New technologies. Political, legal, economic and factual impact in Germany

New technologies influence the insurance sector in Germany in many ways. This is also reflected in changes in the legal framework. For example, the German legislator has introduced new rules for highly and fully automated driving. In the future, autonomous driving will raise the question of the effects of the fact that there is no longer a driver on liability and insurance. The article shows that the German system of owner (“holder” or “keeper”) liability in combination with compulsory liability insurance also offers a convincing solution for this challenge, especially with regard to an effective protection of traffic victims. Another field is cyber risks. They have led to the development of a new insurance cover. Digitalisation presents new opportunities for the contract conclusion process and the regulation of insurance claims, but there are also some legal challenges to be addressed. Last but not least, the use of robots and nanotechnology is leading to new types of risks and to modified coverage concepts. This article deals with current developments in Germany.


Liability pursuant the German Road Traffic Act and its recent amendments
As the focus of German legislation and practice with regard to both classical and automated driving is on motor vehicles rather than on vessels, the present paper focusses on vehicles as well. The German Road Traffic Act (RTA; Straßenverkehrsgesetz, StVG) ensures that both the driver and the so-called keeper (Halter)-who is the registered holder of the car who decides on its use and who bears the running expenses, and who will often but not necessarily be its owner at the same time-1 of a motor vehicle are liable for damages caused by the use of the vehicle. 2 The provisions of the RTA were originally aimed at regulating the use of vehicles that are fully controlled by a human being as driver. The liability of the driver is thus designed for situations in which the driver has full control over the vehicle and therefore may be held liable if due to a negligent use of the vehicle a damage is caused to a third party. 3 In contrast, the liability of the keeper does not require any kind of negligent behaviour. 4 In 2017 the RTA was amended in order to include rules for automated driving (see infra, 2).

General rules on liability of drivers and keepers
a. Liability of the driver The liability of the driver is regulated in Sect. 18 RTA. According to that provision the driver has to compensate any third party for damages and financial losses that were caused negligently by the driver during the use of the vehicle on public roads. There is a legal presumption of negligence, 5 which however leaves the driver the possibility to prove that there was no negligence. The liability is in general limited to C 5 Mio. in case of death or physical injury of one or more victims of the accident, and to C 1 Mio. in case of damage to property. 6 b.

Liability of the car keeper
Since the use of motor vehicles on public roads, while it offers the advantage of high mobility, is a dangerous activity, Sect. 7 RTA states that the keeper of a vehicle is liable for any damage inflicted in relation to its use, regardless of whether or not the keeper was driving the car. Hence, Sect. 7 RTA disposes a strict liability of the keeper since liability does not require any kind of negligent action of the keeper or the driver. 7 In contrast to the driver, the keeper is not given any option to exculpate himself. This is to ensure that in case where the driver succeeds in exculpating him-or herself, the victim of the accident nevertheless does not go uncompensated. It is only if the accident was caused by an act of God 8 or if the vehicle was driven by an unauthorized person and this was not due to negligent behaviour of the keeper 9 , that the keeper may avoid liability. However, similarly to the driver, responsibility is limited in scope.

Recent changes to the act with regard to automated driving
As already demonstrated, the liability system of the RTA is based on two pillars: First of all, there is fault-based liability of the driver with a presumption of negligence, and secondly, there is strict liability of the keeper. The German legislator recently addressed the question whether the use of highly or fully automated vehicles on public roads requires modifications to this system. In fact on 21 June 2017 a number of new rules addressing this question entered into force, in particular the new Sect. 1a and 1b RTA. 10 a. New rules for the use of highly or fully automated vehicles Sect. 1a RTA states that highly or fully automated (though not autonomous, see infra, b) vehicles may be used on public roads under the condition that the automated functions are working properly. The legislator left the abovementioned liability system untouched in its essence. 11 Hence, drivers and keepers of highly or fully automated vehicles will be held liable for damages the use of a driver assistance system causes, e.g. due to a malfunction, under the conditions mentioned above.

b. No admission of fully autonomous cars on public roads
Even after the recent changes to the RTA, the German legal framework does not allow fully autonomous cars access to the use on public roads. "Fully autonomous" in this context means that the car drives by itself without any option for a human being to intervene and take over control during the ride. In other words, there are just passengers but no driver. According to the recently amended Art. 8 para. 5bis of the Vienna Convention on Road Traffic of the United Nations 12 , which has been transformed into national law and is thus directly applicable, the driver must at all times be able to control his vehicle and to switch off the automated function. Consequently, for the time being a fully autonomous car that drives all on its own and leaves no possibility for a driver to regain control cannot be admitted on German public roads. c.

Definition of highly of fully automated vehicles
The newly implemented Sect. 1a RTA does not distinguish between the various stages of automatization of a vehicle. Rather, Sect. 1a para. 2 RTA only defines which vehicles are categorized as highly or fully automated in the sense of the wording of the RTA. According to Sect. 1a para. 2 RTA, vehicles are only highly or fully automated if they have technical equipment, (1) which can control the respective motor vehicle after activation in order to cope with the driving task, including longitudinal and transverse guidance, (2) which is able to comply with the traffic regulations relating to vehicle guidance during the highly automatic or 10 For details, see Ch. Armbrüster, The future of motor liability and insurance for automated and autonomous driving-with an analysis of the new German legislation, Lloyd's Maritime and Commercial Law Quarterly (LMCLQ) 2020, pp. 86 et seq. 11 Armbrüster, Automatisiertes Fahren-Paradigmenwechsel im Straßenverkehrsrecht, Zeitschrift für Rechtspolitik (ZRP), 2017, pp. 83 et seq. 12 See https://www.unece.org/fileadmin/DAM/trans/conventn/crt1968e.pdf (last checked on 11 May 2020).
fully automated vehicle control, (3) which can be manually overridden or deactivated at any time by the vehicle operator, (4) which can detect the necessity of the vehicle's own control by the vehicle driver, and (5) which can indicate visually, acoustically, tactilely or otherwise perceptibly to the vehicle operator the requirement of the vehicle control unit with sufficient time before the vehicle control is handed over to the driver; and 6. which refers the driver to a use contrary to the system description.
The car manufacturers are obliged to explicitly confirm the compliance of their vehicles with the aforementioned requirements in the system description. 13 Furthermore, the legislator has expressly pointed out that the use of one or more driver assistance systems leaves the classification of the person enabling these systems as driver of the vehicle unaffected. This is meant to prevent an interpretation of the RTA that would automatically exculpate the person who makes use of the assistance systems from the liability as driver of the vehicle. d. Liability of driver when using highly or fully automated vehicles The recent amendments of the RTA also establish some important obligations of the driver when using driver assistance systems in a highly or fully automated vehicle. According to Sect. 1b RTA the driver is not allowed to turn his attention completely away from the traffic. This means that he (or she) must not rely entirely on the automated driving system. In case the driver notices or has to notice due to obvious circumstances that the preconditions for the use of the highly or fully automated mode are no longer met, he is obliged to take back control over the car. The same is true if the vehicle itself advises the driver to switch off the assistance system. 14 Those requirements specify the standard of care when using highly or fully automated driving systems. They leave the presumption of negligence laid down in Sect. 18 RTA unaffected. This means that if the use of an automated driving system results in any damages caused to third parties, the driver must prove compliance with Sect. 1b RTA in order to avoid liability. Taking into account the fact that the danger automated cars bring along cannot be fully estimated yet, the legislator decided to double the maximum liability for personal damage from C 5 to 10 Mio. 15 e. Liability of the keepers of highly or fully automated vehicles The RTA does not impose any special obligations on the keeper of the vehicle when he allows third parties to use the highly or fully automated vehicle. As the general principles of Sect. 7 RTA prevail, the keeper is still responsible for any damage caused by the use of the highly or fully automated vehicle. This holds true even in cases where the driver is exculpated, which is reasonable since the malfunction of a driver assistance system is undoubtedly part of the general danger the use of vehicles on public roads entails. Sect. 7 RTA aims at protecting accident victims efficiently by ensuring that they always can raise claims at least against the keeper of the vehicle, who takes benefit from holding the car and deciding about 13 Sect. 1a para. 2 sent. 2 RTA.
14 Sect. 1b para. 2 RTA. 15 Sect. 12 para. 1. its use. The victims' need for protection is neither higher or lower in comparison to cases where the damage is caused by the use of a non-automated vehicle.

