions align with broader consumer and minor protection initiatives concerning allegedly manipulative design practices.

The European Commission has announced plans to work on the Digital Fairness Act. This will provide an additional layer of consumer protection, targeting dark patterns and addictive design.

Loot Boxes

In late 2025, the German Federal Council (Bundesrat) adopted a resolution calling for significantly stricter loot box regulation to enhance youth protection. The initiative urges an examination of whether loot boxes should be legally classified as gambling due to their "gambling-like mechanisms," potentially resulting in mandatory 18+ age ratings for games containing such features. The Council demands full transparency regarding winning odds and pricing while advocating for unified European regulation within the Digital Fairness Act framework.

IP Disputes

In Sony v. Datel cheating proceedings, the German Federal Court of Justice delivered its final judgement following a 2024 decision by the European Court of Justice, ruling that mere RAM modifications might not constitute copyright infringement. However, this ruling has limited impact on multiplayer game cheat enforcement, as it restricts specific copyright claims on the manipulation of data in the working memory while leaving the tools for enforcing unfair competition law and breach of EULA intact.

Youth Protection Beyond Violence

Interaction risks, including chat features and monetization mechanics, are increasingly considered in age ratings. Germany's rating authority USK estimates that approximately one-third of rated games contain such risks, with one-third of those (11% in total) receiving higher age ratings than they would without these mechanics.

Germany also updated its Interstate Treaty on Media Minor Protection, granting the Commission for the Protection of Minors in the Media (KJM) decisive new enforcement tools. The amendment specifically targets loopholes previously allegedly exploited by some foreign providers to bypass German age verification laws. Key measures include authority to order payment service provider transaction blocking to non-compliant platforms and, as last resort, network blocking implementation. The reform transforms KJM's ability to act against offshore violators, shifting from administrative warnings to revenue stream disruption. However, this legislation faces criticism regarding "over-blocking" risks, as broad technical mandates could lead to inadvertent censorship of legitimate content if automated filters lacking contextual nuance are introduced.

Dr Andreas Lober
Lennart Kriebel
Daniel Trunk
Fabian Eckstein

Introduction

Generative AI not only supports the writing of texts and the creation of images but increasingly also the programming of software. This can have an impact on the applicability of copyright protection to software. This is also important in the case of company acquisitions. Where the software has been largely developed by AI, it may lack copyright protection which affects the intrinsic value of the target company. This must be taken into account in the context of due diligence as well as in the drafting of contracts.

Legal Context

Computer programmes are protected by copyright if they represent individual works in the sense that they are the result of their author's own intellectual creation. According to this principle, computer programmes have usually been protected by copyright until now. Since generative AI has also found its way into software development, the question arises as to how this affects the protectability. In essence, a computer programme will be able to protect if a human uses AI only as a subordinate tool. This will be the case if, for instance, AI tests the software to be developed and uncovers inconsistencies. If, however, relevant parts of the code are generated by AI, they will in many cases lack protectability. The exact distinctions are currently still subject to further development. Nevertheless, one should not be too hasty to speak of a gray area overall. The principles are already relatively clear but the specific outcome depends highly on the facts of each individual case.

All this applies regardless of whether the AI provider grants the user (i.e. software developer) all rights to the work results of the AI. If no copyright is created because the human contribution is too small, no copyright can be transferred.

Effects on due diligence

Nowadays, software developers can hardly do without the use of AI in development. The question is thus less whether AI will be used but rather how it will be used. And this question should also be asked as part of the due diligence. Disclosed internal guidelines and documentation on employee training on the use of AI can provide information, as can relevant license agreements. In addition, it is advisable to consult dedicated experts so that the actual use can be verified as accurately as possible. With only superficial due diligence, risks could be overlooked; if W&I insurance is to be taken out as part of the transaction, the associated policy could cancel or reduce the scope of the guarantee to the extent that gaps have been identified in the due diligence. 

Effects on contract documents

In addition to general guarantees of ownership of all relevant intellectual property rights (IP), there are separate guarantees with regard to the use of AI, for which attachments with specific descriptions or disclosures may then be manufactured. If the guarantee clause were too generic, there would be a risk that, in the event of an (alleged) breach of the guarantee, legal ambiguity would arise as to whether the particular case falls under the guarantee or not. 

Other legal issues: Third Party Rights, AI Act, Scraping and Data Licenses, International Aspects

A question that must be separated from the above considerations but is nevertheless related, is whether any AI-generated code infringes the rights of third parties. This could be the case, for example, if the AI largely reproduces the foreign code – with which it was trained. The risk can be reduced with a software scan but not completely eliminated; on the other hand, there is also the risk of foreign code being incorporated when human programmers are used. On the other hand, there is likely to be a greater risk if visual content is AI-generated. However, this is not the subject of this article.

If the software solution in question itself represents AI as part of the target company or as an asset to be transferred, not only the AI Act should be kept in mind but also the origin of the datasets with which it was trained. If these are due to web scraping (automated reading of data on websites using software bots or scripts), copyright and data protection questions may arise. Even the acquisition of a license from a commercial provider is only useful if the latter in turn has all the necessary rights himself; a look at the license terms is advisable in any case (for instance, with regard to limits of use by the licensee).

In cross-border company acquisitions, particularly when the target company operates internationally or even globally, the copyright challenges relating to AI-generated software are even greater. Copyright is basically national law, although the requirements for the creation of copyright protection are similar in most countries and thus also the principles for the legal issues relevant here. However, developments are still ongoing at the international level, and a Chinese court may decide the legal issues raised here differently than an American court. The guarantee declarations of the transaction documents should also contain flexible wording that takes into consideration the different legal frameworks in the jurisdictions concerned. 

Conclusion and recommendation for action

If AI is not only used as a subordinate tool in the creation of software, the software may not be eligible for protection. The software development process should therefore be scrutinized as part of the due diligence process. The findings will have to be reflected in the contract documentation when the company is acquired. Other follow-up issues such as third-party rights, AI Act, scraping and data licenses as well as international aspects must also be considered. 

Dr Andreas Lober
Tassilo Klesen

You can find the article under this link.

ProMach is a leading international platform in the field of packaging and processing technologies.

DFT is an established provider of innovative solutions in the field of sterilization, pasteurization and other thermal processes for the food and beverage industry. With the acquisition of DFT, ProMach is continuing its growth strategy in Europe.

The international cooperation within the ADVANT alliance played a central role in this transaction: our Italian alliance partner ADVANT Nctm has been advising ProMach in Italy for many years.

ADVANT Beiten entered into the mandate in close coordination with the US law firm Thompson Hine, which regularly advises ProMach on legal matters in the United States.

Advisors to ProMach:
ADVANT Beiten: Prof Dr Hans-Josef Vogel (Dusseldorf), Roy Naor (Frankfurt, both Corporate/M&A, lead partners), Dr Andreas Imping, Anna Kubitz (both Labour Law), Mathias Zimmer-Goertz, Christian Döpke (both IP/IT), Sarah Peters, Simon Litterst (both Corporate/M&A, all Dusseldorf), Christopher Harten (Dispute Resolution, Hamburg), Marcus Mische, Markus Linnartz (both Tax), Thomas Herten (Real Estate, all Dusseldorf), Katrin Lüdtke (Public Sector, Munich).

Public Relations
Frauke Reuther
Manager Kommunikation
ADVANT Beiten
+49 (69) 75 60 95 - 570
frauke.reuther@advant-beiten.com

ADVANT Beiten's interdisciplinary team supported Zoot throughout the entire acquisition process - from the legal and tax due diligence to the structuring and negotiation of the transaction agreements through to the successful closing.

Zoot Sports was founded in 1983 in Kona, Hawaii - the birthplace of the Iron Man triathlon. The company specializes in innovative clothing, shoes and equipment for triathletes and endurance athletes and is one of the world's leading brands in this segment. Zoot stands for technical precision, high quality and athlete orientation and sells its products in over 25 countries. Since 2023, Zoot has been part of the Italian MVC Group, an international sporting goods company based in Italy.

Tailwind Brands is a company based in Bönen, which specializes in the distribution and brand management of premium sports and lifestyle brands. The company has an established distribution network in the DACH region as well as long-standing partnerships with leading sports retailers and online platforms. Tailwind has made a name for itself as a competent partner for the development and expansion of international brands in the European market.

With the acquisition of Tailwind Brands, Zoot Sports is laying the foundation for accelerated expansion in Europe. The combination of Zoot's international brand strength with Tailwind's regional market and sales expertise offers considerable growth potential in the coming years.

Advisor Zoot Sports:
ADVANT Beiten: Dr Markus Ley (Corporate/M&A, Munich), Dr. Erik Schmid, Virginia Mäurer (both Employment Law, Munich), Susanne Klein, Jason Komninos (both IP/IT, Frankfurt), Markus Linnartz (Tax, Dusseldorf), Petra Fendt (Banking & Finance, Munich), Anja Fischer (Real Estate, Munich).

Public Relations
Frauke Reuther
Communications Manager
ADVANT Beiten
+49 (69) 75 60 95 - 570
frauke.reuther@advant-beiten.com

Dr Dominik Moser specialises in national and international corporate transactions, particularly in the areas of M&A, private equity, joint ventures and venture capital, with a particular focus on the IT, technology, biotechnology and pharmaceutical industries. Beyond that, he has extensive experience in the area of search fund transactions. Dominik Moser also regularly advises on general company law (in particular limited liability company and stock corporation law), corporate governance, compliance, and national and international transformation processes. In addition to his legal training in Germany, Spain, England (Oxford) and Singapore, he also holds a degree in business administration.

"The Corporate/M&A practice, with a particular focus on private equity, is a key growth area for our firm. In Dominik Moser, we are not only gaining an outstanding lawyer, but also a strong entrepreneurial personality. His in-depth industry knowledge and strategic vision are an excellent addition to our partnership," says Dr Guido Krüger, Managing Partner of ADVANT Beiten.

As recently as early September, ADVANT Beiten expanded its visibility on the European market and its advisory services for cross-border transactions by opening a new office in London with Sebastian Diehl. The addition of Dominik Moser is a further step in the consistent implementation of ADVANT Beiten's growth strategy, namely to invest specifically in future-oriented areas of consulting and to strengthen the partnership with proven market personalities.

Dominik Moser on his transfer: "I am looking forward to further expanding the M&A practice, with a particular focus on private equity and search fund transactions, and to working with my colleagues to deepen ADVANT Beiten's international advisory services. In my view, the excellent professional environment and broad expertise offer an ideal starting point for these goals."

PR

Frauke Reuther
Manager Communication
ADVANT Beiten
+49 (69) 75 60 95 - 570
frauke.reuther@advant-beiten.com

Yancoal International Holding Co., Ltd. acquires 51 percent of the shares in CFH GmbH within the scope of the transaction. The parties have agreed not to disclose the transaction volume.

The globally operating CFH Group of Companies bundles under its umbrella a number of subsidiaries and holding companies, all specialising in engineering services enabling innovative solutions related to the topic of air at the workplace. 

Yancoal International Holding Co., Ltd. brings comprehensive experience in global resource allocation and industrial cooperation. The stake of Yancoal International Holding Co., Ltd. represents an important milestone in the international growth strategy of CFH Group of Companies. The partnership opens up new opportunities for technological innovation, global market presence and sustainable development. New standards in developing intelligent ventilation and environmental technologies are defined together - in particular for applications in mining, tunnelling and industry. 

The international team of ADVANT Beiten headed by Dr Martin Rappert (Dusseldorf) and Susanne Rademacher (Beijing) regularly advises companies on investments and business activities in Europe and the People's Republic of China.

Advisors to CFH GmbH: 
ADVANT Beiten: Dr Martin Rappert, Nico Frielinghaus, Prof Dr Hans-Josef Vogel, Dr Winfried Richardt, Sarah Heinrichs, Simon Litterst (all Dusseldorf), Susanne Rademacher (Beijing, all Corporate/M&A), Christian Döpke, Mathias Zimmer-Goertz (Data Protection/IP, Dusseldorf), Christoph Heinrich (Antitrust, Munich), Dr Christian von Wistinghausen (Foreign Trade Law, Berlin), Thomas Herten (Real Estate, Dusseldorf), Vasily Ermolin (Sanctions, Moscow).

Media Contact
Frauke Reuther
Manager Kommunikation
ADVANT Beiten
+49 (69) 75 60 95 - 570
frauke.reuther@advant-beiten.com

ApoBank and the AXA Insurance Group have been cooperating in the sale of financial and insurance products for more than 25 years. Both companies now want to bundle the sales activities of their mobile sales companies apoFinanz and Deutsche Ärzte Finanz more closely. 

As part of the restructuring, apoFinanz will be merged with Deutsche Ärzte Finanz. At the same time, apoBank acquires additional shares in Deutsche Ärzte Finanz. The merger creates the largest financial sales organisation for academic health professionals in Germany. With around 500 independent financial advisors, the new company will serve more than 320,000 customers. The merger will be completed in August 2025. A cross-office team from ADVANT Beiten is providing apoBank with comprehensive legal advice.

With more than half a million customers and total assets of around EUR 52 billion, apoBank is the largest cooperative retail bank in Germany and the number one financial services provider in the healthcare sector. Its customers are primarily members of the healthcare professions, their professional organisations and associations, healthcare facilities and companies in the healthcare market.

With the reorganisation of their joint sales subsidiaries, the partners want to combine the strengths of the companies and use the synergies for additional growth. 

Advisors to apoBank: 

ADVANT Beiten: Heinrich Meyer, Rainer Süßmann (both lead partners in charge, Banking/Finance, Frankfurt), Dr Christian Ulrich Wolf, Maren Dedert (both Corporate/M&A, Hamburg), Christoph Heinrich, Prof Dr Christian Heinichen (both Antitrust Law, Munich), Oliver Korte, Christopher D. Harten (both Commercial, Hamburg), Dr Thomas Drosdeck, Dr Gerald Müller-Machwirth (both Labour Law), Susanne Klein, Lennart Kriebel and Daniel Trunk (all IT- and Data protection Law, all Frankfurt)

Advisor to AXA: Hengeler Mueller

Public Relations
Frauke Reuther
Communications Manager
ADVANT Beiten
+49 (69) 75 60 95 - 570
frauke.reuther@advant-beiten.com

Heinrich Meyer
Rechtsanwalt 
ADVANT Beiten
Phone: +49 69 756095-414
heinrich.meyer@advant-beiten.com

Cyber Resilience Act? (CRA): Uniform security standards for products with digital elements

The European Union is creating a comprehensive and binding set of rules and regulations to strengthen the cyber security of products with digital elements with the Cyber Resilience Act (CRA). The aim of the regulation is to establish uniform cyber security standards for the European single market and thereby significantly reduce the risk of cyber attacks. At the same time, the confidence of consumers and companies in digital technologies should be strengthened.

The CRA obliges manufacturers, importers and traders to meet cyber security requirements during the entire product life cycle - from design and development through manufacturing and marketing to continuous maintenance and updating. This is to ensure that products are not only safe when they are placed on the market but also meet current security requirements throughout their life cycle.

Which products does the CRA apply to?

In principle, the regulation covers all products with digital elements that are manufactured, imported or distributed in the territory of the European Union. Products with digital elements are both software and hardware products and their data teleprocessing solutions, as well as software or hardware components that are placed on the market separately. These include, in particular, products that are capable of processing, storing or transmitting data - such as smart home devices, networked household appliances, mobile devices as well as other internet enabled products. Software products such as firmware, operating systems and applications also fall within the scope. 

Products, however, that are covered by already existing, sector-specific EU rules with equivalent cyber security requirements - such as medical devices pursuant to the Medical Device Regulation or certain spare parts that must be manufactured to the exact specifications of the parts to be replaced and, therefore, do not involve any additional cyber security risks, are excluded from the scope of application. 

Schedule: Staged entry into force of the CRA and transitional periods

The CRA already came into force on 10 December 2024. The regulation will be implemented in several stages. Conformity assessment bodies should already assess the fulfilment of the requirements of the CRA for products with digital elements as of 11 June 2026. Reporting requirements for specialist units and security incidents will be in place as of 11 September 2026. The transitional period will end completely as of 11 December 2027 so that new cyber security requirements for products with digital elements will be binding as of that date. This applies to new products placed on the market as of 11 December 2027 and for products previously placed on the market that have undergone significant changes.

To whom do the obligations under the CRA apply?

The CRA does not only oblige manufacturers, but all actors along the value-added chain of a product - among them importers, traders and authorised representatives - to meet cyber security requirements. Companies managing, providing or significantly changing digital products are also covered by the obligations of the regulation. This also expressly applies to developers or operators of open source software, provided that they offer their products under normal market conditions (Art. 3 No. 12 CRA).

A key innovation lies in the legal extension of the so-called capacity as manufacturer. Pursuant to Art. 22 CRA, any natural or legal person is deemed to be a manufacturer who significantly changes a product with digital elements and places it on the market again - regardless of whether the person has previously acted as a trader or importer. The regulation thus follows the system of the European Product Safety Law, according to which the placing on the market of a product is the decisive criterion.

The term "placing on the market" is not linked to a physical handover for purely software-based products. The decisive criterion in these cases is the moment when the software is made available for download, the access code is transmitted or the activation for users becomes technically feasible.

