IT Law and Data Protection 11.10.2023 Newsletter

Focus IT&C – 3rd Quarter 2023

Find out more about our IT law & data protection practice group - now regularly summarised for you at a glance! On a quarterly basis, we will be presenting you with the most important developments in IT law and data protection. In addition to informing you of the latest draft laws and developments in the field, we advise you on classic IT law, data protection law and new media. Please also feel free to contact us for audits, IT project support and consulting, including cloud computing, e-commerce topics and social media issues.

1. Artificial intelligence, creativity and copyright

2. Cybersecurity in German companies: new obligations through planned new regulations of the German Act on the Federal Office for Information Security (BSIG) 

3. ECJ specifies scope of right to information and copies pursuant to Art. 15(1) and (3) GDPR

4. Legal tech and the law governing the legal profession

5. FCJ refers questions to ECJ on GDPR: immaterial damage in case of mere negative feelings?

1. Artificial intelligence, creativity and copyright

Creative artificial intelligence

Hardly any other term is as present in today’s media as that of artificial intelligence (AI). Recently, the focus has been on autonomous vehicles, robots and facial recognition systems, with liability risks and data protection issues being a frequent topic of discussion.

Today, AI is also used to generate images, music and even films. Well-known examples are the "The Next Rembrandt" project, the "Deep Bach" application and the "Driven by Intuition" commercial. Such generative AI applications have attracted the attention of the general public, especially since the release of the chatbot Generative Pre-trained Transformer, or "ChatGPT" for short, in November 2022. Today, this AI can be used to generate texts. The user puts questions, so-called prompts, to the AI via a chat function and receives an answer that, according to ChatGPT's calculations, would probably be given by a human. During a corresponding dialogue, a person communicating unknowingly with ChatGPT would probably not immediately recognise that their conversation partner is not human. This would make ChatGPT actually intelligent in the sense of the so-called Turing Test.

Experts are evidently already attributing creativity as well as intelligence to generative applications. In all events, art lovers bid over 430,000 US dollars for the AI-generated Portrait of Edmond de Belamy at auction at the well-known auction house Christie’s in October 2018. No reference is made to any natural person in the copyright notice. Rather, the painting is signed with the code of the algorithm. But can artificial intelligence really be the author?

Legal framework for art: copyright law

As far as German copyright law is concerned, this question can be answered succinctly: no, AI cannot be an author. This is due to the fact that, according to Section 7, 2(2) German Copyright Act (Urheberrechtsgesetz, “UrhG”), only natural persons, and not machines, for example, can be creators of a work.

At the same time, this answer raises the follow-up question of whether works of art generated with the aid of artificial intelligence can be attributed to a natural person. This would be the case if the artificial intelligence could be classified as an aid during the creative process. What matters here is whether the aid merely has a supporting function or whether it has an overriding formative influence on the creation of the work.

Copyright law has already faced comparable problems in the past with technical innovations such as the camera and the computer. In principle, these inventions do not conflict with copyright and can be aids, as long as the essential creative decisions lie with the human. However, it is not all that long since this issue became undisputed.

In the case of generative AI, the question of demarcation between aids that assist humans and "creative" machines arises again. The increasing processing power of modern computers and, above all, the availability of large amounts of data, which are necessary for teaching the AI applications, are increasingly blurring a clear demarcation. This is because, compared to traditional technical aids, AI has a much stronger influence over the creative process. It remains to be seen whether case law or legislative intervention will provide such a demarcation in the future. In all events, it is uncertain at present whether the respective products are eligible for copyright protection or not. Ultimately, it will only be possible to clarify this on the basis of case-by-case decisions.

The influence of research into the explicability of AI should not be underestimated in this context. This is because, for the question of attribution, it is of paramount importance that the technical processes in the systems are understood. Research into the so-called black box is therefore likely to be desired by AI artists in particular.

Conclusion

The decision as to whether a copyright is created in the respective product of artificial intelligence will ultimately have to be made on a case-by-case basis. The tendency is for the greater obscurity of AI systems, i.e. the growth of the much propagated black box, to preclude copyright. However, since research into the explicability of AI is being strongly advanced at the same time, it cannot be ruled out that a consistent classification of this new technology will be possible in the future.

