Expanding Freedom and Democracy
Freedom on the Net 2023

Germany

Free
77
100
A Obstacles to Access 23 25
B Limits on Content 28 35
C Violations of User Rights 26 40
Last Year's Score & Status
77 100 Free
Scores are based on a scale of 0 (least free) to 100 (most free). See the research methodology and report acknowledgements.

header1 Overview

The overall state of internet freedom in Germany remains strong. Germans have been targeted by pro-Kremlin disinformation, which has intensified since Russia’s full-scale invasion of Ukraine in February 2022. The media and civil society frequently and openly discuss the state of internet freedom. Issues, such as the European Union (EU) order to block Russian-state owned media outlets, are often given great prominence in widely read online news publications, though some controversial surveillance issues receive less coverage. An independent court system provides oversight on regulatory measures adopted by the executive and the legislature.

Germany is a representative democracy with a vibrant political culture and civil society. Political rights and civil liberties are largely assured both in law and practice. The political system is influenced by the country’s totalitarian past, with constitutional safeguards designed to prevent authoritarian rule. Although Germany has generally been stable since the mid-20th century, political tensions have grown in recent years. following a sharp increase in the number of asylum seekers in the country, the growing popularity of right-wing populist movements, the Kremlin’s full-scale invasion of Ukraine, and debates about sustainability and the climate.

header2 Key Developments, June 1, 2022 – May 31, 2023

  • Throughout the coverage period, a disinformation campaign originating from Russia shared links to fake versions of prominent German news sites across social media platforms; the links contained pro-Kremlin propaganda about the invasion of Ukraine (see B5).
  • In June 2022, the government refused to acknowledge whether the Federal Criminal Police Office (BKA) had used NSO Group’s Pegasus spyware, after September 2021 media reports confirmed the government had purchased the surveillance tool (see C5).
  • After opening an office to handle cases stemming from April 2021 amendments to the Network Enforcement Act (NetzDG), which compels companies to report certain nationalist and extremist content to the BKA, the agency had received significantly fewer reports than anticipated as of August 2022 (see C6).

A Obstacles to Access

A1 1.00-6.00 pts0-6 pts
Do infrastructural limitations restrict access to the internet or the speed and quality of internet connections? 6.006 6.006

Germany’s network infrastructure for information and communication technologies (ICTs) is well developed, and its overall internet penetration rate is above the EU average; in 2022, 93 percent of German residents used the internet.1 According to 2022 data from the Organization for Economic Cooperation and Development (OECD), the fixed broadband penetration rate was 44.4 percent while the mobile broadband penetration rate was 94.8 percent.2

For years, the government struggled to make significant progress toward providing high-speed internet access to every household.3 In November 2021, the newly elected coalition of the Social Democratic Party (SPD), Alliance 90/The Greens (Bündnis 90/Die Grünen), and Free Democratic Party (FDP) announced their plan to offer widespread fiber-optic connections by focusing on regional “white spots” and reducing bureaucratic barriers.4 In March 2022, the Federal Ministry for Digital and Transport (BMDV) promised to triple connections by 2025 and provide countrywide to-the-home connections by 2030.5 After significant international investments,6 access to fiber-optic connections reached a new high of 26 percent in 2022.7

According to the 2022 report from the Federal Network Agency (BNetzA), the telecommunications regulator, the most widely used mode of fixed-line internet access is still DSL (digital subscriber line), with 24.7 million connections, accounting for 66 percent of all fixed-line connections in 2022.8 Connections with speeds of more than 50 Mbps are available in about 93.2 percent of German households.9

However, the recent investment boom has led to inefficiencies in the roll-out of fiber optics. The formerly state-owned Deutsche Telekom competes with regional providers and repeatedly lays its own fiber-optic cable in particularly lucrative areas, despite existing agreements concerning the mutual lease of the cables.10

The availability of public internet connections has been historically low in Germany compared to other industrialized countries.11 However, legal changes have led to an increase of publicly available Wi-Fi hotspots, including in cafés and high-speed trains (see B3). The decision to designate free community Wi-Fi providers as not-for-profit enterprises—which was initially proposed by the Bundesrat (Federal Council) in 2017 and approved in December 2020—entails considerable tax advantages (see A2).

According to May 2023 data from Ookla’s Speedtest, the median download speed for a fixed-line broadband connection in Germany was 83.44 Megabits per second (Mbps), while the median download speed for a mobile broadband connection was 55.92 Mbps.12

A2 1.00-3.00 pts0-3 pts
Is access to the internet prohibitively expensive or beyond the reach of certain segments of the population for geographical, social, or other reasons? 3.003 3.003

Telecommunications services prices stagnated from 2021 to 2022, according to the most recent official statistics.1 In 2022, expenses for such services amounted to 2.3 percent of available household income.2 Economist Impact’s 2022 Inclusive Internet Index ranks Germany 19th out of 100 countries in affordability, defined by cost of access relative to income and the level of competition in the internet marketplace.3

Persistent differences in internet usage based on income demonstrate that prices remain a barrier for people with low incomes and the unemployed.4

The gender and age gap in internet usage has converged in recent years. The difference between men and women remained at 2 percent in 2022, with 95 percent of men and 93 percent of women using the internet.5 In the 16-to-44-year age group, daily internet usage remained stable at 98 percent, while frequent usage increased from 79 percent to 83 percent among those aged 65 to 74 in 2022.6

Although differences in internet use continue to exist between Germany’s western and eastern regions, popular internet usage in the former German Democratic Republic (DDR) increased from 81 percent in 2020 to an average of 87 percent in 2021.7 Meanwhile, the gap in internet use between urban centers (with at least 500,000 residents) and rural areas stands at 4 percent.8

A3 1.00-6.00 pts0-6 pts
Does the government exercise technical or legal control over internet infrastructure for the purposes of restricting connectivity? 6.006 6.006

The German government does not impose restrictions on ICT connectivity. Germany’s telecommunications infrastructure is largely decentralized and the variety of regional providers is unique. There are more than 100 internet-backbone providers in the country.1

Privatized in 1995, Deutsche Telekom remains the only company that acts as both a backbone provider and an internet service provider (ISP). However, the German state owns less than a third of its shares, which crucially limits government control.2 There are several connections in and out of Germany, the most important being the DE-CIX (German Commercial Internet Exchange), which is located in Frankfurt. It is privately operated by Eco, the professional association of the German internet industry.3

According to the BNetzA, there was no legal basis for internet shutdowns or connectivity restrictions on the federal level as of 2016.4 However, some state-level legislation on police powers grants limited restriction measures (see C5).