1. Obligations for manufacturers

The cyber security requirements of the CRA are primarily aimed at manufacturers. The central message is: Who places digital products on the market, must ensure that they are safe - not only if he has manufactured and/or programmed them himself. The same applies to software components that originate from third parties. Pursuant to Art. 13 (5) CRA, manufacturers must ensure with "due care" that these parts do not endanger the product's safety. Open source software (OSS) also falls within the scope of application of the CRA. This also applies if OSS is available free of charge on the internet and is not offered by companies but by individuals. 

IT security throughout the entire product life cycle

Manufacturers of products must meet numerous requirements to guarantee the safety of their products during the entire life cycle. 

The cyber security of a product must be guaranteed during the entire so-called "life cycle" of a product, i.e., from development to the end of its useful life. For Software, this means in particular creating a secure architecture, using secure standard configurations and regularly providing security updates. Corresponding processes to continuously ensure product integrity must be set up if they have not been implemented yet.

Reporting Requirements

Manufacturers are obligated to report weaknesses and major security incidents of all products. The report must be addressed to the responsible Computer Security Incident Response Team (CSIRT) as well as to the European Union Agency for Cybersecurity (ENISA). Established deadlines must be observed: Incidents must be reported within 24 hours of becoming known, subsequently further relevant information will be provided.

Conformity assessments

Before a product is launched on the market, it must be examined whether it meets the requirements of the Cyber Resilience Act. This so-called conformity assessment is mandatory and depends on how the product is classified under the CRA. Depending on how safety-critical it is, varying strict requirements apply. If the product is successfully assessed, it will receive the CE mark - an official evidence that it meets the necessary standards.

Management of weaknesses and security updates

Weaknesses in a product must be remedied within a period of at least five years after discovery. This remedy takes the form of security updates and usually must be free of charge. This period corresponds at least to the expected useful life of the product.

Documentation obligations

The manufacturer is obliged to document compliance with the security requirements for the product. This documentation must be maintained during the entire life cycle of the product and must be kept up to date. The documentation must meet the minimum requirements of the CRA and must be traceable at any time.

2. Obligations for importers

Similar to the manufacturer, the importer may only launch his product if the requirements of the CRA pursuant to Art. 19 (1) CRA are met. The importer must be able to ensure and prove that the manufacturer's obligations have already been fulfilled. In addition, he is obliged to provide his contact details on the product (if this is impossible, on the packaging or the enclosed documentation). In case of safety deficiencies, both the manufacturer and the competent authorities must be informed. The user must also be informed when safety deficiencies become known.

3. Obligations for traders

At first glance, the trader has less obligations than the manufacturer and the importer. He must only verify whether the CE number, declaration of conformity, end date of the support period and the contact details of the manufacturer and importer are available. If the trader determines that the product is CRA-compliant, he may bring this product onto the market. If this is not the case, the trader must also take measures to combat existing security vulnerabilities. For instance, he is obliged to withdraw the product from the market and to inform the competent authorities.

Sanctions in case of violations of the CRA

Manufacturers, importers or traders who violate the new cyber security requirements pursuant to the CRA must, in principle, expect consequences. Pursuant to Art. 64 (3), fines of up to EUR 10 million or of up to 2% of the total worldwide annual turnover of the preceding financial year of a company may be imposed, whichever is higher. Violations of the manufacturer obligations can result in sanctions of up to EUR 15 million or 2.5% of the total worldwide annual turnover. Additionally, further restrictive measures may be taken. Pursuant to Art. 64 (10), exceptions are made for micro and small enterprises and for administrators of open source software. The fine imposed in individual cases will always be based on the specific violation, its gravity and also on the degree of culpability of the actor concerned, i.e., it must be proportionate. Nevertheless, companies should not take this possibility of sanctions lightly. As in data protection law, the same applies to the CRA: In the event of a violation, a good documentation of the cyber security measures taken helps to provide evidence that a company fulfilled its obligations.

Need for action for companies: What must be done now?

Companies that manufacture, import or distribute products with digital elements should check these products for possible cyber risks already now and take appropriate security measures if necessary. In addition, they should prepare themselves for their obligations to provide documentation and evidence. Targeted training courses and raising awareness among employees are also indispensable. Agreements with suppliers should be checked to determine whether the suppliers of components also meet appropriate IT security requirements. In addition, it is recommendable to develop an incident response plan which, among other things, ensures compliance with reporting requirements and clearly defines responsibilities in the company.

Last but not least, the new requirements of the CRA for products with digital elements should already be considered during product design in the development in order that manufacturers will not be taken by surprise by the new cyber security requirements for their products in December 2027. Here, legal and technical expertise have to be combined to find solutions that not only meet the requirements of the CRA but are also practicable and economical.

The existence of the AFSL, AFSL Provisions and the IP Dispute Provisions obliges any parties engaged in foreign (= outside China) or domestic legal action involving Chinese parties to carefully assess the risks of any dispute resolution strategies. Not only China-based enterprises but also foreign enterprises are affected by these regulations and must hence balance these Chinese regulatory and compliance requirements with other responsibilities resulting from conflicting sanctions regimes of other jurisdictions such as Europe and the US and general international compliance requirements.

I. Countermeasures under AFSL Provisions in case of “foreign litigation”

The AFSL Provisions allow the Chinese government to take countermeasures against “promoting and implementing litigation by any foreign country, organisation or individual”, which the Chinese government deems will “endanger the sovereignty, security, and development interests of China”. It is thereby irrelevant where such litigation occurs inside or outside China and the “foreign” element is rather established by a foreign (invested) party promoting or implementing such litigation.

The potential countermeasures faced by the affected litigation subjects (including natural and legal persons) range from restrictions to enter/leave China, seizing of any kind of property in China; prohibition/limitation on transactions and cooperation with third parties; compulsory property enforcement and other measures. 

Whether the AFSL Provisions will be applied also to private commercial disputes or are more directed against cases of important strategical/political matters remains to be seen. However, given the far-reaching wording and the lack of excluding private party legal action against Chinese parties, one would be amiss to think this could not become a tool at the convenience of Chinese regulatory bodies to invoke countermeasures even in cases of private commercial disputes against Chinese parties if China deems such legal action could endanger the sovereignty, security, and development interests of China.

II. Particular Importance of IP Disputes - Link between the IP Dispute Provisions & AFSL Provisions

The IP Disputes Provisions are expressly linked to the ASFL and AFSL Provisions. The IP Disputes Provisions emphasise that “containment or suppression” against China and “discriminatory restrictive measures” against Chinese citizens and organisations taken “under the guise of IP disputes” fall within the scope of AFSL. 

While the AFSL uses the terminology of “containment, suppression and discriminatory restrictive measures”, it fails to define these terms. To date there is also no other public legislation known that would specify these terms. This ambiguity makes it very daunting to predict situations in which countermeasures could be taken against what China believes to be a foreign containment, suppression or discriminatory restrictive measures under the guise of international IP disputes in which Chinese enterprises are a party. 

While the IP Disputes Provisions only became effective on 1 May 2025, already on 15 January 2025 the PRC Supreme People’s Court issued a ruling in patent dispute filed by Huawei against Netgear, prohibiting Netgear and its affiliates from seeking anti-suit injunctions in the US and other foreign countries that would restrict Huawei from initiating or continuing patent infringement proceedings in China. 

Given that Chinese enterprises having become increasingly active in the international arena and are leaders in many high-tech sectors, it appears plausible to believe that in the future one will rather see more than less international IP disputes between foreign and Chines parties. 

Therefore, with these new IP Disputes Provisions, any such international IP disputes between foreign and Chinese parties should be subject to a risk assessment if they could create cause for potential countermeasures being invoked by China against the foreign litigants. In addition, foreign parties starting litigation against Chinese parties for IP disputes may also risk other legal consequences such as refusal to recognise and enforce foreign judgments and arbitral awards in China if they would be considered by China to fall under these new provisions.

III. AFSL Provisions in General  

The AFSL obliges China-based organizations and individuals to implement China’s countermeasures to (a) safeguard China’s interests against discriminatory restrictive measures imposed on organizations and individuals, and (b) against interference with China’s internal affairs by foreign countries, or individuals and organisations that have directly or indirectly participated in the formulation or implementation of discriminatory restrictive measures. 

The AFSL entitles Chinese individuals or organisations to initiate civil legal action to demand cessation of infringement and compensation for losses against any organisation or individual that “implements or assists in implementing discriminatory restrictive measures” taken by any foreign country against them. 

Further, the AFSL Provisions allow administrative measures to be taken against such organisations or individuals, including conducting interviews, orders to make corrections and other corresponding measures. 

In both such cases (civil & administrative cases), the related liabilities and administrative penalties apply to China-based and foreign organizations and individuals.

Legal consequences suffered in case of a failure to execute China’s countermeasures can entail the following: being ordered to make a correction, prohibition/limitation to partake in government procurement and in import/export of goods & services in general, prohibition/limitation to transfer/receive data and personal information across borders and prohibition/limitation to enter/exit China. 

Cooperations involving organizations or individuals against whom countermeasures have been taken are generally prohibited or limited unless an exemption is granted as per the AFSL Provisions. Such an exemption application must be submitted to the State Council department and documentary requirements, review timelines, and substantive evaluation criteria of the exemption mechanism remain subject to further clarification. 

Susanne Rademacher

1. Introduction

On 28 June 2025, the German Accessibility Reinforcement Act (Barrierefreiheitsstärkungsgesetz, BFSG) entered into force with the objective of digital inclusion. People with disabilities, handicaps and elderly people should be given equal access to products and services that are important for participation in life in society. This entails new obligations for companies. Violations may result in fines and other sanctions. 

2. Who is affected?

The Act applies to companies that place the products specified in the BFSG on the market or render services after 28 June 2025. This includes, in particular, banking services for consumers, telecommunications services, electronic ticketing services, self-service terminals such as ATMs or ticket machines, hardware systems and their operating systems for consumers (computers, tablets, notebooks), devices with interactive performance capabilities such as smartphones and smart tvs, e-books and e-readers. 

In addition, the requirements of the BFSG also apply to all electronic commerce services. Thus, every company is concerned that sells its products or services via an online shop.

This applies in principle to all companies operating in the relevant areas. In case of services, only micro enterprises are exempted that offer employment to less than ten people and have an annual turnover or an annual balance sheet total of no more than EUR 2 million. However, they should receive advisory services in order to be able to provide services that are accessible to everyone. Companies, that manufacture, import or distribute products, must also meet the requirements of the BFSG as micro enterprises. 

Accessibility requirements, however, must only be met if their compliance does not require any fundamental change in the essential characteristics of a product or a service. The manufacturer or service provider must document such an assessment and submit it to the competent market surveillance authority upon request.

In addition, the accessibility requirements apply only insofar as their compliance would not result in a disproportionate financial burden on the company. Companies are obliged to carry out and document an appropriate assessment before providing a product or service and to inform the competent market surveillance authority immediately.

3. What needs to be done?

The BFSG transposes the EU Directive 2019/882 ("European Accessibility Act", shortly EAA) into German law. It obliges the addressees to make the products and services covered accessible und provide information. 

3.1 Ensuring accessibility

Products and services must meet specific requirements for accessibility. They are barrier-free according to the legal definition in section 3 (1) sentence 2 BFSG if they can be found, accessed and used by people with disabilities in the usual manner, without any particular difficulties and generally without external help. Regarding the specific requirements, the BFSG refers to the Regulation on the Accessibility Requirements (BFSGV) (in German).

Products must contain components, functions and characteristics that enable people with disabilities to access, perceive, operate, understand and control the product. The same applies to the product packaging, user instructions and warnings. For instance, they must be made available via more than one sensory channel, must be easy to find and linguistically understandable and must be displayed in an appropriate font size.

Services must provide for functions, procedures and possible changes in the performance that are tailored to the needs of people with disabilities. This relates, in particular, to information on the functioning of the service. Comparable requirements for the comprehensibility and perceptibility apply here as for product packaging.

If services are offered online, the corresponding websites, including mobile apps, must also be designed to be perceptible, operable, understandable and robust. This includes ensuring interoperability with assistive technologies, such as screen readers.

In addition to these general requirements, the BFSGV contains numerous additional regulations regarding certain products and services, such as telecommunications services, banking services or e-books. 

When fulfilling the requirements of the BFSGV, companies must observe the state of the art. For products and services that comply with harmonised standards or technical specifications, it is presumed that they meet the requirements of the BFSGV. 

Manufacturers and providers may only place their products and services on the market and/or offer them if they meet the accessibility requirements. Traders must monitor compliance with these obligations of the manufacturer and may only make a product available on the market if it is compliant. If there is reason to assume that a product does not meet the accessibility requirements, traders may not distribute it.

3.2 Information obligations

In addition to the implementation of the accessibility requirements, service providers are also obliged to provide information on how these requirements are actually met. Additionally, this information must contain at least a general description of the service in an accessible format, descriptions and explanations that are required to understand the performance of the service, and the indication of the competent market surveillance authority.

This information can be included in the General Terms and Conditions used, but may also otherwise be made available, e.g. via a separate link on the website, as far as this is clearly perceptible.

3.3 Effects on GTC & data protection declarations

Insofar as a product or service must be made accessible without barriers pursuant to the BFSG, all contents that functionally belong to the product or service must also be accessible without barriers. For instance, this may concern GTC, but also data protection declarations. 

In this case, it must be ensured in particular that there is a text structuring through headings, there are alternative texts for embedded images or other media, a clear, comprehensible language is used, the font size and contrast are appropriate, and the compatibility with screen readers is guaranteed.

4. Implementation deadlines and transitional provisions

In principle, companies have had to meet the new accessibility requirements since the Act came into force, thus, since 28 June 2025. Partially, transitional provisions take effect. By 27 June 2030, services may be provided using products that have been used lawfully by the service provider already before 28 June 2025. Agreements on services concluded before 28 June 2025 must be adapted by 27 June 2030 at the latest.

Self-service terminals that companies used to provide services before 28 June 2025, may continue to be used until the end of their economic useful life, but for no longer than fifteen years after they are put into use.

5. Sanctions

Negligent and wilful violations of certain requirements of the BFSG are subject to fines of up to EUR 10,000 in minor cases and up to EUR 100,000 in serious cases. The specific amount of the fine is based on the circumstances of the individual case. 

The market surveillance authorities of the federal states verify compliance with the requirements of the BFSG. This task should be carried out by the "Market Surveillance Authority of the Federal States for the Accessibility of Products and Services" (Marktüberwachungsstelle der Länder für die Barrierefreiheit von Produkten und Dienstleistungen, MLBF) centrally in the future. In addition to the imposition of fines, market withdrawals of non-compliant products and a prohibition of service provision are imminent.

Administrative offence proceedings can be initiated ex officio, at the request of a consumer, an association recognised under the German Act on Equal Opportunities of Persons with Disabilities (Behindertengleichstellungsgesetz) or a consumer protection association. Competitors may also take action against alleged violations by way of a warning under competition law. In this case, the assertion of claims for injunctive relief and damages is imminent.

6. Recommended course of action

Companies should verify whether they are addressees of the obligations of the BFSG. If necessary, they should check their digital offers for accessibility and adapt them where appropriate. An accessibility audit or a quick check may help to identify and to remedy weak points in the technical implementation of accessibility requirements or of information obligations.  

However, it can also make sense for companies that do not fall within the scope of the BFSG to improve the accessibility of their products and services. In addition to an image gain by supporting inclusion of disadvantaged people, this may also lead to a measurable increase in sales, by reaching new customer groups.

Kristin Trittermann, LL.M.
Mathias Zimmer-Goertz

1. Stimulating business vitality

• District and municipal incentives for top-performing software and IT firms with annual revenues over RMB 2 billion and above-average growth.
• One-time cash grants of RMB 5–30 million for SMEs reaching key revenue thresholds.
• Micro and fast-growing small firms may receive RMB 200,000–500,000 depending on scale and growth. 

2. Supporting AI‑driven industry upgrades

• Subsidies for computing power to support innovative AI and cloud-based projects.
• Funding up to 30 percent of investment in industry model projects across sectors including finance, education, health, and new economy services.
• Enhanced R&D pre-tax deduction policies for qualifying software firms.
• Rolling funding through municipal strategic and emerging‑industry funds, covering up to 30 percent R&D expenses, and up to 50 percent for priority strategic projects. 

3. Reducing costs and burdens

4. Cultivating digital content leaders

• A procurement incentives list: eligible software application projects receive subsidies of up to 80 percent of contract value.
• Support for building digital content clusters—covering games, film/TV, micro‑videos, music, live‑streaming.
• Pilot program to treat game titles developed by foreign‑funded studios in Shanghai as “domestic” games for licensing purposes (Pilot).
• Support for copyright-pledge financing trials for digital content firms.

What does this Pilot mean for foreign game developers if their games get classified as “domestic” if developed in Shanghai:

Foreign‑funded entities physically based in Shanghai (with real R&D teams and IP registered under the Shanghai entity) can now apply for game licensing via the domestic track instead of the imported-game route. 

Difference of Imported Games VS Domestic Games and why the reclassification under the Pilot could make a big difference: The China National Press and Publication Administration (NPPA) classifies all games into two categories — imported and domestic — when issuing game approvals, also known as ISBNs. Though there is no official definition distinguishing these two categories, imported games are generally understood to be those whose copyright (including game software and content) is held by foreign entities, including foreign-invested companies established in China. While domestic games are those whose copyright is fully owned by Chinese natural/legal persons. Legally speaking, NPPA should apply the same set of content censorship criteria when reviewing all games and granting the ISBNs. However, practically speaking, it is perceived that foreign game developers face more difficulties in obtaining approvals compared to Chinese game companies that seek approvals for domestic games. Also, much less ISBNs for imported titles are granted and according to public sources, ISBNs for imported titles averaged less than 10% of domestic titles (e.g. in 2024, China issued 1,306 domestic game licenses, but only 110 for imported titles). With the Pilot, a new pipeline for foreign-developed games to access the larger domestic quota could be opened.

