report-consumer-rights-svrv
This document is part of the request “Gutachten des Sachverständigenrats für Verbraucherfragen”
The guiding principle of treating online and offline enterprises the same also runs like a red
thread through the Federal Ministry for Economic Affairs’ Green Paper on Digital Platforms.25
This might be acceptable if there were an easy answer to the following crucial question: Can
offline and online transactions be treated the same or is there a fundamental difference
between the two which not only justifies but requires that they be treated differently? All too
often the need for equal treatment is presupposed, cutting off all further discussion, not least
because it is borne by the central idea that the law is uniform, that it applies equally to all – a
maxim adopted by the French Revolution which quite rightly still has a formative influence.
The unexceptionalists are also referred to as “contractualists”. They seek to overcome the
challenges which technology poses by defining a contract as something which is concluded
consensually and autonomously between two people. The crucial maxims here are self-
responsibility and the freedom to contract, i.e. self-regulation rather than state regulation.
What applies to contract law in principle also ought to apply to all other relevant legal fields.
As a result, the focus is put on introducing sectoral rules for the Internet, telecommunications
and energy, an approach which the EU has been forcefully promoting for the last 30 years. In
the same way as the basic rules of contract law cannot be understood until rules applicable
to consumer goods purchases have been incorporated, focusing on the horizontal relevance
of anti-trust law or fair trading law obscures a multitude of special rules which are applicable
to regulated markets and/or consumers. After all, the power of the claim to general
application is specifically its rationality. Any deviation needs to be justified. It is
telecommunications law in particular which causes upheavals in the course of digitalisation,
because key digital services are excluded from the specific sectoral rules.26 The all-important
question is whether digitalisation means we need to adopt a new perspective which is
entirely oriented to the specifics of the digital world and which places the focus on the
changes made compared to the old world and old law. Put another way: What if what is
“special” becomes the “new normal” or if this special law continues expanding and leads to a
fragmentation of the law, which only leaves the new normal with having a catch-all
function?27
2. Disruption
Is disruption happening? Will it happen? How will it manifest itself – as evolution or
revolution? Those who proclaim that a rupture with the past is occurring argue that the
phenomenon of digitalisation can best be captured by means of the formula “from atoms to
bits”.28 Prior to digitalisation, the universe comprised only two levels or layers: a physical and
a social. The physical layer comprises atoms and all material things, houses, automobiles,
people and animals. The social layer comprises all those phenomena which the law
describes as immaterial, that is rights, enterprises and status-related rules. Digitalisation
adds a third layer. In the words of A. Murray: “Much as atoms can be used in the physical
world to construct everything from the human liver to an Airbus 380, bits are the basic
building blocks of the information society.”29
M. Hildebrandt speaks of a “new animism”30 which characterises the “onlife” world:31
25
In particular Schweitzer <https://www.bmwi.de/BMWi/Redaktion/PDF/G/gruenbuch-digitale-
plattformen,property=pdf,bereich=bmwi2012,sprache=de,rwb=true.pd> (last retrieved 24 Nov. 2016).
26
Chapter 4 (Challenges for Telecommunications Law) is convincing
<https://www.bmwi.de/BMWi/Redaktion/PDF/G/gruenbuch-digitale-
plattformen,property=pdf,bereich=bmwi2012,sprache=de,rwb=true.pdf> (last retrieved 24 Nov. 2016).
27
Luhmann and Teubner, following Luhmann, both repeatedly stress that the stratification of society,
as reflected in fragmented law, is irreversible. Teubner also makes it clear that new irritants keep
popping up, see “Legal Irritants: Good Faith in British Law or How Unifying Law Ends Up in New
Divergences” (1998), 61 Modern Law Review, 1998, p. 11.
28
Searle, The Construction of Social Reality, (Allen Lane, The Penguin Press, 1995).
29
Murray, Information Technology Law: The Law and Society, 2nd ed. (OUP, 2013), p. 5.
30
Hildebrandt, Smart Technologies and the End(s) of Law (Cheltenham: Edward Elgar, 2015) viii.
31
Hildebrandt (op. cit., fn. 30), p. 8.
