Germany’s network infrastructure for information and communication technologies (ICTs) is well developed, and its overall internet penetration rate is above the European Union (EU) average; in 2020, 95 percent of German residents used the internet.1 According to the BNetzA, the country’s mobile broadband penetration rate is 96.5 percent.2 According to 2020 data from the International Telecommunication Union (ITU), the fixed broadband penetration rate was 43 percent.3

The most widely used mode of fixed-line internet access is still DSL (digital subscriber line), with 25.6 million connections in 2020.4 Fiber-optic connections are becoming more widespread. According to the BNetzA, around 13.9 percent of German households currently have a fiber-optic connection, which is still far behind the EU average of 33.5 percent.5 Connections with speeds of more than 50 Mbps are available in about 93.3 percent of German households.6 However, assessments have shown that many households still do not receive the maximum data transmission rate as stated by providers.7 Despite earlier government promises to quickly provide high-speed internet access to every household,8 the government failed to hit its own target of ensuring every household had access to a connection speed of at least 50 Mbps by the end of 2018.9 Andreas Scheuer, the federal transport and digital infrastructure minister since March 2018, has been criticized for misallocating federal funds earmarked for improving broadband connectivity.10 A reliance on copper-cable vectoring by domestic internet service providers (ISPs) has also been criticized as potentially impeding fiber-optic expansion.11

In 2020, internet access via mobile devices increased further: 80 million people in Germany regularly accessed the internet via universal mobile telecommunications service (UMTS) or long-term evolution (LTE) technology compared to 74 million in the previous year.12 The total data volume increased by 44 percent, from 2.7 billion GB in 2019 to 3.9 billion GB, in 2020.13

In April 2020, the BNetzA found that all three German LTE providers failed to fully meet obligations to cover 98 percent of all households, and all motorways and railways, with a minimum transmission rate of 50 Mbps by the end of 2019. By August 2020, the BNetzA announced that Telefónica and Deutsche Telekom had reached their interim goals of providing 3,040 LTE stations and expanding 50 Mbps coverage to 97 percent of households, respectively.14

The availability of public internet connections has been historically low in Germany compared to other industrialized countries.15 However, recent legal changes have led to an increase of publicly available Wi-Fi hotspots, including in cafés and high-speed trains (see B3). The decision to designate free community Wi-Fi providers as not-for-profit enterprises— which was initially proposed by the Federal Council (Bundesrat) in 2017 and approved in December 2020—entails considerable tax advantages and is expected to further increase the availability of public internet connections (see A2).

According to March 2021 data from Ookla, the average download speed for a fixed-line broadband connection in Germany was 115.83 Mbps, while that of a mobile broadband connection was 64.04 Mbps.16 Despite the increase, average speeds in Germany remain slower than those in neighboring France, but higher than those in the United Kingdom.

Telecommunication services have recently become slightly less expensive, decreasing in price by about 1.6 percent from 2019 to 2020, according to the most recent official statistics.17 In 2020, expenses for such services amounted to 2.6 percent of available household income.18 The Economist Intelligence Unit’s 2021 Inclusive Internet Index ranks Germany 22nd out of 120 countries in affordability, defined by cost of access relative to income and the level of competition in the internet marketplace.19

Persistent differences in internet usage based on income demonstrate that prices remain a barrier for people with low incomes and the unemployed.20 While 97 percent of employed German residents use the internet, only 74 percent of the unemployed do.21 The industrial initiative D21 found a significant discrepancy in access between households that earn less than €1,000 ($1,200) per month, compared to households that make €3,000 ($3,600) or more per month according to its 2020–21 Digital Index.22 Relatedly, 98 percent of German residents with university degrees use the internet, while 70 percent of residents without secondary school degrees do.23 Although the Federal Court of Justice (BGH) has ruled that access to the internet is fundamental for everyday life, the cost of internet access is still not adequately reflected in basic social benefits.24

The gender and age gaps in accessing the internet have reduced significantly over the last year. While 93 percent of men used the internet every day or almost every day in 2021, representing a 2 percent increase, 91 percent of women did, representing a 3 percent increase.25 In the 16-to-44-year age group, daily usage of the internet remained stable at 98 percent, while frequent usage increased from 70 percent to 76 percent among those over 65 in 2020.26 The recent increase could be a result of the COVID-19 pandemic, which has forced people across age groups to communicate online.