Faster approvals: Imported games often take 18–24 months to get licensed; domestic titles typically 6–12 months. Thus, treating Shanghai‑based foreign games as domestic could cut approval times significantly. That being said, it will still be the case that unlike domestic titles tailored for Chinese users, imported titles need a certain degree of localization effort to obtain NPPA approval and meet Chinese users’ expectations. 

A significant number of domestic casual games can benefit from faster track approval, with ISBNs typically granted within 20 working days. This is designed to accommodate the short lifespan and development cycles of casual games. However, imported casual titles are explicitly excluded from this beneficial treatment according to the NAAP’s current rules.

Things to be aware of:

• Although the implementation details and timeline are yet to be disclosed, this Pilot addresses major challenges faced by international game companies.

• While procedural access is via the domestic track, foreign-origin games may still face tighter internal scrutiny compared to domestic Chinese games.

• It remains unclear whether games based partially on internationally licensed IP will qualify under this Pilot. 

• Foreign investors and their subsidiaries in China are still not allowed to engage in game publishing and operation business. Consequently, the prevailing model – licensing foreign-copyrighted games to Chinese partners who handle ISBN acquisition as well as game publishing and operation – should remain unchanged under the Pilot if not adapted further. 

• Without the clear implementation guidelines being issued, the requirements concerning game copyright registration, the number of development team members based in Shanghai and other factors, such as local software development in Shanghai while games are based on offshore-licensed works, remain yet to be clarified.

Thus, Shanghai-developed games of internationally invested companies based in Shanghai may not necessarily enjoy an entirely equal footing with those of Chinese competitors but at least the unequal treatment gap should be closed a bit more under the Pilot.

Susanne Rademacher

Banyan Software was founded in 2016 and regularly acquires growing software companies with the aim of developing them over the long term as part of a buy-and-hold strategy. Banyan Software has offices in Canada, the UK and the DACH region.

Headquartered in Munich, Germany, star/trac is specialised in optimizing complex yard management operations. Its innovative solutions significantly enhance operational efficiency, reduce truck waiting times, and ensure compliance with the stringent safety and regulatory standards.

ADVANT Beiten advises Banyan Software regularly on the implementation of its growth strategy in the DACH region, most recently in January 2025 on the acquisition of FoxInsights.

Advisor Banyan Software:
ADVANT Beiten: Christian Burmeister (Lead), Damien Heinrich, Julius Bauer (all Corporate/M&A), Heiko Wunderlich, Fabian Buker (both Tax), Mathias Zimmer-Goertz, Christian Döpke (both IP/IT), Lelu Li (FDI), Alexander Grässel (Labor & Employment Law).

Public Relations
Frauke Reuther
Manager Kommunikation
ADVANT Beiten
+49 (69) 75 60 95 - 570
frauke.reuther@advant-beiten.com

Path to an “AI Nation” and Cloud Infrastructure

The future government has outlined the ambitious goal of making Germany Europe’s leading “AI Nation.” At the core of this vision are substantial investments into developing a high‑performance cloud and AI infrastructure to serve as the foundation for data‑driven applications. Significant resources will also be devoted to integrating artificial intelligence with robotics. Lightweight construction technologies and 3D printing are identified as key drivers for modernizing traditional manufacturing processes.

Data Strategy and Data Protection

“Public money, public data” is the principle which shall make sure that any data generated with public funds is generally available for governmental and societal use. To this end, the future government plans a comprehensive “Data Code” to consolidate existing regulations and to establish a right to open data related to government institutions. Coupled with strengthened data trustees this measure is intended to ensure trust in the quality and integrity of such datasets.

There are plans to reorganize data protection supervision by bundling responsibilities and competencies under the Federal Commissioner for Data Protection, who may be renamed the Federal Commissioner for Data Use, Data Protection and Freedom of Information. The Data Protection Conference (DSK) will be anchored in the Federal Data Protection Act (BDSG) in order to continuously develop common standards. For public services, the future government aims to replace consent-based processes with “opt‑out solutions” where feasible. At the European level, it will seek to exempt nonprofit associations, small and medium‑sized enterprises, and low‑risk data processing from the scope of the GDPR.

Administration 4.0 and E‑Justice

A key priority is the digitalization of public administration and the justice system. Administrative processes will be automated and accelerated, with AI playing a key role. Formal requirements for written documentation will be eased so that digital documents can be used without legal barriers. A nationwide “Justice Cloud” is also planned, into which case files and documents from courts and public prosecutors’ offices will be migrated. This will be complemented by a user-friendly "Justice Portal" offering digital filing procedures, an enforcement register and, in the future, AI-assisted support functions - particularly aimed at significantly shortening civil proceedings.

European Framework and Platform Regulation

The parties in the future government intend to implement EU digital legislation in Germany in an innovation-friendly and coherent manner. They plan to set up a central service office to manage the national implementation of the AI Act in order to minimize bureaucratic hurdles for companies. To strengthen digital resilience against cyber threats, the EuroStack initiative will be supported. Regarding platform regulation, the focus will be on rigorous enforcement of the Digital Services Act (DSA). Providers will be required to promptly remove illegal content and actively combat systemic risks such as disinformation. The future government will also explore mandatory bot identification and a ban on manipulative design practices ("dark patterns"). At the same time, criminal law will be modernized to close gaps in the prosecution of deepfakes and image‑based sexual violence, and platforms will face stricter cooperation obligations. The planned “Digital Violence Protection Act” will enable the blocking of anonymous hate accounts and create an interface for law‑enforcement authorities. Independent bodies in media supervision will receive clear legal mandates to counter manipulation of information, hate, and incitement on digital platforms. The mass and coordinated use of bots and fake accounts will be prohibited. Finally, Germany will proceed with implementing the NIS 2 Directive, the implementation deadline having already passed.

Contract Law and Consumer Protection

Consumer and contract law will also become more digital. So-called "smart contracts" will allow simple compensation and refund cases - such as ticket purchases - to be processed almost automatically via pre-populated online forms where the necessary data is already available. A reform of the law on standard terms and conditions (AGB) is planned to give large companies confidence that their mutually agreed terms will be reliably recognized in practice; this may entail a relaxation of the control of terms in B2B transactions. For telephone-based subscription agreements, a universal confirmation solution will be introduced to avoid burdensome follow-up verifications. The "by design" and "by default" principles will oblige providers to make digital offerings consumer-friendly from the outset.

Copyright and Media Law in the Digital Age

According to the coalition agreement, the government aims to strike a fair balance between creators, industry, and users. Notably, it proposes to compensate authors for the use of their works in generative AI systems - suggesting a form of copyright levy. In the digital music market, streaming platforms would be required to transparently share revenues with artists.

Conclusion

Many topics are described only in broad strokes, but the coalition agreement between the conservative parties (CDU/CSU) and the SPD does contain some specific initiatives. Whether and to what extent these plans will be implemented remains to be seen. In any case, the declared objectives are to digitize processes, reduce bureaucracy, and make significant investments in the digital space. We will continue to follow developments closely.

Fabian Eckstein

Banyan Software was founded in 2016 and regularly acquires growing software companies with the aim of developing them over the long term as part of a buy-and-hold strategy. Banyan Software has offices in Canada, the UK and the DACH region.

FoxInsights, headquartered in Munich, is a spin-off of one of the Top3 Innovation Labs (EnBW Innovation) in Germany. The company offers IoT-based remote tank monitoring solutions. Through digitalisation and data analytics, FoxInsights optimises the sales and ordering process as well as supply chains in the energy, mobility and recycling sectors.

Advisor Banyan Software:
ADVANT Beiten: Christian Burmeister (Lead), Damien Heinrich (both Corporate/M&A), Dr Christian von Wistinghausen, Lelu Li (both Investment Control), Heiko Wunderlich, Fabian Buker (both Tax), Mathias Zimmer-Goertz, Christian Döpke (both IP/IT), Dr Erik Schmid, Alexander Grässel (both Labor & Employment Law).

Public Relations
Frauke Reuther
Manager Communications
ADVANT Beiten
+49 (69) 75 60 95 - 570
frauke.reuther@advant-beiten.com

The Hayden vs. Take-Two Case: When Tattoo Art Goes Digital

Jimmy Hayden is a renowned tattoo artist from Cleveland. He counts several NBA stars among his clients, including Shaquille O'Neal, Kyrie Irving and, relevant to this case, LeBron James. His tattoos have been the subject of a long-running legal battle with video game publisher Take-Two Interactive, the company behind the popular "NBA 2K" series of video games.

Hayden filed a lawsuit in 2017. In his lawsuit, which was revised in 2019, he argued that the detailed reproduction of the tattoos he had engraved in several titles in the "NBA 2K" series infringed on his copyrights. 

The key legal question was: Does a video game company need the tattoo artist's permission to display the tattoos as part of a licensed likeness of the athlete? Take-Two argued that the license to use James' likeness included the right to display his tattoos. The Ohio federal jury agreed with this argument. It ruled that Take-Two's agreement to use James' likeness impliedly granted it the right to display his tattoos.

But this is not the only case of its kind. Take-Two won a similar lawsuit in a New York federal court in 2020. The case concerned the depiction of tattoos of the late basketball player Kobe Bryant and other NBA players. 

However, another case shows that the law in this area is not yet fully established: In 2022, an Illinois jury ordered Take-Two to pay damages to a tattoo artist whose work was featured on the body of wrestler Randy Orton in the "WWE 2K" game series, even though the damages amounted to only $3,750.

These differing decisions illustrate that the legal assessment of tattoos in another medium is still evolving, as tattoo artist Hayden is said to have already appealed the most recent decision.

What the "photo wallpaper rulings” of the German Federal Court of Justice have to do with it

Although there has not yet been a comparable decision in Germany regarding the depiction of tattoos in video games, the recent rulings of the German Federal Court of Justice (BGH, rulings of September 11, 2024 - I ZR 139/23; I ZR 140/23; I ZR 141/23) regarding so-called photo wallpapers could provide an indication of how such a decision would turn out in German courts.

The BGH had to deal with a number of cases concerning the display of photo wallpapers on the Internet. The cases before the BGH revolved around a company founded by a professional photographer that marketed photo wallpapers featuring his photographs. In three different constellations, these wallpapers were placed on the Internet as images by the respective defendants: A private user showed the wallpaper as a background in Facebook videos, a media agency presented a client project in which the wallpaper could be seen, and a hotel operator advertised with photos of its decorated rooms. In each case, the photographer's company took legal action against the use, seeking damages and reimbursement for the cost of the warning.

However, the BGH clearly rejected these claims and assumed "clear consent". The core consideration of the court: Anyone who places a copyrighted work such as a photo wallpaper on the market without special restrictions must expect certain usual uses. Today, this includes the fact that the wallpaper can be seen in photos or videos posted on the Internet - not only in a private context, but also in a commercial context.

It is particularly interesting that the BGH did not limit these considerations to the direct purchaser of the wallpaper. Third parties, such as the media agency in this case, may also rely on implied consent if their use is considered customary. The court emphasized that the author is, of course, free to prohibit certain uses - but he must then also make such restrictions clear, for example through corresponding contractual agreements or clearly visible reservations of rights.

These considerations should also apply to celebrity tattoos in video games. A tattoo artist also takes his or her work "out into the world" without any particular restrictions - moreover, he or she applies it to the skin of a person who naturally moves around in public and is photographed or filmed doing so. In the case of prominent sports stars such as LeBron James, this media presence is even an essential part of their professional activity. Following the logic of the BGH, a tattoo artist would therefore have to expect that his work would be depicted together with its "wearer" - be it in traditional media, on social networks, or even in video games.

It is up to the authors of the tattoos to regulate their works in explicit agreements with their "objects", the tattooed persons. The extent to which such regulations would then be effective, particularly with regard to the personal rights of the tattooed person, offers potential for further decisions by the BGH.

Fabian Eckstein

What is the DSA? Who does it apply to?

The DSA aims to create a safe and transparent online environment by strengthening consumer protection and the safeguarding of fundamental rights in the digital space. This regulation, which applies to the provision of intermediary services since February 17, 2024, entails extensive due diligence obligations on hosting services and especially online platforms to regulate the handling of illegal content, disinformation and other digital risks.

Online platforms are, simplified, services that allow the publication of information provided by and stored for the user (the user can also be a business!), if that is not merely a subordinate function.

The DSA as a toolbox for your IP:

IP infringements are common on online platforms (think, for example, of online marketplaces) and other hosting services. Movies or music are uploaded to file-sharing sites, where they are freely available to other users them. Online marketplaces list unlicensed and counterfeit goods sold at low prices. A mobile clone of a popular video game is released in an app store, generating revenue from in-app purchases while exploiting the original game's IP. In many cases, uploaders do not use their real names or provide an address. Sometimes they are based in countries where intellectual property rights are difficult to enforce. The DSA is primarily a set of rules for the providers of these services used by uploaders. However, it also offers some help for taking action against infringing content and can facilitate access to information about its uploaders. 

Contact the service provider:

Under the DSA, hosting services and online platforms must provide an easily accessible and user-friendly notification mechanism that allows individuals or entities to notify them of illegal content on their services. Typically, this mechanism is accessible either in the footer or next to shareable content. Upon the receipt of this notice, it is deemed that service providers have actual knowledge of the existence of the specific content reported. As long as the provider of the service (e.g. the online platform) does not know about infringing content the content, it is generally not liable. This exception has been known for many years as the "host provider privilege" or "safe harbor" for hosting providers. It was established in the EU through the EU by Directive 2000/31/EC, also known as the E-Commerce Directive (and is pretty similar to the “safe harbor” under the DMCA in the United States). If providers are informed about an infringement, they must review and act in a timely, diligent, non-arbitrary, and objective manner. Otherwise, they might be liable for the infringing content themselves. This is nothing new, but it should be easier and there is additional pressure on the service provider. (As far as copyright infringements go, the ECJ and national courts such as the German Federal Supreme Court have established some other criteria when service providers can be liable for infringing content. This regime is not restricted by the DSA.)

Breaches of the DSA on their part can be reported to the competent Digital Services Coordinators (i.e., the authorities responsible for the DSA), which can lead to investigations and ultimately fines. (We won't mention the fines anywhere else in this blog article, but they're worth keeping in mind).

Online marketplaces:

The DSA has even more specific rules for online platforms that allow consumers to enter into distance contracts with traders. We see these as potentially powerful tools to reduce counterfeit and pirated goods and other IP infringements. In the past, traders offering illegal products on online marketplaces often provided fake names and identities – IP owners could send take-down notices to online platforms, but did not get hold of the trader actually offering the goods.

Under the DSA, providers of online marketplaces now have to ensure what is called the “traceability of the traders” (aka “Know Your Business Customer”). The provider of the online marketplace must obtain the following information:

• the name, address, telephone number and email address of the trader;
• the trade register, registration number or equivalent means, if applicable; and
• a self-certification by the trader to only offer products or services that comply with the applicable rules of Union law

This information must be easily accessible and comprehensible to any user of the online marketplace.

Additionally, the provider of the online marketplace must obtain

• a copy of the identification document or other electronic identification;
• the payment account details.

This information must be collected before the trader can offer its products on the online marketplace, and the provider must use best efforts to assess whether the provided information is reliable and complete. For traders who were already active on the online marketplace before the DSA entered into force, the provider must obtain the relevant information until February 17, 2025. If the trader's information is inaccurate, incomplete or out of date, the online marketplace must ask the trader to rectify the situation. Otherwise, the service provider must suspend its service to the trader. These obligations are now starting to show an effect, and the information can be found on many online marketplaces where it wasn't available before. Recently, the online marketplace TEMU undertook to comply with the Know Your Business Customer obligations under the DSA after being sued by the Wettbewerbszentrale, a German organization for the enforcement against unfair commercial practices. 

Providers of online marketplaces must also randomly check whether products or services offered have been identified as illegal through official, freely accessible and machine-readable online sources. If products or services are identified as being illegal, the provider of the marketplace must inform all the purchasers of the fact that they were illegal, along with the identity of the trader and any relevant means of redress. 

Consequently, persistence can pay off. Traders who repeatedly offer infringing products mean a lot more work for online marketplaces. There is also an increased risk of personal liability. In addition to costly claims and court orders, reporting slow or inadequate DSA-compliance to the Digital Services Coordinators can be issues that make the online marketplace less attractive to bad actors.

Very Large Online Platforms:

Very Large Online Platforms (VLOPs) are online platforms with at least 45 million monthly active users in the EU on average, and are designated by the European Commission. These VLOPs must perform risk assessments on a regular basis to identify systemic risks in the EU stemming from the design or functioning of their service and related systems. The repeated violation of IP rights can be seen as such a systemic risk which must consequently be mitigated in the future. It remains to be seen how IP infringements on VLOPs will be mitigated if they are identified as a systemic risk. At least for VLOPs that repeatedly offer products and services in breach of EU law, the mitigation measures could become much stricter than what is already covered by the DSA to deal with such illegal offerings.

Seek the assistance of a trusted flagger:

Trusted flaggers are special entities under the DSA that detect specific potentially illegal content and notify the online platforms. Providers of online platforms must prioritize reports from trusted flaggers and process them without delay. Trusted flaggers are designated by the competent Digital Services Coordinator in the state they have their establishment if they meet the respective criteria. They have particular expertise in their field of competence which is taken into account by the service providers who receive the notice. The European Commission has updated a list of trusted flaggers. The list will be updated regularly as more will be added in the future.

