Authors: Markus Kaulartz, Jonas Gross, Constantin Lichti, Philipp Sandner, Stephan Raubach
In this article, we analyze from a legal perspective whether information systems such as computers or IT infrastructure technologies such as blockchain technology are subject to a legal obligation for audits or some other form of functional verification prior to their use. In addition to general audit requirements, we examine in particular the direct obligation and the indirect obligation for the execution of audits. Also, we address further aspects such as privacy and data protection consequences, the role of certificates, warranty rights, and claims based on tort. The article assumes the application of German laws.
This article is the fourth publication of the series “legal aspects of blockchain technology” by the Frankfurt School Blockchain Center (FSBC), Datarella, and CMS Hasche Sigle. This research is part of the KOSMoS project, a research project funded by the German Federal Ministry of Education and Research (BMBF) under the funding code 02P17D020. The Frankfurt School Blockchain Center gGmbH and Datarella GmbH are part of the “KOSMoS” consortium. Together with partners from industry (Schwäbische Werkzeugmaschinen GmbH, Alfred H. Schütte GmbH & Co. KG, ASYS Automatisierungssysteme GmbH), academia (Universität Stuttgart, Hochschule Furtwangen), and software development (inovex GmbH, Ondics GmbH), they create a blockchain-based solution allowing manufacturing companies to establish a DLT-based framework for production machines in order to a) execute dynamic leasing contracts, b) provide transparent maintenance documentation, and c) ensure high-quality documentation of manufactured products.
Blockchain technology holds immense potential and will be an important building block of the advancing digitization in the future due to its wide range of possible applications. However, as blockchain applications become more and more important in the business world, fundamental questions arise for both consumers and companies regarding issues such as audits, guarantees of functionality, and possible legal claims in the event of non-compliance with said functionality. In order to ensure a legally secure basis for all parties and participants, it is therefore important to clarify any questions of liability, for example in the event of damages. Without absolute certainty in these matters, companies will find it difficult to implement blockchain-based business models. Therefore, in this article, we discuss related issues and draw conclusions based on current German law.
In principle, there is no formal obligation under German law to test a computer, IT infrastructure or blockchain (hereinafter simply referred to as the “system”) prior to its use, or to verify its functionality in some other way. However, there are some exceptions, which will be discussed in the following sections. Furthermore, under certain circumstances there can also be an indirect obligation to audit such systems, which will be analyzed in the second part of this article.
Direct obligation for audits
When an audit is conducted to assess a company, the audit is always an independent examination of its financial information, regardless of the company's size or legal form, and regardless of whether the company being audited is a for-profit company or not.
Assessment of privacy and data protection consequences
The party responsible for privacy and data protection must, if necessary, carry out an assessment of the consequences of the intended processing operations for the protection of personal data before commissioning a system, in accordance with Article 35 (1) of the General Data Protection Regulation (GDPR). This is primarily the case when a form of processing, in particular one using new technologies, is likely to present high risks to the rights and freedoms of natural persons due to the nature, scope, context, and purposes of the processing. However, the data protection impact assessment is mainly a legal assessment of the processing situation, including for example risks and measures (Art. 35 (7) GDPR). Its focus is therefore not on the technical assessment of a system. In any case, it also requires that personal data is processed in the first place, i.e., information relating to an identified or identifiable natural person (Art. 4 (1) GDPR). This is not the case for machine data without any reference to a natural person.
Certificates can play a role in proving compliance with certain rules or minimum standards. Article 32 GDPR, for example, stipulates the technical and organizational measures that are to be implemented to protect personal data. Such measures can be verified, at least in part, by ISO 27001 certification. Certificates can also help prove that the statutory requirements for IT have been implemented, for example with regard to the BAIT, which must be implemented by financial service providers (including companies that offer factoring or finance leasing). However, certificates are typically not strictly mandatory; IT compliance can also be demonstrated by other measures.
Indirect obligation for audits
If a company sells or rents an item or produces a good, it must ensure that the item or product has the agreed quality at the time of the transfer of risk, e.g., the act of purchase and/or exchange of goods (Kaufrecht, § 434 (1) 1 BGB and Werkvertragsrecht, § 633 (2) 1 BGB). Further, the suitability for contractual use must not be reduced (Mietrecht, § 536 (1) 1 BGB). Otherwise, the person concerned may have warranty rights, such as the right to subsequent performance, reduction, withdrawal, or even claims for damages (purchase: § 437 BGB, rent: §§ 536, 536a BGB, contract for work: § 634 BGB). A notice period is typically required. Claims for damages based on product liability law are also possible if a product is defective, i.e., if it does not offer the safety that can reasonably be expected, taking into account all the circumstances, in accordance with § 3 of the German Product Liability Act (ProdHaftG).