Liability of the producers of highly or fully automated vehicles
If an accident has solely resulted from the malfunction of a driver assistance system the keeper of the car may be able to take recourse against its producer. Currently, there are no specific rules for product liability with regard to highly or fully automated vehicles. The Product Liability Act (PLA; Produkthaftungsgesetz, Prod-HaftG), a statute by which the EU Product Liability Directive 16 was transformed into German law, states in Sect. 1 para. 1, that when a defective product causes a person's death, bodily injury or health damage, or damage to property, the producer has to compensate the damage. In case of damage to property, however, this only applies if the damage was caused to an item of property different from the defective product itself, and if this other item of property is of a type ordinarily intended and actually disposed for private use or consumption. Similarly to Sect. 7 RTA the liability pursuant to Sect. 1 PLA is of strict nature, which means that it does not require negligence of the producer. In fact his liability is linked to the general dangers that result from putting defective products into circulation. The amount of damages the producer may be held liable for is limited to C 85 Mio. in cases of personal injuries. If the damages in total exceed this limit the claim of each individual will be reduced pro rata.
However, under certain circumstances which have to be proven by the producer he will be able to escape strict liability. An important case with regard to automated driving is Sect. 1 para. 2 no. 5 PLA. According to this provision, which transposes Art. 7 lit. e of the Product Liability Directive into German law, the liability of a producer is excluded if the state of scientific and technical knowledge at the time when the product was put into circulation was not such as to enable the defect to be discovered (so called development risk defense).
Therefore, if an automated driving system has been designed according to the state of the art at the time when the product was put into circulation, the producer can avoid any claims of victims of traffic accidents resulting from a malfunction (e.g. sensor defects due to interferences with other signals). In that case the keeper of the car-and in practice his motor liability insurer (see infra, III 1)-will not be able to have recourse to the producer.

Compulsory insurance
Are there any specific laws already adopted in your jurisdiction, or proposals for laws, relating to compulsory insurance coverage for injuries inflicted by the use of such vehicles or vessels? If so, please provide a short explanation. Comment: Answers may relate to motor vehicle insurance and product liability insurance.

Motor vehicle insurance
In accordance with EU directives, German law requires the keeper of a car to obtain liability insurance cover (Sect. 1 Compulsory Insurance Act [CIA, Pflichtversicherungsgesetz, PflVG]). 19 This rule applies for highly or fully automated vehicles as well. It is therefore mandatory to conclude an insurance contract that covers personal injuries as well as property damage resulting from operating the car on public roads. This means essentially cover for the liability according to Sect. 7, 18 RTA which was presented above (supra, I 1; third party liability cover).
The aforementioned rule is aimed at offering victims of traffic accidents a solid basis for their claims to be compensated by the insurance company, that is generally a potent debtor, independently of the financial situation of the driver or keeper of the car. Since Sect. 7, 18 RTA are applicable to liability of drivers and keepers of highly or fully automated vehicles as well, the obligation to sign corresponding insurance cover addresses them in the same way as is the case with non-automated cars.
The insurance cover has to include damages caused by an unauthorized driver. Furthermore, the CIA establishes minimum standards with regard to the insurance sum and the obligations the insurance contract may contain. Clauses that deviate from the compulsory provisions are void. This minimum obligatory cover is flanked by a direct claim of the victim against the insurer (Sect. 115 Insurance Contract Act, ICA [Versicherungsvertragsgesetz, VVG]).
As a rule, this claim may even be brought forward in cases where the insurer is wholly or partially released from liability vis-à-vis the policyholder, e.g. due to 18 20 An exception is made only if the accident was caused intentionally. 21 However, even then the victim is not unprotected since Sect. 12 para. 1s. 1 no. 3 CIA grants a claim against a compensation fund which the motor insurance industry has been required to set up for such cases. In practice this system offers accident victims a swift, uncomplicated and reliable compensation of their damages.
In contrast, other car related insurance contracts, i.e. property insurance which covers damages suffered by the policyholder himself in case of an accident, are not mandatory under EU or German law. This underlines the fact that the German legislator generally cares about victim protection but, as a rule, does not intend to impose self-protection via insurance on vehicle keepers. Having said this, it should it be noted that in practice car insurance products are often sold as a package combining third party liability insurance and property insurance in Germany.

Product liability insurance
With regard to product liability neither the EU nor the German legislator require producers to take insurance against product liability risks. Hence, in cases of widespread product defects it is not assured that all damages will be covered by insurance.

Future of motor vehicle insurance
How do you envisage the future of personal lines in motor vehicle insurance in the next 5-10 years in your jurisdiction? Comment: You may wish to comment on the future of motor vehicle insurance and the plans being made by the industry for new products There has been a lot of speculation recently about the question whether motor insurance as we know it will persist nonwithstanding the increasing use of digitalization in vehicles. Some authors argue that a massive shift from motor insurance to product liability insurance will take place in the near future given the new risks for producers who put highly or fully automated cars into circulation. 22 While the relevance of product liability insurance might in fact rise, however, this does not mean that motor insurance will symmetrically become less important. There are currently no legislative initiatives in Germany that aim at banning the legal obligation of a car keeper to procure motor liability insurance.
With regard to the political goal of accident victim protection the system of compulsory motor insurance that covers the keeper's strict liability seems to be the K only option. This is true at least as long as product liability insurance remains to be mandatory and there is neither strict product liability nor a direct claim against producers, which might offer a similarly high level of protection (subject to solvency, which is legally better ensured for insurance companies than for car manufacturers). In addition, while the absolute number of accidents is expected to decrease when automated systems become more widespread, the average damage per incident is likely to rise due to the additional digital features which might be damaged in an accident. 23 Thus there are sound reasons to assume that motor liability insurance will continue to fulfill its function as a reliable and well-established concept for an effective protection of accident victims. It is a different matter that driver assistance systems and their quality may significantly influence the premium, and that they might even replace the traditional system of no-claim bonuses.

