Germany does not yet have any regulations specifically targeting the metaverse. There have been expert hearings before the parliamentary committee for digitalisation of the German Bundestag on opportunities and risks of the metaverse and other web3.0 concepts in December 2022 that have not yet resulted in any legislative initiatives. As an EU member state, Germany will be bound by any future legislation by the European Union that may specifically target the metaverse or other web3.0 applications. The legal landscape surrounding the metaverse can be expected to be constantly evolving over the coming months and years.

However, existing laws and regulations in Germany may already apply to legal challenges that the metaverse poses. In this regard, a briefing of June 2022 by the European Parliament has identified several risks and policy implications in connection with the metaverse, such as data protection, cybersecurity, competition and liability.

Data Privacy

Given the sheer amount of personal data that is processed by a variety of actors in connection with the provision of metaverse-related services, establishing and maintaining sufficient data privacy and cybersecurity will be particularly challenging. To this end, the processing of personal data in Germany is governed by the General Data Protection Regulation (GDPR) and the German Federal Data Protection Act (Bundesdatenschutzgesetz, BDSG).

• Depending on the specific context in which the metaverse is used, there may be specific laws that apply, such as:
1. Section 26 of the BDSG, which covers the processing of personal data of employees;
2. Article 9 of the GDPR, which provides safeguards for the processing of sensitive data; and/or
3. Article 22 of the GDPR, which regulates profiling and automated decision-marking.
• The safeguards in place for sensitive data are particularly relevant, as many use cases of the metaverse involve the processing of large amounts of biometric data, as well as data on the emotional and physiological responses of natural persons.
• Under the GDPR, minors enjoy special protection and can give valid consent only from the age of 16 years.
• Allocating responsibilities in certain processing operations relating to the metaverse presents another key challenge as there is often a multitude of actors (including controllers and processors) involved in the creation and provision of virtual realities. Not only does this further complicate the obtaining of valid consent, but it could also potentially impede the enforcement of data subject rights as well.

Cybersecurity

With regard to cybersecurity – apart from the requirement to implement sufficient technical and organisational measures to ensure the security of processing under the GDPR – specific rules under the NIS2 Directive of December 2022 covering critical infrastructures will have to be transposed into national law by the end of 2024. These rules target many different sectors, among them cloud computing service providers and other digital infrastructure providers, but also digital providers, such as search engines and social networking sites. These could potentially encompass providers of metaverse-related services.

Intellectual Property

Finally, the metaverse also poses challenges to the protection of intellectual property. The unauthorised use of registered trade marks in the metaverse is on the rise, as are copyright violations through other web3.0 concepts, such as non-fungible tokens (NFTs). Additionally, more and more trade marks are filed that refer to the metaverse or NFTs. Therefore, the European Intellectual Property Office (EUIPO) has issued guidance on virtual goods, NFTs and the metaverse in June 2022 for classification purposes.

In Germany, the digital economy is not governed by a single law, but rather by a multitude of different provisions scattered across several national and Union laws, some of which pose risks of significant monetary sanctions in case of non-compliance.

E-Commerce

One of the legal foundations for the digital economy in Germany is formed by the e-Commerce Directive 2000/31/EC, transposed into German law in the German Telemedia Act (Telemediengesetz, TMG). It regulates the respective liabilities of online intermediaries (such as access and host providers, as well as other services including caching and mere conduit) and defines content moderation obligations. Most notably, it stipulates a “notice and takedown” procedure for host providers in case they are made aware of illegal content on their services.

Digital Services Act

Against the backdrop of existing regulations in the German Telemedia Act and other, sector-specific regulations on the moderation of certain kinds of contents in EU law (such as the Digital Single Market (DSM) Directive on copyright, the Audiovisual Media Services (AVMS) Directive, the Regulation on Terrorist Content Online (TCO), etc) and national law (such as the NetzDG (a law stipulating content moderation obligations) and specific youth media protection acts, etc), the Digital Services Act (DSA) was introduced by the EU in 2022. It provides for a common set of rules on the obligations of intermediaries, including transparency reporting and content moderation obligations regarding illegal contents (such as hate speech) and a ban on certain types of targeted advertising.

Very large online platforms (VLOPs) and very large only search engines (VLOSEs) are subjected to stricter rules and are required to meet additional risk management, data sharing and auditing obligations. The liability concept introduced by the e-Commerce Directive and currently in place in the TMG remains largely untouched; it is expected that the corresponding provisions in the TMG will soon be repealed. The DSA is generally directly applicable from 17 February 2024. First notification requirements have already applied since 17 February 2023.

