Smart Contracts - Function, Rules & Audit

Smart contracts are the execution medium of the future, with a significant impact on the digital world of work - especially in the Internet of Things. They have huge disruptive potential and their use is only just beginning. Comprehensive advice will keep you legally on the safe side.


What is a Smart Contract?

A smart contract is software that automatically executes legal relationships, or parts of them such as individual contractual obligations, according to predefined rules ('self-enforcing'). Strictly speaking, it is not a contract but software that represents and executes a contractual agreement. Typically, the code maps contractual obligations and the consequences of breaches onto binary 'if/then' rules: if a contractual condition is met, then a predetermined consequence is triggered.

How do Smart Contracts work?

In a traditional client-server architecture, the server operator executes the smart contract as a third party independent of the specific contractual relationship, and the contracting parties have to trust that operator. The situation is different when a smart contract is implemented on a blockchain. A blockchain is a decentralised database in which blocks are chained together in chronological order. It is distributed across many computers ('nodes') in the network, each of which holds its own copy ('distributed ledger'). A new block is only added once the nodes in the network have accepted it, after which every copy is updated. The smart contract is then executed autonomously by the nodes in the network.

Since neither the parties nor a third party can subsequently alter the blockchain, it is tamper-proof. This strengthens trust between the contracting parties. The decentralised blockchain architecture eliminates the need for intermediaries. This allows individuals who do not know each other to enter into agreements over the internet using tokens (digital units of value).

Example: car leasing

One example is a car leasing contract in which the car's lock is only released by a smart contract if the leasing instalment has been paid beforehand (smart lock). In the event of a verifiable, clearly identifiable breach of duty, further access is denied. This is achieved in the so-called Internet of Things ('IoT') using objects that are networked with each other via the Internet. Smart contracts can also act as 'quasi-trustees', for example by collecting cryptoassets when a contract is concluded but only transferring them after a cancellation period has expired. If an investor acquires a security that is embodied in a token, the investor's rights (e.g. consumer cancellation or termination rights) can also be programmed into the smart contract underlying the token. Another application scenario is automated payment in the event of an insurance claim.

The examples show that smart contracts are particularly useful where services are provided purely digitally or where their provision should at least be digitally monitored and controlled.

Ethereum Smart Contract chain

A popular blockchain solution for smart contracts is the Ethereum chain. It provides a low-cost infrastructure in which any type of smart contract for any type of value exchange can be created using lean code. The programming language developed specifically for Ethereum smart contracts is called Solidity. Contract clauses can be designed on a modular principle and technically combined in various ways. Data interfaces known as oracles can also be used to supply additional information required for execution, such as payment and delivery status, environmental conditions, securities prices and the like. A set of several interlocking smart contracts that together form a complex structure is called a DAO (Decentralised Autonomous Organisation).

Smart Contracts work without blockchain

Although the archetypal smart contract runs on a blockchain, the concept of a smart contract is not tied to blockchain technology. The car access control example shown above can also be implemented in the IoT without a blockchain. The smart contract would then be monitored and executed on a central server or cloud system.

What regulations and legislation exist for Smart Contracts?

From a contract law perspective, it is necessary to distinguish between the legal conclusion of a contract and its technical execution through a smart contract. In practice, these processes may coincide. The conclusion of a contract according to §§ 145 ff. BGB (German Civil Code) is prepared by the technical implementation of the smart contract. The contract is concluded at least tacitly (implied) at the latest when it is executed, for example by payment of an insurance premium. Every smart contract is therefore based on an (implied) contract, which forms the legal basis for the service provided.

Data Act

Regulation (EU) 2023/2854 on harmonised rules for fair access to and use of data, or the Data Act for short, came into force on 11 January 2024. The regulation focuses on data access and data sharing rights in favour of users of IoT devices. This means that all manufacturers of connected products will be covered by the Data Act. This includes autonomous vehicles and their components, virtual assistants, industrial systems, household appliances, medical devices and providers of related services that enable individual functions of the connected product, for example.

However, in order to give those affected who fall within the scope of the Data Act sufficient time to adapt to the new regulations and take the necessary measures, the regulations will not apply until 12 September 2025 (Art. 50 para. 2 Data Act).

For the first time, smart contracts are legally defined (Art. 2 No. 39 Data Act) and regulated (Art. 36 Data Act).

The intention of the EU legislator is to promote smart contracts for the automated execution of agreements on the transfer or provision of data (recital 104 of the Data Act). In terms of regulation, the Data Act does not distinguish between blockchain-based and centrally controlled smart contracts; both technical variants are subject to uniform regulation.

In IoT practice, smart contracts can facilitate data exchange through coded access rules. Appropriate programming can ensure that certain data is only made available to authorised recipients and to a defined extent (technical role and authorisation concept for data portability using smart contracts). In addition, all data accesses can be logged (blockchain-based, tamper-proof).

According to Art. 2 No. 39 Data Act, a smart contract is a computer program used for the automated execution of an agreement or part thereof, using a sequence of electronic data records and ensuring their integrity and the accuracy of their chronological order.

As a rule, the "agreement" will be a data exchange contract in which, for example, the availability of data and protective measures within the meaning of the Data Act are technically controlled by a smart contract.

Art. 36 Data Act regulates the essential requirements for smart contracts for the execution of data sharing agreements. The standard aims to simplify data exchange by defining standardised requirements and ensuring a high level of security for smart contracts.

The application of the provisions of civil, contract and consumer protection law to data sharing agreements remains unaffected by the use of smart contracts (Recital 104, final sentence, Data Act). For example, the German Civil Code (BGB) will continue to apply in the event of default if the content of a data transfer agreement is incorrectly implemented by a smart contract.

EU Product Liability Directive and GDPR

In addition, defective smart contracts are covered by the amendment to the EU Product Liability Directive. This explicitly includes software in its scope. The requirements of the GDPR apply to the processing of personal data by a smart contract.

Other legal requirements, such as those of the NIS 2 Directive, may apply in addition to the requirements of Art. 36 para. 1 Data Act.

What are the risks of using Smart Contracts?

The legal definition of smart contracts is very broad, which leads to a certain lack of definition and vagueness. There is a risk that Art. 36 of the Data Act, which sets out the essential requirements for smart contracts for data sharing agreements, covers a large number of conventional IT systems and programs, particularly in the automotive and financial sectors. There is therefore currently a risk that Art. 36 of the Data Act will create additional bureaucracy for numerous software products without specific potential risks, which is disproportionate to the benefits of the intended interoperable data portability. As a result, there is a risk of disincentives to innovation.

The Data Act makes clear that a smart contract is not a contract in the legal sense, but rather a technical implementation mechanism. However, it is not clearly defined whether the corresponding computer program must be a stand-alone software application or whether it is sufficient for it to be (only) part of marketed software. In view of the far-reaching obligations and consequences of Art. 36 of the Data Act, such as the declaration and assessment of conformity, this may have different economic consequences:

If each smart contract were always considered a stand-alone software product, all vendors would be required to perform a conformity assessment, among other things. This would be a complex, costly and time-consuming process. For example, a single smart contract that regulates the technical control of the scope of data access is unlikely to warrant a conformity assessment of the corresponding software.

On the other hand, if smart contracts are considered as part of a larger software application that is placed on the market, the legal obligations would only apply to the entire product. This would be both practical and resource efficient.

What is a Smart Contract Audit?

A smart contract audit is used to check whether a smart contract complies with the relevant legal requirements and can be used in a lawful manner. As explained above, the Data Act sets out specific legal and technical design requirements for smart contracts. The audit will ensure compliance with these requirements. A key aspect of the audit is also the adaptation of the data transfer agreements associated with the smart contract. This is the only way to ensure that the smart contract is implemented smoothly and compliantly in practice.

If no smart contracts have been developed yet, but development is planned, it is also advisable to carry out a pre-audit. This assesses whether a smart contract is suitable for the intended use case at all. If this is the case, it is then analysed whether the desired contractual agreement can be legally and technically represented by a smart contract. The pre-audit helps to identify potential legal hurdles and technical challenges in advance, so that it can be ensured from the outset that the use of a smart contract is not only technically feasible, but also legally permissible and sensible. This ensures that significant resources are not invested in the development of a smart contract that ultimately does not meet legal requirements or cannot be used in the intended context.

How does a smart contract audit work?

Review of the data transfer agreement

Under the Data Act, the audit is based on the requirements of Art. 36. The Act's scope is triggered when smart contracts are used to execute a data sharing agreement. The audit is therefore limited to smart contracts that involve automated data exchange, data access or data use as defined by the Data Act.

Technical and legal synchronisation

The implementation of smart contracts requires a direct technical link to the full or partial execution of the relevant agreements. This may include both the technical implementation of key performance obligations, such as the scope of data access, and the implementation of other protection obligations, such as technical measures against unauthorised access or use, in accordance with the relevant agreement. However, not all obligations of a data supply agreement need to be fully implemented by smart contracts. The legal passage on 'partial' implementation makes this clear.

IT security law review

The primary legal consequence of Art. 36 Data Act is the individual obligation to comply with certain technical requirements for smart contracts. These requirements are characterised by IT security aspects. Smart contracts must be designed in such a way that they have sufficient robustness and effective access control mechanisms to prevent malfunctions and withstand manipulation by third parties. However, this requirement does not apply to the data processed by the smart contracts that serve as the object of exchange or to oracles.

Kill switch

As smart contracts implement the execution of a data provision agreement, it must be possible to terminate them if required by the underlying contract. This so-called "kill switch" was the subject of controversial discussions during the legislative process. The crypto community saw the kill switch clause as a threat to blockchain-based smart contracts, as this requirement is diametrically opposed to the decentralisation and immutability of the blockchain. The technical feasibility of this requirement for smart contracts on public blockchains is indeed problematic, as they cannot be terminated externally. In practice, however, it can be assumed that the tension between blockchain and Art. 36 Data Act is less than generally assumed. This is due to the fact that smart contracts for the management of cryptocurrencies generally do not constitute data exchange agreements within the meaning of Art. 36 Data Act. Their primary purpose is the processing of financial transactions, not the exchange of data in the Internet of Things (IoT).
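To make the requirements discussed above concrete (coded access rules with a defined extent per recipient, tamper-proof logging of every access, access control and a kill switch that only the contracting parties can trigger), here is an illustrative Solidity contract written for this page. It is an added example, not code from the page, the legislator or any project; the contract name, party roles and dataset identifiers are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;
// Hypothetical data sharing agreement (added example; names and identifiers are assumptions).
contract DataSharingAgreement {
    address public immutable dataHolder; // party granting access to its data
    address public immutable dataUser;   // counterparty under the agreement
    bool public terminated;              // set once by the kill switch

    // Extent of an authorisation: which dataset, and until when.
    struct Grant {
        bytes32 datasetId;
        uint64 validUntil; // unix timestamp; 0 means no grant exists
    }
    mapping(address => Grant) private grants;

    // Every access attempt is recorded on-chain, so the log cannot be altered later.
    event AccessLogged(address indexed recipient, bytes32 indexed datasetId, bool granted);
    event Terminated(address indexed by, string reason);

    error NotAuthorised();
    error AgreementTerminated();

    // After termination no function that executes the agreement may run.
    modifier onlyLive() {
        if (terminated) revert AgreementTerminated();
        _;
    }

    constructor(address _dataUser) {
        dataHolder = msg.sender;
        dataUser = _dataUser;
    }

    // Only the data holder defines who may access which dataset and for how long.
    function grantAccess(address recipient, bytes32 datasetId, uint64 validUntil) external onlyLive {
        if (msg.sender != dataHolder) revert NotAuthorised();
        grants[recipient] = Grant(datasetId, validUntil);
    }

    // Coded access rule: true only for an unexpired grant on the requested dataset.
    // Denied attempts are logged as well, which is what an audit trail needs.
    function requestAccess(bytes32 datasetId) external onlyLive returns (bool ok) {
        Grant memory g = grants[msg.sender];
        ok = g.validUntil != 0 && g.datasetId == datasetId && block.timestamp <= g.validUntil;
        emit AccessLogged(msg.sender, datasetId, ok);
    }

    // Kill switch: only the two contracting parties may terminate, and the stated
    // reason is recorded so that an unauthorised activation can be traced.
    function terminate(string calldata reason) external onlyLive {
        if (msg.sender != dataHolder && msg.sender != dataUser) revert NotAuthorised();
        terminated = true;
        emit Terminated(msg.sender, reason);
    }
}
```

Who may call terminate and under which conditions is exactly the contractual question the audit has to map; here the code only enforces that the caller is one of the two parties and leaves the justification to the recorded reason.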

Data archiving and continuity

The law also regulates requirements for data archiving and data continuity. If the data in question also includes personal data, the GDPR's retention periods must be taken into account when archiving the data.

Conformity assessment

The provider or user of smart contracts for data provision agreements is obliged to carry out a conformity assessment in order to meet the essential requirements set out in Art. 36 para. 1 Data Act. An EU declaration of conformity must then be issued. The conformity assessment and the issuance of the declaration of conformity are carried out by the provider itself (internal conformity assessment). The content of the conformity assessment must relate to the requirements specified in para. 1. By issuing the EU declaration of conformity, the provider assumes responsibility for the fulfilment of the essential requirements under Art. 36 para. 1 Data Act. The civil law consequences of a missing or incorrect declaration of conformity are to be assessed in accordance with the German Civil Code. For example, the absence of a declaration of conformity may be considered a defect.

Who should have a smart contract audit performed?

The addressee and obligor under Art. 36 of the Data Act is, on the one hand, the provider of an application in which smart contracts are used (financial, automotive, electricity companies, etc.) and, on the other hand, any person whose commercial, business or professional activity involves the use of smart contracts for third parties (developers, software companies). Due to the broad scope of the legal definition, traditional computer programs are also subject to regulation. Companies using smart contracts for data exchange and data access/use should therefore ensure that their smart contracts are reviewed. Stakeholders need to ensure that their contracts comply with the new legal requirements and that the programs do not have any IT security gaps. An audit will ensure that the implementation is both technically correct and legally compliant, providing protection against potential legal and financial risks.

What does SRD Rechtsanwälte's advice on smart contracts involve?

Smart contracts have been specifically made subject to regulation under the Data Act because they have the potential to provide both data owners and data recipients in the IoT with assurance that the conditions for data sharing are reliably met. The benefits of smart contracts can be realised as long as compliance requirements are consistently adhered to. This requires specialised consultants with both legal and technical expertise.

As part of a smart contract audit, we create or review your data sharing agreement and synchronise it with the smart contract as the technical execution medium in a legally compliant manner. As shown above, it is not enough for data to be exchanged during the execution of the contract. Rather, the main object of the contract must explicitly focus on the provision, transfer or exchange of data. In addition, the question of who should be able to trigger the "kill switch" and under what circumstances must be urgently addressed.

As a result, the individual contractual provisions for terminating data exchange need to be mapped. Unauthorised activation of the kill switch may constitute a breach of contract. As part of the more comprehensive smart contract audit, we ensure that all requirements of Art. 36 Data Act and other legal requirements are fully met. On this basis, you can then issue your declaration of compliance.