Germany’s draft act to combat digital violence: What online platforms and hosting providers need to know

As online platforms and hosting providers continue building out their compliance infrastructure under the EU's Digital Services Act ("DSA") – which has applied in full since February 2024 – a new layer of national obligations is now on the horizon in Germany. The German Federal Ministry of Justice has published a draft Act to Strengthen Civil and Criminal Law Protection Against Digital Violence (Gesetz zur Stärkung des zivilrechtlichen und strafrechtlichen Schutzes vor digitaler Gewalt, "GgdG-E"). The GgdG-E aims to implement a commitment in the current coalition agreement of the German federal government and is partly driven by Directive (EU) 2024/1385 on combating violence against women and domestic violence.

The GgdG-E pursues two parallel pillars: a criminal law pillar introducing three new offences into the German Criminal Code (Strafgesetzbuch, "StGB"), and a civil law pillar creating a self-contained set of judicial instruments which affected individuals can invoke directly against online service providers and Internet access providers ("IAPs"). Providers subject to these obligations must prepare for material changes in how they handle court-ordered user data disclosures, content copies, evidence preservation and, in some cases, account suspensions.

Background

Whilst the DSA provides the primary regulatory framework for content moderation by online intermediaries, it does not materially address individual civil law enforcement of claims by affected individuals. The existing provision under Sec. 21(2) – (4) of the Telecommunications Digital Services Data Protection Act ("TDDDG") partially fills this gap, permitting providers to disclose user data pursuant to a court order — but only on a data protection authorisation basis, not a substantive disclosure right, and currently requires two separate court proceedings. The GgdG-E replaces this framework with a purpose-built regime in which individual civil claims against providers are actionable in a single, streamlined proceeding before the competent Regional Courts.

Who is affected?

The obligations introduced by the GgdG-E apply to the following addressees:

• Service providers: Operators of: (i) online platforms within the meaning of Art. 3(i) DSA – including social networks, video-sharing platforms and online marketplaces; (ii) web-hosting services; and (iii) cloud or file-hosting services. Mere conduit services, caching services, search engines and purely interpersonal communication services such as instant messengers and email are excluded in the explanatory memorandum.
• IAPs: Brought into scope for the limited but operationally significant purpose of attributing IP addresses to account holders.

Two of the more demanding obligations – account suspension and the requirement of a domestic representative who is authorised to accept service – are confined to the narrower category of social networks.

The territorial reach is significant: obligations attach wherever German civil court jurisdiction applies, meaning providers headquartered outside Germany – including outside the EU – may fall within scope if they offer their services in Germany.

The criminal law pillar: Three new offences

The GgdG-E adds three new provisions to the StGB which primarily address individual perpetrators. Nonetheless, tech companies whose products may be used to commit these offences should review their product design, consent flows and content moderation measures accordingly.

• Sec. 184k StGB (revised): Image-based sexual abuse: Recast as the central StGB rule on this topic, criminalising (up to two years' imprisonment or a fine) the unauthorised creation or disclosure of images depicting sexual acts, uncovered intimate body parts, sexually determined images of clothed intimate body parts, and sexualised deep fakes. The existing requirement that recordings take place in a space protected against view is removed, bringing recordings in publicly accessible areas (saunas, beaches, changing rooms) into scope.
• Sec. 201b StGB (new): Deceptive content violating personality rights: Criminalises the unauthorised making available of computer-generated or computer-altered content that creates the impression of depicting an actual event involving another person and is suitable to cause significant reputational damage. The provision is technology-neutral, covers non-sexualised deepfakes and depictions of deceased persons, is subsidiary to provisions carrying heavier penalties, and addresses the limits of existing law – notably Sec. 33 (Kunsturhebergesetz, "KUG") – when applied to convincing AI-generated content.
• Sec. 202e StGB (new): Unauthorised surveillance: Criminalises the repeated or continuous unauthorised monitoring of another person's location or activities via information and communications technology where likely to cause serious harm, targeting GPS trackers and stalkerware. Vendors of legitimate tracking, fleet-management, parental-control or anti-theft products should verify that their default settings, consent flows and technical safeguards reliably keep their products outside the offence's reach.