Conclusion:

While the legal grounds for taking action against infringing products on the internet remain unaffected, the DSA is more than just a comprehensive set of difficult obligations to comply with. It is a robust framework designed to make it easier to take action against illegal content by simplifying notifications and putting appropriate pressure on online service providers. If they do not respond diligently and promptly, they may not only lose their liability privilege, but also be subject to enforcement by the authorities. One important aspect will be how rigorous the authorities are in ensuring compliance. Advocating for proper regulatory action is, therefore, crucial. If applied wisely, it can be a powerful tool for protecting intellectual property rights in the European Union. 

Daniel Trunk

Amphenol is one of the world’s largest designers, manufacturers and marketers of connectors and interconnect systems, antennas solutions, sensors and high-speed cable.

Luetze International Group is active worldwide and consists of various companies in a holding structure. The group of companies has a tradition of over 60 years in automation and is one of the leading companies in the industry today. Luetze Group offers innovative solutions in the areas of highly flexible cables, cable assemblies, interfaces, power supply and monitoring as well as control cabinet wiring.

Luetze Group's range of services complements Amphenol's portfolio in various segments of the fast-growing electronics market and underlines Amphenol's future-oriented, cross-border positioning.

In this transaction, ADVANT partner firm ADVANT Altana advised on French law, Fox Williams advised on UK law, Havel & Partners advised on Czech law, Kellerhals Carrard advised on Swiss law and E+H advised on Austrian law.

ADVANT regularly advises Amphenol on European M&A projects, most recently ADVANT Altana and ADVANT Beiten jointly advised Amphenol on the acquisition of the CMR Group based in France.

Advisor Amphenol Corporation: ADVANT Beiten: Dr Christian von Wistinghausen, Tassilo Klesen (both lead partners in charge), Olga Prokopyeva (all Corporate/M&A, Berlin), Susanne Rademacher, Lelu Li, Kelly Tang, Dr Jenna Wang-Metzner (all Corporate/M&A, Beijing), Michael Riedel (Labour & Employment, Berlin), Carsten Pütger, Danah El-Ismail (both Real Estate, Berlin), Mathias Zimmer-Goertz, Christian Döpke (both IP/IT/Media, Dusseldorf), Uwe Wellmann (Antitrust Law, Berlin), Christoph Heinrich (Antitrust Law, Munich), Dr Marion Frotscher and Simon Bauer (both Tax, Hamburg).

Advisor Sellers of Luetze Group: Heuking Kühn Lüer Wojtek: Dr. Rainer Herschlein, LL.M., Dr. Emanuel Teichmann (both Corporate/M&A, Stuttgart), Dr. Stefan Bretthauer, Jia-Xi Liu (both Antitrust Law, Hamburg).

Public Relations
Frauke Reuther
Manager Kommunikation
ADVANT Beiten
+49 (69) 75 60 95 - 570
frauke.reuther@advant-beiten.com

The Action Plan sets out a series of measures to address the challenges posed by e-commerce. Here is a closer look at its key elements.

Enhanced Market Surveillance and Customs Controls

The BMWK proposes to extend the powers of market surveillance authorities so that they can take direct action against online platforms if no responsible economic operator can be identified. Additionally, it proposes a collaborative approach between national and European market surveillance authorities and customs. This would include automated controls, coordinated inspections and test purchases to ensure that imported goods comply with EU safety, environmental and quality standards. Economic operators shall ensure that they can be contacted by the authorities throughout the distribution of their products and appoint a legal representative in the EU.

Abolition of the EUR 150 duty-free limit

The Action Plan provides for the rapid end of the EUR 150 duty-free limit quickly. At present, only import VAT is payable on purchases from online retailers outside the EU worth less than EUR 150, but not customs duties. This has led to a flood of cheap goods on the European market. It is even suspected that many of these goods are split into several packages to remain below the duty-free limit.

Enforcement of the Digital Services Act (DSA)

The BMWK calls on the European Commission to strictly enforce the DSA. Illegal offers, such as unsafe products or product piracy, must be removed and must not be available in the European Union. For active enforcement the DSA, the European Commission should work with the national Digital Services Coordinators to collect data on infringements so as to identify systematic violations. In addition, fines should be imposed to deter operators from committing further infringements. The reporting tool of the Federal Network Agency, Germany’s (main) Digital Services Coordinator, should be more strongly promoted.

Informing Consumers

The BMWK is proposing a “Digital Product Pass” containing all relevant information on the safety of a product, as well as on environmental and health protection. Operators of online trading platforms shall be obliged to review this information for completeness and plausibility.

In addition, the BMWK and associations shall provide information with the aim of motivating consumers to make sustainable purchasing decisions.

Data Protection

The Action Plan also addresses data privacy concerns, calling for closer collaboration between national data protection authorities and the creation of an EU-wide data protection body to ensure that personal data collected by online platforms is handled responsibly and in compliance with the General Data Protection Regulation (GDPR).

Representative Actions

In addition to market surveillance authorities, associations should also be able to enforce the provisions of the EU Market Surveillance Regulation.

Continuous Evaluation

Finally, the Action Plan includes provisions for regular public reporting by the European Commission to ensure continuous evaluation and, if necessary, adaptation of the strategies.

Increasing Pressure on Online Platforms

The BMWK takes the view that the level playing field is threatened by non-EU economic operators that do not comply with existing EU legislation. It refers in particular to the range of products offered on Temu and SHEIN, which have recently become very successful in Germany. This increases the pressure on both online platforms which have also received requests for information under the DSA from the European Commission. It remains to be seen what the results of the Commission's investigations will be and how the DSA will be implemented in practice. What is certain is that market surveillance authorities, consumer watchdogs and competitors will be watching these developments closely.

Daniel Trunk

Section 26 of the German Telecommunications Digital Services Data Protection Act (TDDDG), which was introduced in December 2021 as the "TTDSG", provides the Federal Government with the power to issue regulations to govern so-called consent management services.

The original idea of such services, which are also discussed under the keyword of "Personal Information Management System (PIMS)", was that the internet user would submit their personal cookie preferences once to the PIMS and the providers of digital services would be able to request these preferences from the PIMS. Users would have the option of agreeing to all cookies, generally accepting or rejecting individual categories of cookies across the board (e.g. statistics cookies or marketing cookies) or rejecting all unnecessary cookies.

(In)permissibility of general consents

The problem with such blanket consent to the use of cookies, even if it is only given for certain categories of cookies, is that the internet user cannot really give informed consent in this case. Even though providers of digital services often use similar cookies and tools, they are not exactly the same. Each provider uses different cookies in some cases and therefore also transmits information from internet users to different recipients. Internet users would thus never know exactly what processing they are consenting to at the time of giving their consent, let alone to whom their data is being transmitted. For this reason, the German government has also decided against blanket default settings and comments on this in the explanatory memorandum to the regulation:

“General default settings for possible consent requests from the provider of digital services, which are made by the end user without reference to the specific use of a digital service, do not meet the requirements for the management of consent.”

However, this also means that the desired effect of PIMS, namely, to reduce the number of cookie banners, is lost. 

Solution through the EinwV?

Section 3 (1) of the now adopted Consent Regulation (EinwV) stipulates that the approved consent management service (i.e. the PIMS) stores the end user's cookie settings when they use a digital service for the first time. According to its wording, internet users will still have to see a cookie banner every time they visit a website for the first time.
The approved service must also be user-friendly, i.e. transparent and comprehensible, and a request to review the end user's settings may only be made after one year at the earliest (Section 4 EinwV). It must also be possible to switch to another approved consent management service at any time (Section 5 EinwV). Furthermore, in accordance with Section 6, a competition-compliant procedure is required for providers of digital services. Finally, integration into so-called retrieval and display software (usually presumably Internet browsers) should be made possible (Section 7 EinwV).

As the name "approved consent management service" makes clear, the service must be approved. This is done in accordance with the procedure described in Part 3 of the Regulation. The competent body for this is the Federal Commissioner for Data Protection and Freedom of Information (Section 8 EinwV).

Part 4, the last part of the regulation, defines technical and organizational measures for providers of digital services as well as manufacturers and providers of retrieval and display software. Particular attention should be paid to Section 18 (1) of the Consent Regulation, which declares the integration of approved consent management services by digital service providers to be voluntary. This provision has been criticized by consumer advocates as the requirements of the regulation can easily be circumvented in this way. Moreover, the fact that the use of consent management services is voluntary will probably result in them rarely being used, especially in practice. In light of the study cited at the beginning, the proportion of those who use such a service to generally reject non-optional cookies is likely to be very high. The providers of digital services will also assume this and therefore have no interest in using such services. They will be inclined to continue to use cookie banners to access the data of at least those users who click on "accept all" because they actually want to give their consent, do not really care or simply like to press green buttons.

Conclusion

There are major doubts as to whether the adopted regulation can really reduce the number of cookie banners on the internet. It can also only regulate consent in accordance with Section 25 (2) TDDDG. In practice, however, consent is often also obtained via cookie banners in accordance with the GDPR (in particular also in accordance with Article 49 para. 1 a) GDPR). Strictly speaking, these cannot then be obtained through the consent management service, which would probably entail that the previous cookie banners would have to remain in place for these consents in any case.

However, another argument against the regulation is that the use of the consent management service does not appear to have any added value for either users or service providers. Users would still have to make a setting at least for every new website and even several times if the website uses new cookies or other tools, because no blanket default setting for different providers of digital services is to be legally permissible. Service providers, on the other hand, are presumably not interested in participating in consent management, which will probably result in more refusals of optional cookies.

Ultimately, though, the relevance of the services for consent management will depend on the specific technical design. If this is kept as easy to install and low-threshold as possible, it could perhaps be attractive for some digital service providers. With a well-functioning solution that actually makes things easier for the user, these service providers could then advertise particularly user-friendly cookie handling.

Fabian Eckstein

The transaction was backed by Keensight Capital, one of the leading private equity managers for Europe-wide growth buyout investments. The parties have agreed not to disclose the transaction volume.

Fischer Information Technology has focused on expertise in the development of reliable software for the efficient management, organisation and distribution of technical documentation and product information since its foundation in 1985. The company has played a key role in shaping the European market for technical documentation software.

Quanos was formed by software experts for after-sales, service and technical documentation, optimised by AI capabilities. The company offers innovative, successful and reliable technology to more than 1,200 customers worldwide.

The acquisition of Fischer IT strengthens Quanos' market presence and increases the customer base to 1,400 customers worldwide. This enables Quanos to offer a wide product portfolio that delivers significant added value to the joint customer base. In addition, Fischer IT's proven technical expertise will further enhance Quanos' innovative potential.

Advisor to Fischer Information Technology GmbH: 
ADVANT Beiten: Gerhard Manz, Dr Christian Osbahr (both Corporate/M&A, Freiburg), Dr Birgit Münchbach und Dr Holger Weimann (both IP/IT, Munich)

Advisor to Quanos Group GmbH:
Renzenbrink & Partner: Team Dr Ulf Renzenbrink

Media Contact
Frauke Reuther
Manager Kommunikation
ADVANT Beiten
+49 (69) 75 60 95 - 570
frauke.reuther@advant-beiten.com

Gerhard Manz
Rechtsanwalt
ADVANT Beiten
+49 (761) 15 09 84 - 11
gerhard.manz@advant-beiten.com

There is no doubt that manufacturers of AI systems will have to comply with the provisions of the AI Act and will therefore certainly be keeping a close eye on this European Regulation. However, companies that "only" use AI should do the same. In the following, we have compiled the ten practical questions that companies should ask themselves if they are using or planning to use AI.

1. Which companies must comply with the provisions of the AI Act?

Most of the provisions of the AI Act deal with prohibited and high-risk AI systems and the resulting obligations for providers, as well as for importers and distributors of such AI systems. However, this does not mean that users of an AI system can now sit back and relax. On the contrary: users (referred to as "deployers" in the AI Act) of AI systems are also covered by the AI Act and must comply with extensive obligations.

The AI Act applies not only to companies based in the EU, but also to providers and deployers based outside the EU, provided that the output generated by the AI systems is used in the EU.

2. Excluded areas of application

First, the AI Act excludes from ist scope the use of AI by natural persons for purely personal, non-professional purposes from the scope of application. AI systems that are developed and used exclusively in the field of scientific research and development are also excluded from the scope of application.

The provision that the AI Act does not apply to certain AI with free and open source licenses (open source) may become significant in the future. The AI Act provides for another significant exception for the use of AI systems in the military, defense and national security sectors. In addition, Member States have the option to provide for further exceptions in specific areas. For example, they can provide for further legal and administrative provisions on the use of AI systems by employers to provide further protection for employees.

3. Prohibited AI systems

AI systems that pose an unacceptable risk are completely prohibited under Art. 5 AI Act. This includes AI systems in the following eight areas:

• Techniques of subliminal influence beyond human consciousness to significantly distorting or harm a person's behaviour
• Targeted exploitation of the vulnerabilities of certain groups of people due to their age or disability
• Social scoring
• The use of profiling systems to assess or predict the risk of an individual committing a criminal offense
• Non-targeted collection (scraping) of facial images from the Internet or from video surveillance systems to create facial recognition databases
• The use of emotion recognition systems in the workplace and in educational institutions
• The use of biometric categorisation systems
• The use of 'real-time' remote biometric identification systems in public spaces for purposes of law enforcement (although this is declared permissible within narrow limits).

4. Which systems are high-risk AI systems?

The core of the AI Act are the regulations on so-called high-risk AI systems. In principle, AI systems are considered high-risk AI systems if they pose a significant threat to fundamental rights.

A high-risk AI system exists if an AI system is used as a safety component for a product that falls under the EU harmonisation legislation listed in Annex I or is itself such a product. This includes, for example, machinery, toys and medical devices.

An AI system is also considered to be a high-risk AI system if it falls into one of the following areas of Annex III:

• Remote biometric identification systems and AI systems for biometric categorisation and emotion recognition
• Critical infrastructure: This includes AI systems that are intended to be uses as safety components in the management and operation of critical digital infrastructure, road traffic or in the supply of water, gas, heating and electricity.
• Education and vocational training: AI systems are covered if they are used to make decisions on the access of natural persons to educational and vocational training institutions.
• Employment, workers management and access to self-employment: AI systems used for analyzing, filtering and evaluating applicants are covered.
• Certain essential private and essential public services and benefits: This includes, for example, AI systems that are used to evaluate the creditworthiness and credit score of natural persons.
• Law enforcement
• Migration, asylum and border control management
• Administration of justice and democratic processes

However, the AI Act provides for an important exception: AI systems from the aforementioned Annex III categories can be exempted from classification as high-risk AI systems under certain conditions. The prerequisite is that there is no significant risk of harm to the health, safety or fundamental rights of natural persons. Examples include AI systems that ae intended to perform a narrow prcedural task. The same applies if the AI system is used to improve an activity previously carried out by humans. The assessment of whether such an exemption applies must be carried out by the company itself as part of a risk evaluation and documented accordingly.

5. What regulations apply to deployers of high-risk AI systems?

Companies that use high-risk AI systems as deployers must fulfill a comprehensive catalog of obligations. These include the following, for example:

• They shall take appropriate technical and organizational measures to ensure that the high-risk AI systems are used in accordance with the instructions for use.
• They transfer human supervision to natural persons.
• They ensure that input data is relevant and sufficiently representative with regard to the purpose of the AI system.
• They monitor the operation of the high-risk AI system on the basis of the instructions for use and, if necessary, inform the suppliers or, in the event of serious incidents, the importer, distributor and the relevant authorities.
• You keep automatically generated logs for at least six months.
• If they are also employers, they must inform the employees concerned and the employee representatives about the use of a high-risk AI system in the workplace.
• They are subject to an obligation to cooperate with the authorities.

The fundamental rights impact assessment for high-risk AI systems, which was originally required for all deployers, is now only foreseen in the current text of the Regulation for state institutions and private companies performing public services, as well as for those high-risk AI systems where public services, credit assessment or risk-based pricing of life and health insurance are affected, Art. 27 AI Act.

Under certain conditions, deployers may also become providers of a high-risk AI system themselves and then be subject to the stricter provider obligations, such as the establishment of a risk management system, the implementation of a conformity assessment procedure and registration in an EU database. Such a change of responsibility comes into effect if a high-risk AI system is placed on the market or put into operation under its own name or brand, or if a significant change is made to a high-risk AI system.

6. What obligations apply to deployers of AI systems that are not high-risk AI systems?

While the comprehensive list of obligations outlined above applies to deployers of high-risk AI systems, deployers of low-risk AI systems are generally only subject to certain transparency obligations, Article 50 AI Act. For example, they must disclose if content such as images, videos or audio content constituting a deep fake has been artificially generated or modified by an AI. The same obligation applies when an AI generates or manipulates text that is published with the purpose of informing the public on matters of public interest.

7. What applies to SMEs?

The declared aim of the AI Act is to create an innovation-friendly regulatory framework. Accordingly, the legislator has introduced regulatory relief for micro, small and medium-sized enterprises (SMEs) - including start-ups - based in the EU. For example, SMEs can benefit from non-material and financial support. Finally, under certain conditions, SMEs are to be given priority and free access to so-called regulatory sandboxes. Finally, fines can be capped.