Other technological innovations and their impact on the insurance industry
Driverless cars and autonomous vehicles apart, how do you assess the following technological developments that are expected to not only reshape the auto sector but also the insurance industry around it? -connected cars (i.e., Internet enabled vehicles, (IEV)) -automated driver assistance systems (ADAS) -car/ride sharing -alternative fuel vehicles Comment: answers may include identifying the legal and regulatory regime and provisions in your jurisdiction.

Connected cars
Vehicles that communicate with their environment will evidently revolutionize not only the car industry but also the insurance business. For instance, the technology needed to facilitate "car to X" or "car to car" communication is vulnerable to interferences from the outside, be it an intentional cyber attack or a mere interference with other signals that disrupt communication. This is especially dangerous with regard to communication systems that allow automated steering of the car. Aside from the expectation that judges (or the legislator) will find ways to deal appropriately with such scenarios when it comes to liability, 24 more specific insurance solutions might be desirable, such as specific cyber coverage for automated cars. Thus the insurance sector may play a key part in establishing minimum security standards of connected 23 Ch. Armbrüster, Automatisiertes Fahren-Paradigmenwechsel im Straßenverkehrsrecht, Zeitschrift für Rechtspolitik (ZRP), 2017, pp. 83 (85). 24 In case of a cyber attack it may be discussed whether or not the strict liability of the keeper of a car may be excluded in analogy to Sect. 7 para. 3 RTA. cars. However, for the time being special regulations concerning connected cars are not in effect in the EU or in Germany.

Driver assistance systems
Driver assistance systems are an integral part of vehicle automation. Cars that are partially or fully operated by such systems can be granted admission to be used in public road traffic when meeting the requirements of Sect. 1a para. 2 RTA (see supra, I 2). As mentioned before, while the use of such assistance systems is expected to reduce the absolute number of accidents, the damage resulting from the malfunction of such a system can be high. Insurance companies will thus have to rethink their actuarial calculation, which will most likely affect the premium payable by the keeper of a car using assistance systems. Plus, the number of recourses by motor liability insurance companies to car producers will increase in cases where it is solely the malfunction of an assistance system that has caused the insured event.

Car/Ride sharing
Car and ride sharing have been practiced for quite a while now. Those modern concepts of mobility originally created demand for ad hoc insurance, which means that e.g. the driver can choose on the spot to start driving with the basic insurance package or add other elements (insurance on demand). Nowadays, however, car sharing services usually include sufficient insurance coverage. It seems accurate to assume that the effect of those mobility schemes on the insurance sector will be small. While some mobility services like "Uber" have faced legal challenges before the courts in Germany, 25 special regulations concerning car/ride sharing are not in effect in the EU or in Germany.

Alternative fuel vehicles
Taking into account the proven effects of human-made greenhouse gas emission on climate change, and in the wake of the Diesel scandal, German car producers as well as politicians have recently increased their efforts to replace the use of fossil fuels such as petrol or diesel with alternative fuels. In this context there is a focus on renewable energy sources. New technologies support those ambitions. There is a variety of rules regulating the use of alternative fuels. However, for the time being no impact on the insurance sector may be identified, and the regulatory system governing the use of such fuels does not address insurance issues.

Cyber risks 2.1 Legislation concerning cyber risks
Identify the concerns have emerged in your jurisdiction as a result of cyber risks. Is there any legislation in place or under consideration that might affect such risks? Comment: possible matters include cyber-terrorism, hacking, computer or software failure and financial fraud.
The threat of cyber risks has recently moved up high on the political agenda of Governments worldwide. It is widely recognized that a comprehensive cyber security strategy is indispensable to meet the increasing global threats. In Germany, various statutory regulations which aim at protecting public safety and order and the domestic economy provide an obligation for members of specific business sectors to apply a proper risk management procedure to prevent information security breaches.

IT security act
With particular focus on the economic dimension of a potential breakdown of certain industrial sectors by massive cyber-attacks, in June 2015 the German legislator enacted the IT Security Act (IT-Sicherheitsgesetz) 26 . This statute mainly aims at improving the IT security of companies. In this context, amendments were made to the various existing acts 27 .
A main focus is put on protecting so-called critical infrastructure, including energy and water supplies, healthcare systems, information technology and telecommunications, food and transportation as well as finance and insurance. A potential breakdown or an impairment of supply services in these areas is expected to have dramatic consequences on the economy, the State and society in Germany. The precise scope of application (for services) within these sectors is specified by an ordinance (KritisV) 28 issued by the Federal Ministry of the Interior, considering their respective importance and the required supply levels. 29 However, microenterprises 30 have been excluded from the scope of its application. 26 IT Security Act of 17 June 2015 (Gesetz zur Erhöhung der Sicherheit informationstechnischer Systeme), BGBl. 2015 I Nr. 31. 27 In particular, BSI Act (BSIG), Telecommunication Act (TKG), Energy Economic Act (EnWG), Atomic Energy Act (AtG). 28 The BSI Kritis ordinance (BSI KritisV) uses specific criteria to govern which operators meet the standards of the IT Security Act, cf. BGBl. 2016 I No. 20 p. 958 (including definitions of the sectors of energy, information technology and telecommunications as well as water and food), BGBl. 2017 I No. 40 p. 1903 (including definitions of the sectors of transport and traffic, health, finance and insurance). 29 Sect. 2 para. 10 sent. 2 in conjunction with sect. 10 para. 1 BSI Act. 30 A microenterprise is defined as an enterprise which employs fewer than 10 persons and whose annual turnover and/or annual balance sheet total does not exceed C 2 Mio., according to appendix Art. 2 para. 1 Nr. 3 of the EC recommendation No. 2003/361.

a. IT security requirements for critical infrastructures
According to Sect. 8a para. 1 of the Federal Office for Information Security (Bundesamt für Sicherheit in der Informationstechnik, BSI) Act, operators of critical infrastructure must provide reasonable organizational and technical precautions to prevent disruption of the availability, integrity, authenticity and confidentiality of their information technology systems, components or processes. Such statutory provisions do not and cannot provide sufficiently detailed guidelines on the preventive technical security measures that have to be implemented; the provisions rather refer to the current state of the art. Organizational and technical precautions should therefore be considered as appropriate if the required effort is not disproportionate to the negative consequences of a potential breakdown of the respective critical infrastructure.
According to the wording of Sect. 8a para. 1 sent. 2 BSI Act, providers of critical infrastructures "shall" comply with the current state of the art. The choice of the word "shall" implies that deviations are possible in justified exceptional cases. This takes account of the fact that providers of critical infrastructures are sometimes prevented from taking measures that are considered as the current state of the art from a security point of view. This applies, for example, in the case of the installation of security updates for operating systems with regard to the uncertainty of their impact to business processes. 31 Beyond that, according to Sect. 8a para. 2 BSI Act, the providers of critical infrastructures and their industry associations are authorized to set out detailed requirements and guidelines regarding IT security which will be approved by the BSI after consultation with other authorities. In this respect, members of critical infrastructures are obliged to prove compliance with the above-mentioned security requirements periodically. 32 Proof can be supplied by presenting recently undertaken security audits, recurring inspections or certifications. 33 In case of detection of security lacks, the BSI is empowered to order their clearance in accordance with the respective authorities. Further control mechanisms have also been implemented to ensure the obligation to establish appropriate security standards. 34 Non-compliance with the rules on IT security requirements is punishable with fines of up to C 100,000. 35