A4 1.00-6.00 pts0-6 pts
Are there legal, regulatory, or economic obstacles that restrict the diversity of service providers? 5.005 6.006

The telecommunications sector was liberalized in the 1990s with the aim of fostering competition. Commercial service providers must notify the BNetzA before launching services, but do not need licenses.1

Deutsche Telekom’s share of the fixed-line broadband market increased slightly in 2022, to 39.8 percent,2 while Vodafone’s decreased slightly, to 29 percent. Other ISPs with significant market share include 1&1, with 11.3 percent, and O2-Telefónica, with 6.2 percent.3 Public subsidies for increasing broadband connectivity have been criticized for favoring Deutsche Telekom.4

German residents seeking mobile services can choose from three major service providers: Vodafone, with a 38.3 percent market share; Telefónica Deutschland, with 28.2 percent, and T-Mobile (Deutsche Telekom), with 33.5 percent.5 In August 2019, Drillisch Netz AG (a subsidiary of 1&1 Drillisch) joined Deutsche Telekom, Vodafone, and Telefónica Deutschland in securing fifth-generation (5G) technology spectrum frequency blocks, diversifying the mobile market.6 In its 2022 annual report, BNetzA disclosed that 21 percent of transmission stations were 5G-ready.7

A5 1.00-4.00 pts0-4 pts
Do national regulatory bodies that oversee service providers and digital technology fail to operate in a free, fair, and independent manner? 3.003 4.004

Internet access, both fixed-line and mobile, is regulated by BNetzA, which has operated since early 2014 under the Federal Ministry for Economic Affairs and Climate Action, or BMWK (previously known as the Federal Ministry for Economic Affairs and Energy).1 The president and vice president of the agency are appointed to five-year terms by the federal government following recommendations from an advisory council consisting of 16 members from the Bundestag (Federal Parliament) and 16 representatives from the Bundesrat.2 The German Monopolies Commission and the European Commission (EC) have both criticized this highly political structure and the concentration of important regulatory decisions in the presidential chamber of the BNetzA.3 In September 2021, the European Court of Justice (ECJ)—the EU’s supreme court and a part of the Court of Justice of the European Union (CJEU)—upheld a complaint by the EC, ruling that the BNetzA would need to become more independent. The BNetzA is now restructuring their operations, while applying the former law during the interim period.4

In addition, regulatory decisions by the BNetzA have been criticized for providing a competitive advantage to Deutsche Telekom, the former state-owned monopoly,5 most recently in 2015.6

In January 2021, federal legislators amended the Act against Restraints of Competition (Competition Act, or GWB) via the GWB Digitization Act, which created specific antitrust protocols for digital platforms “with overwhelming importance for competition across multiple markets.”7

B Limits on Content

B1 1.00-6.00 pts0-6 pts
Does the state block or filter, or compel service providers to block or filter, internet content, particularly material that is protected by international human rights standards? 4.004 6.006

The government rarely blocks websites or internet content;1 however, it has blocked the websites of Russian state-owned media outlets in response to an EU regulation. All major social media platforms and international blog-hosting services are freely available.

In early March 2022, following the Russian government’s full-scale invasion of Ukraine, the EU’s European Council issued Regulation 2022/350, ordering member states to “urgently suspend the broadcasting activities” of Russian-state owned websites, including RT, Sputnik, RT France, RT Germany, RT Spanish, and RT UK, and to block their websites because they “engaged in continuous and concerted propaganda actions targeted at civil society.”2 The order applied to ISPs and mobile operators in Germany.3 In June 2022, the EU adopted a sixth package of sanctions, which also included directives to block Russian state-owned broadcasters Rossiya RTR/RTR Planeta, Rossiya 24/Russia 24, and TV Centre International.4 After the ninth package of sanctions in December 2022, which again tackled Russian media spreading disinformation, the Germany-based production company behind RT Germany announced it would cease its journalistic activities.5

RT Germany provides advice on how to bypass the block on its website and in a newsletter. For example, users are told how to bypass the country block by using a virtual private network (VPN) and how to circumvent the domain name system (DNS) block; they are also told which mirror pages are online. The Russian state media channel pursued this strategy intensively in Germany and Spain; however, the BNetzA only irregularly updates the lists of mirror sites that are online, which the providers use as a basis for blocking.6 Not only are RT pages attracting traffic,7 but disinformation and conspiracy theories shared by these pages are also gaining traction (see B5).8

In February 2018, a regional court in Munich instructed Vodafone to block the video-streaming website kinox.to, in response to a film distributor’s complaint that the site was hosting content in violation of copyright law.9 The injunction marked the first court-ordered blocking of a pirate website in Germany. A 2015 Federal Court of Justice (BGH) ruling empowered copyright holders to seek such injunctions against pirate websites (see B3).10

Vodafone has continued to block streaming and file-sharing websites, including bs.to and s.to, beginning in 2018,11 and boerse.to, in 2019, in response to complaints from rights holders.12

B2 1.00-4.00 pts0-4 pts
Do state or nonstate actors employ legal, administrative, or other means to force publishers, content hosts, or digital platforms to delete content, particularly material that is protected by international human rights standards? 2.002 4.004

Most content-removal issues in Germany relate to the removal of search engine results (deindexing) rather than actual deletions of content. However, pressure on social media companies to remove illegal content from their platforms has increased since the implementation of NetzDG, which imposes severe fines if certain illegal content is not removed promptly (see B3).

Under the law, social media companies that receive over 100 content-related complaints each year must disclose how they handled those complaints every six months. These complaints come from either users or complaints bodies, such as children’s rights watchdog Jugendschutz.net. According to a November 2018 analysis from the Center for European Policy Studies, “NetzDG has failed to generate any additional press reports of dubious false positives” since a series of January 2018 controversies.1 However, the effectiveness of NetzDG is difficult to measure and remains a concern.2

Since NetzDG came into effect in January 2018, controversial content removals—particularly those involving satirical posts and accounts—have occasionally been reported.3 These removals illustrate a problem with the law: if taken out of context, posts on social media platforms may fall within the scope of hate speech provisions embedded in the criminal code.4

Between July and December 2022, social media platforms disclosed that thousands of items had been removed or blocked because of NetzDG complaints. In this period, Facebook reported 34,8065 blocked or removed items, and Twitter reported 153,416 blocked or removed items.6 Google disclosed that 32,150 items were blocked or removed on YouTube,7 and TikTok blocked or removed 16,757 items.8

Separately, the government also issues content removal requests. According to Google’s Transparency Report, the company received 182 takedown requests from government agencies and courts in the first half of 2022 and removed 74 percent of the requested content. Google received 293 requests in the second half of 2022 and removed 68.2 percent of the requested content.9 The most common reason for requests was defamation. In the first half of 2022, Facebook restricted 6,021 items based on requests under local German law, including 855 items that violated the Youth Protection Law, 162 items from Russian state media sources that violated EU-imposed sanctions, 7 items that violated hate speech laws, and 2,717 items in response to court orders.10 Twitter did not produce a transparency report that covered the reporting period.

Throughout 2021, the government called for content to be removed from the encrypted messaging app Telegram, which has been historically reluctant to moderate content. In efforts to ban calls for violence, the federal police issued takedown requests. In January 2022, the minister of the interior threatened to request that Apple and Google remove Telegram from app stores, but shortly after stated that her threat was only meant to pressure Telegram. In October 2022, the Federal Office of Justice (BfJ) imposed two fines totaling €5.125 million ($5.022 million) on Telegram for noncompliance with NetzDG obligations (see C6). Telegram objected, arguing that it is not a social network, and brought the issue to court in January 2023. The case had not been settled by the end of the coverage period.11 Meanwhile, the Federal Police began to identify suspects who disseminated hate speech or violent threats on the messenger.12

In April 2023, the BfJ also initiated fines against Twitter because the company allegedly failed to remove insults, noting “a systemic failure of [Twitter’s] complaint management.” The case also remained ongoing as of the end of the coverage period.13 Previously, in December 2022, a court ruled in favor of Michael Blume, the anti-Semitism commissioner of the state of Baden-Württemberg, in his case against Twitter. He experienced significant harassment on Twitter and the court found the platform failed to take the necessary action (see C7).