Digital Markets Act

Another “centrepiece” of the EU’s digital strategy is the Digital Markets Act (DMA) which was introduced alongside the DSA. It aims at regulating large online platforms that act as “gatekeepers” to ensure free and fair competition across the EU. It limits large online platforms’ abilities to impose unfair terms and conditions on competitors and consumers. Companies with a strong economic position that are active in multiple EU member states with a strong intermediation position between users and businesses will have to comply with a broad set of rules, among which are obligations to allow third parties to interoperate with the company’s services and to access data generated on these platforms. Additionally, these “gatekeepers” are prohibited from treating their own services more favourably in rankings as compared to other services or preventing their customers from linking up to other businesses outside of their platform. The DMA is directly applicable in all EU member states from 2 May 2023.

Codes of Conduct

Finally, there are Codes of Conduct in Germany that have been published by the German Association for the Digital Economy (Bundesverband Digitale Wirtschaft) on a variety of areas, such as affiliate and content marketing, search engine advertising (SEA) or search engine optimisation (SEO).

Cloud and edge computing are not regulated as such, but these technologies are affected by several different laws in Germany that concern data protection, cybersecurity and highly-regulated industries.

Data Privacy

As far as the processing of personal data is concerned, the General Data Protection Regulation (GDPR) applies. In this regard, the transfer of personal data to third countries regularly raises practical issues. Data transfers are governed by Chapter V of the GDPR and are subject to specific restrictions. The use of US cloud computing services is particularly challenging, specifically since the Schrems II decision by the European Court of Justice of 16 July 2020, which introduced extensive transfer impact assessment requirements to be met when exporting data to third countries.

Additionally, the use of processors, such as cloud service providers, requires the conclusion of a data processing agreement (DPA) which must meet certain substantive requirements. This often proves difficult when large service providers are involved as these processors regularly impose their own conditions that do not necessarily align with the requirements set out in Article 28 GDPR.

NIS and NIS2 Directives

Both the NIS and NIS2 Directives (Directives (EU) 2016/1148 and (EU) 2022/2555) specifically target cloud computing services and impose on them comprehensive cybersecurity obligations, such as the implementation of appropriate technical and organisational measures to tackle risks and incident reporting obligations. The NIS Directive has been transposed into German national law in the IT Security Act (IT-Sicherheitsgesetz) that amended several laws in Germany. The NIS2 Directive will have to be transposed into national law by the end of 2024.

Regulated Industries and Guidance by Supervisory Authorities

In Germany, certain sector-specific restrictions are applicable for highly-regulated industries (such as insurance and banking) which limit outsourcing via cloud services. For example, the outsourcing of activities and processes are subject to restrictions in Section 32 of the Insurance Supervision Act (Versicherungsaufsichtsgesetz, VAG), Section 5(3) of the Stock Exchange Act (Börsengesetz, BörsG), Section 80(6) of the Securities Trading Act (Wertpapierhandelsgesetz, WpHG) and Section 25b of the Banking Act (Kreditwesengesetz, KWG).

In this regard, several German supervisory authorities have issued guidance on cloud services and outsourcing, such as the independent conference of the German data protection supervisory authorities (Datenschutzkonferenz, Orientierungshilfe – Cloud Computing, 9 October 2014) or the Federal Financial Supervisory Authority (BaFin, Merkblatt – Orientierungshilfe zu Auslagerungen an Cloud-Anbieter, November 2018).

The legal landscape surrounding artificial intelligence is constantly evolving. While Germany still does not have specific legislation regulating AI, there are legislative proposals on an EU level and discussions among legal scholars concerning certain AI-related issues.

AI Act

Aiming to provide for harmonised rules on artificial intelligence, the EU is in the late stages of enacting an AI Act, the proposal of which had been published by the Commission as early as 2021. Following a risk-based approach, the proposed AI Act envisages a gradual regulatory framework which subjects different AI systems to different requirements, depending on the specific risks associated with these systems.

While some very high-risk AI systems are outright banned (such as AI systems employing subliminal techniques beyond a person’s consciousness, social scoring systems for general purposes, real-time remote biometric identification systems in publicly accessible places for certain law enforcement purposes), other AI systems are generally permitted, yet placed under certain rules.

So called “high-risk AI systems” (such as AI systems intended to be used as a safety component of a product, AI systems for purposes of biometric identification of natural persons, education, employment, law enforcement, etc). Under the proposed AI Act, high-risk AI systems may only be trained with data where data quality requirements are met. In addition, specific record-keeping, transparency, human oversight, and conformity assessment requirements apply.

For certain lower than high-risk AI systems (such as emotion recognition systems, biometric categorisation systems, or deepfakes), transparency obligations apply that shall ensure that natural persons are informed that they are interacting with an AI system.