Dr. Axel Grätz

2. Cybersecurity in German companies: new obligations through planned new regulations of the German Act on the Federal Office for Information Security (BSIG) 

Advancing digitisation is leading to an ever increasing networking in all areas of life and the economy. However, this networking is also leading to dependencies and creating new targets for criminal attacks in the digital world. Such attacks are particularly critical in central areas of the economy and the state. For example, if the IT infrastructure of the operator of a large number of hospitals were to be disrupted - even if only for a few hours – this would put human lives at risk.

In order to counter the growing cyber threat and protect the functioning of its own internal market and security of supply, the European Union adopted on 14 December 2022 Directive (EU) 2022/2555 on measures for a high common level of cybersecurity across the Union, the so-called NIS-2 Directive. The aim of the NIS-2 Directive is to achieve a uniform, high level of cybersecurity for the highly fragmented internal market.

In connection with the planned implementation of the NIS-2 Directive, an unofficial draft bill of the Federal Ministry of the Interior and Community (Bundesministerium des Innern und für Heimat) has been circulating since July of this year, which in particular significantly expands the previous regulations of the German Act on the Federal Office for Information Security (Gesetz über das Bundesamt für Sicherheit in der Informationstechnik) – “BSIG” for short.

1. Does my company fall within the scope of the new BSIG?

The draft new regulations of the BSIG (hereinafter “BSIG-E”) extend the scope of application to an anticipated total of 18 sectors, based on the sectors specified in the NIS-2 Directive. If one compares these with the current BSI-Ordinance on the Protection of Critical Infrastructures (“BSI-KritisV”), the primary sectors space, chemicals, production and manufacturing, among others, are being added. Exactly which sub-sectors will be covered by BSIG-E is as yet unknown. In continuation of the previous system, these will doubtlessly be represented in a BSI-KritisV adapted to the BSIG-E.

The fundamentally required minimum size of the enterprise is also being raised and will apply from classification as a medium-sized enterprise. According to Section 2 BSIG-E, this is a company that

a) employs at least 50 and at most 249 employees and also has an annual turnover of less than EUR 50 million or an annual balance sheet total of less than EUR 43 million, or

b) employs fewer than 50 employees and has an annual turnover and an annual balance sheet total of at least EUR 10 million each, and an annual turnover of no more than EUR 50 million and a balance sheet total of no more than EUR 43 million.

Operators of critical facilities are also covered, regardless of their size.

Companies that do not fall under the legal scope of application must also urgently address the issue of the obligations of the BSIG-E. Section 30 (4) No. 4 BSIG-E currently stipulates that companies that fall under the BSIG-E are required to take measures that also include security of the supply chain. It is to be feared that, in cases of doubt, companies will extend the provisions of the BSIG-E to their entire supply chain across the board as a precautionary measure.

Irrespective of this "indirect" effect, the legislator assumes that around 30,000 companies will fall under the regulations of the BSIG-E for the first time.

2. What will change for affected companies and what now needs to be done?

The BSIG-E contains a comprehensive catalogue of measures, see Sections 30 et seq. BSIG-E, which affected companies must observe. The new regulation extends the existing obligations.

Compared to the previous obligations for reporting security incidents, Sections 31 and 35 BSIG-E explicitly stipulate short deadlines of a maximum of 24 hours for the initial report and stipulate successive follow-up reports with assessment obligations.

The law is now also making cybersecurity a "management issue". Section 38 BSIG-E explicitly stipulates the management’s personal liability towards the company (see for details the article "Cyber risk management - an obligation for every management"). In addition, the management is obliged to participate in appropriate training measures. 

For companies that will fall within the scope of application in the future in particular, it is advisable for them to check their IT security structure for any necessary action in good time. The BSIG-E is expected to come into force in October 2024.

Are you unsure whether your company falls within the scope of the NIS-2 Directive or the BSIG-E? Please do not hesitate to contact us for an answer. 

Christian Saßenbach 

3. ECJ specifies scope of right to information and copies pursuant to Art. 15(1) and (3) GDPR

Companies regularly process and respond to requests for information from employees, customers and other third parties. According to Article 15(1) and (3) GDPR, a data subject is entitled to request confirmation from the controller as to whether their personal data are being processed. If so, the data subject is entitled to receive information and a copy of the personal data being processed. The European Court of Justice (ECJ) has concretised the scope of this right to information and copies in several decisions this year.