After a report by news outlet Tagesschau in March 2022, TikTok admitted that it used a word filter blocklist for at least 19 terms, that including “gay,” “LGBTQ,” “Holocaust,” and “Auschwitz,” in an attempt to regulate harmful content in Germany.14

The EU’s Digital Services Act (DSA), which came into effect across the EU in August 2023,15 after the coverage period, will harmonize member states’ legislation regarding hate speech and other illegal content. The DSA will supersede certain parts of NetzDG (see B3) when it comes into effect at the national level in Germany in February 2024.16

Under a 2014 CJEU decision on the “right to be forgotten” (RTBF),17 Google and other search engines are required to remove certain search results if they infringe on the privacy rights of a person and that person formally requests the action (see B3). Since 2018, the right to be forgotten is part of European privacy law under the General Data Protection Regulation (GDPR).

From the date of the ruling to January 2022, Google had assessed some 1,433,925 requests to delist search results across the EU, affecting more than 5.5 million URLs, with 233,158 requests coming from Germany alone.18 For Germany, 56.3 percent of the URLs requested removed during this report’s coverage period resulted in a delisting by Google. Between July and December 2022, Microsoft received 777 RTBF delisting requests, covering 1,896 URLs.19 The company delisted 42 percent of those URLs.

German copyright law has been criticized repeatedly for its use to hinder the publishing of sensitive information on topics of public interest, especially as many online platforms automatically remove content that reportedly breach copyright law so as to avoid lawsuits. In May 2021, the Cologne Higher Regional Court ruled that nonprofit platform FragDenStaat (Ask the State), which was sued in December 2019 by the Federal Institute for Risk Assessment (BfR) for publishing a government-issued report on health risks caused by the herbicide glyphosate, had lawfully published the report under the freedom to quote and freedom to report.20 In June 2021, the EU Copyright Directive was transposed into German law.

In December 2021, a court sentenced eight defendants, who stood trial for running the CyberBunker data center—a “bulletproof hosting” operation that was housed in a Cold War–era military bunker—to prison time ranging from two years and four months to five years and nine months.21 A criminal code amendment, proposed by the Federal Ministry of Justice and Consumer Protection (BMJV) in February 2021, that criminalized the provision of server infrastructure for illegal online marketplaces was included as a separate paragraph to the criminal law after revisions by the Bundestag. Providers of online marketplaces looking to promote criminal activities can face several years in jail according to the new law (see C2).22

German police conducted raids on the homes of individuals who had posted hateful messages aimed at politicians during the 2021 federal elections and forced them to delete those messages (see C3).23

Also, in March 2022, major online media platforms, including Facebook, TikTok,24 Twitter,25 and YouTube,26 restricted access to RT and Sputnik across the EU in response to an order from the European Union (see B1).

B3 1.00-4.00 pts0-4 pts
Do restrictions on the internet and digital content lack transparency, proportionality to the stated aims, or an independent appeals process? 3.003 4.004

Restrictions on online content in Germany generally meet minimum requirements for transparency, proportionality, and independent appeal.

NetzDG, which went into effect in January 2018, obliges social media platforms with more than two million registered users in the country to investigate and delete flagged content shortly after being reported, or otherwise face hefty fines (see B6).1 If the flagged content is “obviously illegal,” the company must block or remove it within 24 hours; if not obviously illegal, the content must be investigated and blocked or removed within seven days. Under NetzDG, illegality is defined in relation to 22 articles in Germany’s criminal code (see C2).2 After deciding to delete or preserve flagged content, the company has to inform both the complainant and the user who uploaded the content. If it fails to meet any of those requirements, the company could face fines of up to €50 million ($51.8 million) (see B6).3

Additionally, June 2021 amendments to NetzDG add extra transparency requirements for social media platforms and expand the mandate of NetzDG to include video-sharing services to align with the EU Audiovisual Media Services Directive. The amendments also provide users with an avenue to appeal content-removal decisions, though the appeal must be filed within two weeks.4

An amendment to NetzDG passed in June 2020 required companies to share with the Federal Criminal Police Office (BKA) the personal information of users reported for hate speech or illegal content (see C6). The Cologne Administrative Court in March 2022 ruled that measures in the amendments were not in line with EU legislation.5

In April 2023, the Ministry of Justice announced plans to propose a law on “digital violence” (“Gesetz gegen digitale Gewalt”), which is broadly defined. The proposed law would compel platforms to block users who engage in online harassment and, in some cases, provide law enforcement and victims with the users’ internet protocol (IP) addresses. According to the announcement, courts could order platforms to block users who repeatedly perpetrate such harassment (see C2 and C4).6

The EU’s DSA, which will come into force in February 2024 (see B2), will regulate online and illegal speech across the EU, and will supersede parts of NetzDG in Germany. Politicians and children’s rights groups have advocated for the continued enforcement of the stricter NetzDG, which has a broader definition for illegal content and compels online platforms to remove a wider swath of content than the DSA, even after the DSA passed.7 For example, the nongovernmental organization (NGO) National Coalition Germany, a network of children’s rights groups, put forward a letter demanding that the stricter German youth protection laws should be allowed to remain in place.8

In March 2021, major internet providers operating in Germany and associations of companies in the entertainment industry formed the Clearing House for Copyright on the Internet (CUII), a joint initiative to initiate DNS blocks against “structurally copyright-infringing” websites.9 While blocking requests were previously considered by judges, the BNetzA now assesses CUII recommendations and determines whether the blocking violates the principle of net neutrality.

The new policy has elicited criticism from politicians and activists.10 Critics question the BNetzA’s suitability for this role, since the agency is responsible for regulating telecommunications networks to ensure fair competition and net neutrality rather than assessing fundamental rights regarding copyright.11 There have also been concerns about normalizing this type of instrument and the initialization of the DNS4EU project, which will also operate with filter lists and network blocks across the EU, demonstrates that similar measures could take effect at the European level.12 The Federal Cartel Office (BKartA) did not object to the new initiative, though it is monitoring the development of the practice.13

Issues related to copyright law have figured prominently in discussions around internet freedom in Germany. The EU Directive on Copyright in the Digital Single Market, which the Council of the EU approved in April 201914 and Germany enacted in June 2021 (see B2), imposes a so-called link tax, which grants online publishers the right to charge aggregators like Google News for excerpting proprietary content, such as news articles (see B6).15

In May 2021, the federal and state parliaments passed laws amending the Copyright Act and the Collecting Societies Act to align with the new EU directive (see B2). The amendments require companies with large amounts of user-generated content to use “upload filters,”16 which will preemptively block copyright-infringing online content.17 The law came into effect in June 2021 but the implementation of the upload filters was narrowed by an ECJ judgment in April 2022, which stipulated that states must build in safeguards that protect fundamental rights so legal uploads are not blocked.18 Upload filters cannot reliably make this distinction.