“… our life world is increasingly populated with things that are trained to foresee
our behaviours and pre-empt our intent. These things are no longer stand-alone
devices; they are progressively becoming interconnected via the cloud, which
enables them to share their ‘experience’ of us to improve their functionality. We
are in fact surrounded by adaptive systems that display a new kind of mindless
agency. (...) The environment is thus becoming ever more animated. At the same
time we are learning slowly but steadily to foresee that we are being foreseen,
accepting that things know our moods, our purchasing habits, our mobility
patterns, our political and sexual preferences and our sweet spots. We are on the
verge of shifting from using technologies to interacting with them, negotiating
their defaults, pre-empting their intent while they do the same to us.”32
In this onlife (not online) world, the consumption of products is personalised, anticipatory and
automated. Of course, this new world of consumption will always need a contract or at least
a legal relationship which humans conclude/enter into via a service. From the moment a
human enters the digital world, though, smart technology takes over. In the onlife world the
boundaries between the offline and online worlds become blurred, the distinction between
consumer transactions which are negotiated by humans and those which are managed and
implemented by software agents even more so.
One can and must go very much further and ask whether, in the onlife world, consumer
protection regulations will be replaced by smart technologies. Instead of consumer protection
by law and legislation we will have consumer protection by technology and self-regulation or,
to put it more succinctly: regulation by technology. The perspective shifts again. The focus is
on technologies such as blockchain, Bitcoin and smart contracts, which have not yet become
established beyond the fringes of the business world (speed trading) and in particular have
not yet entered consumer law. Estimates as to what chances legislation has of being
replaced by technology vary greatly. G. Spindler’s assessment is cautiously sceptical,
because the law cannot be translated into the black and white logic on which software is
based.33 W. Blocher, by contrast, is quite euphoric when it comes to the prospects of
regulation by technology, not least in the sense of its inherent possibilities for (re)gaining
autonomy and for reversing legal relationships (from B2C to C2B).34
Those who get a sense that fundamental technological and social changes are close at hand
must, logically, be described as exceptionalists. They seek what is “new” and feel that the
world has changed, that the relationship between humans and technology has been entirely
redefined. They call for a Digital Code “to safeguard civil liberties in the age of Internet
capitalism”.35 Cyberbutlers,36 our constant companions who still sounded rather utopian back
in 2000, have long since become a reality. However, our contracts with service providers
often have decade-long terms. Our legal system is not set up to cope with these kinds of
temporal dimensions. You do not have to look to the future to draw this consequence. Most
of us have been using Google on a daily basis for years, the same goes for Facebook.
Google and Facebook have collated data about our lives, and these form the basis of their
business models. Digital services contracts, that is in so far as they are contracts in the
32
Hildebrandt (op. cit., fn. 30), at viii-ix.
33
Spindler, (op. cit., fn. 22), likewise Idelberger, Connected Contracts Reloaded – Blockchains as
Contractual Networks, talk given at the SECOLA Conference in Tartu in 2016, publication in
preparation.
34
Blocher “The next big thing: Blockchain – Bitcoin – Smart Contracts – Wie das disruptive Potential
der Distributed Ledger Technology (nicht nur) das Recht fordern wird” (2016), 8+9 Anwaltsblatt,
p. 612.
35
Graf von Westphalen (op.cit., fn. 9), p. 626, though very much focused on the risks which
digitalisation incurs for humans (especially making reference to Schirrmacher, Technologischer
Totalitarismus, Suhrkamp Verlag, 2014).
36
Ford, “Save the Robots: Cyber Profiling and Your So-Called Life” (2000), 52 Stanford Law Review,
p. 1572.
sense of a two-sided legal transaction, establish a continuing obligation which stands
alongside traditional types of contracts such as rental, credit and energy agreements.37
III. Possible consequences of the debate around continuity v. disruption
What are the consequences for the legislature of this tension between the old and new,
between continuity and disruption? Do we need legal regulations for contracts which
consumers conclude with their cyberbutler? Do we need more and more far-reaching
interference on the part of the legislature in order to control self-regulation or self-regulation
which is becoming increasingly independent ex ante? If so, then the advocates prove to be
regulators: Instead of freedom of contract and self-regulation they want the legislature to be
responsible for ex-ante scrutiny and supervision, perhaps coupled with the need for
competent governmental agencies to rectify self-regulation ex post where necessary.
Where does the European Commission stand on this issue and how far has the German
legislature got in terms of its planning and deliberations? The European Commission is
rushing ahead, saying there is a strong need to continue developing contract law. Its
Communication dated May 2015 is very telling:38
“Digital contracts for Europe – Unleashing the potential of e-commerce”
Further on:39
“4. ACTING BEFORE IT IS TOO LATE
“We need to act now on the digital dimension...
