On January 1, 2002, Germany's new law on e-commerce (Gesetz zum elektronischen Geschäftsverkehr – EGG) came into force. Germany has also amended its Civil Code, its law on electronic signatures, its Teleservices Data Protection Act and other laws, introducing provisions specifically focused on e-commerce transactions. With this new legislation, Germany has fully implemented the European Directive on E-commerce - 2000/31/EG (the "Directive") and has altered certain of the German legal foundations for conducting transactions and providing services through the Internet and other electronic means.
Country of Origin Principle
One of the cornerstones of the new e-commerce law is the "country-of-origin" principle, which provides that the online practices of any service provider located in a European Union member state will be governed by the laws of the country where its place of business is located. For any non-EU company, the rules of international private law (conflict of laws) will be used to determine the applicable law. Note, however, that if a non-German service provider maintains its website from outside Germany but has a German subsidiary, it is possible that the subsidiary would be held responsible for the content of a website that violates German law, even though the content complies with the laws of the country where the service provider has its place of business.
The country-of-origin principle does not prohibit the parties from choosing a different body of law to govern a contract concluded online, except in the context of a consumer transaction, where consumer protection legislation in the consumer’s home country may take precedence. For example, German consumer protection laws (now mostly incorporated in the German Civil Code) remain applicable to any transaction with German consumers, regardless of the place of business of the provider.
Information Obligations of Service Providers
Under the new e-commerce law, providers must make available to users detailed information about the identity of the service provider. This information includes, among other things, the service provider's address, e-mail contact details, the identity of the service provider's executive officers, and the service provider's company registration and VAT numbers. This information may be made available on a website and does not have to be specifically provided to each user. If the service provider is a non-German company with no subsidiary or branch in Germany, these information obligations do not apply. It is unclear whether maintaining a branch operation in Germany will subject a non-German company to the information obligations.
Commercial communications (e.g., advertisements or marketing materials) sent by electronic means must be clearly marked as such, and the vendor that has sponsored or authorized such communication must be named in the communication. The new law provides a monetary fine up to € 50,000 per incident for a breach of these obligations.
Consumer Contracts and E-commerce
Substantial revisions have been made to the commercial contracts sections of the German Civil Code, effective January 1, 2002, in order to bring the Code into compliance with the Directive. The following provisions now apply to all German transactions carried out over the Internet, and are mandatory (i.e., may not be altered by contract) for transactions with German consumers:
- The vendor must inform the customer of the technical steps that must be taken to complete an online contract. The vendor must also provide a customer engaged in an online transaction with adequate technical means to recognize and correct any improper entries before submitting an order.
- The vendor must inform the customer whether a copy of the completed contract will be stored by the service provider, and whether it will be accessible by the customer.
- If the customer has the option of selecting the language of the contract, the vendor must inform the customer of the language options available.
- The vendor must also notify the customer if any vendor policies (e.g., privacy policies) apply and, if so, provide on-line access to these policies. The terms and conditions applicable to the contract must also be made available in a way that allows the customer to store and reproduce them.
- Any order submitted by a customer must be confirmed immediately by the vendor using electronic means.
The changes described above are not intended to supersede other applicable laws and regulations. In particular, mandatory consumer protection laws, such as the Law on General Contract Terms and the Law on Distance Purchases (both incorporated within, and slightly changed by, the amended German Civil Code), remain applicable.
The Law on Distance Purchases, which covers online purchases as well as other purchases made other than in person, grants a customer important rights to withdraw from a contract or to return products. These rights of withdrawal or return must be exercised within two weeks from the date of the agreement or, in the case of a purchase of goods, within two weeks of delivery of the goods. However, if the vendor has not properly informed the customer of his right to withdraw, or if the customer has not expressly signed the document describing these withdrawal and return rights (in the case of e-commerce, by a qualified electronic signature in accordance with the Law on Electronic Signatures), then the two-week period to withdraw from the contract or to return the goods is extended to six months.
Liability and Responsibility for Information
Under the new e-commerce law, online service providers are responsible for their "own information" and "own content," i.e., information that they make available on the Internet. However, providers have no obligation to monitor and generally have no liability with respect to third-party information that they transmit or store on behalf of others. The new e-commerce law clarifies the providers' responsibilities with regard to information of third parties to which the providers enable access or provide hosting or caching services.
Access and network providers who act as a "mere conduit" of information are not liable for the content of that information unless the provider has initiated the transmission, has selected the receiver of the transmission, or has selected or modified the transmitted information. Similarly, a provider will not have liability for cached information unless the provider has modified the information or has not complied with applicable access and updating rules with respect to the information. However, a provider must act without undue delay, once it becomes aware of illegal information under its control, to remove or disable access to such information. Note that the provider does not have to have actual knowledge that the information is illegal - it only has to have actual knowledge that the information is on the site. A provider may therefore heighten its own obligations with respect to illegal information by monitoring the content of its hosted sites.
Data Protection Issues
The new e-commerce law also amends sections of the Teleservices Data Protection Act. The amended data protection law requires a service provider to inform the user at the beginning of any session about the extent of data collection and processing being conducted. In particular, the provider must inform the user if the data being gathered will be processed or used outside the European Union. If the user does not specifically consent to the collection, processing and use of data the service provider may not proceed with the collection. The consent can be provided by electronic means.
Companies engaged in e-commerce in Germany should consider whether they need to restructure or adjust their German Internet presence or practices in order to comply with the new e-commerce law. An audit by specialist lawyers of websites and practices to ensure compliance with the news laws is recommended.