For low-risk AI systems, the AI Act encourages the development of, and voluntary adherence to, specific codes of conduct.

Data Privacy

Training artificial intelligence (for example, through machine learning algorithms) often involves the processing of large amounts of data. These sets of training data often involve both personal and non-personal data. Where personal data is concerned, the processing of such data must be based on a lawful basis and the processing must be compatible with the purposes for which the data has been collected. Moreover, the processing for training purposes will regularly require the use of anonymised data. As it constitutes a processing of personal data as well, the anonymisation of personal data also requires a lawful basis and that the anonymisation for training purposes is compatible with the purposes for which the data was collected. In many cases, a data protection impact assessment (DPIA) will have to be conducted. As far as non-personal data is involved, Regulation (EU) 2018/1807 applies.

The independent conference of the German data protection supervisory authorities (Datenschutzkonferenz, DSK) has published a policy paper on artificial intelligence on 3 April 2019 (DSK, Hambacher Erklärung zur Künstlichen Intelligenz, 3 April 2019), outlining seven guiding principles that should govern the development and utilisation of AI:

• AI must not turn humans into objects;
• AI may only be used for purposes legitimised by the constitution and must not override the purpose limitation requirement;
• AI must be transparent, comprehensible, and explainable;
• AI must avoid discrimination;
• the principle of data minimisation applies to AI;
• AI demands responsibility by a controller; and
• AI requires technical and organisational standards.

Liability for AI Malfunctions

With regard to AI malfunctions, there are debates among German legal scholars on questions of liability. While some argue that already-existing contract or tort laws should be applied to address the infliction of damages by an AI, other voices in academia and practice propose that such damages should be covered by specific insurance solutions. Additionally, there are proposals that call for strict liability of AI manufacturers and/or operators of AI. Other solutions involve the creation of an own legal personality in AI systems (so-called “e-persons”); however, apparently this proposal has not been able to attract broad support.

On an EU level, in September 2022 the Commission adopted two proposals to adapt and modernise liability rules to meet current technical and market developments. One of the policy proposals concerns the proposal for an AI Liability Directive which aims at fostering the enforcement of claims by individuals who have been harmed by AI products through alleviating the victims’ burden of proof and facilitating access to relevant evidence.

Intellectual Property Issues

Under German copyright law (Urheberrechtsgesetz, UrhG), big data collections are not protected as such. The creation of a big data collection merely involves the systematic and indiscriminate collecting of data points which does not constitute an “author’s own intellectual creation” as is required under Section 4(2) of the UrhG to warrant protection as a database work. A protection of the collection as a right of the maker of a database pursuant to Section 87a et seq of the UrhG can generally seem conceivable under certain circumstances, if the maker of the database has made significant investments in obtaining, verifying and/or presenting the data and if they have arranged them systematically or methodically.

Finally, big data collections can be granted a sui generis protection as a trade secret under the German Trade Secrets Act.

Further, the creation of new text and art by AI machines such as ChatGPT will pose significant challenges to copyrights as the AI driven machines create text and/or art based on smaller or larger fragments of works that enjoy copyright protection. Apart from the question as to whether these fragments still enjoy copyright protection, it is entirely unclear how such copyrights could be enforced. Likely, the new AI creations will not enjoy their own copyright protection.

There is no law in Germany that specifically governs the Internet of Things (IoT). The notion of IoT usually involves devices that monitor or communicate with smart cars, smart homes, work environments or physical activities. In its Opinion 8/2014 on recent developments on the IoT of 16 September 2014, the EU’s Article 29 Working Party defined the concept of the “Internet of Things” as to refer to an “infrastructure in which billions of sensors in common, everyday devices (…) are designed to record, process, store and transfer data and, as they are associated with unique identifiers, interact with other devices or systems using networking capabilities”.

Although there is no specific legislation targeting the IoT, several laws governing the processing of personal data necessarily involved with using IoT devices apply. Among these are:

• the General Data Protection Regulation (GDPR) and the German Federal Data Protection Act (Bundesdatenschutzgesetz, BDSG); and
• the ePrivacy Directive 2002/58/EC, which has been implemented in German law in the Federal Telecommunications Telemedia Data Protection Act (Telekommunikation-Telemedien-Datenschutz-Gesetz, TTDSG).

Data Privacy

Privacy-related issues connected to the IoT are manifold. Several of these issues have been identified by the Article 29 WP in its Opinion 8/2014 on recent developments on the IoT.