“The pace of commercial and technological change due to digitalisation is very
fast, not only in the EU, but worldwide. The EU needs to act now to ensure that
business standards and consumer rights will be set according to common EU
rules respecting a high level of consumer protection and providing for a modern
business friendly environment. It is of utmost necessity to create the framework
allowing the benefits of digitalisation to materialise, so that EU businesses can
become more competitive and consumers can have trust in high-level EU
consumer protection standards. By acting now, the EU will set the policy trend
and the standards according to which this important part of digitalisation will
happen.”
The Commission has gone further than merely making announcements: In December 2015 it
put forward two proposals, one on the regulation of digital content and one on online and
other distance sales of goods.40 Both Proposals aim at full harmonisation, and both are the
subject of intense legal policy and academic debate.41 That debate revolves around the
canon of questions which the Association of German Jurists already raised, namely meeting
37
Nogler/Reifner (eds), Life Time Contracts, <http://www.eusoco.eu/wp-
content/uploads/2013/10/eusoco_book_outline.pdf> (last retrieved 24 Nov. 2016).
38
European Commission, Communication from the Commission to the European Parliament, the
Council and the European Economic and Social Committee – Digital contracts for Europe –
Unleashing the potential of e-commerce, COM(2015) 633 final, Brussels, 9.12.2015.
39
COM(2015) 633 final (op. cit., fn. 38).
40
European Commission, Proposal for a Directive of the European Parliament and of the Council on
certain aspects concerning contracts for the supply of digital content, COM(2015) 634 final, Brussels,
9.12.2015; and European Commission, Proposal for a Directive of the European Parliament and of the
Council on certain aspects concerning contracts for the online and other distance sales of goods,
COM(2015) 635 final, Brussels, 9.12.2015.
41
EuCML has addressed this subject matter in a number of publications. Three books deserve special
mention: Wendehorst/Zöching, Ein neues Vertragsrecht für den digitalen Binnenmarkt,
Wendehorst/Zöching (eds) (Manz Verlag, 2016); Franceschi, European Contract Law and the Digital
Single Market, The Implications of the Digital Revolution, (Intersentia Verlag, 2016); and
Schulze/Staudenmayer, Digital Revolution: Challenges for Contract Law in Practice, (Nomos Verlag,
2016).
the digital challenges by means of contract law. What is behind this strong rhetoric? Is the
EU calling for a new legal order?
R. Brownsword42 looked at both Proposals with a view to the difference between
unexceptionalists and exceptionalists and came to the conclusion that the European
Commission has to be classed as an unexceptionalist. What is more relevant from a
consumer policy perspective is that the Commission is attempting, with the help of these two
Proposals, to roll back the previously guaranteed level of consumer protection in regard to
online purchase contracts in favour of trade and commerce. More specifically, there is a
certain degree of tension between the Consumer Goods Directive 1999/44/EC on the one
hand and the Consumer Rights Directive 2011/83/EU, which regulates direct and distance
sales, on the other. The two Proposals interleave the two Directives. Yet again, the much-
criticised objective of full harmonisation leads to less protection, this time, though, less
protection as already guaranteed in EU directives. In other words, online trade serves to
harmonise consumer law for the online and offline worlds, to the consumer’s detriment. The
new technology and the proclaimed need to expand online trade serve to legitimise the
Commission’s approach.
The Federal Government’s 2016 Consumer Policy Report43 does not address the
fundamental question, namely regulation of the “onlife” world. However, the report does state
the following, much in the same vein as the European Commission:
“Digitalisation doubtless does also have its economic advantages, but it poses
new challenges when it comes to consumer protection. It is the job of policy-
makers to put in place the regulatory framework for binding and effective
consumer protection standards in the digital world. Strengthening self-
determination, guaranteeing freedom of choice and transparency, comprehensive
and comprehensible consumer information, and security in the Internet are
decisive. That is the key to more consumer confidence, which is necessary if new
business models and digital innovations are to succeed. Consumer data
protection is of particular relevance in this regard.”
The report addresses neither of the two Commission Proposals. The measures announced
by the Federal Government make no reference whatsoever to the fundamental problem, nor
to the question of whether digital legal relations require specific rules, to name just this
example from the context of possible regulatory approaches. The Federal Government
restricts itself to the correction of details, as do the vast majority of legal scholars.