b. Obligation to notify security breaches
Apart from the development of a high IT security level, members of critical infrastructures are obliged to notify security breaches to the BSI (Sect. 8b para. 4 BSI Act ture recognizes a significant disruption of the availability, integrity, authenticity or confidentiality of their information technology system that could cause or already has caused a breakdown or an impairment of his respective critical infrastructure. 36 The notification should be made by the company's notified contact office 37 , which is responsible for procuring administrative support to the BSI. During the legislative procedure, the industry persistently demanded for the opportunity of pseudonymous notification in order to protect the company's reputation. 38 However, Sect. 8b para. 4 sent. 3 BSI Act provides for this option solely in cases where critical infrastructures are not charged with an impairment of functionality by a security incident. The notification obligation of telecommunication providers is even stricter since they do not have any right to report a security incident anonymously. In addition, following the amendment of the Telecommunications Act (Telekommunikationsgesetz, TKG) 39 , telecommunication providers now are obliged to inform users even in cases of suspected impairments of user systems, e.g. potential risks of botnets. 40

c. Federal Office for Information Security (BSI)
In order to meet legislative targets, the IT Security Act strengthens the position of the BSI, particularly by extending duties and powers as stated above. Sect. 8b BSI Act clarifies that the BSI is the central reporting office for members of critical infrastructures in the field of information technology. For this purpose, the BSI is supposed to collect, inter alia, all relevant information concerning the prevention of dangers regarding the IT security of critical infrastructures, detected security lacks as well as malware, and to transfer this knowledge to the various recipients and the respective authorities. 41 In order to fulfill its duties, the BSI is also authorized to carry out compliance checks on products in terms of their safety. 42 In the event of security breakdowns, the BSI is even entitled to force the producer of the respective IT systems to corporate if necessary. 43 The legislative objective was to create a stronger obligation on software manufacturers to provide security patches. 44 It is also worth mentioning that the BSI 36 Spindler, IT-Sicherheitsgesetz und zivilrechtliche Haftung, Computer und Recht (CR) 2016, pp. 297 (300); see also the official justification by the German Federal Parliament, BT-Drs. 18/4096, p. 27 f. 37 See the obligation to notify a contact office in Sect. 8b para. 3 IT Security Act. 38  is obliged to draw up an annual report on current threats in the field of information technology. This serves both for public information and also in order to achieve a higher level of security. 45 d.

Sector-specific provisions
In addition to the statutory framework for the protection of critical infrastructures from risks which may arise in the event of cyber attacks, the German legislator and the competent administrative authorities have enacted further specific rules on cyber security in different acts. 46 While a complete overview would go beyond the scope of this report, individual sectors have already been mentioned, such as telecommunication providers. Another notable sector concerns the area of telemedia providers.
According to Sect. 13 para. 7 Telemedia Act (Telemediengesetz, TMG), commercial telemedia providers have to provide technical and organizational measures to prevent unauthorized access as well as breaches of personal data and disruptions to technical systems wherever technically possible and economically reasonable. This is of particular importance because of the broad term of telemedia providers. 47 Public WLAN hotspots in the hospitality sector, for instance, are sufficient to fit in with the term of commercial telemedia providers. The aim of the provision is to prevent the danger of unperceived transmission of malware merely by the call of single web pages (so called "drive-by downloads"). 48 Infringements against these security measures may incur fines of up to C 50,000. 49

NIS directive
In July 2016, the EU Directive on Security of Network and Information Systems (NIS Directive) passed the European Parliament. This directive has to be implemented into national laws by EU member states by April 2018. As the obligations laid down in the German IT Security Act and the NIS Directive are widely identical (the former is actually a premature implementation of the latter), major amendments to the German IT Security Act are not to be expected.
However, in several aspects, changes to the present German law have been required. 50 In particular, the scope of operators of critical infrastructure concerning the IT Security Act does not entirely mirror the respective requirements of the NIS Directive. One substantial amendment is the extension for providers of digital 45  services as defined in Sect. 2 para. 11 BSI Act. These particularly include online marketplaces, online research engines as well as cloud-computing services. Similarly to the provisions that apply to critical infrastructures, specific requirements concerning preventive measures are provided in Sect. 8c BSI Act.

Data protection law
EU and German Data Protection law also contains IT security requirements to protect personal data, however not with a particular focus on cyber threats. Part B Sect. 32 to 34 EU General Data Protection Regulation (Datenschutzgrundverordnung, DSGVO) draws up provisions regarding security of personal data. Even though the requested measures are not defined in detail but rather depend on criteria of reasonability, the regulation does mention some specific actions, e.g. the encryption of personal data, the ability of data recovery in cases of technical incidents or proof of efficacy concerning security measures.
The notification of a personal data breach to the supervisory authority (unless the fact that the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons) is of particular importance with regard to cyber risks. 51 If, however, the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the company responsible for data processing shall communicate the personal data breach also to the affected parties without undue delay. The latter obligation may apply in cases of unauthorized perusal of confidential data (e.g. bank details). Corporations that process personal data must also be aware of the high level of potential fines in cases of non-compliance with data protection provisions. 52

Product liability of software manufacturers
In response to the impact of cyber risks, the issue of liability of software manufacturers is largely recognized in the political debate. In Germany, the political debate has been encouraged especially by a serious cyber attack in November 2016, that hit many router devices provided by Deutsche Telekom. There are calls for an obligation of software manufacturers to monitor their products after they have been placed on the market, and to force the manufacturers to supply a regular patch management. 53 Appropriately, the European Commission has conducted a consultation on the effectiveness of the Product Liability Directive 54 in terms of damages caused by new technology developments (e.g. autonomous driving, Internet of Things, non-51 Differently to Sect. 42a Federal Data Protection Act (Bundesdatenschutzgesetz) which requires an anticipated severe impairment for the rights or legitimate interests of the affected person. 52 See Sect. 83 EU General Data Protection Regulation. 53 Cf. GDV position paper relating to smart home products, retraceable under https://www.gdv.de/ resource/blob/8254/346747549f0b20cd6a28b6a806a04152/anforderungen-smart-home-iot--900514353data.pdf (last checked on 11 May 2020). 54 Directive 85/374/EEC, OJ 1985, L 210 p. 29. embedded software). 55 Based on the legal discussion in Germany, uncertainties are especially recognized with regard to the question whether non-embedded software falls within the term of "product" according to Art. 2 Product Liability Directive. 56

Reactions to cyber risks
How has the insurance industry responded to cyber risks? In particular: a) do property policies cover losses from cyber risks, or is special insurance required? b) is insurance and reinsurance readily available? c) are there any special restrictions imposed on cyber risks, e.g. event limits or deductibles?

