As of today, German law does not provide a definition for “artificial intelligence” (AI). However, being a member of the European Union, the main definition that may be relied upon could be taken from the EU AI Act which was adopted by the European Parliament on March 13, 2024: An “AI system” means “a machine-based system designed to operate with varying levels of autonomy, that may exhibit adaptiveness after deployment and that, for explicit or implicit objectives, infers, from the input it receives, how to generate outputs such as predictions, content, recommendations, or decisions that can influence physical or virtual environments.” This definition is based on the OECD definition of an AI system published in the Recommendation of the Council on Artificial Intelligence. While the EU Commission’s initial proposal focused on listed technologies, the  definition developed by the EP is technology neutral and relies on functional qualities. According to the AI Act, AI systems are designed to operate with varying levels of “autonomy”, meaning that they have some degree of independence of action from human involvement and the ability to operate without human intervention. As explained in recital 12 of the AI Act, a key characteristic of AI systems is their capability to infer, which transcends basic data processing and enables learning, reasoning or modelling.

This definition provides flexibility in order to take into account rapid developments. However, the breadth of this definition may lead to room for interpretation on a case-by-case basis.

As of today, the German Federal Office for Information Security (Bundesamt für Sicherheit in der Informationstechnik – “BSI”) refers to the definition developed by the EU Commission’s High-Level Expert Group on AI (HLEG) describing AI systems as “software and hardware systems that use artificial intelligence to act “rationally” in the physical or digital world. Based on perception and analysis of their environment, they act with a certain degree of autonomy to achieve certain goals”.

The German AI strategy draws on the concepts of a “weak” and “strong” AI, whereby there is a clear focus on weak AI, i.e. “solving specific application problems based on methods from mathematics and computer science, whereby the developed systems are capable of self-optimization. To this end, aspects of human intelligence are also modelled and formally described, or systems are constructed to simulate and support human thinking”.

Key topics of the national strategy are:

– supporting research and development in Germany (“AI made in Germany”),

– creating EU innovation clusters and participating in EU innovation competition (“AI made in Europe”),

• Knowledge transfer to the economy, strengthening SMEs (e.g. by implementing a targeted funding programme for AI-based start-ups)
• Shaping change at the workplace: Strengthening training opportunities and attracting qualified professionals
• Adapting administrative competences and using AI in governmental administration
• Facilitating use and processing of data, making data available
• Adapting legal framework
• Setting standards
• National and international networking
• Engaging in dialogue with society.

Furthermore, several federal states have implemented specific AI strategies (Bayern, Niedersachsen, Rheinland-Pfalz, Sachsen, Schleswig-Holstein) or included AI oriented intentions and measures in their general innovation strategy or digital strategy.

In 2023, the Federal Ministry of Education and Research published an “Action Plan Artificial Intelligence” in order to “translate Germany’s excellent foundations in the areas of research and skills into visible and measurable economic success and tangible benefits for society” and in order to “most effectively interlink AI with [Germany’s] existing assets.”

European approaches

As a member of the European Union, Germany is subject to the EU Artificial Intelligence Act, which will be binding in its entirety and directly applicable in all Member States. The AI Act provides clear requirements and obligations regarding specific uses of AI for i.a.

• providers (Art. 3 Nr. 3 AI Act) placing on the market or putting into service AI systems or general-purpose AI models in the EU, irrespective of whether those providers are established or located within the EU or in a third country, and
• deployers (Art. 3 Nr. 4 AI Act) of AI systems that have their place of establishment or are located within the EU, or in a third country when the output produced by the AI system is used in the EU, and
• importers and distributors of AI systems.

The AI Act follows a risk-based approach, meaning that the scope of regulation depends on the intensity of the risks posed by the respective AI system: Whereas some artificial intelligence practices (e.g. social scoring) are entirely prohibited due to their unacceptable risk (Art. 5 AI Act) and strict technical and organizational requirements apply to high-risk AI systems (Art. 6 et seq. AI Act), other AI systems with lower risk are only subject to certain transparency and information obligations. In addition, there are specific rules for general-purpose AI models (Art. 51 et seq. AI Regulation) including those generating synthetic audio, image, video or text content. Further obligations may apply for providers of general-purpose AI models with systemic risk (Art. 55 et seq. AI Act) once the EU AI Office will have developed codes of practice together with providers of general-purpose AI models as well as national authorities and other relevant stakeholders (these codes of practice are to be expected 9 months after entry into force of the AI Act). In order to support innovation, great consideration is given to the interest and needs of SMEs and start-ups (Art. 57 et seq. AI Act).