The approach adopted by the Federal Ministry for Economic Affairs and Energy in its Green
Paper on Digital Platforms appears to be much more fundamental, because it
is more open in the matter itself.44 That may well be down to the nature of a green paper,
which seeks to ask questions rather than to provide answers. These are expected to be
delivered in the upcoming White Book in the spring of 2017. We will have to wait and see
whether they will be exceptionalist or unexceptionalist answers. Questions around the
Guidelines on Data Sovereignty – Input for the Creation of Private Digital Autonomy and the
call for a digital agency are particularly relevant from the point of view of consumer
protection:45
“A digital agency in the guise of a high-performing and internationally
interconnected federal-level centre of expertise could have these remits. It could
support other specialist authorities (such as the Federal Cartel Office and
42
Brownsword, The E-Commerce Directive, Consumer Transactions, and the Digital Single Market:
Questions of Regulatory Fitness, Regulatory Disconnection and Rule Redirection, talk given on 18
June 2016 at the SECOLA Conference in Tartu, Estonia, http://www.secola.org/.
43
Bundestag Printed Paper 18/9495, 25 Aug. 2016, p. 10.
44
As at May 2016; a white book containing concrete proposals is set to be published in spring 2017,
p. 64.
45
Faust (op. cit., fn. 7) p. 66.
consumer protection offices) in the digitalisation process and also identify and
eliminate obstacles to implementing policy strategies. Like the Federal
Environment Office and the Federal Office for Migration and Refugees, a new
digital agency can help to meet one of the key social challenges we face.”
The impetus for the latter came in the autumn of 2015 from the Federal Ministry for
Economic Affairs and Energy/Federal Ministry of Justice and Consumer Protection’s
Programme of Measures for More Security, Sovereignty and Self-determination in the Digital
Economy – Challenges and Action for Society, Business and Consumers.46 Depending on
their interpretation and orientation, data sovereignty, digital autonomy and the digital agency
could become milestones in the development of digital consumer law.
Part III Legal relationships in regard to digital services
The micro perspective seeks to address the well-known and mounting problems as regards
consumer law, including consumer data protection law. The focus is increasingly being
placed on four topics which are oriented to social issues and not to a system of classification
of whatever shape or form which is predetermined by the legal system. This list of topics is,
however, not necessarily to be regarded as exhaustive. The Internet of Things is becoming
the ostensible phenomenon in which consumer law and data protection law are increasingly
becoming intertwined. “A new dimension has been added to the world of information and
communication technologies: from anytime, anyplace connectivity for anyone, we will now
have connectivity for anything.”47 According to a report published by the UK Government,48
more than 14 billion devices worldwide were already connected to the Internet in 2014.
This deterritorialised connectivity of things which is also devoid of any temporal context gives
rise to numerous problems. For example, ethical issues raise the fundamental question of
how we as humans should act and behave.49 The Internet of Things is of relevance to ethical
issues on account of the changes made to key terms because of how technology connects
the world of things with our everyday lives. The fact that things can communicate with each
other entails a considerable loss of control on the part of humans. This raises questions
around social justice, trust, the blurring of contexts and the lack of consumers’ and citizens’
neutrality and autonomy.
Part III of this report addresses the legal questions which arise from this deterritorialised
connectivity. They concern the conclusion of contracts, contracting parties, problems around
the legal classification of the actions of platforms, liability for defects, IT security, data
protection and problems regarding the enforcement of rights in deterritorialised contexts. The
following issues will be discussed against this backdrop:
• Issues around the conclusion of a contract and liability,
• The role and function of platforms,
• Data protection and IT security and
• The deterritorialisation of consumption. (Consumers often do not know where an
enterprise is domiciled; if it is domiciled abroad, a complicated set of legal building
46
Federal Ministry for Economic Affairs and Energy/Federal Ministry of Justice and Consumer
Protection, (op. cit., fn. 3).
47
<http://www.itu.int/osg/spu/publications/internetofthings/InternetofThings_summary.pdf> (last
retrieved 17 Nov. 2016).
48
<https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/409774/14-1230-
internet-of-things-review.pdf> (last retrieved 17 Nov. 2016).