Controller must state specific recipients of data

According to Article 15(1)(c) GDPR, the controller must provide information on the recipients or categories of recipients of the data subject's personal data. According to the wording of the law, it could previously be argued that the controller can choose whether to name the specific recipients or only the categories of recipients.

In its judgement of 12 January 2023 (Case No. C-154/21), the ECJ ruled that when responding to a request for information, data controllers are generally obliged to name specific recipients to whom they have disclosed or will disclose the personal data of the requesting data subject. Merely naming the categories of recipients, in contrast, is not sufficient, or only in exceptional cases.

The ECJ initially clarified that the wording of Article 15(1)(c) GDPR does not support either the one opinion or the other. However, it was already clear from the 63rd recital to the GDPR that the data subject must have a right to know who is receiving their personal data.

Furthermore, the ECJ pointed out that the right to information does not require that the information about the specific recipients be disclosed in all cases. Under certain circumstances, it may be impossible to disclose the identity of the specific recipients - especially if they are not yet known. In these cases, according to the ECJ, it suffices if the information is limited to categories of recipients.

Is a data subject entitled to a copy of an entire document?

In addition, the ECJ had to clarify whether companies are also obliged to provide copies of documents containing personal data of the data subject upon the data subject’s request for information pursuant to Article 15(3) GDPR, or whether a copy of a list of personal data processed is sufficient.

The ECJ (judgement of 4 May 2023 - C-487/21) initially ruled that the right to a "copy" of the personal data processed pursuant to Article 15(3) GDPR entitles the data subject to a faithful and intelligible reproduction of their processed data. This also means that excerpts from documents or databases or even complete documents in which personal data were processed must be transmitted as a copy in order to ensure the required transparency and easy comprehensibility of the information, and to thereby also enable the data subject to effectively exercise the rights granted to them by the GDPR. Above all, such a right exists when personal data are generated from other data and the context in which the data were processed is essential for purposes of transparent information and comprehensible presentation.

According to the ECJ, data subjects are entitled to receive copies of the document (or excerpts therefrom) containing personal information about them if this is essential for them to be able to effectively exercise the rights conferred on them by the GDPR. It must be borne in mind in this context that the rights or freedoms of other persons may not be impaired when providing such a copy (Article 15(4) GDPR).

Is the data subject allowed to learn which employees have requested data?

Finally, on 22 June 2023 (Case No. C-579/21), the ECJ ruled on the question of whether the data subject is also entitled to know at what time and for what reasons the employees of a controller have requested information on their personal data.

The procedure originated with a bank employee. In addition to his employment relationship, this employee also had an account with the bank in question. He learned that other employees of the bank had requested his customer data several times. The data subject subsequently wished to know which employees had requested his customer data.

The ECJ stated in its decision that the aim of the right to information is to ensure fair and transparent processing. The data subject should be able to obtain information about the processing operation as such. The right to information also includes information that is necessary to ensure transparent processing.

Thus, according to the ECJ, the time of processing can also be necessary information. However, the ECJ pointed out that employees of a controller are not recipients within the meaning of Article 15(1)(c) GDPR. The data subject's right to information only applies to the latter. Thus, according to the ECJ, the data subject has no right to information about specific employees who have accessed the personal data.

Patrick Schwarze

4. Legal tech and the law governing the legal profession

With the rapid advancement of developments in the field of legal technology, the question arises as to the compatibility of using digital tools with the principles of the law governing the legal profession.

Legal tech tools have already been gaining importance in various forms for several years now. For example, portals such as wenigermiete.de or flightright.de enable laypersons to easily enforce their legal claims in mass proceedings at the click of a mouse. Law firms and legal departments are also increasingly using legal tech tools, for example to create standard contracts automatically. These forms of use fall under the term "legal tech 2.0", which primarily supports and maps standardised processes or greatly simplifies access to the law in mass claims through digitisation.

However, the real legal tension between legal tech and the law governing the legal profession is arising from the increasing use of "legal tech 3.0" tools, as these tools are using artificial intelligence (AI) to process even highly complex legal problems.

1. Legal-tech litigation in Austria

A current example of the tension between law and technology is the Austrian legal tech company incaseof.law, which provides lawyers with suggested solutions for legal enquiries.