The AI Act will be published in the Official Journal of the European Union in July 2024 and shall enter into force on the 20^th day following that of its publication. However, there will be several stages for its application: Six months from the date of entry into force of the AI Act, AI system with unacceptable risks will be prohibited, before 12 months from the date of entry into force i.a. the obligations for general-purpose AI models will apply, whereas the most of the remaining provisions of the AI Act will apply 24 months after its entry into force.

National approaches

Beyond the AI Act, the use of AI-based technologies and information systems is not subject to any specific laws and regulations in Germany but governed by general regulations (e.g. General Data Protection Regulation (GDPR), the Civil Code (BGB), the Act against Unfair Competition (UWG), the Act on Copyright and Related Rights (UrhG), the Administrative Procedure Act (VwVfG), the Act on Liability of Defective Products (ProdHaftG), the Road Traffic Act (StVG), the General Act on Equal Treatment (AGG) and the Works Constitution Act (BetrVG)).

Still, limited sector-specific regulation exists. In the healthcare sector, persons with a statutory health insurance are entitled to the provision with medical devices of lower and higher risk whose main function is essentially based on digital technologies and which are intended to support the detection, monitoring, treatment or alleviation of illnesses (so called: digital health applications). Statutory health insurance providers are also allowed to develop digital innovations in order to improve the quality and cost-effectiveness of care.

Furthermore, specific rules were introduced in the automotive sector, allowing the operation of autonomous vehicles (SAE Level 4). Systems that permanently take over the guidance of the vehicle, and which can also cover longer distances within a defined operating zone without human intervention are permitted. Thus far, the actual use of AI for SAE Level 4 vehicles is limited, but would be permitted in Germany.

Germany also played a leading role in the development of the “Hiroshima Process International Code of Conduct for Organizations Developing Advanced AI System” of the Group of the Seven (G7). The Code of Conduct aims to promote safe, secure, and trustworthy AI worldwide and provides voluntary guidance for actions by developers of advanced AI systems. The non-exhaustive list of actions include i.a. early identification and mitigation of risks and vulnerabilities, transparency about the capabilities and limitations of AI, responsible information sharing and reporting of incidents, development of AI governance and risk management policies, implementation of security controls, labelling of AI-generated content and prioritization of AI development for global benefit. In view of the rapidly evolving technology, the Code of Conduct is to be further elaborated on the basis of specific requirements.

In 1989, Germany implemented a special liability regime for defective products based on the European Product Liability Directive 85/374/EEC. Accordingly, any defective AI system embodied in a product causing a defect of the product may be subject to the Produkthaftungsgesetz (ProdHaftG, Act on Liability of Defective Products) This.

The requirements for liability according to Section 1 ProdHaftG are:

• Damage to a protected legal interest (person’s death, injury to person’s body or health, damage to an item of property)
• Caused by a defect in a product
• resulting in (financial) damages, and
• no legal exception applies.

In view of increasing AI technologies, new rules to address liability issues related to AI systems have been discussed on EU level, resulting in a new Directive on Liability for Defective Products, which was formally endorsed by the Parliament in March 2024 and after formal approval by the Council, will apply to products placed on the market 24 months after entry into force of the Directive. The updated directive i.a. extends the definition of “product” to digital manufacturing files and software (except free and open-source software) and simplifies the burden of proof for people claiming compensation: While the injured person would usually have to prove that the product was defective, the damage suffered and the causal link between the defectiveness and the damage, the court may now presume that the product was defective in certain circumstances (e.g. if the injured person faces excessive difficulties, in particular due to technical or scientific complexity, to prove the defectiveness of the product or the causal link between its defectiveness and the damage (or both). Furthermore, the court may, upon request of the injured person, order the defendant to disclose relevant evidence.