49
This paragraph is based on Haarkötter, “Eine neue Ethik für das Internet der Dinge?”:
https://www.bpb.de/dialog/netzdebatte/198471/eine-neue-ethik-fuer-das-internet-der-dinge (last
retrieved 18 Nov. 2016).
blocks is available which has a great deal to offer legal scholars but is of very little
benefit to consumers.)
Part III concludes with a discussion of viable solutions. So far, enterprises have in practice
dictated the matter by way of their terms and conditions, advertising and regulation by
design. The field has now recently also come to the attention of jurists. The result is an
overwhelming array of suggestions for solving certain legal issues, or not as the case may
be. Only the EU has so far reacted to this development by making any legislative proposals
in the form of the General Data Protection Regulation and its 2015 Proposal on digital
content in consumer contracts. The Association of German Jurists has looked into the
matter. However, it has not really been in any position to make any suggestions for solving
what are as yet unanswered questions.
I. Conclusion of contract
This section addresses the civil-law problems which arise in connection with Internet of
Things devices. In particular, they include the packaging of services, the obligations on digital
service providers offering “as is” services50 regulated by means of terms and conditions, and
the special problem of the classification, under civil law, of declarations of intent when
automated systems are used in the Internet of Things.
1. Information and packaging
Hardware and software
Today, when consumers purchase technical devices the software is generally pre-installed.
The practice of packaging services is not ruled out per se under fair trading law; the incentive
effect of a good offer is always a desirable consequence of performance-based
competition.51 The European Court of Justice (ECJ) recently ruled that pre-installed software
on a computer was not an unfair commercial practice. The case revolved around the
question of whether the lack of price information regarding individual programs represents a
misleading commercial practice within the meaning of Article 5(4)(a) and Article 7 of the
Unfair Commercial Practices Directive 2005/29/EC. The ECJ came to the conclusion that the
mere lack of price information did not result in any misleading of consumers, since the lack of
information regarding individual programs was neither suited to preventing consumers from
making an informed transaction decision, nor to causing them to take a transaction decision
which they would otherwise not have taken. The price of individual programs did not,
therefore, represent material information within the meaning of Article 7(4) of Directive
2005/29/EC and the omission of that information was not misleading.52 This interpretation is
contestable because it misconstrues the role and function of Article 7(4), which not least
demands transparency ahead of the conclusion of a contract in order to permit competition.
Accordingly, an informed decision is one which not only serves the consumer but also
potential competition between the suppliers of the individual price components.
Services and data
Another much-debated issue which needs to be addressed in the context of digital services,
whether they are provided by commodity dealers, app stores or other platforms, is that of
“data as payment”. This problem is, firstly, discussed in the context of the debate on
consumer sovereignty and in the debate on data protection v. data sovereignty; secondly,
50
Consumers have no influence on the service provided. The supplier can adapt the service at any
time.
51
Ohly, “Das neue UWG – Mehr Freiheit für den Wettbewerb?”, (2004), Gewerblicher Rechtsschutz
und Urheberrecht, Vol. 11, p. 889–900, p. 897, with further references.
52
Case C-310/15, Vincent Deroo-Blanquart v. Sony Europe Limited, successor in law to Sony France
SA, EU:C:2016:633.
legal problems arise when characterising contracts and their termination. The focus in the
following will be on consumer law issues.53
Many contracts for digital services turn out to be “free of charge”, either in the case of the
purchase of free apps or the free use of platforms. At the same time most business models
are built around consumer data being used to optimise digital services. This begs the
question of whether consumers are not in fact “paying” for the use of the app or platform and
what consequences that has for consumer protection law.
Section 312 (1) of the German Civil Code provides that sections 312 to 312h of the Code are
only applicable to non-gratuitous contracts, as a result of which “data as payment” would
lead to the applicability of a variety of other consumer protection provisions. However, this
provision is likely not compatible with Community law.54 Non-gratuitousness may also have
consequences for the liability standard applied (see, e.g., sections 521 and 599 of the
German Civil Code).55 However, the reductions in liability in the German Civil Code appear
not to fit, at least not to a contract of use concluded between a platform operator and a
consumer. A relationship between a supplier and consumer will generally lead to a typical
“contract under the German Civil Code”.
