IT law


IT law is all about legal know-how and technical understanding: Trust our experienced experts to provide you with professional advice in the areas of IT, software, artificial intelligence and online business models.

IT law

Digitalization is permeating all industries – from software development and cloud services to the use of social media and artificial intelligence. IT and internet law, meaning the legal framework surrounding information technology and the use of the internet, therefore affects companies of all sizes and almost every industry. It applies both to IT companies and to almost all companies from other sectors that provide IT solutions and are commercially active online.

IT law is an interdisciplinary field of law that governs the legal framework of the digital world. It comprises a large number of provisions from different areas of law, including contract law, the law of digital services, the law of artificial intelligence, licensing law and regulations on IT security, as well as data protection and e-commerce. The aim of IT law is to ensure legal certainty in digital business transactions, to safeguard the protection of personal data and to promote the integrity and availability of IT systems.

For companies, compliance with the multitude of legal requirements is an increasing challenge. The rapid pace of technological development and increasing legal regulation, such as the Digital Markets Act (DMA), the Digital Services Act (DSA), the AI Act, the Data Act and many more, make continuous adaptation, legal review and advice essential. The compliance requirements created by legislators have continued to increase in recent years. This affects not only companies that operate digital services or online platforms, but all companies that use IT systems and process data digitally.

As a cross-section of different areas of law, IT law attempts to provide a legal framework for (new) digital business models and technologies such as artificial intelligence or blockchain, while at the same time ensuring regulation and a level playing field for companies on the market.

Software

Software is at the heart of the digital economy. Every digital process uses software. Different types of contract are used in connection with software. The contractual basis can be a purchase contract, a contract for work, a service contract, a rental contract or a mixed contract of the above contract types. Each type of contract has its advantages and disadvantages for the software provider and its customer. Which type of contract is the right one and how it should be structured is of decisive importance for the success of every software project for all parties involved. Qualified legal advice is therefore essential in this area.

Software development

Contracts for the development of software, i.e. the creation or adaptation of software according to the client’s specifications, are regularly contracts for work and services. It is crucial for the parties to define the contractually owed services in the contractual agreement in such a way that it is ultimately clear to both parties what the software developer has to develop and what the customer can expect in return. Due to the complexity of projects, it is impossible and economically unreasonable to agree on every detail, which is why a balance must be struck between the interests of both parties by drafting suitable contracts.

Agile software development

Today, many modern software projects are carried out in an agile manner (e.g. Scrum). Compared to traditional development models (e.g. waterfall), this has the advantage of being able to react flexibly and quickly to adaptation requests and changes, especially as experience has shown that adaptations and changes are frequent in every software project.

From a legal perspective, agile contracts cannot always be clearly classified as a contract for work or a contract for services. Whether it is a contract for work or a contract for services or a mixture of both depends on the specific implementation of agile software development. This can be clarified by drafting the contract accordingly.

License, buy or rent software

As soon as software is procured, the question arises as to how this should be legally implemented. Commonly, one speaks of software licenses and software license agreements. In legal terms, these are usually purchase and rental agreements, with the latter having increased in recent years. The advantage of rental agreements such as Software-as-a-Service (SaaS) for the provider is the ongoing rental income compared to a one-off income from a sale. For the customer, the permanent warranty provided by the lessor can be an advantage. At the same time, there are also good reasons for buying instead of renting, so the legal and technical advantages and disadvantages need to be considered in advance.

Software maintenance and service contracts

Software maintenance and service contracts are contracts following software development or the purchase of software. They regulate the scope of updates, upgrades, support and comparable services, especially after the expiry of the statutory warranty. They usually also include service level agreements, i.e. regulations on how, how quickly and to what extent a service provider must respond to problems and support requests.

Open Source Software

Open source software is software whose source code is publicly accessible and can be viewed, used, modified and distributed by anyone. The core idea of open source is transparency, cooperation and collaborative development, which allows innovations to be driven forward more quickly. A special feature of open source software is that, unlike proprietary software, it can not only be made available free of charge, but users also have the right to adapt it to their needs. However, the use and distribution of open source software is subject to certain license conditions. The best-known open source licenses include the GNU General Public License (GPL), which requires that derived software is also published under the GPL (copyleft principle), the MIT license, which allows very free use, including commercial use, and the Apache License, which also contains provisions on patent rights. The BSD license is also widely used and, like the MIT license, is very permissive. These licenses specify the conditions under which open source software may be used, modified and distributed.