The legal dispute in Austria against incaseof.law illustrates the legal issues arising between legal tech and the requirements of the law governing the legal profession. The Austrian Bar Association had filed a lawsuit against incaseof.law GmbH. The central question was whether advice for lawyers generated by AI systems was permissible. The court fundamentally affirmed this, emphasising that lawyers are also allowed to obtain advice from external sources, regardless of whether such advice comes from humans or machines. However, the final decision on how these suggestions are to be used to enforce the client's interests must be taken anew by the lawyer on a case-by-case basis.

This court decision in Austria may have significant consequences for the relationship between lawyers and legal tech 3.0. It illustrates the need to bring the legal framework for the use of AI in the legal sector into line with the law governing the legal profession.

2. Admissibility of legal tech 3.0 under German law

What is the situation as regards the legal admissibility of legal tech 3.0 tools in Germany and the tension between such tools and the law governing the legal profession? The decisive question here is whether the services provided by these programmes can be classified as legal services within the meaning of Section 2(1) of the German Legal Services Act (Rechtsdienstleistungsgesetz, “RDG”). This is the case if the service is provided in specific third-party matters and requires a legal examination of the individual case. Here, the decisive issue is whether and to what extent automated legal services or answers generated by AI can be subsumed under this.

As far as automated legal services are concerned, the Federal Court of Justice (FCJ) (Bundesgerichtshof, “BGH”) first ruled in the Smartlaw case in 2021 that this specific business model does not constitute a legal service. This type of platform uses predefined text modules and does not carry out a specific examination of the individual case. It merely responds to abstract cases and cannot deal with complex factors deviating from the norm.

This might not be the case for legal tech 3.0 tools. Programmes like ChatGPT, which are based on artificial intelligence, have the ability to react to individual deviations from established sets of rules. They analyse a volume of data in real time and are thus fundamentally able to respond to specific third-party matters. In its ruling on Smartlaw, the FCJ stated that machines are capable of performing activities, whereby the content of the service rendered is decisive, irrespective of whether it is rendered by a human or a machine.

Users' expectations also play a significant role in classifying the services of legal tech tools. ChatGPT, for example, explicitly points out that the answers it generates do not constitute legal advice. Nevertheless, the content of the generated answers and thus also the advice given can be influenced or manipulated by the type of questions asked, so-called "prompting".

The FCJ’s previous case law on legal tech business models cannot be directly applied to ChatGPT, as it independently generates results from extensive amounts of data and thus lacks a standard of comparison.

The threshold for introducing AI-based legal services will be crossed when specific legal tech tools capable of dealing with concrete legal issues come onto the market. Given the current pace of progress in this field, this can be expected in the near future.

3. Conclusion and outlook

The admissibility of legal advice by means of artificial intelligence is still an essentially unresolved issue. In view of current trends and developments, however, case law will have to answer this question sooner rather than later. It is already evident from the German Legal Services Act that the regulation of legal tech and artificial intelligence is proving to be difficult.

The FCJ’s previous decisions on legal tech business models show a fundamentally positive and forward-looking attitude of case law. However, in view of the advancing technical developments and the parallel ongoing regulatory debate on the AI Act at the European level, it remains to be seen how the legal framework and thus the case law on this topic will develop.

Michael Lamberty

5. FCJ refers questions to ECJ on GDPR: immaterial damage in case of mere negative feelings?

In its decision of 26 September 2023 (docket No. VI ZR 97/22), the Federal Court of Justice (FCJ) (Bundesgerichtshof, “BGH”) referred several questions to the European Court of Justice (ECJ) for a preliminary ruling on the right to injunctive relief under EU law and on the interpretation of the concept of immaterial damage under the GDPR.

Factual situation

The referred questions are based on proceedings in which the plaintiff claims injunctive relief and compensation from the defendant for immaterial damage due to the disclosure of personal data. The plaintiff had applied to the defendant, a private bank, via an online portal. In the course of this application procedure, an employee of the defendant had sent a message intended for the plaintiff via the defendant’s messenger service not only to him, but also to a third person who was not involved in the application procedure. This person and the plaintiff knew each other, as they had both worked at the same holding company some time ago. Amongst other things, the message stated that the defendant could not meet the plaintiff's salary expectations.