Companies can be held liable for illegal content under the Telemedia Act (TMG). The law distinguishes between full liability for one’s own content and limited “breach of duty of care” (störerhaftung) for service providers and host providers of third-party content.19 The courts have held that if the business model of a service aims to facilitate copyright infringement, the company is considered less worthy of immunity from intermediary liability.20 As a consequence, hosting providers are required to monitor their own servers and search for copyright-protected content as soon as they have been notified of a possible violation.21

While ISPs are not required to proactively monitor the information of third parties on their servers, they become legally responsible as soon as they gain knowledge of violations or violate due diligence requirements.22 In 2015, the BGH ruled that the blocking of a website may be ordered as a last resort if it is the only means for a copyright holder to effectively end rights infringement on that website.23 In such cases, the owner of the copyright may ask an ISP to block the website in question. If the provider refuses, a court can intervene.

The protection of minors constitutes an important legal basis for extant regulation of online content.24 Youth protection on the internet is principally addressed at the state level through the Interstate Treaty on the Protection of Human Dignity and the Protection of Minors in Broadcasting and Telemedia (JMStV), which bans content, including the glorification of violence and sedition, and provides a framework for age restrictions on content without specifying measures to implement them.25 A controversial provision of the JMStV reflects the regulation of broadcast media: adult-only content on the internet, including pornography, may only be made available after verifying the age of the user.26 The JMStV enables the blocking of content if other actions against offenders fail and if such blocking is expected to be effective. In late 2021, the Commission for Youth Media Protection ordered five internet providers to block popular pornography website xHamster.com, as it failed to provide an age verification process. All providers have announced they plan to challenge this decision or have it examined in court.27 The media regulators labelled the effort a “failure” because the porn site was moved to similar URLs. Unlike copyright law in Germany, youth protection law requires individual URLs to be blocked separately, even if they contain identical content to URLs that are already blocked.28

In April 2021, the European Parliament (EP) adopted a regulation aimed at “tackling the dissemination of terrorist content online” which, among other things, would require platforms to delete content within one hour of receiving a removal order from authorities.29 Platforms that routinely fail to do so could be fined 4 percent of their overall annual revenue (see B6). Critics have voiced concerns that ambiguity surrounding the definition of “terrorist content” and the short timeline for removing such content will lead companies to “remove speech first and ask questions later,” possibly through automatic filters.30 The resolution entered into force in June 2021 and became applicable as of June 2022.31

B4 1.00-4.00 pts0-4 pts
Do online journalists, commentators, and ordinary users practice self-censorship? 4.004 4.004

To date, self-censorship online has not been a significant or well-documented problem in Germany. Still, there are some rules reflected in the publishing principles of the German press that may confine some journalists’ online speech. This self-binding code of ethics forms the basis for the evaluation of possible complaints from the public. It includes 16 provisions and is centered on the protection of human dignity.1

In May 2020, the new Interstate Media Treaty (MStV) introduced an obligation for self-regulatory institutions to penalize the repeated publication of disinformation (see B6), which could lead to self-censorship to avoid sanctions in some cases.2

NetzDG has been criticized for leading to a potential chilling effect on content posted online (see B3).3 There is, however, a lack of evidence that these restrictions have led to significant levels of self-censorship.

B5 1.00-4.00 pts0-4 pts
Are online sources of information controlled or manipulated by the government or other powerful actors to advance a particular political interest? 3.003 4.004

Germany’s online information landscape has witnessed content manipulation, which in some cases has been linked to the far right.

Russian disinformation campaigns targeted Germany more intensively after the Kremlin’s full-scale invasion of Ukraine. A September 2022 report by Meta, which owns Facebook, Instagram, and WhatsApp, found that a Russia-based influence operation known as Doppelganger used “false media sites” mimicking those of prominent publications in the EU, including the German publications Der Spiegel, T-Online, and Die Welt, to target readers in the EU with pro-Russian propaganda. The campaign spent around $100,000 on advertisements and sponsored pages that spread narratives about a potential energy crisis in Europe and claimed that war crimes committed by the Russian military in Ukraine did not happen. In some cases, the German-language pages were clearly not run by German users.1 Meta’s Adversarial Threat Report for the second quarter of 2023, published in August 2023, noted that this operation continued to target audiences in across Europe, churning out relatively low-quality content at a high volume.2

A May 2023 joint investigation conducted by a group of European news outlets, including Süddeutsche Zeitung, NDR, and WDR in Germany, revealed that Russian government agents had attended protests in Germany and other European cities, holding signs in support of the Kremlin’s full-scale invasion of Ukraine, even though the protests were unrelated. The report also noted that the Kremlin had these “agents” pose as Ukrainians, and organized smaller protests against Turkish President Recep Tayyip Erdoğan. These photos were then shared on social media; the news outlets linked content shared from these protests to three social media accounts based in St. Petersburg.3

A March 2022 report from the Institute for Strategic Dialogue also found that far-right Telegram channels had shared pro-Kremlin disinformation, even prior to the start of the war. Additionally, it noted that RT Germany’s following on Telegram grew in the immediate wake of the blocking of the website.4

In March 2021, German news outlet Netzpolitik reported that the Poland-based website Our Central Europe, which disseminated conspiracies about climate change, COVID-19, and refugees in Germany, has links to the Mecklenburg–Western Pomerania wing of the right-wing populist party Alternative for Germany (AfD). The site is formally operated by London-based New Network Communications, an apparent front company, and has connections with a former employee of the Freedom Party of Austria (FPÖ), a right-wing Austrian political party.5

While there were concerns about the proliferation of disinformation leading up to the September 2021 federal elections, Paris-based think tank Institut Montaigne found that “there was no singular, big disinformation narrative.”6 Previous concerns about electoral disinformation prompted legislators to push for controversial legal solutions with potential implications for freedom of expression online. The MStV (see B6) obliges operators to mark social bots, if they use them, but definitions and labelling requirements are often imprecise, and the policy could impact human accounts.7

B6 1.00-3.00 pts0-3 pts
Are there economic or regulatory constraints that negatively affect users’ ability to publish content online? 2.002 3.003

While individual internet users face few economic or regulatory obstacles to publishing content online, German law exposes companies such as social media platforms or hosting providers to substantial financial penalties.

NetzDG and the EU regulation regarding dissemination of terrorist content online (see B3), which was adopted in March 2021,1 could make it more difficult for new platforms to enter the German market. NetzDG imposes fines on social media companies that fail to comply with content-removal and reporting requirements. Facebook, Google, Twitter, and TikTok collectively employ thousands of people to review complaints submitted under NetzDG. However, the DSA, which will come into effect in Germany in February 2024 and supersede NetzDG (see B2 and B3), only includes the strictest reporting requirements for platforms with over 45 million monthly users.