2. Information: consent and terms and conditions
Before concluding a contract consumers are inundated with information. The problems which
they face in working through and understanding all this information have become a
commonplace in discussions around information overload.56
Using terms and conditions serves to standardise and structure information. The aim is to
make it easier to access the economic system of mass production and mass sales in the
distance selling system. The monitoring of contract terms is based on the understanding that
on account of their being structurally unequal consumers have no means of influencing the
content of those terms.57 Nevertheless, the limits to monitoring terms and conditions when it
comes to providing effective consumer protection are now well-known. The European
Commission recently published a study on problems consumers have with terms and
conditions which confirms that the majority of consumers neither read the terms and
conditions nor find out about their rights in any other way.58
3. Information and the subject matter of the legal relationship
Many digital services are provided in the context of enduring legal relationships. This in
particular raises the question of whether and to what extent manufacturers are obliged to
make updates available for the software they produce beyond the end of the contract term,
and whether and to what extent consumers are obliged to install those updates. The 2016
Conference of the Association of German Jurists concluded that the manufacturer was to be
under no obligation to provide updates, because it is to be left to consumers to decide
whether they actually want the update.
53
The Advisory Council will be looking into data sovereignty in the course of 2017.
54
Faust, Digitale Wirtschaft – Analoges Recht: Braucht das BGB ein Update?, (report submitted to the
71st Conference of the Association of German Jurists in 2016), p. A12.
55
Faust, (op. cit., fn. 54), p. A13.
56
The debate began in sociology and psychology (see Simmel, Die Großstädte und das Geistesleben,
(1903) and Miller, “The magic number seven, plus or minus two: some limits on our capacity for
processing information”, (1956), Psychological Review, p. 81–97) but has now also been taken up in
the economic/legal literature, see, e.g., Paredes, “Blinded by the Light: Information Overload and Its
Consequences for Securities Regulation”, (2003), Washington University Law Quarterly, Vol. 81,
p. 417.
57
See Raiser, Das Recht der Allgemeinen Geschäftsbedingungen, (Hermann Gentner Verlag, 1961)
for a fundamental approach to this issue.
58
Elshout et al., Study on Consumers’ Attitudes towards Terms and Conditions (T&Cs), Final report,
European Commission, Directorate-General for Justice and Consumers, 21 March 2016, Brussels.
However, at least one important exception should be made to this basic principle, and that
concerns IT security. This is due to the great vulnerability of digital services to hacking and
malware, above all on account of the low level of security mechanisms which manufacturers
provide, usually based on a standard set of default passwords. Personalised passwords for
Internet of Things devices such as refrigerators, washing machines, television sets etc. are
not yet very widespread or common. The vulnerability of the Internet of Things network as a
whole was recently made clear during the Distributed Denial-of-Service (DDoS) attack on 21
October 2016, when home routers and Internet of Things devices were infected with malware
and websites such as Twitter, PayPal and Airbnb were then taken down by fake traffic. This
was possible because the malware created a botnet comprising the millions of infected
computers which were used to launch targeted attacks on one of the main servers used by
many websites.59
System and program updates could provide potential protective mechanisms against such
malware. The option of introducing a manufacturer’s obligation raises the question of
whether guaranteeing IT security is a “cardinal obligation” under the obligation pursuant to
section 241 (2) of the German Civil Code. What is clear is that the statutory obligation to
provide IT security, including software maintenance and upgrades or updates, generally
represents an obligation to protect pursuant to section 241 of the German Civil Code.60
Software maintenance comprises all those services which keep the purchased software fully
functional or restore its functionality.61
However, the technical changes to which software is subject cannot automatically give rise to
a permanent maintenance agreement.62 Section 19 of the Act against Restraints of
Competition (Gesetz gegen Wettbewerbsbeschränkungen, GWB) at most results in a
statutory obligation when the software supplier has a dominant position on the market.
Whether section 242 of the German Civil Code leads to an obligation to provide updates is
controversial. On the one hand it could result analogously in the obligation to supply spare
parts for at least five years.63 In that case it is still relevant whether the maintenance services
are only a subsidiary obligation (only claims for damages) or a separate contractual
obligation (right of fulfilment).64 According to H.-W. Moritz,65 where software maintenance is a
free service, it must generally be regarded as merely a subsidiary obligation. However, as
soon as customers have to pay a fee, it will have to be regarded as a primary obligation.
Irrespective of the criterion of whether a fee has been paid, it will likely have to be regarded
as a primary obligation if the maintenance agreement has been explicitly set out in the
software licence agreement.
On the other hand, one must ask whether consumers are obliged to protect themselves
against malware attacks by acquiring and installing important system and program updates.