Besides specific product liability, claims may be based on contractual obligations (if such exist) and liability in damages according to Section 823 of the German Civil Code (BGB). Violations of requirements under the AI Act, e.g. regarding high-risk AI systems according to Art. 8 et sequ. AI Act, may lead to damage claims (Sec. 823 para 2 BGB)

The applicable civil rules depend significantly on the actual damage caused and legal interest concerned.

If privacy issues are concerned, the GDPR and the respective German national act, the Datenschutz-Grundverordnung (DSGVO) provide for the basic remedies (see topics …).

If damage is caused to a person, the Produkthaftungsgesetz (ProdHaftG) and “standard” civil liability according to e.g. Section 823 Bürgerliches Gesetzbuch (BGB, German Civil Code) apply in parallel to any contractual obligations (see topic no. 4).

In terms of intellectual property rights, the use of AI systems can result in copyright infringement, trademark infringement, design infringement, patent infringement etc. It may also raise issues concerning the right of publicity and other personality rights, e.g. if images of persons are used without consent.

Outlook: At the end of 2022, the EU Commission released a proposal for a directive governing non-contractual civil liability for artificial intelligence, the “AI Liability Directive” COM (2022) 496. The aim of this Directive is to complement and modernize the liability framework and to harmonize it EU-wide. (see topic no. 7 regarding procedural aspects).

In terms of criminal law, the use of AI as an instrument in criminal activities does not exclude liability. Those responsible for the manufacture of AI products have the same duties of care as for conventional technical products, whereby the slightest possibility that autonomous actions of an AI might lead to criminally relevant actions will increase those duties of care.

In terms of product liability (see topic no. 4), the new Directive on Liability for Defective Products will provide for a tired system of liability. Accordingly, liable are the manufacturer, the quasi manufacturer or any party that substantially modifies the product. Moreover, for products manufactured outside of the EU the importer, the authorized representative of the manufacturer and where those are not available fulfilment service providers are liable. Finally, liability can extend under certain circumstances to all distributors involved and even to online platforms.

The user of AI can also be responsible for any harm caused by the AI system. According to German law, each party in the “liability chain” may claim compensation from the party on the higher level, e.g. the user of the AI from the supplier, the supplier from the manufacturer.

In general, the party claiming damages has to show not only that it had suffered damages but also that the other party is responsible for the damages caused. This, in particular, is the case if claims are asserted against the user of the AI, who is not the manufacturer.

Given that this is typically difficult, at least in product liability matters, the claimant can rely on certain means to ease the burden of proof. For instance, the claimant of a product liability claim does not have to show that the other side acted intentionally or negligently. It is sufficient to show that the product was defective. Given the specifics of AI, however, this can still be an issue, since the information to show that the system/product is defective requires not only access to the program but also inside knowledge about its functioning.
In light of the issues that are accompanied with showing that a product has a defect, German case law developed the concept of the so called “manufacturer liability” according to Section 823 BGB. On the basis of “manufacturer liability”, the injured party can rely on a reversal of the burden of proof. In such cases, the manufacturer has to show that its product is actually not defective. AI systems may require a further development of this case law, since the question will arise at what point in time the defect is no longer in the sphere of the manufacturer – considering the learning process of the AI.

Outlook: The AI Liability Directive intends to create a ‘presumption of causality’, which can be rebutted by the defendant. Its objective is to ease the burden of proof for anyone who suffered harm from AI systems. The AI Liability Directive also seeks to establish means for courts to order disclosure of information in respect to AI systems allegedly having caused damage.

Yes, the use of AI can be subject to insurance. Certain insurance companies in Germany already offer specific AI insurance, such as backed performance guarantees.

We expect more and more insurance products, in particular also covering damages caused by the use of AI, to become available in the course of further development and a more wide-spread use of AI in daily life.

So far, no. In its decision No. 11 W (pat) 5/21, the Federal Patent Court found that only natural persons can be designated as an inventor on patent applications with the German Patent and Trademark Office (GPTO). The Court also did not allow the omission of the designation of inventor, as such designation is required by German patent law. In case of doubt, the applicant should designate himself as the inventor. Finally, the Court allowed a designation of inventor where the applicant designated himself, with an addition that he had caused (or prompted, arranged for) an AI system to generate the invention. However, the Court indicated that the GPTO is not required to consider the addition in publications, for example in the Register and in the publication of a granted patent.