8. When does the AI Act apply?

Exact dates cannot yet be given, as the final text oft he AI Act needs to be published in the Official Journal of the EU before it can enter into force. The ban on AI systems will take effect six months after the Regulation comes into force. The majority of the provisions of the AI Act will apply 24 months after entry into force. However, the obligations stipulated for high-risk AI systems will only apply after 36 months.

9. How are violations of the AI Act sanctioned?

Non-compliance with the requirements of the AI Act can result in exorbitant fines. These vary depending on the violation and the size of the company. While violations of prohibited AI systems can result in fines of up to EUR 35 million or 7% of global annual turnover, other violations of obligations under the AI Act can result in fines of up to EUR 15 million or 3% of annual global turnover. Fines of up to EUR 7.5 million or 1% of turnover may be imposed for providing of false information.

Several national and EU-wide authorities are involved in enforcement, resulting in a complex structure of responsibilities and coordination procedures. In Germany, it is not yet clear which authority will ensure compliance with the requirements of the AI Act. The Federal Network Agency and the Federal Office for Information Security are being discussed.

10. ToDos for companies

First of all, each company should determine and classify the risk class to which the AI systems used belong. The requirements for their proper use are then derived from this categorisation. Especially for future projects, it is important to involve the departments responsible for AI in the company at an early stage to ensure sufficient testing and compliance with the regulations. This is highly recommended, especially in view of the high fines.

Dr Peggy Müller

Another article on this topic can be found under this link.

The Act is a milestone (see our blog post for more details). It is really relevant for providers and deployers of AI systems, especially those with high risks. However, most of the practical and legal issues associated with the use of AI are not regulated or even addressed in the law. They remain to be negotiated between the parties.

1. Internal: Clear rules

Wherever employees have access to the Internet, they use to at least experiment with AI, in particular to see what ChatGPT, Copilot, Claude, Dall-E, Midjourney and others can do. It has also become widely known that there can be risks for the company in using them. This has already cost some people their jobs. It is therefore all the more surprising that many companies still do not have internal guidelines on the correct use of artificial intelligence in the workplace. It is essential to regulate the handling of sensitive information and the use of the results of AI work, but ideally also responsibilities, accountability, and documentation requirements. One thing is certain: these systems will be used. A total ban would be impossible to enforce and would also hamper productivity.

2. Reliable contracts

Many organizations buy AI solutions from third parties or license software that includes AI. This should be governed using contracts that take into account the specific issues associated with the use of AI - not just outdated standard IT terms and conditions that are still silent on the subject of AI. Of course, there is nothing wrong with adapting outdated IT standard terms and conditions to the many new practical and legal requirements.

Some important challenges:

No licensee or user should rely on the legal compliance of generative AI systems (such as Chat GPT, etc.). In particular, it is questionable whether the data used for training has been obtained and used legally, especially with regard to data protection, personal rights and third party copyrights. This does not mean that a company should generally refrain from using such systems. But the distribution of risk must be properly regulated.

Artificial intelligence also sometimes produces undesirable results or exhibits strange behavior. For example, the results of AI generated work can infringe the rights of third parties. Rights clearance can be much more difficult here than with human-generated work, because the AI does not or cannot disclose which authors it has used in the first place (a particular problem: this makes proper disclosure of the use of open source code almost impossible and the use therefore inadmissible). There have also been reports of chatbots used on company websites that have literally fallen flat on their faces - because the chatbot gave customers rights that they would not have had under the contract. Finally, AI also makes mistakes, which can have unexpected consequences: With this in mind, some systems regularly accept a certain level of error tolerance. However, if the settings of an AI system, for example for fraud prevention, are so strict that it only approves a transaction if fraud can be ruled out 100%, it is unlikely to ever approve a transaction. At the same time, however, a more “tolerant” setting means a conscious acceptance of wrong decisions, which can, for example, invalidate the insurance cover that would exist for wrong human decisions.

In general, the point is that AI is effective but often operates in an opaque way and will sooner or later produce errors. It is therefore necessary to regulate contractually how the lack of transparency is dealt with and who bears the risk if it is not possible to determine where the error was made - and also what level of error probability is still acceptable.

The usual standards of intent and gross negligence found in most standard contracts are not useful here: both parties know that errors can occur. It is therefore necessary to regulate which errors are attributable to which party. This can be done, for example, in provisions on data quality, service levels and indemnity clauses. Of course, there is no boilerplate solution for every use of AI. However, it is important that the issue is considered and regulated appropriately.

It is also important to regulate the extent to which the AI can be 'trained' using the licensee's data, and whether other customers can also benefit from what the AI learns in this way. In the worst case, the data used for training could be disclosed to other customers or their end users of the AI, which could constitute a violation of privacy rights, intellectual property rights or trade secrets. If the licensee's dataset includes personal data, it generally must not be used to train the AI for other customers anyway.

In connection with the AI Act, the European Commission has also presented draft standard contractual clauses for the procurement of AI systems by public authorities (AI SCC). The requirements set out in the AI SCCs are intended to ensure that the contract terms comply with the requirements of the AI Act, with one version of the AI SCCs published for high-risk AI systems and one for non-high-risk AI systems.;

The AI SCCs cannot be used as the sole contractual basis for the use of AI, as many issues relevant to contract law (e.g. liability, intellectual property) are not addressed or are inadequately addressed. Nevertheless, the AI SCCs can provide useful points of reference for negotiating contractual terms, even between private companies.

3. HR software

As mentioned above, EU legislation on artificial intelligence will not apply across the board, but will impose specific obligations on providers and deployers of AI systems. However, there is one area of application that deserves special mention: Software in the HR sector is often considered a high-risk system, in particular recruitment tools (for the recruitment and selection of candidates or the placement of targeted job advertisements) and personnel management tools. High risk systems are subject to particularly strict requirements.

Dr Andreas Lober
Lennart Kriebel

What does the Cyber Resilience Act cover?

The scope of the CRA is very broad, covering all types of hardware and software, from low to high risk. The CRA initially distinguishes between three categories of products:

• "Basic" products with digital elements
• Class I and II important products with digital elements, and
• Critical products with digital elements.

The requirements for the products vary depending on the category.

Class I important products include:

• Identity management systems
• Stand-alone and embedded browsers
• Password managers
• Anti-malware
• Network management systems
• Security information and event management systems
• Boot managers
• Public key infrastructures and digital certificates issuance software
• Physical and virtual network interfaces
• Operating systems
• Routers, modems, and switches
• Microprocessors
• Microcontrollers
• Application-specific integrated circuits and field-programmable gate arrays
• Smart home general purpose virtual assistants
• Smart home products with security features
• Internet connected toys
• Wearables for health monitoring

Class II important products include:

• Hypervisors
• Container runtime systems
• Firewalls
• Intrusion detection and/or prevention systems
• Tamper-resistant microprocessors and microcontrollers

The annex of critical products currently includes hardware devices with security boxes, smart meter gateways in intelligent metering systems, and smartcards or similar devices. Both lists are to be expanded and specified by the EU Commission through delegated acts in the future.

Essential Cybersecurity Requirements:

In order to make a product with digital elements available in the EU, it must meet some essential requirements. First, the manufacturer must assess and document the cybersecurity risks of the product, taking into account the results during planning, production, and the expected lifetime of the product. Based on this assessment, the products must, in particular

• be free of known exploitable vulnerabilities,
• have secure configurations enabled by default, and
• enable free security updates automatically.

They must

• protect against unauthorized access,
• maintain the confidentiality and integrity of data,
• minimize data processing, and
• ensure core functionality even after disruptions.

Product design must minimize attacks, limit impact, and provide transparent security information. This includes an obligation to identify and document exploitable vulnerabilities, regularly review product security, and take precautionary measures, including a coordinated vulnerability disclosure policy. The support period for products with digital elements, during which security updates must be provided and technical documentation must be produced, shall generally be at least five years. The end of the support period shall be clearly and conspicuously disclosed at the time of purchase.

Importers and distributors of products are also required to ensure that the products comply with the requirements of the Regulation.

Conformity Assessment and CE Marking:

For products with digital components, an EU declaration of conformity from the manufacturer is required, ensuring compliance with the requirements set out in the CRA or further regulations. The corresponding CE Marking must be visibly, legibly, and permanently affixed to the product. For software products, the software must be indicated either on the conformity declaration or on the accompanying website.

The intended conformity assessment procedure can be conducted by the manufacturer on their own responsibility for products not classified as important or critical. The involvement of an independent notified body is voluntary for important products of Class I but mandatory for Class II.

Point of Contact:

Manufacturers shall designate a single point of contact where users can report vulnerabilities and obtain information. The single point of contact should not only be automated but also enable contact with a human employee.

Reporting Obligations:

Manufacturers must report security breaches by malicious actors and cybersecurity incidents that pose an increased risk to users or other individuals. The European Union Agency for Cybersecurity (ENISA) will set up a uniform reporting platform for these reports, which must generally be made immediately but can be delayed for a necessary period for security reasons in individual cases. Addressed vulnerabilities will be recorded in a European vulnerability database in agreement with the manufacturer.

Monitoring and Enforcement:

Monitoring and enforcement are primarily carried out by market surveillance authorities, which must now be designated in each Member State. These can also demand access to internal data from manufacturers to assess product conformity.

In case of violations, as with other EU legislation, depending on the nature and severity, substantial fines can be imposed. In the case of the Cyber Resilience Act, they can amount to up to 15 million euros or 2,5% of the company's total worldwide annual turnover in the preceding financial year. The specific rules are left to the EU Member States.

Timeline

The CRA must now be formally adopted by the Council of the European Union. This is expected to take place in April 2024. In line with other EU legislation, the CRA will then enter into force on the twentieth day following its publication in the Official Journal of the European Union. The Regulation will be fully applicable 36 months after its entry into force, although some aspects, including the obligation to report security incidents, will apply earlier.

Products with digital elements placed on the market before the full entry into force of the Regulation will not be subject to the requirements, provided they are not significantly modified after that date. However, this does not apply to the obligation to report security incidents

Assessment

The Cyber Resilience Act obliges economic operators to exercise particular care in the context of cybersecurity. On the one hand, this leads to considerable additional efforts, but on the other hand, it provides a certain degree of legal certainty, as the CRA applies throughout the European Union. Thus, products that comply with the requirements of the Regulation can, in principle, be marketed in any other EU Member State without stricter cybersecurity requirements hindering economic activity. Although the requirements of the Cyber Resilience Act will not be fully applicable for approximately 36 months, they need to be considered early for products with long development cycles and long-term contracts.

From a legal perspective, in addition to compliance with mandatory disclosures, new aspects will play a critical role in the negotiation of IT contracts. For example, manufacturers who obtain components for their products from third parties should require assurances that these components are compliant with the CRA.

Daniel Trunk

However, providers of cloud, SaaS, edge and similar services are also affected. The Data Act dedicates a separate chapter to them. This Chapter VI contains regulations for so-called data processing services and primarily aims to make it easier to switch between different services, i.e. to remove existing barriers to switching.

In particular, if providers work with long term-contracts or the export of customer data is complex, the business model must be reviewed- ideally immediately.

The main reasons for this are as follows:

Long contract terms are obsolete. The customer can initiate a switch to another provider at any time with a notice period of two months. As a rule, the switch should be successfully completed after a further 30 days. After a successful switch, the previous contract is general-ly deemed to be terminated. The previous practice of refinancing providers' initial investments via certain minimum contract terms will therefore no longer work without further ado. Set-up fees, which have become less important in recent years as a result of SaaS services becoming more popular, could be considered as an alternative, as could payments in the event of premature contract termination (e.g., termination fees).

Exit support can be very costly, but must generally be provided free of charge in the future. Since January 11, 2024, only reduced switching fees may be charged; from January 12, 2027, switching must be free of charge. At the same time, however, the Data Act provides for comprehensive support obligations that the source provider cannot evade.

The provider is – to a certain extent – responsible for interoperability with the new provider's system.

These issues should be addressed immediately, as they will force many providers to adapt their business model. As soon as the Data Act will fully come into force on September 12, 2025, a whole range of other obligations will be added, in particular

• Adaptation of contracts (the Data Act specifies mandatory contract clauses)
• Abolition of technical and organizational barriers to change
• Extensive information obligations

In addition to civil litigation with customers, breaches of the Data Act can also result in sanctions being imposed by the regulatory authorities; the maximum amount of fines has not yet been determined. Particularly juicy: The provisions on data processing services are likely classified as market conduct rules and thus subject to competition law. Breaches could be subject to warnings from competitors.

Providers of data processing services must also implement safeguards against unauthorized access from public bodies in third countries.

Our blog post provides an overview of the provisions of the Data Act, including those relating to networked products.

Dr Andreas Lober
Lennart Kriebel

The AI Act aims to ensure that only AI systems which are both safe and respect the fundamental rights and values of the EU are brought onto the European market and are used in the EU. Still, even though an agreement has been reached, the outcome of the negotiations was announced although there is not yet a consolidated text to present. The political agreement will be put into a final text over the coming months. To this end, a number of technical negotiation meetings have been scheduled until the end of February. As some of the information currently available varies widely , we will have to wait until the final text will be published in the first quarter of 2024. The overview below presents the most significant known regulations.

Definition of an AI System

The new AI Act will include an amended definition of AI systems compared to the European Parliament's last proposals, which is close to the OECD's definition. The OECD's definition is as follows:

“An AI system is a machine-based system that, for explicit or implicit objectives, infers, from the input it receives, how to generate outputs such as predictions, content, recommendations, or decisions that can influence physical or virtual environments. Different AI systems vary in their levels of autonomy and adaptiveness after deployment.”

This definition is particularly criticised because it is extremely broad and therefore even includes simple auto-correction or Excel functions, for example. In this respect, the final wording of the Act including its recitals which, as we know, may often be used to fine-tune certain terms must be awaited.

Risk-based Approach

The Regulation, which is based on a proposal by the EU Commission in April 2021 and is part of the EU's digital strategy, follows a risk-based approach. It categorises AI systems into different groups depending on the risk they pose: from minimal risk to high-risk and even banned AI systems.

According to this approach, six principles apply to all AI systems. AI systems should (1) enable human agency and oversight, (2) be technically robust and safe, (3) comply with privacy and data protection regulations, (4) be transparent, (5) ensure diversity, non-discrimination and fairness and (6) ensure social and environmental well-being.

Banned AI Systems

AI systems involving an unacceptable risk will be banned in the EU. These include, for example, systems using manipulative techniques, systems that exploit weaknesses or vulnerabilities, social scoring and databases based on mass facial recognition.

Until the very end there was an intense debate as to whether AI for facial recognition should be permitted or not. While individual countries, such as France, supported the use of AI for facial recognition, arguing that it could be used to ensure security around major events such as the 2024 Olympic Games, most remained sceptic. Despite a tough battle over several days of negotiations, a complete ban on real-time biometric identification could not be achieved against the massive resistance of the member states. After lengthy discussions, the bans involving the recognition of emotions and remote biometric identification were adjusted.

The ban on AI systems for emotion recognition now only applies in the workplace and in education. It will however still be permissible to use such systems for medical or safety reasons, for example to monitor pilot fatigue.

The regulations on remote biometric identification have also been amended. Both 'real time' and 'post' identification will remain banned. Exceptions are expected for the prosecution of criminal offences in clearly defined cases. The AI Act also includes a catalogue of protective measures to prevent potential misuse.

High-risk Systems

A large part of AI systems will be categorised as high-risk AI systems. These are, for example, AI based medical devices or autonomous vehicles. In general, education, critical infrastructure, migration, asylum, or border controls are considered critical high-risk areas.

High-risk AI systems will have to comply with a number of requirements and obligations to be approved in the EU. For example, conformity assessments must be carried out and a quality and risk-mitigation system must be integrated. High-risk AI systems will also have to be registered in the corresponding EU database. The requirement to carry out an impact assessment for fundamental rights remains unchanged, although this will now only apply to public organisations and private bodies that provide essential public services, such as hospitals or banks. Further changes have been made to the responsibilities and the roles of the various players.

Further, a filter system has been introduced. An AI system can lose its classification as a high-risk system if it fulfils one of a total of four conditions, for example if it (1) is intended to monitor or improve a human activity or (2) is only used to recognise decision-making patterns or deviations from previous decision-making patterns, (3) is only used to carry out preparatory tasks for a human activity relevant for critical applications or (4) is only intended to carry out procedural tasks.

AI Systems with Limited Risk

Specific transparency obligations will apply to AI systems with limited risk. These will, above all, include the information that a certain content has been generated by AI. The aim is to ensure that users can make informed decisions about further use.

Generative AI

Also in the field of generative AI there will be some changes, unsurprisingly, as these provisions were the most controversial. While the European Parliament ‑ not least in view of ChatGPT - supported a regulation of generative AI systems, the Commission had recently been of the opinion that these AI systems did not require a regulation. It was instead sufficient if manufacturers submit to voluntary commitments.

These AI systems are now called 'general purpose AI' instead of 'foundation models'. The definition of general purpose AI was amended so that it now only includes large generative AI systems.

“‘General purpose AI model’ means an AI model, including when trained with a large amount of data using self-supervision at scale, that is capable to competently perform a wide range of distinct tasks regardless of the way the model is released on the market.”

Developers of general purpose AI models will have to comply with certain minimum requirements, such as creating technical documentation, providing information for downstream providers and providing information about training and testing procedures. They must also comply with copyright regulations and the products generated must be labelled with a watermark.