• There is a general lack of control, depending on the transparency with which the IoT devices collect data. This may result in excessive self-exposure beyond a data subject’s control.
• This lack of information may lead to data subjects not being aware that their IoT devices are processing data which, in turn, presents a significant burden to obtaining valid consent. It should be noted that the processing of health or other sensitive data is subject to additional protection under Article 9 GDPR.
• Due to the large amounts of data created and collected by IoT devices, there is the inherent risk that inferences are drawn from data processed for purposes other than those for which this data had originally been processed (eg, to allow conclusions as to the health or habits of users). It is thus important, as Article 29 WP notes, that personal data is only processed for purposes compatible with the purposes for which it was collected and that these purposes are known to the data subject.
• The fact that conclusions of an individual’s habits, behaviours and preferences may be inferred from the data collected by IoT devices may significantly change a data subject’s behaviour.
• IoT has the potential to put a severe strain on the ability to remain anonymous given that, for example, wearable devices in close proximity to data subjects can reveal a range of other identifiers, such as MAC addresses, which can be used for purposes such as location tracking, fingerprinting or analysis of movement patterns of individuals or even crowds of people.

To address these privacy issues, developers of IoT systems must, in particular:

• inform data subjects of the specific purposes for which their data is collected;
• ensure that data subjects give valid and informed consent;
• conduct a data protection impact assessment (where sensitive categories of data is processed);
• limit a device’s data collection to conform with the GDPR’s privacy by design and by default principles;
• implement appropriate technical and organisational measures to address cybersecurity risks.

Cybersecurity

IoT devices can raise cybersecurity concerns, some of which had already been identified by the Article 29 WP’s Opinion 8/2014. Vulnerabilities of IoT devices can be exploited and misused for purposes of surveillance and data theft or to attack critical infrastructures. Some vulnerabilities can also be linked to a lack of regular security updates or an appropriate end-to-end-encryption.

Some of these risks will be addressed by the Cyber Resilience Act (CRA) proposed in September 2022 by the European Union which seeks to close regulatory gaps with regard to IoT products. The main objectives of this initiative are:

• to foster the development of secure products with fewer security vulnerabilities;
• to ensure that manufacturers and developers are appropriately addressing a digital product’s security throughout its lifecycle;
• to enhance the transparency of a product’s security properties; and
• to enable consumers to make educated decisions as to their choice of digital products.

For these purposes, a coherent cybersecurity framework shall be established.

Audio-Visual Media Services

Due to Germany’s federal structure, audio-visual media services are governed at both the federal and state levels in Germany by the State Media Treaty (Medienstaatsvertrag, MStV) and State media laws. Under these laws, broadcasting requires permission by the respective media authorities. Broadcasting is defined as any linear provision and distribution of moving images and/or sound for simultaneous reception by the general public along a broadcasting schedule using electromagnetic transmission paths (be it, for instance, via satellite, cable, terrestrial or the internet). Audio-visual media provided “on demand” (eg, on video sharing platforms) is regularly exempt from this definition.

However, livestream content on streaming platforms can often constitute “broadcasting” within the meaning of the regulations mentioned above, especially in cases that it follows along a broadcasting schedule. The fees for the authorisation procedure can cost between EUR1,000-2,500 or, in some cases, up to EUR 10,000, depending on the administrative effort necessary for the authorities and on the economic value of the company requesting an authorisation.

Video-Sharing Platforms

Video-sharing platform services are also targeted specifically under a variety of German laws. Most importantly, the latest review to the Audio-Visual Media Services Directive (EU) 2018/1808 of 14 November 2018 has brought many changes to several media laws in Germany over the past few years. The legal situation in Germany for video-sharing platforms tends to be rather complex, as the relevant provisions are scattered across many different laws.

The obligations for video-sharing platform services are mainly laid out in:

• Section 10a, 10b of the Telemedia Act (Telemendiengesetz, TMG);
• Section 97 et seq of the State Media Treaty (Medienstaatsvertrag, MStV); and
• Section 5a, 5b, 14 of the Youth Media Protection State Treaty (Jugendmedienschutz-Staatsvertrag, JMStV).

The obligations stipulated in the provisions stated above mainly concern content moderation obligations to protect minors and the general public from hate speech, the incitement of violence and other hateful content, as well as criminal and child pornographic content.

In addition, other legislation that does not specifically target video-sharing platform services only but more generally stipulates obligations for the moderation of harmful or illegal content for many different kinds of platform or host services may apply as well, namely:

• several content moderation obligations under the Network Enforcement Act (Netzwerkdurchsetzungsgesetz, NetzDG);
• Regulation (EU) 2021/784 on addressing the dissemination of terrorist content online (TCO-Regulation);
• provisions based on the Directive (EU) 2019/790 on Copyright in the Digital Single Market (DSM Directive), transposed into German law in the Copyright Service Provider Act (Urheberrechts-Diensteanbieter-Gesetz, UrhDaG); and
• in the near future, several obligations under the Digital Services Act (DSA) targeting online platforms and/or very large online platforms (VLOPs).