Since, according to German patent law, the only consequence of an incorrect designation of inventor is that the true inventor can request a correction, any uncertainty is unlikely to have a negative effect. The decision confirmed the dominant trend in other jurisdictions concerned with the matter that the designated inventor of a patent application must be a natural person and AI systems cannot be designated as inventors. The EPO came to a similar conclusion, stating in its decision No. J 0008/20 that under the EPC the designated inventor has to be a person with legal capacity.

However, by allowing the applicant Stephen Thaler, who insisted on not having made the subject invention, to be nevertheless designated as the inventor, the Federal Patent Court opened up an opportunity for him to become the patent owner.

It is highly controversial how the suggested wording, designating a natural person applicant as having prompted an AI system to generate the invention, aligns with the notion of Erfinderehre derived from human creativity and underlying the inventor’s right to be named, which was reaffirmed rather than discounted by the adjudicating Board.

German copyright law is largely based on harmonized EU law. A copyright-protected work according to the CJEU (C-683/17-Cofemel) requires an “intellectual creation reflecting the freedom of choice and personality of its author”, which effectively excludes copyright protection for an image created by AI.

Issues may arise in particular from the usage of information, specifically when information is uploaded on a cloud-based service operated by a third party. In this context, “accidental” or uncontrolled disclosure of trade secrets and other confidential data can be an issue. Should personal data be concerned, obligations under the GDPR also have to be considered. German data protection authorities require a data protection impact assessment (35 GDPR) for the processing of personal data using AI.

In the legal context, problems may be created in respect to professional codes of conduct and any additional confidentiality obligations arising therefrom. Transparency concerning the use of AI as well as the respective sources and the question of “who owns the work product” can become problematic.

Another issue is liability, as no specific information about functionality or training data used, and therefore also about the validity/accuracy of work results, may be available.

A possible dependence on AI could also become an overall problem, especially regarding critical processes. In terms of sustainability, one will also have to consider the question of energy consumption of intense server processing. Concerning the latter, costs could become an issue too.

The Works Council has to be informed in good time, should the employer plan to introduce AI. According to the Hamburg Labour Court (24 BVGa 1/24), the introduction of certain AI tools as ChatGPT does not require the Works Council’s consent, as would not allow the employer to monitor the behaviour or performance of employees.

Finally, usage of AI can affect the employee-employer relationship. It can also create internal issues if AI is perceived by the human staff as competing with their job legitimacy.

Processing vast amounts of personal data scraped from the internet for training AI, in particular Large Language Models (LLMs), significantly affects privacy rights. The application of AI will cause a plethora of further privacy issues, which we can only begin to recognize today. Already, the unique ability of an AI to take autonomous decisions, clashes with the general human expectation to only be subjected to decisions made by other humans. This is even more problematic as recent incidents show that AI is also not immune to “bias”, depending on the quality of the training data. The GDPR accordingly prohibits or at least severely restricts decisions based solely on automated processing. Similarly, the Digital Single Market Act and the Digital Service Act also require that content moderation measures on internet platforms be at least subject to human review. Possibly even more problematic is AI that does not make active decisions, but “merely” monitors human behavior or analyses personal data limited only by allocated computing power. The German Constitutional Court has developed in its ground-breaking Volkszählungsurteil, the right for informational-self-determination, which would not be ”compatible with a social order and a legal order that enables it, in which citizens can no longer know who knows what, when and on what occasion about them”. Transparency obligations are therefore a key element for AI regulation, but beyond that “bans” for specifically intrusive and discriminatory uses of AI systems are necessary, e.g. for “Real-Time” biometric identification systems, which the AI Act permits only for specific law enforcement purposes.