Nevertheless, slight differences in internet use continue to exist between Germany’s western and eastern regions. In the former German Democratic Republic (DDR), popular internet usage is still lower, hovering around 80 percent. This gap has remained stable over the past few years.27 Meanwhile, the gap in internet use between urban centers (with at least 500,000 residents) and rural areas stands at 6 percent.28

The German government does not impose restrictions on ICT connectivity. Germany’s telecommunications infrastructure is largely decentralized and the variety of regional providers is unique. There are more than a hundred internet-backbone providers in the country.29

Privatized in 1995, the formerly state-owned Deutsche Telekom remains the only company that acts as both a backbone provider and an internet service provider (ISP). However, the German state owns less than a third of its shares, which crucially limits government control.30 There are a number of connections in and out of Germany, the most important being the DE-CIX (German Commercial Internet Exchange), which is located in Frankfurt. It is privately operated by Eco, the professional association of the German internet industry.31

According to the BNetzA, there was no legal basis for internet shutdowns or connectivity restrictions on the federal level as of 2016.32 However, some state-level legislation on police powers grants limited restriction measures (see C5).

The telecommunications sector was liberalized in the 1990s with the aim of fostering competition. Commercial service providers must notify the BNetzA before launching services, but do not need licenses.33

Deutsche Telekom’s share of the fixed-line broadband market remained at 38.9 percent in 2020.34 Vodafone held 30.3 percent in 2020 after it acquired cable company Unitymedia and expanded from its 19.9 percent share in 2018 to 30.6 percent in 2019. Other ISPs with significant market share include 1&1 with 12.3 percent and O2-Telefónica with 6.2 percent.35 Public subsidies for increasing broadband connectivity have been criticized for favoring Deutsche Telekom.36

German residents seeking mobile services can choose from three major service providers: Vodafone with a 36 percent market share; Telefónica Deutschland with 31.5 percent, and T-Mobile (Deutsche Telekom) with 32.5 percent.37 In August 2019, Drillisch Netz AG joined Deutsche Telekom, Vodafone, and Telefónica in securing fifth-generation (5G) technology spectrum frequency blocks, diversifying the mobile market.38 The transmission infrastructure for 5G has expanded in 2020 with 19,510 wireless base stations, compared to 139 in 2019. In its 2020 annual report, BNetzA disclosed that 9 percent of transmission stations were 5G ready.39

Internet access, both fixed-line and mobile, is regulated by BNetzA, which has operated under the Federal Ministry of Economic Affairs and Energy since early 2014.40 The president and vice president of the agency are appointed for five-year terms by the federal government, following recommendations from an advisory council consisting of 16 members from the Bundestag and 16 representatives from the Bundesrat.41 The German Monopolies Commission and the European Commission (EC) have both criticized this highly political structure and the concentration of important regulatory decisions in the presidential chamber of the BNetzA.42

In addition to these institutional concerns, regulatory decisions by the BNetzA have been criticized for providing a competitive advantage to Deutsche Telekom, the former state-owned monopoly.43 These concerns were amplified in late 2015, when BNetzA presented a proposal to allow Deutsche Telekom to implement vectoring, a technology that is capable of boosting the bandwidth of DSL connections on preexisting copper lines.44 This arrangement sparked criticism given that, in order to function as intended, the technology requires a single operator to remain in charge of all copper lines. In turn, unbundling and redistributing individual connections becomes more difficult, and the managing operator (Deutsche Telekom) would end up in a privileged market position.45 After the Monopolies Commission first voiced its concerns in December 201546 and the EC instigated formal review proceedings in early 2016,47 the Federal Chancellery finally announced the end of public support for vectoring in March 2018.48

In January 2021, federal legislators amended the Act against Restraints of Competition (GWB) via the GWB Digitization Act, which created specific antitrust protocols for digital platforms “with overwhelming importance for competition across multiple markets.”49

The government rarely blocks websites or internet content,50 though a few blocks have been imposed by state actors in recent years. All major social media platforms and international blog-hosting services are freely available.

In February 2018, a regional court in Munich instructed Vodafone to block the video-streaming website kinox.to, in response to a film distributor’s complaint that the site was hosting content in violation of copyright law.51 The injunction marked the first court-ordered blocking of a pirate website in Germany. A 2015 BGH ruling empowered copyright holders to seek such injunctions against pirate websites (see B3).52

Vodafone has continued to block streaming and file-sharing websites, including bs.to and s.to beginning in 201853 and boerse.to in 2019, in response to complaints from rights holders.54

Most content-removal issues in Germany relate to the removal of search engine results (deindexing) rather than actual deletions of content. However, pressure on social media companies to remove content from their platforms has increased since the implementation of the NetzDG, which imposes severe fines if certain illegal content is not removed promptly (see B3).