Large AI systems posing systemic risks, so-called 'systemic risk AI' or top tier models that exceed a certain computing power (1025 FLOPs) during training, must fulfil additional obligations. These include, for example, setting up a risk-mitigation system and maintaining an appropriate level of cyber security. Details of this have not yet been finalised. Still, it is assumed that OpenAI's GPT4 and Google's Gemini will be considered to be systems with systemic risk. Models of the European developers Aleph Alpha and Mistral on the other hand will most likely not be categorised as AI models with systemic risk based on their computing power. Honi soit qui mal y pense.

Linking transparency requirements to computing power is heavily criticised, as the capability alone says little about the risks of an AI system. In order to be able to make adjustments as technology develops, the Commission will be able to adjust the current threshold and also define additional criteria.

Open Source Models

The previous proposal also excluded models based on open source licences from the AI Act. According to the recent agreement, only those open source generative purpose AI systems that are categorised as systemic risk AI systems are to fall within the scope of the AI Act. They are also not exempt from the requirements for high-risk AI systems. This is to be welcomed, as the mere fact that an AI model is based on open source licences or not says little about the risk it poses.

Copyright Requirements

According to the regulation, AI developers will have to disseminate a copyright policy and a detailed summary of the content they have used to train their generative purpose AI models. This transparency requirement is intended to let authors determine whether their work has been used. It has not been specified yet what exactly 'detailed' means. If the information provided so far is to be believed, the text and data mining limitation for generative AI is explicitly recognised. This had been controversial. The background: Interference with copyright exploitation rights is only permitted if the rights are exempted by limitation provisions. The limitations for text and data mining, i.e. the automated analytical technique of works to obtain information about patterns, trends and correlations, are relevant for the multiplication which happens in the training of AI. According to the text and data mining limitation, the reservations of rights holders in particular must be observed.

Penalties

The penalties under the AI Act have been amended again, but remain differentiated in proportion to the seriousness of the irregularity. For example, a breach of the ban on certain systems and non-compliance with data requirements may be penalised with up to 7% of the company's global annual turnover or EUR 35 million.

Enforcement and Authorities

An AI Office is (already) being set up in the European Commission to enforce the regulation of generative purpose AI systems. All other AI systems will be monitored by the competent national authorities. In order to ensure the uniform application of legislation, they will meet regularly in a European Committee on Artificial Intelligence.

Right to Lodge a Complaint

Another new addition is the possibility for natural and legal persons to lodge a complaint with the competent national authority about non-compliance with the requirements of the AI Act.

Entry into Force of the AI Act

In principle, the majority of the AI Act's catalogue of obligations will apply 24 months after its entry into force. However, the current draft of the AI Act provides for certain obligations to apply earlier. For example, the ban on certain systems will take effect just six months after the Act comes into force, which means it is expected to apply as early as over the course of 2024. The requirements for generative purpose AI systems will apply just 12 months after the AI Act comes into force.

It is therefore highly advisable to review the provisions of the AI Act at an early stage, not least in view of the fact that the conversion of any systems may well take some time.

Next Steps

As mentioned at the beginning of this post, the AI Act is not yet final - and it may still be a while. Although the recently announced political agreement on the key points has been reached, the technical aspects of the legal text still have to be negotiated in detail over the next few weeks. It may take a while for the bits and pieces to be divided and negotiated, with a lot of the details being figured out later. Finally, the EU bodies must then approve the final text of the regulation. As it is a regulation, it applies directly in all Member States and does not need to be transposed into national law.

Conclusion

With the AI Act, the EU intends to keep what it calls an 'extremely delicate balance' between boosting innovation and uptake of AI in Europe on the one hand and respecting the fundamental rights of EU citizens on the other. However, the final document which contains more than 250 pages comes across as a bureaucratic nightmare, imposing high documentation requirements on many companies. Due to the vagueness of many regulations, there will be a range of grey areas that could lead to uncertainties and, in the worst case, to considerations as to whether the use of AI should initially be avoided against this background until a uniform application practice of the competent authorities emerges. Nonetheless, the EU's attempt to address this major contemporary issue and to take account of dynamic developments by continuously adapting the provisions, as explicitly envisaged, is to be welcomed in principle.

Dr Peggy Müller

On 27 November 2023, the EU Council adopted the Data Act, which was the final requirement after the the text had been adopted by the European Parliament on 9 November 2023. Following the formal adoption by the Council, the new regulation will be published in the EU’s official journal in the coming weeks and will enter into force 20 days after this publication.

The Data Act - an EU regulation and as such directly applicable in all EU member states - provides for harmonized rules for "fair access to and use of data". Unlike the GDPR it is not limited to personal data. The aim is to make this data commercially usable.

It is clear already that the Act will go well beyond regulating the „Internet of Things“ (IoT). It relates in particular to "connected products" and cloud services.

Below we provide an initial overview.

Data Sharing: Far-reaching obligations are imposed on data holders, in particular provision and access obligations in relation to user data.

Data from connected products or related services may have to be shared with the user or a third party (data recipient). This is intended to strengthen the rights of users in relation to the data holder. It is also intended to encourage new players to invest in the data economy.

Connected products and related services must be designed in accordance with the requirements of the Data Act ("access by design"). Moreover, the Act requires data holders to make data from connected products or related services accessible free of charge and, where applicable, continuously in realtime.
To date, many connected products and related services have not been designed with this in mind, which is why the Data Act and its obligations must be considered from the very beginning of product development in future.

Vice versa, data holders are no longer allowed to freely share non-personal data with other players - for advertising purposes, for instance. In this respect, the right to share data is generally restricted to the extent necessary to fulfil the user contract. Any further sharing of non-personal data may in future require a data licence agreement. This is also likely to affect existing data records.

With a few exceptions , small and certain medium-sized enterprises are exempt from the obligation to share data (less than 50 employees or EUR 10 million annual turnover).

UNFAIR CONTRACTUAL CLAUSES: The provisions on unfair contractual terms (Chapter IV) are meant to prevent the abuse of contractual imbalances. The law introduces a ban on unilaterally imposed unfair terms in B2B contracts and is based on the law on general terms and conditions. In addition to a general clause, the Data Act also contains (non-exhaustive) examples of unfair terms. These include, for instance, provisions that limit liability for the quality of the data provided. Furthermore, exclusive rights of use to data that are imposed unilaterally can be problematic. To support this, the European Commission is to publish model contract clauses that companies can use use for orientation.

DATA FOR THE PUBLIC SECTOR: In emergencies, such as natural catastrophes, public sector bodies must be provided with data that is required to deal with the emergency.

REGULATING DATA PROCESSING SERVICES, ESPECIALLY CLOUD SERVICES: The Data Act is intended to facilitate switching between similar "data processing services" (Chapter VI). The generic term "data processing services" includes, inter alia, Software as a Service (SaaS), Infrastructure as a Service (IaaS), and Platform as a Service (PaaS). These provisions are intended to break up the EU cloud market and facilitate the portability of data between cloud providers. The regulations are very detailed and primarily cover technical and organisational measures, but also contractual details. For instance, a maximum limit for cancellation periods is provided for. Furthermore, interfaces must be created for data transfer when exporting data between different cloud service providers. In addition to these very detailed requirements in individual cases, however, there is also a seemingly endless ban on obstacles to switching ("In particular, providers of data processing services may not impose any pre-commercial, commercial, technical, contractual or organizational obstacles and must remove such obstacles"). Exceptions apply to "custom-built“ data processing services.

INTERNATIONAL DATA TRANSFER AND INTEROPERABILITY: International data transfer is also specifically regulated to prevent unlawful access to non-personal data by foreign state authorities (Chapter VII). However, the requirements are not identical to the provisions of the GDPR on data transfers to third countries. Additionally, regulations on interoperability are provided for (Chapter VIII).

Late Changes to Definitions

The law-making process for the Act started in early 2022. There were still significant changes in the legislative process, even in provisions such as the definitions of "connected product" and "related services". These are, however, fundamental to the area of application of the Act, specifically for determining who is considered a "data holder" and is thus affected by numerous obligations. The European Commission’s initial draft still excluded devices such as PCs, Smartphones, and game consoles. In the text which has been adopted now, they are no longer excluded.
The definition of the term "connected product" now reads as follows:
‘connected product’ means an item that obtains, generates or collects data concerning its use or environment and that is able to communicate product data via an electronic communications service, physical connection or on-device access, and whose primary function is not the storing, processing or transmission of data on behalf of any party other than the user;

‘related service’ means a digital service, other than an electronic communications service, including software, which is connected with the product at the time of the purchase, rent or lease in such a way that its absence would prevent the connected product from performing one or more of its functions, or which is subsequently connected to the product by the manufacturer or a third party to add to, update or adapt the functions of the connected product;

Trade Secrets still little protected

The obligation to share data may even extend to trade secrets, although there have also been some changes in the course of the legislative process. It is striking to see that the protection of trade secrets appears to be weaker than under the GDPR. In principle, the protection of trade secrets comprises a multi-level mechanism: the relevant data must first be identified as a trade secret by the data holder or trade secret holder. The parties involved in the data transfer must then agree on contractual, technical and organizational measures to ensure the confidentiality of the trade secrets to be transferred. Model contractual terms will also be available for this purpose in future. Once protective measures have been agreed, trade secrets must also be disclosed. It remains unclear how a data holder should enforce these protective measures in practice vis-à-vis the recipients of the data, i.e. typically their own users or authorized third parties. Basically, the disclosure of trade secrets can only be suspended if no agreement can be reached on the protective measures to be taken or if these are insufficiently implemented by the recipient of the data. However, the latter will often be accompanied by the compromising of trade secrets. Any decision to suspend the transfer of data must be justified by the data holder and reported to the competent authority.

The data holder may also refuse to disclose trade secrets ex ante in individual cases under exceptional circumstances if he can prove that the disclosure of the trade secret is very likely to cause him serious harm - in this case, too, the data holder must inform not only the user of the refusal, but also the competent national authority. The threshold for the right to refuse ("highly likely to suffer serious economic damage") has been somewhat weakened as of late, but is still very high. This is regrettable from the perspective of the data holder or trade secret holder, as this ex ante right could in many cases be the most effective way of preventing the disclosure of trade secrets from the outset.

What about the GDPR?

Unlike the GDPR, the Data Act applies to both non-personal data and personal data. The GDPR primarily serves to protect natural persons and creates a legal basis for the processing of personal data. The Data Act, in contrast, primarily aims to realize the free movement of data. The Data Act does not affect the GDPR, i.e. in cases where a connected product or a related service is used and personal data is also generated, both laws apply in parallel.
In particular, the Data Act is not intended to reduce the protection offered by the GDPR for personal data and therefore cannot serve as a legal basis for data processing under the GDPR. In practice, this will probably cause more difficulties than it seems at first glance, especially if a connected product or a related service collects personal and non-personal data - in this case, the latter may have to be passed on, but the former may not (as far as persons other than the user are concerned) or not easily: In any case, the question then arises as to whether a legal basis within the meaning of the GDPR would allow a transfer. This may create difficult situations for data holders in the future. They must now decide more conclusively than before which data is actually personal data: Disclosure may not be mandatory for this data, but it is for data without a personal reference. This is not made any easier by the fact that data from connected products will often have a "relative" personal reference - and the question of relative personal reference is currently before the ECJ.
There may also be discussions on the question of whether owners of trade secrets can rely on the fact that the GDPR appears to weigh their interests more heavily than the Data Act.

Timeline

Following the adoption by the Council and the publication in the official journal, the Data Act will be directly applicable in all EU member states after a transitional period of 20 months, without the need for member state implementation of the regulations. The so-called "access by design" obligation, i.e. the requirement to design (new) connected products and related services, only applies after a further 12 months. Apart from this "access by design" obligation, however, the Data Act not only affects new connected products and related services, but also - at least in principle - those already on the market. This means that owners of existing data records or existing data silos could potentially also be subject to the new rules, in particular the data provision obligations and the restrictions on data use (such as the requirement of a data licence agreement). For such potential data holders in particular, the period of 20 months could be quite short to adequately prepare for the obligations of the Data Act.

Dr Andreas Lober
Lennart Kriebel

With Spandau Pumpen, SKF disposes of extremely competitive screw-type and seal-less coolant pumps with a valuable customer base mainly in the European market. Through the acquisition, EBARA aims to enter the global market for machine tools and filter systems and will expand its portfolio by providing new products and services.

EBARA will take over the customer base and certain assets of Spandau Pumpen, will relocate the production to one of its plants in Italy and will work on the expansion of its business. EBARA Corporation has committed itself to achieve several UN Sustainable Development Goals (SDGs) in order to create added business value and to reinforce its reputation as an excellent global player.

The global development of new markets through acquisitions and integration of value-added products are a central element of EBARA's strategy. Further investments are planned in the field of M&A.

Advisor to EBARA Pumps Europe:
ADVANT Beiten: Dr Markus Ley and Moritz Kopp (both in charge, Corporate/M&A), Christian Hess (IP/IT), Dr Erik Schmid, Regina Dietel (both Labour Law), Christoph Heinrich, Cathleen Laitenberger (both Antitrust Law) and Maximilian Matusewicz (Corporate/M&A, all Munich).

Public Relations
Frauke Reuther
Communication
ADVANT Beiten
+49 (69) 75 60 95 - 570
frauke.reuther@advant-beiten.com

Dr Markus Ley
Rechtsanwalt (Lawyer)
ADVANT Beiten
+49 (89) 3 50 65 - 1211
markus.ley@advant-beiten.com

The ECJ ruling of July 16, 2020 and its impact

The European Court of Justice (ECJ) had ruled in the so-called "Schrems II" judgment in July 2020 that the so-called EU-US Privacy Shield, which until then had served in practice as the most important mechanism for data transfers to the U.S., was ineffective (we reported in our Privacy Ticker July 2020). Since then, there has been major uncertainty as to whether and under what conditions data transfers to the U.S. were still legally possible. The ruling thus had significant implications for transatlantic data exchange. This applied above all, but not only, to the use of popular online services such as Google and Facebook. The ECJ had argued that data privacy standards in the U.S. were inadequate, in particular due to the excessive powers of the U.S. intelligence services, and that European citizens were not adequately protected against government surveillance and misuse of data. The ECJ also criticized the lack of effective legal protection for EU citizens in the U.S. with regard to their data protection rights.

Alternative safeguards for data transfers, such as the conclusion of standard contractual clauses ("SCCs") or even obtaining consent for data transfers to third countries, especially the U.S., remained highly controversial and always carried a certain risk of not being able to hold up under judicial review or of incurring a substantial fine from a data protection authority.

The EU-US Data Privacy Framework as a solution

After the EU Commission and the U.S. government announced in March 2022 that they had agreed in principle on a legal framework for transatlantic data transfers, the EU Commission has finally issued the long-awaited adequacy decision for the EU-US Data Privacy Framework ("Data Privacy Framework"). In doing so, it is responding to the ECJ's objections in the "Schrems II" ruling and once again certifies that the U.S. has an adequate level of data protection within the meaning of the GDPR, but this time under certain conditions.

Similar to the former "Privacy Shield", the Data Privacy Framework is based on a system of certification. US organizations and companies can commit to compliance with the so-called EU-US Data Privacy Framework Principles, which are based on the principles of the GDPR, as well as other principles issued by the US Department of Commerce. The U.S. Department of Commerce will also publish a list on the Internet, similar to the former "Privacy Shield", listing the organizations and companies certified under the Data Privacy Framework.

In order to certify (or recertify on an annual basis) under the Data Privacy Framework, organizations and companies must publicly commit to compliance with the above principles, make their privacy policies available, and fully implement them. As part of their certification application, they must submit various other information to the U.S. Department of Com-merce. These include their organization, a description of the purposes for which personal data is processed, the personal data covered by the certification, and the chosen method of review, the relevant independent complaint mechanism, and finally the relevant enforcement authority. Organizations and businesses can only receive and process personal data based on the Data Privacy Framework from the time they are added to the U.S. Department of Commerce's Data Privacy Framework list. To ensure legal certainty and to avoid organiza-tions or companies falsely claiming to be certified, when they first become certified, they may not publicly reference their compliance with the Principles or their certification until the U.S. Department of Commerce has determined that the relevant certification application is complete and the organization or company has been added to the list. To continue to rely on the Data Privacy Framework as a transfer mechanism, annual recertification must be conducted.

What do companies in the EU need to be aware of?

Unfortunately, the mere existence of the adequacy decision or the Data Privacy Framework does not yet mean that companies located in the EU or the EEA can now directly base their data transfers on it. This is because the respective US company to which the data is to be transferred must first be certified and published in the Data Privacy Framework list. This is likely to take some time, as the US companies must first implement the principles and comply with the requirements described above.
When the time comes, the privacy policies of the companies transferring data may have to be adapted, as they are likely to rely on mechanisms other than the adequacy decision with regard to data transfers to the U.S. so far. However, the privacy policy must always mention the existence or absence of an adequacy decision by the Commission in the case of data transfers to third countries (Art. 13 (1) (f) GDPR).

Conclusion and prospects

The EU Commission's adequacy decision for the time being ends a long period of legal uncertainty for the transfer of personal data to the US. Provided that the conditions de-scribed above are met, the decision is likely to lead to significant simplifications in the legal assessment and implementation of lawful U.S. data transfers in practice. However, the Data Privacy Framework has also immediately received harsh criticism because it allegedly deviates too little from the Privacy Shield, which has already failed before the ECJ, and therefore does not offer any real protection for the personal data of EU citizens in the US. So, it remains to be seen how long this agreement will last this time. For the time being, however, many companies based in the EU or EEA that regularly want or need to transfer data to the U.S. can breathe a sigh of relief until the next ECJ ruling on this topic.