Data scraping in Germany is subject to a complex regulatory framework that encompasses intellectual property and privacy laws as, in contrary to data crawling, the scraping software not only reads out the requested information from particular websites but usually also stores it in a file that may be used for other purposes. This storing requires the (temporary) reproduction of content that may or may not be copyright protected and/or contain personal data. Relevant from an IP perspective, specifically copyright law, are the text and data mining exceptions provided by Art. 3, 4 Digital Single Market Directive (DSM), which were also implemented into German law. Thereby, data mining is defined as an automatic analysis of individual or several digital or digitized works for the purpose of gathering information, in particular regarding patterns, trends and correlations. Aimed at scientific and commercial users, these exceptions permit the reproduction of copyright-protected material for data mining purposes. However, these exceptions are subject to certain conditions, in particular the legitimacy of the source and the right to opt out. The preliminary remarks to the Directive stress the significance of text and data mining for the development of new applications or technologies. Art. 53 I (c) AI Act, requires that providers of general-purpose AI models adopt a policy that they identify and comply with an opt out expressed pursuant to Article 4(3) DSM. This should conclude the discussion whether the data mining exception, would apply to the collection of training data.

German copyright law provides protection to databases under the Database Directive (Directive 96/9/EC), implemented in the UrhG (German Copyright Act). Databases that constitute the author’s own intellectual creation are protected by copyright. Even if the database does not meet this threshold, it may still be protected under the sui generis right if substantial investment has been made in obtaining, verifying, or presenting the contents. However, also in respect to databases the text and data mining exceptions apply.

The GDPR, applicable across the EU including Germany, regulates the processing of personal data. Scraping personal data without consent or other legal basis can violate the GDPR provisions.

Unfair Commercial Practices: The UWG (German Unfair Competition Act) prohibits unfair commercial practices. Scraping information from a website, in order to give users direct access to that content, is not an unfair commercial practice, unless this requires overcoming technical barriers as e.g. a paywall.

The German Federal Supreme Court had to deal repeatedly with data scrapping, but focused for procedural reasons on unfair commercial practices and copyright (database sui generis right), whereby scrapping in violation of the website terms was not sufficient to qualify the collection and use of the data as an unfair commercial practice. Still, this does not exclude that data scraping could be validly prohibited by platform terms. Those terms would have to comply with the requirements for general terms and conditions under German law. Art. 11 Data Act explicitly permits the “application of technical protection measures(…), to prevent unauthorised access to data, and to ensure compliance (…) with the agreed contractual terms for making data available” , so assuming that it was possible to show that terms prohibiting data scraping were validly agreed upon, it should  be possible to limit data scraping.

The Data Protection Conference (Datenschutzkonferenz – “DSK”) is composed of the federal and all 16 independent state data protection authorities. Already in April 2019, the DSK published the “Hambach Declaration on Artificial Intelligence”, which sets the following seven requirements for the use of AI: 1. AI must not objectify people. 2. AI must be used only for constitutionally legitimate purposes and must not circumvent the principle of purpose limitation. 3. AI must be transparent, accountable and explainable. 4. AI must avoid discrimination. 5. The principle of data minimization applies to AI. 6. Responsibilities for the use of an AI system must be identified and clearly communicated. 7. AI requires technical and organizational standards.

Following this, they have further issued a position paper on “recommended technical and organizational measures for the development and operation of AI systems” in November 2019, which addresses the whole lifecycle of an AI system, starting with the design of the AI and its components, the process of selecting raw data to create training data, the training process itself, validation and examination of the trained system, the use of the AI system and finally feedback and optimization mechanisms.

In May 2024, the DSK issued guidance on artificial intelligence and data protection primarily for those responsible for implementing AI applications. The publication may serve as a guide for the selection, implementation and use of AI applications and provides an overview of relevant criteria to take into account for the data protection-compliant use of AI applications.

The German Federal Commissioner for Data Protection and Freedom of Information (Bundesbeauftragter für den Datenschutz und die Informationsfreiheit – “BfDI”) as the supervisory authority for all federal public bodies as well as for certain social security institutions has not yet issued any guidelines on AI but conducted a comprehensive public consultation on the use of AI in Law Enforcement and Security.

Furthermore, there are several approaches from supervisory authorities in each of the sixteen German federal states, e.g. in November 2023, the State Commissioner for Data Protection and Freedom of Information of the state Baden-Württemberg published a working paper on the lawfulness of data processing for the training, application and use of artificial intelligence.

Not only following the temporary ban of ChatGPT by the Italian DPA, the service has been discussed among German DPAs and, according to the DPA of Hessen, shall be subject to an evaluation on a German national or preferably European level coordinated by the European Data Protection Board (EDPB). On 13 April 2023, EDPB decided to establish a taskforce to foster cooperation and exchange information on possible enforcement actions on the processing of personal data in the context of ChatGPT, which published a preliminary report on 23 May 2024.