Under the law, social media companies that receive over 100 content-related complaints each year must disclose how they handled those complaints every six months. These complaints come from either users or complaints bodies, such as children’s rights watchdog Jugendschutz.net. According to a November 2018 analysis from the Center for European Policy Studies, “NetzDG has failed to generate any additional press reports of dubious false positives” since a series of January 2018 controversies.55 However, the effectiveness of the NetzDG is difficult to measure and remains a concern.56

Since NetzDG came into effect on January 1, 2018, controversial content removals—particularly those involving satirical posts and accounts—have been reported.57 These removals illustrate a fundamental problem with the law: if taken out of context, posts on social media platforms may fall within the scope of hate speech provisions embedded in the criminal code.58

Between July and December 2020, social media platforms disclosed that thousands of items had been removed or blocked because of complaints. Between July and December 2020, Facebook reported 1,27659 blocked or removed items, while Twitter reported that it blocked or removed 118,797 items during the same period,60 Google disclosed 73,477 items were blocked or removed on YouTube.61 Likewise, TikTok blocked or removed 26,440 items.62 Additionally, TikTok reported a significant increase in complaints with 246,434 cases during the latter half of 2020, compared to 1,050 in the latter half of 2019.

Separately, the government also issues content removal requests. According to Google’s transparency report for the second half of 2020, the company received 186 takedown requests from courts and other public authorities. Additionally, 82 requests were made because of court orders directed at third parties. The most common reason for requests (102 cases) was defamation. Google acceded to 61.8 percent of these requests.63 Meanwhile, Twitter received 20 content removal requests from German authorities in the second half of 2020, complying with 37 percent of these requests.64 In the second half of 2020, Facebook restricted 729 pieces of content that violated the Youth Protection Law and related to Holocaust denial.65

Under a 2014 Court of Justice of the European Union (CJEU) decision on the “right to be forgotten” (RTBF),66 Google and other search engines are required to remove certain search results if they infringe on the privacy rights of a person and that person formally requests the action (see B3).

From the date of the ruling to the end of May 2021, Google had assessed some 1,115,877 requests to delist search results across the EU, affecting more than 4.3 million URLs, with 183,174 requests coming from Germany alone.67 For Germany, 60.5 percent of the 89,864 URLs requested to be removed during this report’s coverage period resulted in a delisting by Google. The majority of requests—89.4 percent—were made by private individuals. Between July and December 2020, Microsoft received 460 RTBF delisting requests, covering 1,705 URLs.68 The company delisted 53 percent of those URLs.

German copyright law has been criticized repeatedly for its use to hinder the publishing of sensitive information on topics of public interest, especially as many online platforms automatically remove content that reportedly breach copyright law, so as to avoid lawsuits. In December 2019, the Federal Institute for Risk Assessment (BfR) sued the platform FragDenStaat for publishing a government-issued report on health risks caused by the herbicide glyphosate, alleging copyright infringement. The BfR won a previous copyright lawsuit over the report, which was obtained under the Information Freedom Act, but their court injunction was cancelled due to a procedural error.69 In May 2021, the Cologne Higher Regional Court ruled that the report’s publication was lawful, being covered by the freedom to quote and the freedom to report.70

In January 2020, a federal administrative court dismissed a lawsuit challenging the ban of the platform linksunten.indymedia for lack of standing; former interior minister Thomas de Maizière had ordered the ban, alleging that the platform violated the law of association by organizing violent riots during the G20 summit in Hamburg. The operators of the website were forced to shut down its host server and social media accounts in August 2017 in order to enforce the ban.71

In June 2020, the Federal Ministry of Justice and Consumer Protection (BMJV) introduced a new draft law transposing the EU Copyright Directive into German law, which was enacted in June 2021 (see B3). Additionally, the COVID-19 pandemic has amplified the public and political debate on copyright law.72 Education and cultural institutions, as well as the Bundesrat, have criticized the draft law for restricting digital access to knowledge and cultural participation.73

In October 2020, eight defendants stood trial for running the CyberBunker data center, a bulletproof hosting operation that was housed in a Cold War–era bunker. The defendants are accused of aiding and abetting crimes in nearly 250,000 cases because they provided hosting services to websites conducting illegal activity. The verdict could set a precedent that makes the operation of data centers that host illegal platforms punishable.74 Additionally, a criminal code amendment proposed by the BMJV in February 2021, criminalizing the provision of server infrastructure for illegal online marketplaces, might impact the verdict in this case. A verdict had not been reached as of the end of the reporting period.