Cloud computing: SaaS, PaaS, IaaS contracts

More and more companies are moving IT systems to the cloud. Whether Software as a Service (SaaS) – using ready-made software online, Platform as a Service (PaaS) – development platforms in the cloud, or Infrastructure as a Service (IaaS) – outsourcing server infrastructure: all models involve special legal issues.

Availability and performance obligations

As with any IT outsourcing agreement, the contract with the cloud provider must contain clear regulations on availability, performance and support. Here, contractual agreements such as service level agreements (SLAs) can be used to define whether a certain availability, response times in the event of support, etc. are owed. This can be particularly relevant with regard to the liability of the provider and customer in the event of failure or unavailability of the cloud services.

Data protection and data sovereignty

Cloud services often mean that company data is stored externally. If this is personal data, the GDPR applies. The cloud provider then becomes a processor, and a data processing agreement (DPA) must be concluded that regulates, among other things, security measures, inspection rights and subcontractors. It is also important where the data is stored: if it is located outside the EU, additional arrangements may be required (e.g. standard contractual clauses), and it should be checked whether there is a risk of access by authorities of third countries (keyword: Cloud Act in the USA). Some sectors require that certain data may only be stored within the EU (e.g. the healthcare or financial sector).

Data availability at the end of the contract

Companies must ensure that they receive their data back in the event of termination or a change of provider – and in a common format. Otherwise, there is a risk of vendor lock-in, which makes it difficult or impossible to switch providers. Customers must therefore ensure that data portability is possible.

Liability and security in the cloud

Who is liable if data in the cloud is lost or accessed without authorization? As a rule, providers largely exclude liability or limit it (e.g. to the amount of the annual fee). Companies should check whether such liability limitations are acceptable. Critical data should also be secured with your own backups. Attention should also be paid to the IT security of the cloud provider (e.g. through appropriate certifications). If a data breach occurs (e.g. hacker attack on the cloud provider), the company is still obliged to report it in accordance with the GDPR, even if the error was caused externally. Security requirements and incident response processes should therefore be set out in the contract.


Clemens Pfitzer, attorney, specialist attorney for intellectual property law, specialist attorney for IT law, partner, competition law, trademark law, patent law, design law, know-how protection, IT law, data protection law, copyright law, e-commerce

Social Media

Social media platforms such as Instagram, TikTok, Snapchat, Facebook, LinkedIn, X and Bluesky are important for many companies today for advertising purposes and for their own corporate communication or recruiting.

This creates risks for disseminated content. What employees or commissioned agencies post on behalf of the company can be legally attributed to the company. Advertising must also be recognizable as such – advertising posts or influencer contributions must be labeled as advertisements or advertising as soon as there is a commercial intention. Otherwise, infringements may result in warnings under competition law.

However, there are also risks associated with user-generated content, meaning that companies need to develop strategies for dealing with unlawful comments (e.g. insults, hate speech or copyright-infringing content posted by users).

In addition, data protection requirements must be observed when using social media, which can quickly become a challenge with non-European platforms.

Artificial intelligence (AI)

Artificial intelligence, in particular generative artificial intelligence, is revolutionizing more and more business processes. Applications range from chatbots, image, music and video generators and pattern recognition in medicine or other scientific fields to the evaluation of biometric data.

This raises a number of as yet unclear and unresolved legal issues that need to be considered when using and developing AI systems. Regulations such as the EU AI Regulation, which imposes far-reaching requirements in this regard, must also be observed.

Legal advice that addresses the matter both technically and legally, and that also takes into account the decision-making practice and regulations in other countries, is essential here.

Blockchain, NFT, crypto and smart contracts

Blockchain technology stands for decentralization, transparency and immutability of data. Applications range from cryptocurrencies (Bitcoin, Ethereum) and smart contracts to supply chain tracking and digital identities. However, this innovation boost raises a variety of legal questions, as conventional legal norms collide with the special features of blockchain.

The blockchain works like a decentralized cash book. But is an entry in the blockchain (e.g. a Bitcoin transfer) legally considered a transfer of ownership? In many jurisdictions, including Germany, cryptoassets are now recognized as legal objects. Nevertheless, legal uncertainties remain. For example, can an insolvency administrator reverse a crypto transaction in the event of an insolvency challenge?