Under the MStV, which came into effect in November 2020, media outlets that are not part of any self-regulatory bodies are now subject to direct supervision by state media institutions and can face penalties for refusing to comply with the measure or for the repeated distribution of disinformation. The MStV also introduced a license requirement for those who create online video content that consistently reaches at least 20,000 viewers. The MStV expands the scope of such obligations to almost any commercial form of publication. Observers have criticized the unequal treatment of new self-regulatory bodies compared to the established German Press Council, as well as the involvement of media institutions as supervisory authorities.

The MStV also imposes disclosure of underlying criteria of algorithms and nondiscrimination requirements on major online platforms that aggregate third-party content, such as those operated by Google, Facebook, and Apple.2

At the beginning of February 2022, prior to the EU-wide ban of RT and Sputnik (see B1), Russian state-owned RT’s German-language network, which regularly spreads disinformation, was banned from broadcasting by the Commission for Licensing and Supervision for lack of a media law license in Germany. However, the station has no prospect of obtaining the necessary broadcasting license as the MStV stipulates that licenses cannot be issued to public and state bodies in Germany and abroad.3

In April 2017, the federal parliament incorporated EU rules on net neutrality into domestic law.4 However, observers remarked that several plans from ISPs and mobile service providers, such as Deutsche Telekom’s Stream On, Vodafone’s Vodafone Pass, and O2’s Unlimited plan, violate strict net neutrality by favoring certain services, including video-streaming services.5 BNetzA subsequently prohibited parts of Stream On for breaching net neutrality principles.6 Fines for violating net neutrality laws can reach a maximum of €500,000 ($518,100), which is relatively low compared to other European states.7 After a summary proceeding in the regional court of North Rhein-Westphalia, Deutsche Telekom was forced to implement the official requirements in August 2019. The lawsuit was moved to the ECJ, which ruled in September 2021 that the plans offered by Vodafone and Deutsche Telekom were unlawful.8

The governing federal coalition has reiterated its support for ancillary copyright for publishers (Leistungsschutzrecht für Presseverleger), in force since 2013.9 The regulation allows publishers to monetize excerpts that search engines display as part of their search results.10 Some fear this infringes upon constitutionally protected rights to freedom of expression and information.11 In order to limit monetization, search engines began excluding results leading to the websites of publishers that monetized their links or displayed links without the corresponding excerpts.12 The EU Copyright Directive, which was and implemented into national law in June 2021, includes ancillary copyright for publishers (see B3).13

B7 1.00-4.00 pts0-4 pts
Does the online information landscape lack diversity and reliability? 4.004 4.004

Germany is home to a vibrant internet community and blogosphere. Local and international media outlets and news sources are accessible and represent a diverse range of opinions.

During the COVID-19 pandemic, misinformation about the coronavirus spread through social media platforms and messaging services. A false narrative regarding the effect of the anti-inflammatory drug ibuprofen on COVID-19 patients originated in Germany in March 2020.1

B8 1.00-6.00 pts0-6 pts
Do conditions impede users’ ability to mobilize, form communities, and campaign, particularly on political and social issues? 6.006 6.006

During the coverage period, several civil society initiatives used the internet to conduct advocacy campaigns related to political and social issues in Germany.

Social media has also played a crucial role in the growth of the climate protection movement. The student protest movement Fridays for Future, which originated in Sweden and combines weekly school strikes and marches, largely organizes through social media. In Berlin, protests were held regularly beginning in September 2018.1 The movement has placed the issue on the national political agenda and significantly influenced public perception of the climate crisis.2 Additionally, climate activists, such as the group Letzte Generation (Last Generation), which engages in civil disobedience, are mostly organized through messaging apps, including Signal and Telegram.3

Germany has also witnessed protests against COVID-19-related restrictions and legislation. A group of deniers under the Querdenken (Lateral Thinking) banner formed during the pandemic, largely communicating and mobilizing against pandemic restrictions online.4

Germans also used social media platforms and Telegram groups to organize and pool efforts for refugees and people residing in Ukraine following the brutal Russian invasion of Ukraine.5 Throughout 2021 and 2022, under the hashtag #IchBinHanna (I am Hanna), researchers protested against fixed-term employment contracts and the Temporary Employment Contract Act (Zeitvertragsgesetz).6 Users described their precarious working conditions and raised their issue in the Bundestag.7

C Violations of User Rights

C1 1.00-6.00 pts0-6 pts
Do the constitution or other laws fail to protect rights such as freedom of expression, access to information, and press freedom, including on the internet, and are they enforced by a judiciary that lacks independence? 5.005 6.006

Article 5 of the Basic Law guarantees freedom of expression and freedom of the media. Judicial bodies operate independently and generally support the protection of basic rights.

Since 2016, the Office of the Federal Commissioner for Data Protection and Freedom of Information (BfDI) has been an independent supreme federal authority.1 Since its founding, the agency has tripled its capacities and enlarged its staff to strengthen the supervision of security authorities.2

The controversial Federal Intelligence Service (BND) Law (see C5), which expands the legal justification for surveillance, has been criticized by journalists demanding improvements, including better protection for reporters abroad as well as their sources. In May 2020, the Federal Constitutional Court (BVerfG) found the law to be unconstitutional, forcing the government to revise the law. Reporters Without Borders (RSF) launched a campaign against the new draft law under the hashtag #NotYourSource, arguing that the vague wording of the revised paragraphs still poses risks to journalists. The amendment was approved by the Bundestag and Bundesrat in March 2021 and went into effect in January 2022.3 In January 2023, RSF filed a new complaint to the Federal Constitutional Court, saying protections for journalists remained too weak.4

C2 1.00-4.00 pts0-4 pts
Are there laws that assign criminal penalties or civil liability for online activities, particularly those that are protected under international human rights standards? 2.002 4.004

The German criminal code includes numerous prohibitions that apply to the online realm, such as Section 130, which penalizes calls for violent measures against minority groups and assaults on human dignity.1 This provision is seen as legitimate in the eyes of many Germans, particularly because it is generally applied in the context of Holocaust denial.2 NetzDG defines illegal online content in relation to 22 provisions in the German criminal code, including Section 130. Other provisions prohibit defamation, forming a criminal or terrorist organization, and “using symbols of unconstitutional organizations.”3 In the context of NetzDG, many activists, politicians, and officials have expressed concern that these provisions are too broad. In addition to facilitating content removals, these provisions carry penalties in the form of fines and, in some cases, jail time.