Restrictions on online content in Germany generally meet minimum requirements for transparency, proportionality, and independent appeal.

NetzDG, which was approved in June 201775 and came into effect on January 1, 2018, obliges social media platforms with more than 2 million registered users in the country to investigate and delete flagged content shortly after being reported, or otherwise face hefty fines (see B6).76 If the flagged content is “obviously illegal,” the company must block or remove it within 24 hours; if otherwise illegal, the content must be blocked or removed within seven days. Under NetzDG, illegality is defined in relation to 22 articles in Germany’s criminal code (see C2).77 After making a decision to delete or preserve flagged content, the company has to inform both the complainant and the user who uploaded the content. If it fails to meet any of these requirements, the company could face fines of up to €50 million ($58.5 million) (see B6).78 An amendment to NetzDG passed in June 2020 requires companies to share the personal information of users reported for hate speech or illegal content to the BKA (see C6).

Additionally, In March 2021, lawmakers passed amendments to NetzDG which add additional transparency requirements for social media platforms and expands the mandate of NetzDG to include video-sharing services to align with the EU Audiovisual Media Services Directive. The act, which came into effect in June 2021, also provides users with an avenue to appeal content-removal decisions, though an appeal must be filed within two weeks.79

In March 2021, major internet providers operating in Germany and associations of companies in the entertainment industry formed the CUII, a joint initiative to initiate DNS blocks against “structurally copyright-infringing” websites.80 While blocking requests were previously considered by judges, the BNetzA now assesses CUII recommendations and determines whether the blocking violates principle of net neutrality. The new policy has elicited criticism from politicians and activists.81 The Federal Cartel Office (BKartA) did not object to the new initiative, though it is monitoring the development of the practice.82 Critics question the BNetzA’s suitability in this process, since the agency is responsible for regulating telecommunications networks to ensure fair competition and net neutrality rather than assessing fundamental rights regarding copyright.83 Concerns are growing that the CUII might pave the way for further extrajudicial restrictions on freedom of communication. 84

In April 2021, the European Parliament (EP) adopted a regulation aimed at “tackling the dissemination of terrorist content online” which, among other things, would require platforms to delete content within one hour of receiving a removal order from authorities.85 Platforms that routinely fail to do so could be fined 4 percent of their overall annual revenue (see B6). Critics have voiced concerns that ambiguity surrounding the definition of “terrorist content” and the short timeline for removing such content will lead companies to “remove speech first and ask questions later,” possibly through automatic filters.86 The resolution entered into force in June 2021, after the coverage period, but it will not be applicable until June 2022.87

Issues related to copyright law have figured prominently in discussions around internet freedoms in Germany. In March 2019, the EP passed the Directive on Copyright in the Digital Single Market, which the European Council approved in April 2019.88 The directive imposes a so-called link tax, which grants online publishers the right to charge aggregators like Google News for excerpting proprietary content, such as news articles (see B6).89 EU member states are obliged to incorporate the directive into national law by June 2021.

In May 2021, the federal and state parliaments passed laws amending the Copyright Act and the Collecting Societies Act to align with the new EU directive. The amendments require companies with large amounts of user-generated content to use “upload filters,”90 which will preemptively block copyright-infringing online content.91 While the political parties comprising the current federal government—the Christian Democratic Union (CDU), its Bavarian sister party, the Christian Social Union (CSU), and the Social Democratic Party (SPD)—had pledged to prevent the implementation of upload filters,92 the Federal Cabinet approved the draft law, which included the use of upload filters, submitted by the BMJV.93 Although the law came into effect in June 2021, after the coverage period, the implementation of upload filters could still be invalidated because the advocate general of the ECJ recently argued against the liability of platform operators and the ECJ has not yet reached a judgment on the legality of Article 17 of the Copyright Act.94

Civil society organisations, researchers, artists, and the public continue to voice concerns objecting to the recent changes to the law.95