The plaintiff claims that his - immaterial - damage does not lie in the abstract loss of control over the disclosed data, but in the fact that, as a result of the disclosure to the third party, at least one other person who knows the plaintiff as well as potential and former employers have knowledge of circumstances that are subject to discretion. He feared that the third party, who worked in the same sector, had passed on the data contained in the message or, as a competitor for possible positions, could have gained an advantage in the application process. In addition, he felt humiliated by his "defeat" in the salary negotiations and would not have passed on this information to third parties - especially not to potential competitors.

The Regional Court partially upheld the action, ordered the defendant to cease and desist in accordance with the plaintiff’s motion and affirmed a claim to immaterial damages, albeit not in the amount asserted. However, the Court of Appeals amended the first instance judgement with regard to the claim to immaterial damages and dismissed the action insofar. The plaintiff has lodged an appeal on points of law against this decision with the FCJ.

Referred questions on the concept of immaterial damage

The FCJ has stayed the proceedings and referred several questions to the ECJ for a preliminary ruling. As regards the concept of immaterial damage, the FCJ wishes clarification as to whether

  1. Article 82(1) is to be interpreted as meaning that mere negative feelings such as anger, displeasure, dissatisfaction, worry and fear, which per se are general risks of life and are often part of everyday experience, are sufficient to presume immaterial damage within the meaning of such provision, or whether a disadvantage to the natural person affected that goes beyond such feelings is required in order to presume damage,
  2. Article 82(1) GDPR is to be interpreted to the effect that, when assessing the amount of immaterial damage to be compensated, the degree of fault of the controller or processor or its employees constitutes a relevant criterion, and
  3. Article 82(1) is to be interpreted to the effect that, when assessing the amount of immaterial damage to be compensated, the fact that the person concerned is entitled to injunctive relief in addition to the damage claim can be taken into account with the effect of reducing the claim (subject to the condition that one of the questions referred for a preliminary ruling on injunctive relief under EU law is answered in the affirmative). 

Legal classification

In its landmark judgment of 4 May 2023 (docket No. C-300/21), the ECJ had already extensively dealt with the requirements of Article 82(1) GDPR and ruled that, for a damage claim to exist under this provision, a breach of the GDPR alone did not suffice - although it remains unclear whether breaches beyond the unlawfulness of the processing are included -, but the data subject also had to claim damage actually incurred as a result of such breach.

However, the ECJ explicitly stated that the damage incurred did not have to reach a certain degree of materiality. Unlike the Advocate General in his Opinion, the ECJ thus clearly rejected national thresholds - such as the triviality threshold adopted by the courts in Germany.

Even after this decision, it was and remains unclear which impairments constitute immaterial damage. With the question of whether mere negative feelings such as anger, displeasure, dissatisfaction, worry and fear are sufficient or whether a disadvantage to the person affected that goes beyond these feelings is required, the ECJ has now been given the opportunity to define the concept of immaterial damage more concretely and thus create more clarity and legal certainty. This is also welcome against the background of the rejection of a triviality threshold and the associated, perceptibly increasing incentive to claim damages in connection with violations of the GDPR.

The concept of immaterial damage will become increasingly clear over the coming months as, in addition to the FCJ’s request for a preliminary ruling, there are currently a number of other referral proceedings pending before the ECJ that deal with damage claims under Article 82(1) GDPR.

We will inform you about the developments and answers of the ECJ in our next newsletters.

Tobias Kollakowski

Dr. Jürgen Hartung
Partner, Attorney
Konrad-Adenauer-Ufer 23
50668 Cologne
T +49 221 2091 643
M +49 172 6925 754

Dr. Angela Busche, LL.M. (CWSL)
Partner, Attorney
Am Sandtorkai 74
20457 Hamburg
T +49 40 808105 152
M +49 173 4135932

Tobias Kollakowski, LL.M. (Köln/Paris 1)
Junior Partner, Attorney, Legal Tech Officer
Konrad-Adenauer-Ufer 23
50668 Cologne
T +49 221 2091 423
M +49 173 8851 216

Christian Saßenbach, LL.M. (Norwich), CIPP/E
Associate, Attorney
Konrad-Adenauer-Ufer 23
50668 Cologne
T +49 221 2091 115
M +49 151 1765 2240

Patrick Schwarze
Junior Partner, Attorney
Konrad-Adenauer-Ufer 23
50668 Cologne
T +49 221 2091 406
M +49 1520 2642 548