Cyber exposure in traditional lines of insurance
Many damages relating to cyber risks are already covered by standard indemnity and property insurance policies. The cyber exposure in insurance policies that have not excluded damages resulting from cyber risks is often referred to as the "silent cyber risk". In order to get an idea of what cyber exposure really means, first of all it is necessary to describe the scope of the term of "cyber risk". Cyber risks can be both cyber related losses resulting from malicious cyber attacks, such as infecting an IT system with malicious code (e.g. ransomware), and non-malicious acts like loss of data caused by negligent behavior or data breaches in cases of accidental release of personal/confidential data. 57 Against this background, it is more precise to use the term "information security breach" (Informationssicherheitsverletzung). This term establishes a connection to potential damages, while the term "cyber risk" rather could be seen as a peril resulting from the transformation of processes, products as well as services through an intensified use of modern information and communication systems.
The term information security breach is used to describe an impairment of the availability, integrity and confidentiality of data or of information processing systems. A potential damage that may occur in that case is e.g. a business interruption caused by the non-availability of business data or processes. The essential question therefore is whether damages caused by information security breaches are covered in traditional lines of insurances, such as the property and technical insurances as well as liability and fidelity insurances.

a. Property Insurance
As the name implies, property as well as technical insurance policies basically cover damages to property. So far, as traditional policies covering these risks don't contain a general exclusion of damages caused by information security breaches in the event of cyber attacks, property as well as technical insurance cover the related losses.
However, unless insurance policies do not provide specific conditions, the occurrence of a material damage (Sachschaden) is necessary for a claim of insurance benefits. 58 A prominent example is the malfunction or overheating of technical machines of a major steel plant triggered by a takeover of control devices by hackers. Certainly, the situation may be different if the insurance coverage is restricted to damages caused by named perils, e.g. explosion. In this case, the material damage has to be caused by any such event, although the coverage is not excluded if an information security breach has occurred immediately prior to an insured risk. However, usually losses from cyber risks occur independently of a material damage to property. In such cases, there is basically no insurance coverage provided by traditional property as well as technical insurances.
In addition, it should be noted that the International Association of Engineering Insurers (IMIA) has developed a risk exclusion regarding damages directly or indirectly caused by cyber incidents. 59 At the same time, the IMIA developed particular terms for a subsequent re-inclusion. The idea of the IMIA advanced cyber exclusion is to offer underwriters an overview of the wide range of cyber perils. This is aimed at facilitating a consideration within the risk assessment and the premium calculation.

b. Third-party Liability Insurance
A third-party liability insurance provides coverage if the policyholder is held liable by a third party for a loss occurrence that has resulted in personal injury, property damage or pure financial losses arising therefrom. Basically, damages resulting from information security breaches are covered if they fall within the insured risk and are not excluded. Claims for damages resulting from the exchange, transmission or provision of electronic data are mainly covered on the basis of the supplementary conditions for the use of IT technologies relating to the general business liability insurance. 60 Some specific types of liability insurance are extended to claims for compensation of strictly pecuniary losses. Since they do not exclude claims for damages resulting 58 S. Erichsen, Cyber-Risiken und Cyber-Versicherung: Abgrenzung und/oder Ergänzung zu anderen Versicherungssparten, Corporate Compliance (CCZ) 2015, pp. 247 (249). 59 Cf. the endorsement regarding the IMIA advanced cyber exclusion https://cyber-risk-insurance.com/ wp-content/uploads/2018/09/Endorsement-IMIA-Advanced-Cyber-Exclusion-2018-final-24-09-2018. pdf (last checked on 11 May 2020). 60 Cf. the general terms and conditions provided by the German Insurance Association (GDV), https:// www.gdv.de/resource/blob/6200/645bc427462231614fe4a523f6fd0a33/10-zusatzbedingungen-zurbetriebshaftpflichtversicherung-fuer-die-nutzer-von-internet-technologien-data.pdf (last checked on 11 May 2020). from an information security breach-which is not the case at the present time in Germany-, insurance cover is provided under the terms of these policies.
One example is the Directors & Officers liability insurance (D&O insurance). 61 If negligent disregard of IT security measures become apparent during a cyber attack and if one or several of the company's managing and/or supervisory board members are responsible for this breach of duty, a D&O policy will usually cover their liability for financial damages caused to the company (internal liability). Furthermore, various types of professional liability insurance cover third-party claims for compensation of strictly pecuniary losses (reine Vermögensschäden). This is true e.g. for the professional risks of lawyers, notaries public or insurance intermediaries. As a result, cyber risks are also extensively covered in these sectors. Of course, with respect to compulsory insurance it has to be considered that insurance sums which are primarily reserved for damages caused by genuine professional activities could be exhausted by indemnifying losses arising from cyber-attacks.

c. Fidelity insurance
Meanwhile cyber risks have evolved beyond traditional hacking to include sophisticated social engineering methods that rely on undeliberate representatives to effectuate fraud. Social engineering is a method of gathering information by manipulation. In recent years, major companies have more and more been victims of multi-million-dollar fraud schemes concerning financial transactions that were perpetrated online using social engineering. 62 Those risks as well as financial losses caused by deliberative fraud of company representatives are covered by specific fidelity and fraud insurance policies.

Specific cyber insurance coverage concepts
Today, a modern business's most valuable asset frequently exists in cyberspace without physical form. Therefore the perils that these businesses face are not the traditional perils of fires, floods, and other physical forces. 63 The existing insurance concepts are often not able to handle these new perils appropriately. For instance, coverage for pecuniary losses is merely fragmentary, a material damage to property is often required (e.g. in classic business interruption policies which do not include extensions) 64 , and the need for assistance services in the event of cyber attacks, which help to mitigate the loss or damage that occurred, is not addressed. Against this background, the German Insurance Industry Association (Gesamtverband der deutschen Versicherungswirtschaft, GDV) has recently developed specific model terms and conditions of cyber risk insurance, 65 which have been published as noncommittal recommendations for the industry. This cyber risk insurance covers financial losses caused by an information security breach. Designed as a crosssegment multi-line-policy cyber risk insurance contains several elements from traditional lines of insurance such as liability, property and technical insurances. The concept adopts a modular structure and consists of four components: a basic component (A1), a component for reimbursable expenses (A2), a component for insurance cover against third-party liability (A3), as well as against first-party damage (A4).
The basic component of the cover draws up general provisions, which apply to all modules (e.g. the subject-matter of the insurance, the definition of the insured event, general exclusions, the policyholder's obligations, etc.). The component for reimbursable expenses includes, inter alia, costs for forensic investigations to determine an insured security breach, expenses related to crisis management in the purpose of restoration of public reputation, costs for notification in the event of data breach and finally costs for call management. In addition, measures to prevent a forthcoming security breach are also covered up to an agreed sublimit.
Being limited to pure pecuniary losses, a cyber insurance also covers third party damages, for example if a customer or a business partner submits a claim against the policyholder on the basis of a breach of privacy. Finally, the policy concept provides insurance cover against business losses (first-party damage), such as a damage caused as a result of an interruption to business operations. In case of loss of data or data alteration caused by an information security breach, expenses for data recovery are covered too.