Companies can be held liable for illegal content under the Telemedia Act. The law distinguishes between full liability for one’s own content and limited “breach of duty of care” (störerhaftung) for service providers and host providers of third-party content.96 Additional blocking and filtering obligations for hosting providers were put in place by the BGH in the 2012 Alone in the Dark case.97 In this case, game publisher Atari sued the file-hosting service Rapidshare for copyright violations concerning the Alone in the Dark title. Though the court did not hold Rapidshare liable for direct infringement, they found that Rapidshare neglected its monitoring obligations under the “breach of duty of care” standard.98 A subsequent decision substantiated and further extended the duties of the content host: if the business model of a service aims to facilitate copyright infringement, the company is considered less worthy of immunity from intermediary liability.99 As a consequence, hosting providers are required to monitor their own servers and search for copyright-protected content as soon as they have been notified of a possible violation.100

While ISPs are not required to proactively monitor the information of third parties on their servers, they become legally responsible as soon as they gain knowledge of violations or violate due diligence requirements.101

In 2015, the BGH ruled that the blocking of a website may be ordered as a last resort if it is the only means for a copyright holder to effectively end rights infringement on that website.102 In such cases, the owner of the copyright may ask an ISP to block the website in question. If the provider refuses, a court can intervene. The decision has been subject to criticism, with detractors noting that blocking is considered easy to circumvent and thus ineffective.103

The protection of minors constitutes an important legal basis for extant regulation of online content.104 Youth protection on the internet is principally addressed at the state level through the Interstate Treaty on the Protection of Human Dignity and the Protection of Minors in Broadcasting and Telemedia (JMStV). The JMStV bans content similar to that outlawed by the criminal code, such as the glorification of violence and sedition, and provides a framework for age restrictions on content without specifying measures to implement them.105 A controversial provision of the JMStV reflects the regulation of broadcast media: Adult-only content on the internet, including pornography, may only be made available after verifying the age of the user.106 The JMStV enables the blocking of content if other actions against offenders fail and if such blocking is expected to be effective.

The search engine delisting process under RTBF follows guidelines developed by an advisory group of experts, aiming to strike a balance between RTBF and freedom of expression and information.107 Under the new General Data Protection Regulation (GDPR), which took effect on May 25, 2018, RTBF is now part of codified data protection law across the EU.108 In July 2020, the BGH ruled that the right must be assessed on a case-by-case basis.109

In June 2017, the ruling federal coalition enacted a law that abolished most legal liability for hotspot providers. While the new law was generally viewed positively by experts, it could allow copyright holders to coerce hotspot providers to shut down access to certain content or set up password locks and user registration mechanisms.110 This was reinforced by the BGH in 2018 (see A1).111

To date, self-censorship online has not been a significant or well-documented problem in Germany. Still, there are some rules reflected in the publishing principles of the German press that may constrain some journalists’ online speech. This self-binding code of ethics forms the basis for the evaluation of possible complaints from the public. It includes 16 provisions and is centered on the protection of human dignity.112 In May 2020, the new Interstate Media Treaty (MStV) introduced an obligation for self-regulatory institutions to penalize the repeated publication of disinformation (see B6). Critics have raised concerns that this policy could further censorship, as it gives the state a new mechanism for removing content.113

The criminal code and JMStV clearly define and prohibit content such as child sexual abuse imagery, racial hatred, and the glorification of violence.

NetzDG has been criticized for leading to a potential chilling effect on content posted online (see B3).114 There is, however, a lack of evidence that these restrictions have led to significant levels of self-censorship.

Score Change: The score declined from 4 to 3 to reflect new reports linking far-right political parties to the spread of disinformation.

Germany’s online information landscape has witnessed an increased content manipulation, which in some cases has been linked to the far right.

In March 2021, German news outlet Netzpolitik reported that the Poland-based website “Our Central Europe,” which disseminated conspiracies about climate change, COVID-19, and refugees in Germany, has links to the Mecklenburg–Western Pomerania wing of the right-wing populist AfD. According to the report, the site uses text seen in AfD press releases and has faced problems placing advertisements on Facebook for violating the company’s policy on political advertising. The site is formally operated by London-based New Network Communications, an apparent front company, and has connections with a former employee of the Freedom Party of Austria (FPÖ), a right-wing Austrian political party.115

While there were concerns about the proliferation of disinformation leading up to the September 2017 federal elections, no decisive impact was documented. Nevertheless, those concerns prompted legislators to push for controversial legal solutions with potential implications for freedom of expression online. The new MStV (see B6) obliges operators to mark social bots, if they use them, but definitions and labelling requirements are often imprecise and the policy could impact human accounts.116 Additionally, researchers have voiced doubts about the impact of social bots on public opinion.117

While individual internet users face few economic or regulatory obstacles to publishing content online, German law exposes companies such as social media platforms or hosting providers to substantial financial penalties.