Fabian Eckstein

As one of the leading German games publishers, astragon Entertainment strengthens the development of its own simulation brands with the acquisition. astragon gains an experienced and reliable partner in Independent Arts, thus enabling it to continue the development of existing and new working simulation titles as well as to diversify the portfolio of own productions across various platforms.

Independent Arts, located in Hamm, Germany, has developed commercial video games since 1990, which makes it one of the oldest and most traditional German development studios. The studio with 39 employees has decades of experience and expertise through its own development projects and porting, as well as a strong creative contribution and an excellent management. Independent Arts welcomes an even closer cooperation and the opportunity to expand personnel and structure of the studio as a part of astragon in order to implement more projects and business strategies in the future.

Advisors to astragon:
ADVANT Beiten: Dr Andreas Lober (IT/IP/Media), Dr Guido Ruegenberg (Corporate/M&A, both in charge), Lennart Kriebel (IT/IP/Media), Dr Gerald Müller-Machwirth (Labour Law, all Frankfurt).

Media Contact
Frauke Reuther
Manager Kommunikation
ADVANT Beiten
+49 (69) 75 60 95 - 570
frauke.reuther@advant-beiten.com

Dr Guido Ruegenberg
Rechtsanwalt
ADVANT Beiten
+49 69 756095-393
guido.ruegenberg@advant-beiten.com

Dr Andreas Lober
Rechtsanwalt
ADVANT Beiten
+49 69 756095-582
andreas.lober@advant-beiten.com

And as is the case with the GDPR violations, the sanctions envisaged, which are based on a company's annual global turnover, are indeed quite respectable, if not impressive. The prohibited violation of certain consumer interests can incur costs of up to 4% of the annual turnover.

Now the European Commission, together with national consumer protection authorities from 23 member states plus Norway and Iceland, presented the results of a Union-wide review of retail websites and shopping apps.

The review focused on three specific types of manipulative practices (so-called "dark patterns") designed to encourage consumers to take actions that are not in their real interest. These included the hiding of information relevant to decision-making, fake countdowns, and websites whose design was intended to pressure consumers into concluding purchase contracts and subscriptions.

The results are disappointing:
The acting Commissioner for Justice said that of the nearly 400 online stores checked, almost 40% had used manipulative practices to exploit consumers' weaknesses. It would now be up to the national authorities to exert influence on the retailers and take further measures if necessary.

The coordinated review of store providers is a so-called "sweep" to verify compliance with EU consumer protection law. Enforcing the correction request is now the second step, non-compliance with which may entail such a severe fine in the constellations described.
In her statement at the time, Vera Jourová said that cheaters should not get off lightly. Thus, it therefore remains to be seen with some excitement whether the first fines in the millions will now follow that will certainly make it into the headlines.

Daniel Trunk

To the European Commission press release
To our original blog post

An online platform is – slightly simplified – defined as a hosting service that, at the request of a user of the service, stores and disseminates information to the public (unless it is a minor and purely ancillary feature). A hosting service is any service that stores information provided by, and at the request of, a user of the service.

The problem with this definition is that it is so wide: Pretty much anything a user of an online service does has something to do with information which is stored somewhere. Users fill in their names and contact details in a web form, choose a nickname under which they are known online, leave comments on a website, review and rate products in an online shop, communicate with others in a chat, store preferences for their news websites, customize avatars in a virtual world, build worlds or otherwise interact with an online game. Business might have their profiles on a delivery service, details on their vehicles in a taxi app, or their products in an online marketplace. Most of this information is stored somewhere by the operator of such service. And, as said above, a hosting service is any service that stores information provided by, and at the request of, a user of the service. This means that online services which do just that might be considered hosting services (the definition of a hosting service is almost identical to the one which was introduced in the e-Commerce Directive – under the e-Commerce Directive, there is some case-law on the definition of hosting service but not a lot which would help us narrow down this overly broad definition). However, even providers who have not been able to invoke the exclusion of liability under the host-provider privilege to date may be affected by the due diligence obligations as a hosting provider.

As soon as this information is not only stored but shared with the public, the service might even be qualified as an online platform. The DSA contains many new obligations for online platforms. Most of them are only to be complied with by February 2024, but some as early as 17 February 2023 – especially the average number of monthly active users has to be published (very large online platforms with more than 45 million active users are another category with much more burdensome obligations). As of February 2024, all the other obligations apply – for online platforms, they include the obligations to set up an internal complaint-handling system and an out-of-court dispute settlement system, to give priority treatment to trusted flaggers of problematic content, to implement measures and protection against misuse, transparency reporting obligations, restrictions on online interface design and organization (including restrictions of so-called "dark patterns"), to establish rules for advertising on online platforms (with restrictions for personalized advertising which are stricter than GDPR provisions), to implement rules for recommender system transparency and the online protection of minors.

Some of these obligations can be quite onerous. They require very relevant implementation efforts as – depending on the service – its core processes might have to be reviewed.

It also seems that the definition of online platform might be broader than it should be, covering services the legislator did not have in mind. Companies are therefore well-advised to examine carefully if their services are in fact online-platforms on a feature-by-feature-basis. This may require legal analysis, e.g. in case the information which is stored consists of elements provided by the operator of the service which leaves little room for abuse, in case the service provider exercises control over the information which is stored or disseminated, or on the question whether a "dissemination" is "public" and is performed "at the request" of the user. A diligent analysis may also have to include a technical analysis, e.g. what type of information is actually stored, and where. Finally, it should be assessed whether the "minor or ancillary feature" exception can be applied.

These assessments must be carried out individually: For example, in some online shops, the review and rating system may be more important than in others, replays of some online games may be stored just on the user's PC while others store it on the server and let users share them, and the influence a service operator exercises on the information it stores and shares can vary widely.

ADVANT will host a webinar on the Digital Services Act on 16 February 2023 at 05:00 p.m. CET. Webinar registration | Microsoft Teams

Dr Andreas Lober

After having had an excellent start into the new year, we would like to look back on the year 2022 from a German "games law" perspective and go into a "speed run" through –what we personally think were most important innovations and rulings on games and e-sports. We want to focus on the "main quests" of 2022 and venture a detour to the places where one or the other legal "Easter Egg" was hidden.

Privacy and Data Protection

The Federal Court of Justice (FCJ) (BGH I ZR 186/17) again had to deal with the right of consumer protection associations to institute legal proceedings in the event of GDPR violations, and once again referred the case to the European Court of Justice. The proceedings between the umbrella organisation of consumer associations (vzbv) and Facebook (Meta) regarding an earlier design of the app centre for instant games had last been suspended by the FCJ in 2020 and referred to the ECJ to clarify the question of the legal standing of associations. Subsequently, the ECJ had already affirmed this on the merits.

E-Sports

The non-profit status of e-sports promised in the coalition agreement between the governing parties was not implemented in 2022. E-sport has not been recognized as a sport in Germany to date. Granting such a status would be possible, for instance, by adding it to the catalogue of non-profit purposes (Section 52 German Fiscal Code). The Federal Government stated upon request that the content and timetable for the implementation of the non-profit status of e-sports had not yet been determined.

More encouraging news on e-sports came from the EU. In its resolution 2022/2027, the European Parliament emphasized the importance and positive impact of e-sports and video games. The resolution states, among other things, that national, regional and global e-sports tournaments could be seen as a means of promoting cultural exchange and Europe's culture and values, and that video games and e-sports can also offer significant benefits to many players in terms of mental health and enable spreading positive values. The European Parliament nevertheless considers that e-sports and traditional sports are different "sectors", which is related to the position of power of the publisher, who holds an exclusive and unrestricted right to use its games. However, sports and e-sports complemented each other, learned from each other, and promoted comparable positive values. The European Parliament's demands to the Commission include introducing an e-sports visa for the Schengen area and adopting guidelines regarding the status of professional e-sports players. We eagerly await to see how the European Commission implements this request.

The Regional Court of Kiel (17 O 24/20) had to deal with a case in which an e-sports athlete successfully sued another e-sports athlete for injunctive relief and damages for pain and suffering due to defamatory statements broadcast via the streaming platform Twitch. The Regional Court of Kiel found that the plaintiff's general right to privacy had been unlawfully violated by the insults in dispute. This does not change even if a "rough tone" prevails in e-sports - as claimed by the defendant.

Protection of Minors

The protection of minors in games was also a subject of intense discussion in 2022. On the one hand, this covered the content of the games themselves, such as the depiction of violent actions in the post-apocalyptic survival game "Dying Light 2," and on the other hand, and above all, usage risks in digital games. The Norwegian consumer organization Forbrukerrådet published an extensive report on the supposed "enfant terrible" among the usage risks - the Lootbox - which was supported by other consumer organizations in Europe. This report was picked up, among others, by ZDF Magazin Royale, a journalistic-satirical TV program, and thus stimulated a new the discussion about the Lootbox issue, which had meanwhile faded away in Germany.

Usage risks in computer games and how to deal with them will continue to keep us busy in 2023, as the USK (Entertainment Software Self-Regulation Body) has revised itscriteria for reviewing, rating, and labelling digital games based on the 2021 revision of the German Protection of Minors Act (Jugendschutzgesetz). Now, interaction risks (usage risks) must be taken into account, and the games must make explicit reference to these by means of so-called descriptors. At present, there are the following four categories of interaction risks (usage risks):

• In-Game purchases
• Chats
• In-game purchases + random objects (e.g., loot boxes)
• Location sharing

That the topic is red-hot is also proven by the record fine of 520 million US dollars imposed in December in the USA against the company Epic Games, among other things, because of communication options available in the game Fortnite (Fortnite has since been adapted in this respect). It remains to be seen whether similar proceedings will occupy European or even German courts in 2023.

What else was up?

The Higher Administrative Court of North Rhine-Westphalia (19 B 961/21) had to deal with the legality of the indexing of a computer game because it is harmful to minors. Referring to the Bushido decision of the Cologne Administrative Court, the Higher Administrative Court clarified that the Federal Review Board for Media Harmful to Minors can make up for the hearing of the author pursuant to Section 21 (7) of the German Protection of Minors Act during court proceedings.

Platform Regulation

Additional tasks which will continue to keep us busy also in 2023, arose from the coming into force of the Digital Markets Act and, in particular, the Digital Services Act. The latter subjects providers of intermediary services (mere conduit, caching and hosting services as well as operators of online platforms and search engines) to a comprehensive catalogue of duties.

The Digital Services Act will put an end to the patchwork of regulations currently in force for providers of intermediary services providers in the European Union. In doing so, the law follows the seemingly simple principle that what is illegal offline should also be illegal online. Less simple, and thus worthy of careful consideration, is the sometimes extensive, graduated catalog of obligations that goes hand in hand with the law.

Providers of online services, such as multiplayer games, must now check in the first place whether and which of their services fall under one of the above categories to determine the resulting new obligations. Non-compliance with the regulations can be sanctioned with heavy fines of up to six percent of consolidated annual worldwide turnover in future.

Copyright

The German Federal Court of Justice confirmed its previous line on network blocking for copyright infringements in a ruling in October (BGH I ZR 111/21). According to this ruling, the blocking of websites by access providers can only be demanded if the rights holder has tried all other reasonable means to no avail. In the case decided, it was still possible to bring an action for information against the Swedish host provider to identify the infringer.

The Cologne Regional Court (14 O 38/19) dealt with contributory liability for copyright infringement of automation software (also known as: bots) for a well-known smartphone and tablet game in early 2022. The question arose as to whether a managing director could be held liable for the infringing acts (in addition to the defendant company). The Cologne Regional Court assumed this, applying the general principles of complicity pursuant to Section 25 (2) German Criminal Code, because the latter had a significant share and influence on the organizational, technical and entrepreneurial framework of the copyright infringement.

Bots were also (indirectly) an issue before the German Federal Constitutional Court in 2022 (BVerfG - 1 BvR 1021/17). There, a bot creator defended himself against the enforcement of an injunction limited to the Federal Republic of Germany. The publisher, on the other hand, took the view that the title also required the debtor to do everything possible in Germany to prevent future copyright infringements by third parties - including third parties abroad. This was also the view of the Dresden Higher Regional Court in its order for payment of an administrative fine to the detriment of the bot creator. However, the Federal Constitutional Court considered the order to be arbitrary and thus a violation of the bot creator's fundamental right under Article 3 (1) of the German Constitution. As a consequence of the principle of territoriality applicable in copyright law, the infringing act in question must hence have been committed at least in part within Germany. The cease-and-desist order from the main proceedings (BGH I ZR 25/15) must not be understood as a general obligation to act.

Consumer Protection Law

Challenges for companies arose at national and EU level as a result of new requirements in consumer protection law. The implementation of the Directive on certain aspects of contracts relating to the provision of digital content and services (Directive 2019/770/EU - Digital Content and Service Directive) added a new section to the German Civil Code (BGB) in Sections 327 et seq. German Civil Code, which regulates rights and obligations in contracts for digital content and services between entrepreneurs and consumers. As Recital 19 of the Directive also makes clear: Very relevant for "digital games".

New and surprising for some companies was the fact that consumer protection provisions from distance selling law now also apply when a consumer "pays with its data" rather than with money. This now results, among other things, in comprehensive pre-contractual information obligations, the requirement of a revocation instruction and the necessity of a contract confirmation.

Companies should urgently tackle this and other homework (such as reviewing user terms and conditions) in 2022, because the implementation of the "New Deal for Consumers" means that companies will face severe fines of up to 4% of global annual turnover in the future for violations of European consumer protection law.

On a national level, Section 312k of the German Civil Code, new version, has been in force since July 1, 2022, which stipulates that a "cancellation button" must be made available to consumers in electronic business transactions for continuing obligations against payment (entgeltliche Dauerschuldverhältnisse). Consumer groups and associations didnot hesitate for long to issue the first warnings which have led to improvements by the companies according to the consumer watchdogs. The cancellation button is mandatory for the vast majority of continuing obligations that can be concluded online, regardless of whether they were concluded before July 1, 2022.

What else was up?

The Karlsruhe Regional Court (3 O 108/21) dealt, among other things, with the premature expiration of the right of cancellation when purchasing game currency in an in-game store. In deviation from the standard 14-day cancellation period, the statutory consumer right of cancellation pursuant to Section 356 (5) of the German Civil Code may expire prematurely and end earlier under certain circumstances in the case of contracts for the supply of digital content. The consumer must confirm that the right of cancellation expires before the 14 days have expired in this case and that the entrepreneur begins to provide the digital content before the end of the cancellation period in the case of contracts against payment. As the Karlsruhe Regional Court states in its ruling, however, this does not require any prior information about the conditions, the procedure and the exercise of the right of cancellation. A checkbox with the addition "I agree to the execution of the contract [...] before the expiry of the cancellation period and know that my right of cancellation thereby expires." makes it sufficiently clear that a right of cancellation exists and is extinguished. Following the decision of the Karlsruhe Regional Court, a "waiver" of the right of cancellation is also legally permissible before the final purchase confirmation.

Conclusion

We note that in fact, there was a lot of work to be done in 2022 as well. One or the other struggle in copyright law had to be fought out. The right tools had to be prepared for the compliance jungle, which presents new challenges from year to year. Now it is time to focus on the legislative quests that the year 2023 brings.

Daniel Trunk

Dr Kathrin Bürger, Dr Silke Dulle, Christina Kamppeter, Susanne Klein, Dr Ralf Hafner, Dr Georg Tolksdorf and Dr Sebastian Weller represent five different legal areas and are spread across five locations.

• Dr Kathrin Bürger (Labour Law, Frankfurt and München), Licensed Specialist for Labour Law, advises particularly on collective labour law issues. She assists companies with collective bargaining changes and (in-house) collective bargaining negotiations as well as strike preparation measures. Beyond that, Dr Bürger advises companies on the negotiation with works councils, also as a part of conciliation boards, as well as on all kinds of individual labour law issues.
• Dr Silke Dulle (Corporate/M&A, Berlin), Licensed Specialist for Medical Law, provides legal advice to clients of the healthcare sector, especially in the area of hospitals and health insurance companies. Her legal consultancy covers hospital law, social security and pharmaceutical law, procurement law and corporate law.
• Christina Kamppeter (Labour Law, Munich), Licensed Specialist for Labour Law, advises national and international companies on all aspects of individual and collective labour law, in particular regarding negotiations with works councils and trade unions. One focus of her work is on providing labour law advice on restructurings.
• Susanne Klein (IP/IT/Media, Frankfurt), Licensed Specialist for Information Technology Law, is a renowned expert in data protection law. In addition, she advises her national and international clients in IT and copyright law.
• Dr Ralf Hafner (Litigation & Dispute Resolution, Munich), advises his national and international clients in complex international disputes on dispute resolution out of court and represents them in arbitration and state court proceedings.
• Dr Georg Tolksdorf (Assets/Succession/Foundations, Hamburg) provides legal advice in the area of inheritance and foundation law as well as (tax-optimized) succession planning for private individuals and (family-owned) companies. Another focus of his work is on the execution of (corporate) wills.
• Dr Sebastian Weller (Corporate/M&A, Dusseldorf) focuses on Corporate/M&A as well as Private Equity/Venture Capital, particularly providing legal advice for take-overs, participations and restructuring projects. He provides support on all issues relating to corporate and transformation law as well as corporate compliance.