Beyond mere discussions, the Berlin DPA has already imposed a fine of EUR 300.000 against a bank that had rejected a consumer’s request to provide a detailed and comprehensible explanation for a rejection of a credit card application by an AI. The Berlin DPA considered this a violation of the transparency obligations according to Art. 22 (3), 5 (1) a and 15 (1)h GDPR.

Already in 2017, the German Federal Patent Court (11 November 2021, 11 W (pat) 5/21 “FOOD CONTAINER”) decided that an artificial intelligence cannot be an inventor within the meaning of Section 37 (1) of the German Patent Act (Patentgesetz, PatG), as only natural persons, not machines, can be inventors.  The right to be named as an inventor is intended to express recognition for being an inventor (“Erfinderehre”) and reflects the decision of the German legislator that an AI may never be named as a (co-)inventor under German patent law. A further development of the law is not required as the exclusion of an AI from the designation of inventors does not cause any economic disadvantages. This has recently been confirmed by the German Federal Supreme Court by decision of 11 June 2024 (X ZB 5/22), which further held that the designation of a natural person as an inventor shall also be possible and necessary if an AI system has been used to find the claimed technical teaching. The designation of a natural person as inventor in the official form does not satisfy the requirements of Section 37 (1) PatG if, at the same time, it is requested that the description be supplemented by an indication that the invention was generated or created by means of AI. However, a supplement to the inventor designation that the inventor has caused an AI to generate the invention does not justify the rejection of the patent application.

Most recently, the Administrative Court of Munich decided twice on the use of artificial intelligence at a university: In the Court’s decision of 28 November 2023 (M 3 E 23.4371), the claimant had initially applied for a master’s program at Technical University of Munich (TUM), submitting documents, including a contested essay with 45 % likelihood that it was written by AI. TUM excluded him from the application process, citing an attempt to influence the process through deception and stating that the essay did not meet academic standards and therefore constitutes a breach of regulations. This was supported by an expert opinion and further examined by experienced evaluators, who found the essay’s quality unusually high for a bachelor’s graduate. The essay also differed considerably from an earlier essay submitted by the claimant. The Court held that, although the burden of proof for a breach of regulations lies with TUM, both the objective and subjective requirements of an act of deception may be proven using the rules of prima facie evidence. It was therefore likely to be assumed that the submitted essay was not – in whole or in part – written by the claimant himself, thus did not meet academic standards and constitutes a breach of regulations. The second decision of 05 May 2024 (M 3 E 24.1136) reaches the same result using the prima facie evidence, but relies on the fact that individual passages of the essay differ significantly from each other in terms of (foreign) language level, conciseness, content density and structure, which, according to general experience, suggests that the essay was created with unauthorized assistance. Since the claimant expressly confirmed in the application process that the submitted essay had been prepared without the help of unidentified tools (e.g. AI tools such as ChatGPT), the Court concluded that there was a breach of regulations.

The Labor Court of Hamburg (16 January 2024, 24 BVGa 1/24) ruled that the works council of a medical technology manufacturer has no co-determination rights regarding the implementation of AI systems like ChatGPT. The works council had attempted to halt the use of these technologies through an preliminary injunction, which the court rejected. The court argued that the use of AI tools via web browsers does not directly involve the company’s computer systems and is therefore considered non-co-determined work behavior. Given the circumstances, the decision might not directly be applied to situations where employers provide access to ChatGPT to their employees.

Not being a national court, but a voluntary self-regulation organization which serves as a moral authority overseeing journalistic standards and adherence to ethical guideline, the German Press Council (Deutscher Presserat) recently issued a public reprimand for German magazine LISA (05 February 2024, ref. 0430/23/1). They had published a recipe booklet which illustrations were created using artificial intelligence but not labelled as such. The images could give the impression that they actually show prepared dishes, which have never been cooked, and are therefore misleading.