NetzDG (see B3) imposes hefty fines on social media companies that fail to comply with content-removal and reporting requirements. Moreover, the law has forced social media companies to set up expensive internal systems to comply with its requirements. Facebook, Google, Twitter, and TikTok collectively employ thousands of people to review complaints submitted under NetzDG. NetzDG and the EU terrorist content regulation (see B3), which was adopted in March 2021,118 make it more difficult for new companies to enter the German market.

In May 2020, the heads of German state governments signed the MStV to replace the Interstate Broadcasting Treaty—which regulates radio broadcasting in Germany—and to establish regulations for new forms of media outlets. The MStV came into effect in November 2020 and was ratified by state parliaments. Media outlets that are not part of any self-regulatory bodies are now subject to direct supervision by state media institutions and can face penalties for refusing to comply with the measure or for the repeated distribution of disinformation. The MStV also introduced a license requirement for those who create online video content that consistently reaches at least 20,000 viewers. The MStV expands the scope of such obligations to almost any commercial form of publication. Observers have criticized the unequal treatment of new self-regulatory bodies compared to the established German Press Council, as well as the involvement of media institutions as supervisory authorities.

The MStV also imposes algorithmic transparency and nondiscrimination requirements on major online platforms that aggregate third-party content, such as those operated by Google, Facebook, and Apple.119 Politicians and civil society organizations have voiced their concerns regarding freedom of speech and media choice. A consortium of representatives from the press and digital media have criticized the MStV for taking an anticonsumer stance and for limiting user autonomy.120

In April 2017, the federal parliament incorporated EU rules on net neutrality into domestic law.121 However, observers remarked that several plans from ISPs and mobile service providers, such as Deutsche Telekom’s “Stream On,” Vodafone’s “Vodafone Pass,” and O2’s “Unlimited” plan, violate strict net neutrality by favoring certain services, including video-streaming services.122 BNetzA subsequently prohibited parts of “Stream On” for breaching net neutrality principles.123 Fines for violating net neutrality laws can reach a maximum of €500,000 ($550,800), relatively low compared to other European states.124 After a summary proceeding in the regional court of Nordrhein-Westfalen, Deutsche Telekom was forced to implement the official requirements in August 2019. The lawsuit was moved to the ECJ and was still pending at the end of the coverage period.

The governing federal coalition has reiterated its support for ancillary copyright for publishers (Leistungsschutzrecht für Presseverleger), in force since 2013.125 The regulation allows publishers to monetize excerpts that search engines display as part of their search results.126 Some fear this infringes upon constitutionally protected rights to freedom of expression and information.127 In order to limit monetization, search engines began excluding results leading to the websites of publishers that monetized their links or displayed links without the corresponding excerpts.128 In response, a publishers’ collecting society, VG Media, started antitrust proceedings against Google. In September 2015, the BKartA decided that Google was not in violation of antitrust laws.129 Ultimately the case was referred to the ECJ and dismissed due to a formal error in September 2019.130 However, the issue remains somewhat unsettled, for ancillary copyright for publishers was included in the EU Copyright Directive, which was approved in April 2019 and implemented in national law in June 2021 (see B3).131

Germany is home to a vibrant internet community and blogosphere. Local and international media outlets and news sources are accessible and represent a diverse range of opinions.

During the COVID-19 pandemic, misinformation about the coronavirus spread through social media platforms and messaging services. A false narrative regarding the effect of the anti-inflammatory drug ibuprofen on COVID-19 patients originated in Germany in March 2020. Although it was debunked by medical officials soon after, it spread across European borders. French health minister Olivier Véran notably warned COVID-19 patients not to use anti-inflammatory drugs including ibuprofen in a March 2020 Twitter post.132

During the coverage period, several civil society initiatives used the internet to conduct advocacy campaigns related to political and social issues in Germany.