Availability of insurance/Reinsurance
In principle, cyber insurance as well as reinsurance is currently available in Germany. Supply even has so far exceeded demand, as-especially in the field of small and medium-sized enterprises-business operators have only recently become more and more aware of their cyber risk exposure and of both the opportunity and the necessity to obtain adequate insurance coverage. The expected rapid growth will be likely to reduce the present difficulties in risk modelling, which are due to the absence of appropriate claims data. Particular problems are caused by the unpredictable accumulation risks that exist in the event of large-scale cyber attacks. An example is the scenario of a breakdown of a cloud service provider. In such a case, all cloud users are affected by one single loss event.
The general terms and conditions of cyber risk insurance provided by the GDV respond to this challenge by clarifying that no insurance cover is being provided for any loss resulting from failure, interruption or malfunctioning of external service providers. 66 Another example for an accumulation risk scenario is a self-reproducing computer virus. The latter includes ransomware, such as "Locky" or "WannaCry". 65 Cf. the general terms and conditions of cyber risk insurance (T&Cs Cyber) provided by the GDV, http:// www.gdv.de/wp-content/uploads/2017/04/AVB_Cyber_April_2017.pdf (last checked on 11 May 2020). 66 Cf. Sect. 2.2 para. 2T&Cs Cyber.

Special restrictions imposed on cyber risk
The insurance of ransom demands is still subject to supervisory restrictions. According to an announcement of the predecessor of the German Federal Financial Services Supervisory Authority (Bundesanstalt für Finanzdienstleistungsaufsicht, BaFin) for the insurance sector, published in 1998 67 , insurance cover of ransom demands, inter alia, must not be offered in combination with other insurance products.
Since these restrictions seem to be no longer appropriate particularly with regard to the insurance of cyber risks, the Supervisory Authority has revised the administrative practice in an announcement dated 15 September 2017, confirming that the combination of ransom demand cover with cyber attack cover in one policy is admissible when certain conditions such as a ban on the promotion of the ransom demand element and increased data protection requirements are respected. 68 Apart from this, there are some special requirements concerning insurance licensing and financial reporting, which follow from the multi-line character of the cyber risk insurance. According to the German Insurance Supervision Act (Versicherungsaufsichtsgesetz, VAG) both authorization and financial reporting are required for each particular class of insurance, as defined in the classification list in Appendix 1 of the Act. Since cyber risk insurance does not constitute a separate class of insurance, insurance companies need to seek authorization as well as to perform financial reporting for any class that is addressed by the general terms and conditions of cyber risk insurance.
Finally, even if there is no explicit legislation or jurisdiction, it is noteworthy that the legal admissibility of insurance cover for financial penalties issued by public authorities e.g. in cases of data protection infringements is being discussed controversially in Germany. 69 In this context, it is often assumed that the insurance of financial penalties may create negative incentives and is therefore contrary to the preventative purpose of the respective sanctions. 70

New technologies and the insurance process
To what extent have the availability of new technologies affected the way in which insurance policies are placed? In particular:

General remarks
New technologies have already begun to disrupt the traditional distribution of insurance products by agents and brokers. A vast variety of new competitors, mainly start-ups (so called FinTechs or, more specifically, InsurTechs), have entered the distribution sector relying on new technologies, namely comparison portals, online insurers, broker apps for smartphones, etc. These newcomers have induced traditional distributors of insurance products to rethink their own means of distribution and to adopt new technology standards. It has been more and more acknowledged that via such means of distribution the insurance industry can easily assess and mobilize new costumer groups, especially youngsters, who have a genuine affinity towards digital product supply, and who would not easily be motivated to use traditional lines of distribution, such as agencies.
The effects and influences of new technologies on the traditional use of agents and brokers are immense and of a vast variety. The following remarks address selected issues that are of particular importance to the distribution sector.

Distributor or mere "tip provider"?
Distributors of insurance products (agents and brokers 71 ) need to seek permission of the local Chamber of Industry and Commerce before they start offering and distributing insurance products in Germany. 72 Carrying out such activity without formal admission can be fined up to C 5000. 73 In contrast, a mere "tip" or hint to the insurance company that a certain individual might be interested in concluding a contract, or the providing of contact data of a certain insurance company or a broker, do not qualify as distribution in the legal sense. 74 Hence, such activities may be conducted without a formal concession by the competent authorities.
Therefore, it is necessary to distinguish between mere "tip providers" (Tippgeber) and distributors, especially when online distribution is at stake, since there exists a large variety of different business schemes and models. The German Federal Court (Bundesgerichtshof, BGH) 75 has ruled that in order to achieve a high level of consumer protection the term "distribution" must not be interpreted narrowly. Nevertheless, the classification of an activity as "insurance distribution" requires at least the advice to conclude a specific contract. Accordingly, providing general information on certain insurance products does not constitute an activity of distribution, and may therefore be carried out without concession. The BGH ruling particularly concerns online distribution, and it offers guidelines for a variety of business models that deal with or are related to distance selling of insurance contracts. 71

Pre-Contractual duty to advise insurance seekers
When distributing insurance products in the physical (analogue) world, distributors have a legal duty to advise the seeker of insurance if and what kind of policy to sign so that his needs are best met. 76 During the revision of the German Insurance Contract Act (ICA, Versicherungsvertragsgesetz, VVG) in 2008, the German legislator thought that distributors relying on distance selling by means of the internet were disadvantaged when it comes to rendering qualified advice to the costumers with regard to their product choice. The prevailing opinion was that-given the technological possibilities at the time-online insurers were unable to consult and advise insurance seekers in the way the law obliges distributors and insurers to do. 77 Therefore, online insurers were expressly exempt from the pre-contractual duty to advise customers on which insurance product meets their needs best. Rather inconsistently, this statutory exception did solely apply to online insurers and not to online brokers, raising the question if such a differentiation was justified. 78 However, in the course of transforming the EU Insurance Distribution Directive 79 into national German law 80 the aforementioned exception was abolished on the basis of the finding that technological progress has now enabled online insurers to pre-contractually advise their customers properly. 81 This change has come into effect on 23 February 2018. Since then, online brokers and insurers have to precontractually advise clients to the same extent their colleagues who operate in the analogous mode are obliged to. Given the numerous digital tools provided through technological progress facilitating identification and assessment of individual risks (e.g. question tools with explanation boxes, instant chat tools, video chats, broker apps, etc.) the abolishment of the exception seems more than appropriate.