Spindler affirms such an obligation at least for automatic or semi-automatic system and
program updates which can be installed via an update service embedded in the system, as
such installation is economically reasonable.66
59 Regarding the general risks, see Spindler, Verantwortlichkeiten von IT-Herstellern, Nutzern und Intermediären, (study commissioned by the Federal Office for Information Security) p. 30 et seqq.
60 Schmidl, Corporate Compliance Handbuch der Haftungsvermeidung in Unternehmen, Hauschka/Moosmayer/Lösler (eds), (3rd ed., 2016, C.H. Beck Verlag), margin no. 129 in section 28 on the law of IT security.
61 Moritz, Computerrechtshandbuch Informationstechnologie in der Rechts- und Wirtschaftspraxis, Kilian/Heussen (eds), (32nd supplement, 2013, C.H. Beck Verlag), margin no. 190 et seqq. regarding claims for defects in the case of hardware and software contracts.
62 See Moritz, (op. cit., fn. 61), margin no. 199 et seq. regarding claims for defects in the case of hardware and software contracts.
63 Hoeren, Vertragsrecht und AGB-Klauselwerke, Graf von Westphalen/Thüsing (eds), (38th supplement, 2016, C.H. Beck Verlag), margin no. 77 regarding IT contracts.
64 Schmidl, BGB-Schuldrecht Kommentar, Dauner-Lieb/Langen (eds), 3rd ed., 2016, Nomos Verlag, margin no. 137 regarding the German Civil Code, Annex IV re sections 535 to 580a: The Law of Software Contracts.
65 Moritz, (op. cit., fn. 61), margin nos 196 to 197 regarding claims for defects in the case of hardware and software contracts.
The interplay between a manufacturer’s and a consumer’s obligations when it comes to the
safety of the IT network and the devices which are produced and used complements public-
law regulation in the field of product safety and civil-law product liability.
4. The special issue of the Internet of Things: use of e-people
One issue which needs to be clarified when it comes to the conclusion of contracts in the
Internet of Things is whether the rules set out in the German Civil Code are sufficient to
cover declarations of intent made by automated or autonomous systems or liability issues in
the case of defaults and damage. Can a washing machine make a declaration of intent to
purchase washing detergent by means of an order process which is triggered automatically?
Can a refrigerator be held liable for automated but incorrect purchases? Can a self-driving
car be held liable in the case of an accident?
Conclusion of contract: declarations of intent
A basic distinction needs to be drawn in the Internet of Things between two different
systems: automated systems in which users themselves determine the outcome by setting
parameters and autonomous systems which control the extent of their own behaviour and
can act without any input from the user.67 Taking the example of an Internet-connected
washing machine in a smart home that would mean that if the washing machine
independently orders washing detergent once the fill level drops below a certain point which
has been predetermined by the user (brand, size of package and online shop), it represents
an automated system. If, by contrast, the washing machine can order the washing detergent
independently, without any such input from the user, then it is acting autonomously.
The rules in the German Civil Code ought, for the time being, to be sufficient to cover the
specifics as regards the conclusion of contract. The example of the automated ordering of
washing detergent “by the washing machine” is, in principle, the converse of a contract
concluded for vending machines.68 The washing machine’s user makes an anticipated offer
within the meaning of sections 133 and 157 of the German Civil Code under the condition of
the proper functioning and availability of the specific washing detergent from the specific
dealer and, possibly, at a specific price (section 158 (1) of the German Civil Code). The
online shop then accepts the offer at the latest when it sends the goods to the customer
(sections 133 and 157 of the German Civil Code).
Liability in tort
When it comes to contractual liability, it is the type of underlying contract with the respective
contracting partner (see below regarding the problem of platforms) which is decisive. When it
comes to the liability of the producer, it is in particular the rules of section 823 of the German
Civil Code which are relevant. According to those provisions, the manufacturer must ensure,
within the bounds of what is technically feasible and economically reasonable, that the
absolute rights of the users of the product are not violated (on account of the trader creating
a source of risk by placing a faulty product on the market) or that a third party’s absolute
rights are not violated.69 This category includes design faults, manufacturing defects (including
IT security gaps),70 instruction errors and product monitoring defects.71
66 Spindler, Verantwortlichkeiten von IT-Herstellern, Nutzern und Intermediären (op. cit., fn. 59) p. 124 et seq.
67 Sosnitza, “Das Internet der Dinge – Herausforderung oder gewohntes Terrain für das Zivilrecht?”, (2016), Computer und Recht, Vol. 11, p. 764–772, p. 765.