Telecommunications Regulation

In Germany, telecommunications are regulated in the Telecommunications Act (Telekommunikationsgesetz, TKG) which has transposed rules laid out in the European Electronic Communications Code (EECC ‒ Directive (EU) 2018/1972) into German law. To promote competition in the telecommunications sector and efficient telecommunications infrastructures, the TKG follows a technology-neutral approach to ensure that adequate and sufficient services can be provided across Germany. Telecommunications services regulated under the TKG are:

• internet access services;
• interpersonal telecommunications services; and
• services which consist wholly or mainly in the transmission of signals, such as transmission services used for machine-to-machine communications and for broadcasting.

Interpersonal telecommunications services (also called “OTT-I” services, ie, over-the-top-I services, such as instant messaging, web mail services, internet (video) phone services, etc) are services usually provided for remuneration that enable a direct interpersonal and interactive exchange of information over telecommunications networks between a finite number of persons, whereby services which enable interpersonal and interactive telecommunications merely as a subsidiary ancillary function inextricably linked to another service are not included. OTT-I services are partially governed by the TKG, whereas OTT-II services (eg, blogs, streaming, websites, etc) are not covered by the TKG.

Pre-marketing Requirements

The Telecommunications Act regulates both communications networks and communications services. Under the EECC, the provision of such networks or services is subject to a “general authorisation” (Article 12, EECC) and thus does not require a grant of a licence or specific authorisation. However, any intended commencement, change or termination of such services must be notified to the Federal Network Agency (Bundesnetzagentur, BNetzA) without undue delay. The same applies for any changes to an operator’s or service provider’s name/company name, legal structure or address.

Technology agreements (ie, agreements relating, inter alia, to the development, sale, transfer, provision and maintenance of software, hardware or cloud solutions, etc) are not specifically regulated as such under German contract law. Instead, general contract law and the law of general terms and conditions (Allgemeine Geschäftsbedingungen, AGB) of the German Civil Code (Bürgerliches Gesetzbuch, BGB) apply. Depending on the subject of the technology contract, the rules of different contract types are applicable, such as sales contracts, service contracts, rental contracts or work contracts. In addition, antitrust rules may apply which are not covered by this analysis.

Exact Specification of the Services and Products

Since the different contract types entail different rights and obligations, especially with regard to the provision of the technology subject to the contract as well as with regard to warranties and liabilities for defects, a precise and detailed description of the services/products is necessary to clearly define the scope and the nature of the respective technology agreement. Under all circumstances, parties must make sure not to confuse different contractual elements or choose descriptions that refer to a type of contract that is not appropriate for the service or product provided and which establishes rights and obligations that are inappropriate or too far-reaching. This can often occur whenever pre-formulated standard clauses are used that are not specifically adapted to the concrete service or product. For example, Software-as-a-Service (SaaS) or software rental contracts involve different service descriptions that result in different rights and obligations for both parties.

Licensing and Liability

Software licensing can cause difficulties, especially when open-source software (OSS) is involved. Many OSS licences require the licensee, if they publish modifications based on the OSS, to make the source code available and publish it under the same licence terms as the original OSS licence (so-called “Copyleft” principle). This can lead to problems where open-source software code is combined with other open-source or proprietary software code under different, and possibly conflicting, licence terms. Here, careful consideration is necessary to avoid violating any licensing conditions.

Finally, in cases where a group licence is to be granted, attention must be given to the means by which it can be granted in a legally secure manner. Notably, in general, no additional licences can be granted on the basis of a simple licence.

Wherever general terms and conditions are used, some restrictions can also stem from German laws specifically targeting general terms and conditions. Extensive exemptions and limitations of liability are often deemed invalid by German courts, as are comprehensive disclaimers of warranties.

German law sets out specific rules on trust services in the Trust Services Act (Vertrauensdienstegesetz, VDG) and in the Trust Services Ordinance (Vertrauensdiensteverordnung). It includes various regulations on trust services, electronic signatures and seals, as well as the validation of such identification methods. These rules complement the eIDAS Regulation (EU) 910/2014 on electronic identification and trust services for electronic transactions in the internal market. Formal requirements for electronic signatures are established in the German Civil Code. It regulates the cases in which a mandatory written form can be replaced by an electronic signature.

However, electronic signatures are only catching on very slowly because they require special hardware and software, an effort that many – except for individual industries – have tended to avoid up to now.