The new offences are also directly relevant to the civil law pillar: the GgdG-E's civil instruments are triggered by the same statutory offence catalogue, meaning the addition of new offences correspondingly expands the range of situations in which providers may face court-ordered obligations.

The civil law pillar: Key mechanisms

What constitutes an "infringement" under the GgdG-E?

Each civil procedure instrument requires the existence of an "infringement" within the meaning of Sec. 1(1) GgdG-E. The draft refers to a statutory catalogue of criminal offences covering the principal digital violence phenomena – hate speech, doxing, cyberstalking, image-based abuse, defamation, threats and identity misuse – drawn from Sec. 185 et seq. StGB, Sec. 238 StGB, Sec. 33 KUG, Sec. 42 of the German Federal Data Protection Act (Bundesdatenschutzgesetz "BDSG"), and the three new offences described above.

Judicial identity disclosure

Upon an order from the competent Regional Court, service providers and IAPs must disclose under Sec. 2 GgdG-E to the affected individuals the data necessary to enforce civil claims against the relevant user. The scope of disclosable data under the new regime is materially broader than under the existing TDDDG procedure, covering subscriber data (name, date of birth, address, email address, telephone number) as well as the IP address (including port number) used at the time of the infringement, and the IP address used at the last login before service of the order, each with a timestamp. Where the platform-level IP address is dynamic, the IAP is ordered for attribution to the relevant subscriber. Proceedings are free of court costs and do not require mandatory legal representation, which is supposed to facilitate enforcement for individuals.

Evidence preservation, content copies and the deletion regime

Once a disclosure procedure under Sec. 2 GgdG-E is pending and there are sufficient factual indications of an infringement, the court must – ex officio and without delay – issue a preservation order requiring the providers to: (i) refrain from deleting data within the disclosure set; and (ii) create a copy of the challenged content. Preserved data and content copies are transmitted directly to the court, not to the applicant. The legislature hereby intends to prevent providers from deleting data between the filing of a disclosure request and the conclusion of the proceedings, obstructing the disclosure request.

Account suspensions

The most novel element of the draft is the civil law claim by affected individuals for judicial suspension of user accounts. Where a user commits an infringement that severely impairs the affected individual's personality rights, that individual may require the social network – subject to a court order – to suspend all known accounts of that user for a reasonable period where necessary to prevent further violations. The provider must also take measures – to the extent technically and economically reasonable – to prevent the user from opening new accounts during the suspension period. Courts must consider whether milder measures (e.g. demotion, demonetisation or partial restrictions) would be sufficient.

Domestic representative who is authorised to accept service

The draft retains and recalibrates the obligation for social networks to designate a domestic representative who is authorised to accept service. Social networks not established in an EU Member State must designate such a representative and prominently identify them in their German offering upon commencing services in Germany. For providers established in another EU Member State, designation may only be required by court order on a case-by-case basis for a specific pending proceeding.

Conclusion

The GgdG-E represents a significant sharpening of individual civil law enforcement tools in the digital sphere in Germany, placing online platforms and hosting providers at the centre of a new wave of judicial proceedings. Clients should use the publication of the draft as an opportunity to identify operational gaps without waiting for final adoption. As the account suspension provisions in particular may be subject to revision during the legislative and notification process, close monitoring of developments will be essential. Calibrating compliance programmes appropriately will be key to managing both operational and regulatory risk as the GgdG moves through the further legislative process.

_{White & Case means the international legal practice comprising White & Case LLP, a New York State registered limited liability partnership, White & Case LLP, a limited liability partnership incorporated under English law and all other affiliated partnerships, companies and entities.}

_{This article is prepared for the general information of interested persons. It is not, and does not attempt to be, comprehensive in nature. Due to the general nature of its content, it should not be regarded as legal advice.}

_{© 2026 White & Case LLP}