Social media has also played a crucial role in the growth of the climate protection movement. The student protest movement “Fridays for Future,” which originated in Sweden and combines weekly school strikes and marches, largely organizes through social media. In Berlin, protests were held regularly beginning in September 2018.133 The movement has placed the issue on the national political agenda and significantly influenced public perception of the climate crisis.134 Due to the coronavirus outbreak, most protest marches and public interventions in 2020 were cancelled and replaced with multiplatform online campaigns and protests.135

In 2020, the climate protest movement Extinction Rebellion organized and coordinated multiple strikes and roadblocks in Berlin, shutting down main roads and tourist attractions for days.136 Supporters also campaigned and held gatherings online.137

In the summer of 2020, protests against racially motivated police violence, held under the #BlackLivesMatter banner, were organized and coordinated through online platforms.138

Germany has also witnessed protests against COVID-19-related restrictions and legislation. A group of opponents under the Querdenken (Lateral Thinking) banner formed during the pandemic, largely communicating and mobilizing against pandemic restrictions online.139

Article 5 of the Basic Law guarantees freedom of expression and freedom of the media. Judicial bodies operate independently, and generally support the protection of basic rights.

Since 2016, the Office of the Federal Commissioner for Data Protection and Freedom of Information has been an independent supreme federal authority.140 Since its founding, the agency has tripled its capacities, and enlarged its staff to strengthen the supervision of security authorities.141

Online journalists are largely granted the same rights and protections as journalists in print or broadcast media. The official press card is primarily available to “professional” journalists, meaning those whose journalistic activities account for at least 51 percent of their income.142 Alternatively, associations, including the German Association of Press Journalists (DVPJ), offer press cards to part-time journalists, bloggers, YouTubers, and media professionals.143 These cards are often connected to granting rights of privileged access for journalists, for example, to demonstrations. Similarly, the German criminal code grants the right to refuse testimony solely to individuals who have “professionally” participated in the production or dissemination of journalistic materials.144

After two journalists from the online outlet Netzpolitik briefly faced criminal proceedings for alleged treason in 2015, then justice minister Heiko Maas announced a bill with the aim of explicitly excluding journalists from the scope of the treason provision in the criminal code. However, at the end of the coverage period, the promised reform had still not made any progress.145

The controversial BND Law (see C5), which expands the legal justification for surveillance, has been criticized by journalists demanding improvements, including better protection for reporters abroad as well as their sources. In May 2020, the Federal Constitutional Court (BVerfG) found the law to be unconstitutional, forcing the government to revise the law. Reporters Without Borders (RSF) launched a campaign against the new draft law under the hashtag #NotYourSource, arguing that the vague wording of the revised paragraphs still poses risks to journalists. The amendment was approved by the Bundestag and Bundesrat in March 2021 and is scheduled to come into effect on January 1, 2022.146

The German criminal code includes numerous prohibitions that apply to the online realm, such as Section 130, which penalizes calls for violent measures against minority groups and assaults on human dignity.147 This provision is seen as legitimate in the eyes of many Germans, particularly because it is generally applied in the context of Holocaust denial.148 NetzDG defines illegal online content in relation to 22 provisions in the German criminal code, including Section 130. Other provisions prohibit defamation, forming a criminal or terrorist organization, and “using symbols of unconstitutional organizations.”149 In the context of NetzDG, many activists, politicians, and officials have expressed concern that these provisions are too broad. In addition to facilitating content removals, these provisions carry penalties in the form of fines and, in some cases, jail time.

After satirist Jan Böhmermann came under criminal investigation in 2016 for a provocative poem mocking Turkish president Recep Tayyip Erdoğan, the federal parliament abolished a provision of the criminal code that penalizes insulting foreign leaders.150 Erdoğan also filed a civil libel lawsuit against Böhmermann, which led to a ban on three-fourths of the controversial poem and its deletion from the website of the television channel on which Böhmermann performed.151 Both parties appealed the judgment. In May 2018, the judgment was upheld, with an appellate court rejecting Böhmermann’s request to repeal the partial ban. At the same time, the court ruled that Erdoğan had no right to have the entire poem prohibited.152 In January 2019, Böhmermann launched a complaint with the BGH challenging the rejection.153 The BGH dismissed the appeal in July 2019, after which Böhmermann filed a complaint with the BVerfG, Germany’s highest court, which had not yet ruled as of the end of the coverage period.154

In the context of the 2018 refugee crisis, previous years saw a surge in law enforcement investigations invoking the provision on “incitement to hatred” in the German criminal code, mostly related to hate speech against asylum seekers on social media platforms such as Facebook. As a result, there have been considerably more convictions for incitement to hatred.155 Official crime statistics documented 4,486 of these cases in 2018.156 In 2020, the BKA documented 2,607 posts that fit the criminal code definition of hate speech from that year, 62 percent of which were categorized as being politically right-wing.157 According to the BKA, 3.7 percent of politically motivated crimes in 2019 were hate postings.158 A survey on hate speech from the Forsa Institute, a market research and opinion polling company, found that three-quarters of internet users came into contact with hate speech online in 2020.159