In April 2021, an amendment to the criminal code concerning hate speech and threats online came into effect. The law includes a broader definition of threats and longer prison sentences for insults against other people, which can lead to a sentence of up to two years instead of one year. Additionally, it explicitly criminalizes defamation, insult, and slander against politicians and expanded the scope of the law to include politicians on the municipal level.4 In June 2021, parliament passed a new amendment to the criminal code, criminalizing “operating criminal platforms on the internet” (see B2). Individuals operating these platforms for noncommercial purposes can be sentenced to up to 5 years, while individuals who operate them commercially can be punished with up to 10 years in prison.5

The Ministry of Justice released “key” points that should be included in a potential draft law combatting online violence, a broad term that encompasses activities ranging from insult to doxing, in April 2023. The law would enable users of online platforms to be prosecuted for harassing other users (see B3 and C4).6

C3 1.00-6.00 pts0-6 pts
Are individuals penalized for online activities, particularly those that are protected under international human rights standards? 5.005 6.006

Users are rarely prosecuted for their online activity, but are sometimes fined. In 2021, the BKA documented 2,411 posts from that year that fit the criminal code definition of hate speech, 52 percent of which were categorized as being politically right-wing.1 According to the BKA, 4.4 percent of politically motivated crimes in 2021 were hate postings.2

The German police regularly conduct raids on individuals who have posted hateful messages and insults against politicians, opening over 8,500 cases and charging more than 1,000 people since 2018. In March 2022, in the wake of the 2021 federal election, police conducted raids on approximately 100 homes of individuals who posted hateful messages against politicians during the 2021 election.3 These raids took place across 13 federal states; the police seized individuals’ devices and, in some cases, forced them to delete these messages (see B2).4 In cases where individuals phones are confiscated, the authorities can use technology by Israeli firm Cellebrite to search them if their owners refuse to open them.

Based on information obtained during the subsequent investigations, individuals can be convicted for their actions online. For example, in September 2022, a man who celebrated the murder of two police officers in early 2022 by writing "that was awesome” to the police office by email, and announced he was founding an association called “cop hunters” on social media, was sentenced to one year and three months in jail.5 In December 2021, eight defendants in the CyberBunker case (see B2), which concerned an online hosting platform that provided hosting services to criminal websites, were sentenced to between two years and four months to five years and nine months in prison. However, most cases only involve fines.

In the 2021 Pimmelgate (Penisgate) case, which drove national debate about such raids, police searched the home of a man who tweeted that city senator Andy Grote was “such a penis.” Another man had his house raided after he posted a picture of a mural that activists had painted containing the phrase in response to a post from a far-right politician that criticized Muslims.6

C4 1.00-4.00 pts0-4 pts
Does the government place restrictions on anonymous communication or encryption? 3.003 4.004

User anonymity is compromised by SIM card registration rules under the Telecommunications Act (TKG) of 2004, which requires purchasers to submit their full name, address, international mobile subscriber identity (IMSI) number, and international mobile station equipment identity (IMEI) number.1 Nonetheless, the principle of anonymity on the internet is largely upheld as a basic right. A 2014 decision by the BGH, confirming that an online ratings portal was under no obligation to disclose the data of anonymous users, further strengthened that right.2

Website owners and bloggers are not required to register with the government, but most websites and blogs need to have an imprint naming the person in charge and providing a contact address. The anonymous use of email services, online platforms, and wireless internet access points is legal. A proposed amendment to the TKG (see C6) suggested by the Federal Ministry of the Interior and Community (BMI) included the obligation to provide an identity when registering for an email account,3 but this measure did not make it into the final law, which came into effect in December 2021, after criticism from activists and the media.4

Different arms of the German government have repeatedly called for mandatory backdoors for encrypted messaging services. Most recently, in December 2021 the interior ministers of the states repeated their demand for countrywide legislation to be introduced.5 The new governing coalition’s agreement, presented in November 2021, stated that there will be a “right to encryption.”6 However, no law on the right to encryption had been proposed as of the end of the coverage period.7

In May 2022, the European Commission proposed legislation concerning the fight against child sexual abuse.8 The proposal includes a provision for a client-side scanner (CSS), which would require messenger services, like Signal and WhatsApp, to install technology that can scan users’ messages before they send them. In October 2022, 23 NGOs as well as youth organizations of political parties started the campaign “Stop Chat Control” to protest this provision.9 In March 2023, experts from civil society organizations and academia presented statements to the German parliament, the majority of which claimed the technology would violate the right to privacy.10

In January 2023, a new draft by the Federal Ministry of the Interior and Homeland in response to the EU legislation excluded client-side scanning, but still included surveillance of non-encrypted communication.11

In April 2023, an expert study commissioned by the EP and a legal study by the Council of the EU both found the commission's plan would inadequately protect the privacy rights of citizens and undermine end-to-end encryption.12

In the same month, the Ministry of Justice proposed “key points” for a draft law that would force platforms to provide the IP addresses of users who engage in “online violence,” which is defined quite broadly (see B3 and C2).

C5 1.00-6.00 pts0-6 pts
Does state surveillance of internet activities infringe on users’ right to privacy? 2.002 6.006

Intelligence agencies conduct mass surveillance and have taken measures to expand the breadth of data they can monitor. Article 10 of the Basic Law guarantees the privacy of letters, posts, and telecommunications. These articles generally safeguard offline as well as online communication. A groundbreaking 2008 BVerfG ruling established a new fundamental right regarding the “confidentiality and integrity of information technology systems” as part of the general right of personality under Article 2 of the Basic Law.1

A 2016 law explicitly granted the BND permission to monitor domestic internet traffic so long as it targets non-German citizens.2 Nevertheless, the law has been scrutinized for its impact on the privacy of German internet users.3

While the BND is mainly tasked with foreign intelligence collection, one of the main concerns is that the law permits monitoring of all network traffic channeled through the Frankfurt-located DE-CIX—the world’s largest internet exchange point—which would at least unintentionally affect communications by German citizens as well. Furthermore, press freedom groups argued that the law threatens the constitutionally protected work of foreign journalists reporting in Germany and outside the country4 and, in January 2018, several NGOs and foreign journalists filed a constitutional complaint.5

The BND had also previously stored and processed bulk metadata records of phone calls via its traffic-analysis system, VerAS. In response to a lawsuit filed by RSF Germany,6 in December 2017, the BVerwG outlawed such intelligence gathering, prohibiting the BND from collecting and processing communications metadata for want of sufficient legal basis.7 In May 2018, the BND officially announced that it would end the practice.8

In May 2020, the BVerfG ruled that the BND is still bound by the fundamental rights of the Basic Law when conducting telecommunications surveillance of foreigners in other countries, finding that the BND had acted unlawfully in monitoring the communications of foreign journalists.9

However, in June 2021, an amended version of the BND Law, which expands the scope of BND activities and allows the interception of up to 30 percent of the transmission capacity of all global telecommunications networks, was enacted.10 While the law protects “individual communications of natural persons,” it allows the BND to collect and process various kinds of information, including inventory, traffic, and content data, enabling the monitoring of communications behavior, financial transaction data, and movement of individuals in Germany and abroad. Furthermore, the law enables federal police to hack communication providers abroad and to use malware against citizens without criminal histories.11 The insufficient protection of journalists, criticized by the BVerfG, is regulated in an added paragraph. However, the Federal Data Protection Commissioner, opposition politicians, and legal observers have criticized vague exceptions in the protection clause, making it ineffective.12

In July 2021, amendments to the Federal Constitutional Protection Act that provide intelligence agencies with “additional powers of investigation through the regulation of source telecommunication monitoring, including messenger services” came into effect.13 The amendments allow all 19 German intelligence agencies to use the Quellen-TKÜ Plus Staatstrojaner, or a type of malware that can read and collect ongoing communications and data as well as communications that happened before the software’s installation but after authorization of the surveillance order. It also obliges internet providers to help with the installation and allows police to preventively surveil a suspect. The measures—which were developed largely in response to right-wing extremism—were met with criticism and concern from civil rights groups.14 The law was met by strong criticism by the opposition at the time, big tech companies, and NGOs, some of which considered filing complaints before the Federal Constitutional Court.15