Broker apps
Broker apps, which have virtually flooded the German distribution sector in recent years, have triggered a lot of controversy and brought up a number of legal issues. 82 In general, those apps are frequently structured as a kind of "digital insurance folder", which allows not only to conclude new contracts through the app, but also to digitalize existing policies. Therefore, app operators have concluded framework 76 Sect. 6, 61 VVG. 77  contracts with insurance companies that provide a digitalized copy of the customer's policy when having been given a brokerage mandate by the user.
This business model therefore significantly depends on the IT infrastructure of the individual insurance company since this company has to provide a digital interface in order to exchange data with the operator of the broker app. Such business models have a high market potential as long as they comply with existing rules and provisions. They might even fundamentally reshape the views on insurance selling.
Broker apps have brought up specific transparency issues. Since those apps work on the basis of a broker mandate customers need to issue such a mandate before using the app. In practice for the time being only a few of the broker apps available on the German market clearly and comprehensively explain to their users the legal consequences of such a mandate, and especially the fact that any existing mandates with another broker will be terminated once the mandate is given. Therefore traditional distributors have criticised this business model. In some cases, broker apps do not even properly offer the legally required 83 information about their status at all.
Another example for the ongoing discussion in Germany is offered by contract clauses waiving liability for the loss of policy documents. Since such apps are often commercially marketed as instruments which provide for the entire policy management, those waivers have risen concerns about their compliance with statutory law. 84 Eventually, a key issue with broker apps is the proper transmission of information to the costumers (for a closer examination of this problem see infra, sub III).

Impact of data on the underwriting process
Big data models and analysis methods, as well as new data sources, have enabled insurers and other distributors of insurance services to gather information concerning the individual risk on a large scale. Therefore, they play a key role in risk assessment. The collection of huge amounts of data, especially from public sources, and the aggregation and interlinking of those data, have noticeably facilitated the calculation of insurance products. An example is offered by telematics-based tariffs in the motor insurance sector, which rely on the constant gathering of data about the driving behaviour. 85 However, there are comprehensive legal requirements that must be met when collecting, assessing and interlinking data on such a scale for the purpose of precontractual risk assessment. The following remarks address the key issues of data protection law in Germany and in Europe with regard to big data analysis methods. 83 Sect. 11 Versicherungsvermittlerverordnung, VersVermV. Basically, any processing of personal data 86 needs to be justified either by consent or by statutory provision. Otherwise the data processing is unlawful and can be severely fined with up to C 20 Mio. or 4% of the total worldwide annual turnover of the preceding financial year, depending on which amount is higher. 87 Without consent of the data subject, the processing of ordinary personal data is lawful if it is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract. 88 The pre-contractual risk assessment is clearly a prerequisite for the conclusion of an insurance contract. Hence, general data processing in that phase is legally allowed, even without consent.
Some more specific provisions apply to so-called special categories of data. If the personal data processed are classified as such special categories of personal data (such as data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and genetic data, biometric data, data concerning health or data concerning a natural person's sex life or sexual orientation), 89 the admissibility of processing such data for the purpose of risk assessment depends-at least in the ordinary course of events-on the consent of the so-called data subject (i.e. the individual applicant).
Furthermore, data protection law limits big data analysis methods and the required gathering of large amounts of data by stating that personal data shall be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (principle of data minimization). 90 The gathering of enormous amounts of personal data just for the purpose of accidentally finding links between them is therefore forbidden under EU and German data protection law.
In addition, even when big data analysis methods comply with the principle of data minimization, the aggregation of data for the purposes of profiling is further limited and restricted by Art. 22 of the EU General Data Protection Regulation (GDPR) 91 . For the purposes of the GDRP profiling is defined as any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyze or predict aspects concerning that natural person's performance at work, economic situation, health, personal preferences, interests, reliability, behavior, location or movements. 92 86 Personal data is defined as any information relating to an identified or identifiable natural person ('data subject'); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person (Art. 4 para. 1 GDPR). 87  The regulation grants the data subject the right to not be subject to (contractual) decisions of the controller 93 which are based solely on automated processing. An exception is made in Art. 22 para. 2 lit. a GDPR for cases where the decision is necessary for entering into or performance of a contract between the data subject and the controller meaning that even profiling is allowed as long as and to the extent automated decisions on the basis of the profiling results are necessary for contract conclusion. In case of a dispute the controller is obliged to demonstrate this necessity. These provisions are flanked by procedural requirements that aim at securing compliance with Art. 22 GDPR. 94 Finally an important development consists in the use of big data in order to improve risk assessment with regard to non-personal data that are not governed by data protection law. For instance the predictability e.g. of natural catastrophes or of the economic consequences of supply chain interruptions may be improved, and risk-adequate premiums may be calculated more precisely by collecting and evaluating such non-personal data.

Impact on the means of providing information
It is generally acknowledged that new technologies have considerably affected the way distributors and insurers provide information to their customers in Germany. This is basically due to the fact that the use of digital technology is cost efficient (or at least more efficient than providing printed information). Insurers are legally obliged to provide not only the terms and conditions of the policy, but also a so-called product information sheet (Produktinformationsblatt), as well as the documentation of any advice rendered 95 , prior to the conclusion of the contract 96 . Therefore, it is attractive for insurance companies and mediators to provide any such information through a digital channel.
Generally, German law does not prohibit the transmission of pre-contractual information via the internet. The only requirement which must be met is that all pre-contractual information has to be communicated to the customer on a durable medium (dauerhafter Datenträger). 97 A durable medium is defined as a medium that enables the recipient to retain or store any individual information included on the medium in a way that enables him to access the information for a period of time which is adequate to its purpose, and that allows the unchanged reproduction of such declaration. 98 This means that the mere presentation of the pre-contractual information on a website is not sufficient to meet these requirements. 93 Art. 4 para. 7 GDPR. 94  Hence, the discussion focuses mainly on whether or not so-called sophisticated websites can be categorized as durable mediums given that legal definition. 99 Generally, the term sophisticated website refers to two different website designs. 100 The first of these designs is an obligatory download (Zwangsdownload), which means that the applicant is required to download all pre-contractual information offered to him before transmitting his binding acceptance of the contract to the insurer. This goal can technically be achieved by blocking any further proceedings as long as such a download has not taken place. Once the applicant has initiated and completed the download, the information-then stored on the hard drive of his terminal device-has been communicated according to the statutory requirements. 101 However, such a website design might still entail difficulties when it is controversial whether the download was in fact carried out successfully. 102 Hence, insurance companies have started to create a second design, consisting of personalized storage spaces (personalisierte Bereiche) for applicants. These spaces are located on the insurers' servers, where they store the pre-contractual information. In addition, the insurer needs to inform the applicant that he can download the files by accessing the server via his personal profile (usually protected by username and password). This option aims at avoiding any controversy about downloads. 103 Having said this, it is not beyond doubt if such a private storage on servers controlled by the insurer qualifies as a durable medium. A recent ruling of the European Court of Justice (ECJ) 104 may lead to the assumption that such website designs are sufficient for the transmission of information in the way required by statutory law. Nevertheless, this ruling is based on the factual assumption that the data stored on the insurer's servers on behalf of the applicant cannot be changed once they are stored. This assumption is inaccurate. As long as the insurer controls the server this-at least factually-includes control of the information stored on that server, which might at least theoretically be modified (e.g. by exchanging General Contract Terms without the consent or even the knowledge of the policyholder). Therefore, the discussion has not yet terminated. Using such website designs thus still entails a certain legal risk. 105