In addition to the seven new Equity Partners, the following Salary Partners have been appointed Local Partners:

• Dr Anne Dziuba, Labour Law, Munich
• Dr Daniel Fischer, Real Estate, Frankfurt
• Dr Christina Hackbarth, IP/IT/Media, Munich
• Christian Hipp, Antitrust Law, Berlin
• Tanja Hogh Holub, IP/IT/Media, Munich
• Sylvia Jenoh, Tax, Frankfurt
• Dr Klaus Kemen, Real Estate, Berlin
• Dr Markus Ley, Corporate/M&A, Berlin
• Jörn Manhart, Labour Law, Dusseldorf
• Carsten Pütger, Corporate/M&A, Dusseldorf
• Dr Jochen Reuter, Real Estate, Frankfurt
• Dr Winfried Richardt, Corporate/M&A, Dusseldorf
• Dr Florian Weichselgärtner, Dispute Resolution, Munich
• Mathias Zimmer-Goertz, IP/IT/Media, Dusseldorf

Furthermore, the following colleagues successfully continue their career path and have been appointed from  Senior Associates to Salary Partners:

• Annalena Benz, Real Estate, Munich
• Jens Ledermann, Tax, Frankfurt
• Dr Martina Schlamp, Labour Law, Munich

Beyond growth from its own ranks, ADVANT Beiten also continues its course of targeted growth with lateral hires in selected areas and confirms the salary partnership of the following colleagues:

• Christian Burmeister, Corporate/M&A, Freiburg/Berlin
• Dr Moritz Jenne, Corporate/M&A, Freiburg
• Dr Sebastian Kroll, Labour Law, Munich
• Markus P. Linnartz, Tax, Dusseldorf
• Dr Ariane Loof, Labour Law, Berlin
• Dr Michael Matthiessen, Labour Law, Berlin
• Dr Birgit Münchbach, Corporate/M&A, Freiburg
• Kristin Müller-Nedebock, Tax, Hamburg

"All seniority levels are of central importance for the future of our law firm. We are therefore all the more pleased to be able to accompany so many colleagues of different seniority levels, legal areas and locations on their career paths, comments Philipp Cotta, Managing Partner of ADVANT Beiten, and adds: Our modified career track offers all colleagues even more flexibility in their individual career planning and allows us to emphasise our professional expertise across the different levels even more clearly to our clients."

Congratulations to all elected and confirmed partners.

Our partners Dr Andreas Lober (Media/Entertainment), Dr Wolfgang Lipinski (Labour Law) and Dr Gerrit Ponath (Private Clients and Nonprofit Sector) are listed as leading names in their respective legal areas. Wojtek Ropel (Media/Entertainment) and Katharina Fink (Private Clients and Nonprofit Sector) are among the names of the next generation. In addition, numerous lawyers are on the list of recommendations for the various legal areas.

Legal areas/practice areas in the ranking:

Labour Law, Corporate Law and M&A (medium-sized deals), Industrial Property (Trademark Law and Competition Law), Real Estate and Building Law (Real Estate Law and Project Development), Information Technology (Data Protection and IT/Digitalisation), Media (Gaming, Entertainment, Press Law and Publication Law), Private Clients and Nonprofit Sector, Public Law (Planning and Environmental Law, Public Procurement Law, State Aid Law).

Congratulations to the practice groups and industry groups and to our recommended lawyers.

Background:
The Legal 500 has been published for 35 years and is an independent guidebook. Law firms and lawyers are recommended exclusively on the basis of their performance. In-house lawyers are given a comprehensive overview of around 400 commercial law firms and 2700 lawyers in Germany. The analysis covers 23 practice areas and 90 rankings. As part of the research of The Legal 500 Deutschland, hundreds of interviews are conducted with lawyers and more than 23,000 clients are surveyed.

Christie’s started a collaboration with the NFT marketplace Open Sea and held its first auction via this platform in December 2021. The competition is not sleeping either. Since the start of 2021, Sotheby’s operates an auction house in the interactive virtual world Decentraland. Users can trade in NFT art and other digital works via this digital auction house. In October 2021, Sotheby’s also announced that it was taking the next big step towards connecting the analogue and virtual art worlds with the launch of its own NFT trading platform under the name "Sotheby’s Metaverse".

A further sensation followed at the start of December 2021 with the auction of the NFT artwork "the Merge" by the artist PAK through the NFT trading platform Nifty Gateway for a record total sum of USD 91.8 million. In this case a complex procedure was used to split the work and the related NFTs into a total of 266,455 shares ("fractionalisation"), which were sold to more than 28,000 buyers. Given the total sales price, "the Merge" not only broke Beeple’s record for the most expensive NFT artwork, but it also took the record for the most expensive artwork of a living artist ever sold in a public sale.

But what makes digital NFT art so valuable? To answer this question, it helps to recognise the key problem with traditional digital art: it can be easily reproduced identically. It was impossible to create a unique digital artwork. After its release, an artist could no longer control whether her work was copied or shared.

Digital art is therefore an ideal use case of blockchain-based NFTs. NFTs are "non-fungible" by definition, i.e. they cannot be exchanged and are thus unique. They are the opposite of "fungible tokens", which can be exchanged and are primarily used for cryptocurrencies. If a digital artwork is linked to a unique NFT ("tokenisation"), the resulting certificate allows the owners to show that they are the exclusive owner of the linked digital artwork. This makes the tokenised work a kind of original digital artwork. Thus, digital art becomes really tradeable for the first time. As a result, interest in buying digital art has increased exponentially and sales prices have exploded in the last year.

There are countless further examples for the booming NFT art market. With one record price chasing the other, the question arises how legally secure the trade of NFT art is. This article provides an overview of the various existing legal issues and current discussions related to NFT art under German law.

I. Technical background

Before delving into the legal issues related to NFT art, some basic knowledge of the main features of blockchain-based NFT technology is useful.

A blockchain² is essentially a constantly expanding, decentralised public database, which is continuously updated via a limitless number of participating computers ("nodes") in a global network. This database consists of individual blocks in which specific information of the blockchain participants (e.g. transactions) can be saved. The blocks are cryptographically connected, so that every new block clearly references the previous blocks in the chain. This linking ensures that the data saved in the previous blocks cannot be subsequently changed. Since the whole blockchain is stored by all nodes, it is also not possible to manipulate the data from a central location.

Within a blockchain, assets are represented by NFTs. NFTs can only be created ("minting") on programmable blockchains (e.g. Ethereum). Such blockchains allow NFTs to be minted through "smart contracts". These are not contracts in a legal sense, but transaction codes, which represent certain contractual provisions technically, and document and control their execution. It is not possible to make subsequent changes to smart contracts due to the described functionality of the blockchain.

Each NFT has a "token-ID" and is clearly identifiable through this token-ID in combination with the smart contract address, through which the NFT was generated. In addition, the smart contract of an NFT can contain specific information about the asset represented by the token, as well as the identity of the owner. If the token represents a digital artwork, the smart contract normally contains only a link to the image file and not the file itself. Various configurations are possible. For the Beeple NFT described above, the smart contract was linked to a "IPFS hash". This is a unique cryptographically generated fingerprint of a data file. The Beeple NFT did not link directly to the hash of the image file, but to a text file that contained the most important metadata about the image. The actual image file of the Beeple artwork can be found via another link.

II. Many open legal issues

Given the recent headlines about sales of NFT art, it is not surprising that the legal literature has also started to look more closely at this topic over the past few months. Since there is no law in Germany yet that establishes a clear legal classification of NFTs or NFT transactions and other issues in this connection, the debate about the NFT phenomenon has been lively and open. This article provides an overview of the main issues raised in this debate so far.

1. Similarity to ownership

As NFTs are not corporal objects within the meaning of Sec. 90 of the German Civil Code (Bürgerliches Gesetzbuch, BGB), there is no ownership of NFTs according to Sec. 903 BGB. Instead, it might be possible to apply Sec. 903 BGB analogously. The unintended loophole (planwidrige Regelungslücke) in German law necessary for such an analogue application should exist since the legislator has presumably not yet considered the issue. In addition, the interests of the owner of an NFT can be compared to those of an owner of a corporal object. Exactly like ownership, the NFT has, in a sense, an "assignment and exclusion function" (Zuordnungs- und Ausschlussfunktion) because it is assigned to a particular user via the smart contract and other users are excluded from using it. The assignment of the NFT to a single authorised user and the transparency guaranteed by the smart contract should also sufficiently fulfil the "principle of publicity and certainty" (Publizitäts- und Bestimmheitsgrundsatz) required under German property law. Given this similarity of NFTs to ownership, an analogue application of Sec. 903 BGB seems justifiable. The legislator could provide clarity by establishing a legal fiction (comparable to Sec. 2 (3) of the German Electronic Securities Act (Gesetz über elektronische Wertpapiere)), through which NFTs are considered objects within the meaning of Sec. 90 BGB.

There is also a discussion that NFTs should be classified as "another rights" (sonstige Rechte) within the meaning of Sec. 823 (1) BGB. The owner of an NFT should have the ownership-like position necessary for this, as outlined above. The classification of NFTs as "another rights" within the meaning of Sec. 823 (1) BGB therefore seems reasonable too.

2. Relevance of minting under copyright law

The debate also covers the issue of whether minting an NFT tied to a digital artwork results in a use of this work that is relevant under German copyright law. Since the smart contract normally only contains a link to the digital artwork (see above under I), minting does not constitute a reproduction (Vervielfältigung) of the artwork within the meaning of Sec. 16 of the German Act on Copyright and Related Rights (Gesetz über Urheberrecht und verwandte Schutzrechte, UrhG). A use of the work in form of "making it available to the public" (öffentliche Zugänglichmachung) in accordance with Sec. 19a UrhG by inserting the link in the smart contract will normally also not apply if the originator has put the work online. In this case, minting is not an act of use that is relevant under German copyright law.

3. Which rights of use does the buyer obtain?

Whether the buyer of an NFT also acquires the rights of use to the artwork represented by the NFT depends on the intentions of the parties in each case. An NFT transaction does not always result in a transfer of rights of use. The agreement should therefore be transparent with respect to which rights are acquired. Often the rights of use are regulated in the general terms and conditions of the NFT trading platform used. In addition, license terms can be linked in the metadata of the smart contract.

4. The sale of NFT art from a copyright perspective

Another issue is the question of how the sale of NFT art should be classified under German copyright law. As the artwork tied to an NFT is normally only linked in the smart contract (see above under I), the artwork itself is not touched by the transaction. The sale of the NFT in the blockchain, therefore, does not involve any reproduction or distribution of the work (Sec. 16 and 17 UrhG). The work is also not "made available to the public" within the meaning of Sec. 19a UrhG because the artwork was already linked to the smart contract during minting (which in turn normally will not fall under Sec. 19a UrhG, see above under II.2).

Therefore, at best sales-related measures, such as previews of the linked work provided via the sales platform to advertise the NFT, can be relevant under German copyright law. Such measures often constitute a reproduction (Sec. 16 UrhG) and a use of the work by "making it available to the public" (Sec. 19a UrhG).

5. Significant risk of misuse!

From a purely technical perspective, anyone can mint an NFT for a digital artwork published online. There is no guarantee that the creator of the NFT is also the originator of the artwork or at least the copyright holder. Just as a forger of a painting can write the signature of one of the old masters on a painting, a fraudulent internet user can mint an NFT for a digital work and claim that the work is an original or at least an authorised copy. Since it is not possible to acquire rights of use in good faith under German copyright law, the buyer will be left empty-handed in this case. The copyright holder also does not have any legal recourse against unauthorised minting because minting does not constitute an act of use that is relevant under German copyright law (see above under II.2).

It is therefore not surprising that the first cases of unauthorised NFT minting are already making the headlines. In November last year, various well-known artists accused the London curator and founder of the "Art Wars Project", Ben Moore, of minting and selling NFTs for photos of the works created by the artists as part of the project without their authorisation.

6. Automatic participation in the proceeds of sale

Smart contracts make it possible to automatically pay the artist a portion of the proceeds from future sales. This has great potential for NFT art. The creator of the NFT can regulate in the smart contract that he or she is to receive a particular share of any future proceeds of resale. If the NFT is sold, the blockchain will automatically transfer the relevant amount to the creator.
From a legal perspective, the creator of a digital NFT artwork is well advised to establish an automatic payment of proceeds of sale through the smart contract. The author will otherwise normally not be entitled to a share of the proceeds under Sec. 26 UrhG because the "right of resale" under German copyright law generally only applies to physical original works.

III. Implications for artists and art dealing

There are numerous open legal issues related to the trade in NFT art. The German legislator and German courts should therefore establish the framework for a legally secure token economy. Until then, it is up to the artists, gallery owners and platform providers to make NFT transactions as transparent as possible in order to ensure that all parties have the necessary legal certainty.

Above all, artists themselves can help to prevent the unauthorised minting of NFTs of their works. Digital artworks should not be released before the related NFT has been minted. This eliminates the opportunity for third parties to create the first NFT for the work. In addition, artists (and galleries) should ensure transparency by publishing information about which NFT is linked to the original artwork. This will provide at least some legal certainty.

Dr David Moll

¹ The term "NFT art" refers to digital art that is linked to an NFT.
² The term "Blockchain" refers to a public Blockchain.

In the following, we will give you a brief overview of how and under what conditions a live stream is to be notified.

Who is entitled to make use of the simplified notification procedure?

If there is a duty to notify (see below), the simplified notification procedure does not apply to all live streams. Rather, live streams are only privileged if they concern "cultural or religious events or educational offers".

Yet the term "event" in particular will have to be interpreted broadly at present: In view of the existing contact bans and other provisions, an "event" cannot usually require an audience these days. The reading at home or the service in an empty church are therefore to be viewed as "events". The question whether an offer is being " cultural " remains a question of the individual case but should at present also be answered generously.

Why is there a duty of notification and to whom does it apply?

The German Interstate Broadcasting Treaty (Rundfunkstaatsvertrag) of the Federal States stipulates that a permit, a so-called broadcasting licence, is required for the operation of "private broadcasting". In order to obtain this, notification must be made to the competent Media Authority.

This obligation also applies to services provided via the Internet if they are legally qualified as "broadcasting". However, not every live stream can be classified as "broadcasting" subject to licensing.

What is "broadcasting"?

Basically, broadcasting is defined as being present when the following four key characteristics are fulfilled:

• Linear distribution: Live streams are distributed linearly if they initially offer no possibility for the respective viewer to go back to past parts of the stream just as they cannot "fast-forward" to future parts. In this sense (true) live streams are usually linear. This also applies if the live stream is subsequently offered for viewing "on demand".
  Live streams, which are described as such but actually represent an offer independent of broadcasting time, are not subject to licensing. If, for instance, a band uploads a video to YouTube that was and is only available on demand, this video does not represent a linear offer ,even if the band calls the video a "live stream".
• 500 or more potential viewers at the same time: According to the Media Authorities, this criterion is generally met for live streams on the Internet because countless viewers can be "potentially" reached via the Internet. Only if the provider limits the number of participants from the outset to a maximum of 499 is this number of "potential viewers" not achieved.
  If the number of participants is not limited, the actual number of viewers is not important: Even if the live stream only reaches 20 viewers, it is potentially addressed to 500 or more viewers.
• Editorial design: According to the position of the Media Authorities, this criterion is also quickly met. To achieve this, it is sufficient to use different camera perspectives or to zoom with the camera. Commenting on the contents of the live stream also represents an editorial design.
  So if a live stream does not only reproduce a certain event in a technically and content-neutral way, an "editorial design" can be assumed.
• Presence of a broadcasting schedule or regular repetition: If the live stream is broadcast regularly, for example every evening at 7 p.m. or every Sunday, a "regular repetition" is given.
  
  The term "broadcasting schedule" seems antiquated but in the opinion of the Media Authorities it is already fulfilled when several future live streams are announced.
  
  If such a "broadcasting schedule" is given, for instance because an author announces several future readings via live stream on Twitter, regular repetitions are no longer required. No broadcasting schedule should be presented if "only rarely, sporadically, at very irregular intervals and/or only occasionally streamed live for specific occasions".

Where can I obtain a licence?

Should you offer a live stream as broadcasting in the sense described above, the respective State Media Authority of your Federal State is your competent authority (here. to be found) For the simplified notification procedure the following information is usually required, which you can send by e-mail to the Media Authority in charge of you:

• Name and address of the artist (if applicable of the broadcasting institution, then with contact details of the person responsible for the live stream)
• What content does your live stream have? Which offer or event is streamed?

• Presentation of the contents: Do you use one or more (fixed) cameras? Are there editorial elements such as comments, moderation, interviews?

Usually, however, the State Media Authorities also provide forms for a simplified notification online.

How much does a licence cost?

The fees for the granting of a licence vary considerably and depend, among other things, on the economic success of the live stream. The State Media Authority of North Rhine-Westphalia specifies the range of costs at between EUR 100 and 10,000. By the way, these fees are only payable once.

Please note that you may have to refer to the State Media Authority as the supervisory authority in your imprint.

Should you have any further questions, please do not hesitate to contact our experts.

Dr Florian Jäkel-Gottmann

A practical cross-border insight into data protection law

The ICLG to: Data Protection Laws and Regulations covers relevant legislation and competent authorities, territorial scope, key principles, individual rights, registration formalities, appointment of data protection officer and of processors - in 42 jurisdictions.

We are happy to contribute to this important publication with a whole chapter written by Dr. Axel von Walter.

If you are interessted in the whole publication: it is available on the webpage ICLG (International Comparative Legal Guides).

You will find the entire article on the Legal 500 website starting on page 91.