A verdict by the European Court of Human Rights concerning a complaint against the British Secret Service found that their mass data retention violates the right to privacy. The ruling stated that there would need to be a better evaluation of the principle of proportionality for the retention and that the scope of the information retained must be restricted.16 News outlet Netzpolitik put forward a freedom of information request for documents concerning discussion of the case in the German government, and concluded that there does not appear to be an intent to change the German law according to the verdict.17

Surveillance conducted by intelligence services under the Act for Limiting the Secrecy of Letters, Posts, and Telecommunications (G10 Act) has continued to decline.18 The BVerfG’s May 2020 judgment regarding the BND’s domestic surveillance activity involving foreigners raised hopes for a successful ruling against the G10 Act.19 In November 2020, the nonprofit Society for Civil Rights filed a constitutional complaint arguing that any change to the G10 Act that allows German secret services to use Staatstrojaner, or state-administered spyware, “is unconstitutional.20 No verdict was reached by the end of the coverage period.

Telecommunications interception by state authorities for criminal prosecutions is regulated by the criminal code and may only be employed for the prosecution of serious crimes for which specific evidence exists and when other, less intrusive investigative methods are likely to fail.

A 2008 BVerfG ruling establishing a new fundamental right to the “confidentiality and integrity of information technology systems” also found that covert online searches are only permitted in exigent circumstances.21 Based on that ruling, the federal parliament passed a law in 2009 authorizing the BKA to conduct—with a warrant—covert online searches to prevent terrorist attacks and to employ other methods of covert data collection, including the surveillance of private residences and the installation of software on a suspect’s computer that intercepts their communications at the source.22

In June 2017, the federal parliament enacted the “law for more effective and more practical criminal proceedings.” Most significantly, it included an extensive list of criminal offenses that would allow for the deployment of spyware on suspects’ mobile phones, tablets, and computers in order to enable monitoring of written and spoken text as well as the copying of data.23 Critics consider the law unconstitutional due to its expansive scope and long list of applicable offenses.24 In accordance with the law, the BKA has been permitted to install Staatstrojaner on suspects’ devices since January 2018.25 BKA hackers have reportedly breached Telegram and are targeting WhatsApp, although intelligence services have previously accessed WhatsApp without using a state Trojan.26 Complaints and lawsuits against the law and similar state laws have been filed at the BVerfG by data protection organizations and activists.27

In June 2022, the government had refused to tell if police and security authorities used the spyware Pegasus, which is developed by the Israeli company NSO group and enables the attacker to gain remote access to the target’s device without the user clicking a link.28 A September 2021 report, originally published in Die Zeit, found that the BKA had purchased Pegasus spyware in 2019.29 The EU’s spyware investigation committee had invited member states to come to a meeting in January 2023, but all member states declined.30

In Bavaria, Germany’s second-largest state by population, the governing CSU introduced a bill in 2018 that grants the Bavarian police vastly expanded powers, including the authority to access any information technology system preventively in the event of a broadly defined imminent danger without concrete evidence of a specific crime.31 Critics allege that the bill would blur the line between police and intelligence services, a strict distinction placed into the constitution as a consequence of Nazi-era abuses.32 Since then, similar laws granting police forces vastly expanded powers to access communications have been passed in several other states.33 In some cases, these laws permit police to use Staatstrojaner. In March 2022, the Bavarian police faced criticism by the Bavarian commissioner for data protection after introducing software produced by US company Palantir, which has been criticized for facilitating rights violations, to connect several police databases. Other states, such as Hessen or North Rhine-Westphalia, have been using Palantir software as well.34

In February 2023, the Constitutional Court ruled that bills in Hessen and Hamburg that regulated data mining and predictive policing were unconstitutional. The court found police were allowed to cross reference personal data in general, but that the laws did not specify the conditions. Hessen uses Palantir’s “Gotham” software under the name “HessenDATA.”35

In February 2023, the Constitutional Court declared that some parts of a bill that grants surveillance rights to police were unconstitutional, ruling they could only use Staatstrojaner and place housing areas under surveillance if there was a concrete threat. The NGO Gesellschaft für Freiheitsrechte (GFF), which was one of the plaintiffs, argued that this could have consequences for bills in other German states as well.36

The Bundestag approved a bill in December 2019 expanding the powers of customs authorities to conduct communications surveillance, including through monitoring software and device searches.37 The law also provides a legal basis to obtain user data from telecommunications providers without the user’s knowledge, and it permits customs authorities to use IMSI catchers, which mimic cell phone towers in order to collect data from proximate devices.38 The law’s phrasing vaguely describes the circumstances justifying the application of spyware, providing only that customs authorities may use technical means, if necessary, to intervene in information technology systems. Federal Commissioner of Data Protection and Freedom of Information Ulrich Kelber criticized the almost unconditional and unprompted collection and enrichment of data.39

Newly arrived migrants and refugees are also targeted by measures that infringe on their privacy rights. According to 2017 amendments to the asylum law, an arriving refugee’s electronic device data, including location data, may be copied and analyzed in order to determine the person’s place of origin if he or she does not provide identity documents.40 With the support of the GFF, several refugees affected by this practice have taken legal action against the Federal Office for Migration and Refugees and filed a complaint with Kelber.41 In June 2021, the Berlin Administrative Court declared the practice could only be used if there were no available “milder measures,” such as asking for more documents or getting speech analysis.42 The practice is still continuing, although the majority of searches do not lead to the identification of nationality. Since 2020, the Berlin Foreigner’s Registration Office has been using a software by Cellebrite that previously had been used only by security authorities.43

C6 1.00-6.00 pts0-6 pts
Does monitoring and collection of user data by service providers and other technology companies infringe on users’ right to privacy? 3.003 6.006

The German government established a legal framework to protect personal data in 1990, though several laws require companies to provide user data to authorities. Since 2018, German privacy law is dominated by the European General Data Protection regulation. German and European law require the localization of some telecommunication data.1

In December 2021,2 amendments to the TKG that compel email and messenger services to provide any user identification information to law enforcement came into force. The law also stipulates that messenger services based outside of Germany are subject to the law.3

In April 2021, amendments to NetzDG that require companies to report to the BKA the personal data of users who post certain types of illegal content (see B3), including far-right nationalist and extremist content, went into effect. The amendments state that personal data includes usernames, IP addresses, port numbers and—with a judicial order—passwords.4 Digital rights associations criticized the amendments, saying that the public prosecutor’s offices would have difficulty processing the expected masses of user data flowing to the BKA.5 President Frank-Walter Steinmeier had initially refused to sign a package of laws after the parliament’s research service declared parts of the proposal unconstitutional for breaking regulations on the disclosure of inventory data,6 but the inventory data disclosure process was reorganized and approved in March 2021, legalizing the transfer of data to the BKA.7