Genetic testing and insurance
To what extent is genetic testing regarded as important by life and accident insurers? Is there any legislation in place or in contemplation restricting requests for genetic information, and are there any relevant rules on privacy that preclude its disclosure?
Taking into account the importance of pre-contractual risk assessment, the economic significance of information about an applicant's genetic disposition is evident, especially with regard to life and health care insurance. 106 A genetic precondition might enhance the personal risk of the applicant to get a serious medical condition and thus point to a risk that may be far higher than average.
On the other hand, it is generally acknowledged that the insurer must be allowed to ask the applicant questions concerning his state of health, about any kind of medical precondition, etc. 107 For that purpose the insurer is-with consent of the applicant-even authorized to collect medical information about the applicant from health care professionals such as medical doctors or hospitals. 108 The applicant has a corresponding obligation to disclose such information asked for by the insurer as long as the information is risk-related. 109 If the answer to a question asked by the insurer in the context of pre-contractual risk assessment turns out to be inaccurate this may lead to severe remedies, such as the right of the insurer to withdraw from the contract or the right to retroactively exclude the respective risks. 110 In that context, the question arises whether or not insurers should be unrestrictedly entitled to ask applicants not only about the results of genetic testing which the applicant has already undergone, but also oblige him to carry out such tests in order to obtain insurance cover. Taking into account the right (and the obligation, with regard to other policyholders) of the insurer to assess the individual risk of the applicant properly and correctly, one would tend to grant the insurer such powers. However, Art. 2 para. 1 of the German Constitution (Grundgesetz, GG) guarantees the right of free development of the personality. This fundamental right includes the right not to know about one's own genetic dispositions, which the legislator is constitutionally obliged to protect. 111 Furthermore, the disclosure of results of genetic tests the applicant had already undergone before seeking insurance cover may lead to discrimination based on the genetic disposition of the applicant. 112 In order to address this issue, in 2010 the German legislator passed the Genetic Diagnostics Act (GDA, Gendiagnostikgesetz, GenDG). This Act strictly limits the right of the insurer to ask applicants to disclose results of tests already conducted and the right to oblige applicants to undergo genetics examination. 113 As a rule the GDA bans the insurer from asking for any kind of genetic testing or information before and after the contract is concluded. Furthermore, the insurer is not allowed to ask for results of previously taken tests. Thus the legislator aims at ascertaining that the insurer shall neither receive nor use any such information. 114 However, an exception is made with regard to life, occupational disability, disability and long-term care insurance provided that the insurance sum exceeds C 300,000 or an annuity exceeds C 30,000, as in these cases the interest of the insurer to know the results of genetic testing the applicant has already undergone surpasses the interest of the applicant not to disclose such information. This exception has been implemented in order to prevent applicants from abusing their information advantage in large policies, as this would constitute a risk of adverse selection. 115 Furthermore, in any case illnesses and pre-existing conditions need to be disclosed upon demand even if they were diagnosed by using means of genetic analysis. 116

Impact of data on claims assessment
Has the assessment of claims been affected by the availability of data? In particular, are there any industry-wide arrangements in place whereby insurers can share information on fraud?
First of all, the sheer endless availability of data has enormously influenced and reshaped the means which insurers have at their disposal when assessing individual claims. For instance, data collected by a so-called black box used for telematicsbased car insurance policies can be used in order to properly reconstruct the course of an accident giving indications about whether or not the insurer is released from liability. Another example is that data collected by so-called smart homes facilitate the assessment whether or not the policyholder has complied with contractual obligations.
Furthermore, when it comes to (attempted) fraud, the German insurance industry has established an elaborate reference and information system (Hinweisund Informationssystem der Versicherungswirtschaft, HIS). 117 The purpose of this system is to facilitate risk assessment, to prevent fraud and to secure and protect the interests of the insurer as well as the collective of policyholders. The system is compliant with EU and German data protection provisions. 118 In case it is found that a policyholder is suspected of committing fraud or attempted to commit fraud (e.g. by faking or pretending an insured event) the respective data are, under certain conditions, stored on the servers of the HIS. Other insurance companies may then access these data when pre-contractually assessing the risk of an applicant or assessing the righteousness of a claim brought before them by a policyholder. It is worth noticing that an entry in the HIS does not trigger any kind of automatism with regard to the insurer's decision to reject applications or claims. An entry might just be used as an indication for the insurer to carry out special means of risk assessment or to have a closer look at certain aspects of the claim.

Other new technology risks
Are there any other particular risks from the new technologies that have been identified in your jurisdiction? If so, is there any legislation in place or under consideration to regulate them?

Robotic
Further risks from new technologies refer to the field of robotics and artificial intelligence. A debate regarding harmonized liability rules has already started, particularly at the EU level. There is a broad consensus that EU-wide rules are needed for the fast-evolving field of robotics, e.g. in order to enforce ethical standards or to establish liability for accidents involving driverless cars. Members of the European Parliament have already asked the European Commission to propose rules on robotics and artificial intelligence in order to fully exploit their economic potential and to guarantee a uniform level of safety and security. The European Parliament has decided to adopt their resolution of 16 February 2017 with a recommendation to the Commission on Civil Law Rules on Robotics. 119 However, as mentioned above, the European Commission has already launched a consultation on the effectiveness of 117 For an overview see GDV, Hinweis-und Informationssystem der deutschen Versicherer-HIS. Was es ist und was es leistet, retraceable under https://www.gdv.de/resource/blob/22238/57a862a758a29769749157 db0fc633c9/broschuere-hinweis-und-informationssystem-der-deutschen-versicherer-his-was-es-istund-was-es-leistet-data.pdf (last checked on 11 May 2020). 118  the Product Liability Directive 120 with regard to damages caused by new technology developments.

Nanotechnology
Risks resulting from the use of nanotechnology also fall within the scope of new technology risks. Products made by using nanotechnology comprise yet unknown or unassessed risks which are hence to be categorized as emerging risks. 121 Further technological and scientific progress thus depends on reliable insurance solutions. Therefore, insurance companies play a key role with regard to setting the basis for innovation in the field of nanotechnologies. While the risk itself-at least in its entirety-may in fact hardly be assessed correctly, the contractual practice offers instruments that are suitable to address this challenge, e.g. a reasonable limitation of insurance sums and of the duration of the policy, the establishment of minimum standards for security, the definition of the insured event based on the claims made principle, etc. 122 Funding Open access funding provided by Projekt DEAL.
Open Access This article is licensed under a Creative Commons Attribution 4.0 International License, which permits use, sharing, adaptation, distribution and reproduction in any medium or format, as long as you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons licence, and indicate if changes were made.
The images or other third party material in this article are included in the article's Creative Commons licence, unless indicated otherwise in a credit line to the material. If material is not included in the article's Creative Commons licence and your intended use is not permitted by statutory regulation or exceeds the permitted use, you will need to obtain permission directly from the copyright holder.