68 Sosnitza, (op. cit., fn. 67) p. 766.
A design fault arises when the technical concept is incorrect, for example the software in a
smart device is programmed in such a way that it does not prevent the avoidable violation of
absolute rights.72 Manufacturing defects, including IT security gaps,73 arise through faulty
manufacturing. In the case of instruction defects the manufacturer is also liable for damage
which arises on account of the fact that, contrary to its obligation, the manufacturer did not
draw the user’s attention to the risks which may arise during use despite fault-free
manufacturing of the product. IT security gaps, too, are design faults. In order to meet the
product monitoring obligation, a manufacturer must collect all the product-related information
which reveals a product’s risk features. If this information permits conclusions to be drawn
regarding the danger inherent in the product, then the manufacturer is also under the active
obligation to take measures to minimise the risk.74
The applicability of section 823 et seqq. of the German Civil Code is problematical in regard
to autonomous systems if the manufacturer is not at fault. Only in the case of lack of due
diligence would the manufacturer be liable in any way. According to Bräutigam and Klindt, in
such cases parallels might possibly be drawn to strict liability under section 933 of the
German Civil Code (animal owner’s liability).75 It is doubtful, though, whether machine
learning leads to comparable unpredictability. The unpredictability of a system’s decisions
would be the decisive condition for the person who set up the system to be held liable. The
crucial issue here is to what extent autonomous systems are able to take unpredictable
decisions based on their underlying algorithms or whether they are always able to choose
the “best” option from among a number of foreseen scenarios and data sets in the context of
a new, previously unforeseen scenario. The key thing is how the underlying algorithm is
constructed. Account must be taken of the fact that the design of a machine-learning system
is based on generalisation beyond those data sets which have been input into the system;
that is, such systems build a model out of the sample inputs.76 That means that the legal interpretation
of “unpredictability” will cause problems, since an algorithm is set up in such a way that it can
react to unforeseen events, but this response is dependent on the data and “decision-making
paths” previously input by the programmer.
II. The role of online platforms
Legal relationships in the context of the Internet of Things are complex, and not just on
account of the IT systems which are involved. The various possible constellations of
69 Hamm Higher Regional Court, judgment of 21 Dec. 2010 (file no. 21 U 14/08); Federal Court of Justice, judgment of 31 Oct. 2006 (file no. VI ZR 223/05) (Karlsruhe Higher Regional Court).
70 Spindler, beck-online. GROSSKOMMENTAR, Gsell/Krüger/Lorenz/Mayer (eds), Spickhoff (ed.), as at 1 April 2016, C.H. Beck Verlag, margin no. 645 re section 823 of the German Civil Code.
71 Staudinger, Bürgerliches Gesetzbuch Handkommentar, Schulze (ed.), 9th ed., 2017, Nomos Verlag, margin no. 172 re section 823 of the German Civil Code.
72 Liability pursuant to section 823 et seqq. of the German Civil Code also covers software, because in the context of section 823 et seqq. of the German Civil Code the characterisation of software as a thing, and thus the dispute over it, is not relevant, see Spindler, “IT-Sicherheit und Produkthaftung – Sicherheitslücken, Pflichten der Hersteller und der Softwarenutzer”, (2004), Neue Juristische Wochenschrift, Vol. 44, p. 3145–3208, p. 3145.
73 Conrad, Handbuch IT- und Datenschutzrecht, Auer-Reisdorff/Conrad (eds), (2nd ed., 2016, C.H. Beck Verlag), margin no. 382 re section 33, Compliance, IT Security, Correctness of Data Processing.
74 Nietsch, Verbraucherrecht, Tamm/Tonner (eds), (2nd ed., 2016, Nomos Verlag), margin no. 68 re section 823 (1) of the German Civil Code.
75 Bräutigam/Klindt, “Industrie 4.0, das Internet der Dinge und das Recht”, (2016), Neue Juristische Wochenschrift, Vol. 16, p. 1137–1142, p. 1139.
76 Domingos, “A Few Useful Things to Know about Machine Learning”, University of Washington, <https://homes.cs.washington.edu/~pedrod/papers/cacm12.pdf> (last retrieved 28 Nov. 2016).