Google and Meta issued urgent motions against the amendments, resulting in a March 2022 ruling by the Cologne Administrative Court that the amendments contradict EU law in regard to home state regulations. Therefore, Google and Meta will not have to comply; Twitter and TikTok have ongoing motions that had not been ruled on by the end of the coverage period.8

The BKA had opened a central reporting office with 200 public servants for the anticipated reports. While the government expected 250,000 reports leading to about 150,000 criminal procedures, as of August 2022, the BKA had only received and worked on 1,950 reports. Of these reports, 75 percent have been assessed as chargeable. Facebook, Google, TikTok, and Twitter all refused to send “suspicious content” to the office.9

While platforms such as Facebook, Instagram, and TikTok have cooperated with the state prosecution departments, Telegram has not increased cooperation and at times failed to assist with direct requests. In October 2022, the BfJ fined Telegram a total of €5.125 million for failing to take action to curb illegal content on the platform. In January 2023, Telegram appealed the fine; the appeal is under review by the agency (see B2).10

Several constitutional complaints against data retention legislation have been filed and are pending at the BVerfG.11 Despite a 2014 CJEU decision that struck down the EU Data Retention Directive,12 the federal parliament had enacted a law on data retention in 2015.13 Under the law, different sets of data would have to be stored on servers located within Germany for 10 weeks,14 and providers have to retain the numbers, as well as the dates and times, of phone calls and text messages. ISPs are also required to retain the IP addresses of all users, as well as the dates and times of connections. The location data of mobile phone connections must be saved for four weeks. The requirements exclude sites accessed, email traffic metadata, and the content of communications. In October 2020, the CJEU ruled that data retention is forbidden in principle but permissible if strict requirements are met; for example, to combat serious crimes like terrorism.15

A coalition of activists made adjustments to its 2016 complaint following the amendments to the TKG that went into effect in December 2021.16 In September 2022, CJEU ruled against data retention legislation again: Without cause, citizens’ communications data should only be stored under strict conditions.17 As of the end of the coverage period, it is unclear how the governing parties will address the CJEU ruling (see C5).18

The German government is currently discussing alternatives to data retention.19 In October 2022, Minister of Justice Marco Buschmann presented a bill that includes a “quick freeze process.” Instead of mass data retention, telecommunication companies would be obligated to save traffic data—including IP addresses, location data, and metadata—for one month. During that period, authorities would be able to get a court order for the desired data.20 While the ministers of justice of the German federal states support the draft,21 coalition partner SPD and Minister of the Interior Nancy Faeser demand mass retention for IP addresses adhere to the ECHR’s verdict.22

A December 2019 law establishes a legal basis for customs authorities to obtain user data from telecommunications providers without the knowledge of the person concerned (see C5).23 The amended Telecommunications Act of 2013 regulates “stored data inquiry” requirements.24 Under this law, approximately 250 registered public agencies, among them the police and customs authorities, are authorized to request both contractual user data and sensitive data from ISPs. Several studies have shown that the required judicial review does not actually take place in a majority of cases.25

Separately, antiterrorism legislation that was first passed after the September 11, 2001, terrorist attacks in the United States—legislation that, among other provisions, obliges banks or telecommunications operators to disclose customer information to authorities—was once again extended in 2015 until 202126 . This was followed by an indefinite extension in November 2020. Expert witnesses criticized the lack of evaluation of the legislation.27

C7 1.00-5.00 pts0-5 pts
Are individuals subject to extralegal intimidation or physical violence by state authorities or any other actor in relation to their online activities? 4.004 5.005

There were few reported cases of direct physical intimidation or violence against online journalists or other ICT users in retaliation for their activities during the coverage period.

Since 2021, Germany has declined from “good” to “satisfactory” in RSF’s annual Press Freedom Index due to increasing incidents of reporters being attacked by conspiracy theorists at anti-lockdown protests.1

In August 2020, several journalists and press photographers were insulted and harassed by demonstrators protesting COVID-19 measures in Berlin. In 2022, the European Centre for Press and Media Freedom reported 97 violations of media freedom, noting that 60 of them involved attacks against journalists at protests.2

A June 2019 study on hate speech reported that immigrants, Muslim people, women, and LGBT+ people are predominantly targeted by harassment online. Men reported experiencing online harassment more frequently than women, which might stem from different online behavior.3 When it comes to cases of online discrimination against LGBT+ people, Germany ranks relatively low when compared to other European countries.4 A study on the impact of NetzDG (see B2 and B3) published in December 2021 found there has been about a 10 percent decrease in hate speech comments on Twitter since the law took effect. The researchers looked at a time frame from 2016 to 2019 and focused in particular on tweets containing the terms “Islam,” “Migration,” and “Displacement.”5

In December 2021, the Federal Constitutional Court ruled in favor of Renate Künast, a politician who was harassed after a right-wing blogger disseminated a fake quote that insinuated she supported pedophilia. The Berlin Regional Court initially ruled that the comments did not constitute insults because they contained a “factual reference to the discussion” and refused to turn over user information after Künast filed a civil suit.6

In December 2022, Michael Blume, the anti-Semitism commissioner of Baden-Württemberg, won a defamation case against Twitter after experiencing excessive harassment on the platform (see B2). Accounts accused Blume of being "part of an anti-Semitic pack” and "close to pedophilia.”7

C8 1.00-3.00 pts0-3 pts
Are websites, governmental and private entities, service providers, or individual users subject to widespread hacking and other forms of cyberattack? 2.002 3.003

Human rights activists and NGOs are rarely victims of cyberattacks or other forms of technical violence that are aimed at stifling freedom of expression. However, government institutions and the business sector have been targeted by cyberattacks.1

In September 2021, a cyberattack targeted the Federal Statistical Office, whose director is also the Federal Returning Officer overseeing elections. According to the BMI, the server in question was separate from servers relating to the election.2 In the month of the federal elections, cyberattacks on several EU member states, politicians, and journalists took place. These attacks were attributed to the hacker group Ghostwriter, which has been linked to both the Russian and Belarusian secret service, and were strongly condemned by the EU.3 After the start of the war in Ukraine, the German domestic intelligence services warned about new attacks by the group, which had gained access to data of some members of the Bundesländer (German states) parliaments by targeting them with phishing attacks.4

An October 2022 report on cybersecurity by the Federal Office for Information Security (BSI) noted that threats had intensified, especially in terms of ransomware and blackmailing. Since the start of Russia’s full-scale invasion of Ukraine, the BSI did not witness any major cyberattacks against German targets. However, in March 2022, an attack on a satellite provider caused a brief outage of German wind turbines.5

In January 2023, the government published key points for a new law for the Central Office for Information Technology in the Security Sector (ZITiS), which provides cybersecurity support to federal agencies. The law does not explicitly prevent ZITiS from helping security agencies conduct surveillance. The opposition Left Party also criticized the lack of parliamentary control of ZITiS in the new draft.6

On Germany

See all data, scores & information on this country or territory.

See More

Country Facts

  • Global Freedom Score

    94 100 free

  • Internet Freedom Score

    77 100 free

  • Freedom in the World Status

    Free

  • Networks Restricted

    No

  • Websites Blocked

    Yes

  • Pro-government Commentators

    No

  • Users Arrested

    No