As of today, there is no regulator or supervising authority for AI in Germany. However, according to Article 70 (1) and recital 153 of the AI Act, each EU Member State shall establish or designate at least one at least one notifying authority and at least one market surveillance authority as national competent authorities for the purpose of supervising the application and implementation of the AI Act. The question of who will oversee AI governance in Germany is unresolved at the submission deadline: There is an ongoing discussion about the Federal Network Agency (Bundesnetzagentur – “BNetzA”) serving as an independent federal authority that could effectively balance innovation with accountability and transparency. Additionally, the German Federal Commissioner for Data Protection and Freedom of Information (Bundesbeauftragter für den Datenschutz und die Informationsfreiheit – “BfDI”), the Data Protection Conference (Datenschutzkonferenz – “DSK”), the Federal Cartel Office (Bundeskartellamt – “BKartA”), and the Federal Office for Information Security (Bundesamt für Sicherheit in der Informationstechnik – “BSI”) are also under consideration. The key issue in Germany is whether to establish a federal authority without the involvement of the federal states (Bundesländer), or to pursue a cooperative approach between the federal government and the federal states to share responsibilities.

There is a lot of hesitation regarding the adoption or usefulness of AI for German businesses. According to BITKOM, still in 2023, around one third of businesses considered AI to not be relevant for them, and only 17% of businesses answered in the affirmative when asked whether they would use or plan to use AI in their businesses. At least 23 % responded that a future use was possible. It is most likely to be used in marketing, customer relations, production, procurement, accounting and IT.

Digitalization in the legal sector is lagging behind – so does the use of artificial intelligence. However, with ChatGPT and Harvey, more and more law firms are at least considering use of AI systems for daily work. The law firms which already use generative artificial intelligence have discovered its strengths as an assistance system, in particular with regard to translations, analysis and summaries of published documents, generating draft contracts and letters. So do in-house counsel who partly use the systems also for initial legal assessments.

It remains to be seen how the use of AI in legal proceedings will emerge. At the moment, there are some pilot projects and feasibility studies. However, deep learning technologies are not often used in courts. As of today, the judges agree that AI should only perform an assisting function, especially in mass proceedings (e.g. passenger rights, Dieselgate cases).

Among the 5 key challenges, we see:

1. Data privacy and security: AI tools must adhere to strict GDPR requirements and discretion obligations in attorneys’ code of conduct, ensuring data protection and privacy.
2. Costs of reliable AI systems: Developing or licensing robust AI systems can be costly, posing significant challenges for small and medium-sized firms that handle standard cases well-suited for AI.
3. Lack of knowledge and need for adoption and integration: Highly qualified lawyers and engineers may resist AI, doubting the technology’s reliability due to unclear functionality and unknown training data.
4. Lawyers must seek knowledge and develop a deeper understanding on the possibilities and limitations of AI systems, also to prevent false trust in the system and misinformation caused by training data biases or inaccurate AI content.
5. Ethical and moral considerations: AI systems can perpetuate or exacerbate biases, leading to potential discrimination. Lawyers must ensure that AI applications are transparent, adhere to ethical standards and do not violate anti-discrimination laws.

Loss of business: Simple legal advice, consulting, and routine tasks may be handled by AI, potentially reducing the need for human lawyers and driving down fees.

5 key opportunities, on the other hand:

1. Countering workforce shortages and addressing talent gaps: AI may help mitigate the shortage of qualified legal professionals, reducing personnel costs and filling skill gaps.
2. Managing complexity: AI can assist in managing increasing amounts of case law, knowledge, and data, facilitating a more effective legal practice and supporting more informed, strategic decisions.
3. Focusing on strategic work: AI can automate tedious tasks, allowing lawyers to focus on more complex legal work.
4. Increasing efficiency: AI can enhance efficiency, improving responsiveness and aligning with clients’ budget expectations and demands for quick turnarounds.
5. Facilitating creative solutions and enhancing work quality: AI can inspire new, creative legal solutions, potentially leading to higher-quality work products and innovative legal strategies.

The EU’s AI Act will be the first comprehensive set of regulations for the artificial intelligence industry. Similar to the GDPR, it is expected to serve as a model for other jurisdictions. While there is a broad consensus on the need for regulation, it remains to be seen whether the Act will actually strike a fair balance between undoubtedly necessary regulation on the one hand and innovation and adoption of new and potentially disruptive technologies on the other.