With regard to the law on sales and contracts for work and services, only the moment of handover or acceptance is relevant, whereas, with regard to a rental contract as a continuing obligation, the suitability of the rented object must even be ensured for the entire duration of the contract. The same applies to product liability law for a period of ten years after placing the product on the market (§ 13 (1) 1 ProdHaftG).
If an audit is carried out before handover and the system is thus tested in advance to ensure that it is free of defects, such warranty rights and claims for damages could possibly be avoided. Consequently, an indirect obligation to audit systems can be derived from this.
In addition to contractual claims for damages due to insufficient performance (see warranty rights), a claim against the operator of the system could also arise from the fact that he or she unlawfully and culpably violates the legal duty to maintain safety. Another scenario is that he or she markets software that does not meet the state of the art. In contrast to contractual claims, a tort claim is generally available to any injured party, regardless of whether or not this party has previously concluded a contract with the operator of the system. An audit that checks the security of the systems in advance can prevent claims against the operator.
KOSMoS is a research project funded by the German Federal Ministry of Education and Research (BMBF) under the funding code 02P17D020. More information about the project can be found on the website.
Dr. Markus Kaulartz used to be a software developer and is now a lawyer at CMS Hasche Sigle. He specializes in IT and data privacy laws and focuses on challenges arising from the increasing digitalization (FinTech, Blockchain, Smart Contracts, AI, SaaS, etc.). Since Markus’ clients are both innovative startups and tier one global players, he has gained a lot of experience in advising on legal issues of future technologies and new business models, such as blockchain and artificial intelligence. Markus has particular tech expertise and insights that contribute to his legal advisory practice. His input is often sought where challenges arise at the interface of technology and law. Markus is co-editor of the legal handbook on smart contracts and the legal handbook on artificial intelligence and machine learning.
Jonas Gross is a project manager and research assistant at the Frankfurt School Blockchain Center (FSBC) and also works for the KOSMoS research project. His fields of interest are primarily cryptocurrencies. Besides, in the context of his Ph.D., he has been analyzing the impact of blockchain technology on the monetary policy of central banks worldwide. He mainly studies innovations such as central bank digital currencies (CBDC) and central bank cryptocurrencies (CBCC). You can contact him via email (email@example.com), LinkedIn (https://www.linkedin.com/in/jonasgross94/) and via Twitter (@Jonas__Gross).
Constantin Lichti is a research assistant and project manager at the Frankfurt School Blockchain Center (FSBC), and also works for the KOSMoS research project. Furthermore, he is responsible for project proposals and grants as well as studies published at the FSBC. As a doctoral candidate, his research interests include public blockchains and their individual adoption, as well as how the discourse on blockchain technology is reflected in (social) media. He graduated from the Technical University of Munich with a master’s degree in industrial engineering and management. You can contact him via email (firstname.lastname@example.org) and LinkedIn.
Prof. Dr. Philipp Sandner is head of the Frankfurt School Blockchain Center (FSBC) at the Frankfurt School of Finance & Management. In 2018, he was ranked as one of the “Top 30” economists by the Frankfurter Allgemeine Zeitung (FAZ), a major newspaper in Germany. Further, he belongs to the “Top 40 under 40” — a ranking by the German business magazine Capital. The expertise of Prof. Sandner, in particular, includes blockchain technology, crypto assets, distributed ledger technology (DLT), Euro-on-Ledger, initial coin offerings (ICOs), security tokens (STOs), digital transformation and entrepreneurship. You can contact him via mail (email@example.com), via LinkedIn (https://www.linkedin.com/in/philippsandner/), or follow him on Twitter (@philippsandner).
Stephan Raubach works in the business development department of a Liechtenstein-based blockchain incubator. In addition to his studies in business administration at the Frankfurt School of Finance & Management with a focus on digital business, he gained experience through his work at the Liechtenstein blockchain startup Amazing Blocks, especially in the field of tokenization. You can contact him via email (firstname.lastname@example.org) and LinkedIn.