Smart contracts

A smart contract is code that is executed on the blockchain and, for example, automatically triggers payments or actions as soon as defined conditions are met. Example: A self-executing insurance policy automatically pays out an amount when a sensor reports that a parcel has been damaged. Technically sophisticated – legally complex. Strictly speaking, a smart contract is not a “contract” in the legal sense, but software. A conventional contract often exists in parallel, which stipulates that the parties are subject to the execution of the code. The challenge is to regulate what happens in the event of programming errors or unintended consequences. It is therefore strongly recommended to have written contracts in the background for important transactions, which regulate, for example, what applies if the smart contract deviates from the intended result or whether and how a smart contract can be stopped if necessary.

Non-Fungible Token (NFT)

A non-fungible token (NFT) is a unique, non-exchangeable digital token based on blockchain technology, usually on Ethereum or other smart contract-enabled blockchains such as Solana or Polygon. NFTs serve as digital certificates of ownership for digital or physical goods such as artworks, music, videos or virtual properties in metaverses. Unlike cryptocurrencies such as Bitcoin or Ether, which are interchangeable (“fungible”), each NFT is unique and cannot be replaced by another token of the same type. NFTs are managed by smart contracts that define rules for the transfer and use of the token. The authenticity and ownership of an NFT is stored in the blockchain in a tamper-proof manner, making digital content tradable and collectible.

Another aspect is the finality of blockchain entries. Once a transaction has been confirmed, it can technically no longer be changed (without reorganizing the entire network, which is practically impossible). This collides with legal principles such as contestability or the right of revocation.

Public blockchains such as Ethereum are also transparent by design – all transactions can be viewed by anyone. Although the parties are pseudonymized (using wallet addresses), personal data may still be present despite pseudonymization. However, the GDPR requires, for example, a right to erasure. Deleting data on a blockchain is not readily possible.

IT security and cybersecurity

In a networked world, IT security is not a nice-to-have, but a must. Data leaks, hacker attacks and system failures can have serious economic and legal consequences: in addition to the impairment of internal company processes, which can lead to immense damage, there is also the threat of loss of customer confidence, contractual penalties and even official sanctions. Companies must therefore take organizational and technical precautions to protect their IT systems and data.

Many of these obligations are implicit in the law. For example, the GDPR requires “appropriate technical and organizational measures” to protect personal data. The IT Security Act and the NIS 2 Directive oblige critical infrastructures and increasingly also important companies in certain sectors to comply with minimum standards and to report serious IT security incidents. Industry regulations (e.g. in the financial, energy and healthcare sectors) often stipulate detailed security measures.

The Cyber Resilience Act (CRA) is new at EU level. For the first time, this stipulates a minimum cyber security standard for all products with digital elements. Manufacturers and distributors of software/hardware must ensure IT security throughout the entire life cycle of a product. In concrete terms, this means, for example, secure default settings, regular provision of security updates, closing known vulnerabilities and hardening products against common attacks. Particularly critical products may have to undergo security certification before they are launched on the market.

IT law in a state of constant change

IT law, like IT itself, is in a state of constant change. The European Union alone has recently passed a series of digital laws that have a significant influence on the legal framework for IT and internet law.

The new EU rules are intended to create a level playing field in the European single market. Companies that operate internationally will benefit from clear guidelines instead of many individual national laws. In addition, all of these acts aim to strengthen trust and security in the digital economy – be it through fair competition (DMA), a more secure internet (DSA), trustworthy AI (AI Act), data sovereignty (Data Act) or secure products (CRA). It is worthwhile for companies to keep an eye on these developments and introduce compliance measures at an early stage where necessary.

Our expertise in IT law

From contract law for software projects and the use of cloud and social media to future topics such as AI and blockchain, companies need to keep an eye on a wide range of regulations. Technical innovation and legal compliance must go hand in hand.

We have highly specialized and experienced lawyers in the field of IT law to advise companies from start-ups to large corporations on all IT law issues and to support them in the digital age. Our services include:

  • Drafting contracts for the creation, maintenance and licensing of software and contracts in the areas of SaaS, PaaS and IaaS
  • Advice on legal requirements for IT systems and their use
  • Representation in IT law disputes before courts or arbitration boards

Our services

Advice on data protection law

We advise you on all questions of data protection law, e.g. on data protection concepts, data protection declarations, contract design and dealing with data protection authorities.


Legal advice on software

We advise you on all legal issues relating to software, software development, software licensing, maintenance, servicing, liability, compliance, agile software development and SaaS.