In June 2018, police in 10 German states conducted raids against 29 social media users for alleged hate speech.160 Similar raids have happened every year since across the country.161 The March 2020 amendment to NetzDG requires larger platforms to disclose personal user data associated with postings of certain illegal content, including online hate speech, to the BKA (see B3 and C6).162

User anonymity is compromised by SIM card registration rules under the Telecommunications Act of 2004, which requires purchasers to submit their full name, address, international mobile subscriber identity (IMSI) number, and international mobile station equipment identity (IMEI) number.163 Nonetheless, the principle of anonymity on the internet is largely upheld as a basic right. A 2014 decision by the BGH further strengthened this right, confirming that an online ratings portal was under no obligation to disclose the data of anonymous users.164

Website owners and bloggers are not required to register with the government, but most websites and blogs need to have an imprint naming the person in charge and providing a contact address. The anonymous use of email services, online platforms, and wireless internet access points is legal. However, a proposed amendment to the telecommunications law suggested by the Federal Ministry of Interior (BMI) includes the obligation to provide identity when registering for an email account.165

In May 2019, the BMI brought forward a new initiative on mandatory backdoors for encrypted messaging services.166 The proposal has been widely criticized by civil society organizations and industry professionals, including the iRights.Lab, as it would mark the departure from longstanding proencryption policy. Experts also criticized a 2017 legislative proposal by the governing coalition to allow civil lawsuits to reveal an alleged offender’s legal name tin suits related to violations of the right of personality online, especially defamation. Observers voiced concern that this might infringe on the right to anonymity online, if interpreted broadly.167 Discussions on this topic were still ongoing at the end of the reporting period. Due to a lack of support from within the CDU-CSU and SPD, a final decision on the initiative is unlikely until after the September 2021 general election.168

In October 2019, a man live-streamed an antisemitic attack on a synagogue in Halle, Saxony-Anhalt, via the streaming platform Twitch. Following the attack, politicians from several states introduced legislation to the Bundesrat in February 2020 to require social networks and gaming platforms to collect users’ names, addresses, and dates of birth, as well as proof of identity, and to hand them over to the police upon request.169 With further amendments to NetzDG implemented in 2020 and 2021 (see B3 and C6), the federal government has been criticized for widening the BKA’s ability to access personal user data through private companies. In an open letter, 13 associations concerned with digital rights urged the Ministry of Justice and Consumer Protection to focus on the origin of hate crimes in general, and to stop outsourcing hate-speech prevention to foreign companies.170

In March 2019, the Bundesrat proposed a bill against illegal online marketplaces. It would add a new criminal penalty for offering services via the dark web that contribute to or enable other crimes, such as the distribution of illegal drugs, explosives, or child sexual abuse imagery.171 The bill specifically mentioned the use of Tor as a vehicle to access such services. Due to its broad language, legal observers argued the scope of the bill would encompass potentially all dark-web services and therefore severely hinder the effective use of Tor to anonymize users’ online communication.172 Public criticism increased following the draft's first approval by the Bundesrat later in 2019, but progress on the draft stalled as it lacked support from the federal governing coalition.173 In February 2021, the government proposed and passed a new draft criminalizing dark-web marketplaces. In contrast to earlier proposals, it also makes the providers of server infrastructures accountable for any illegal transactions (see B2).174

In July 2020, it was revealed that the French and Dutch police hacked EncroChat phones, which offer unique encryption software and are often used by criminal networks. Following the hacking, 750 arrests related to the gun and drug trade were made in multiple German states as of July 2021, after the coverage period.175

Article 10 of the Basic Law guarantees the privacy of letters, posts, and telecommunications. These articles generally safeguard offline as well as online communication. A groundbreaking 2008 BVerfG ruling established a new fundamental right regarding the “confidentiality and integrity of information technology systems” as part of the general right of personality under Article 2 of the Basic Law.176

A German parliamentary commission of inquiry on intelligence practices—established after former US National Security Agency (NSA) contractor Edward Snowden leaked documents exposing the various activities of US, British, and German intelligence services in 2013—completed its work in 2017.177 While the governing coalition concluded that the conduct of both the allied foreign intelligence services and the BND had been and continued to be within the bounds of the law, the opposition argued that ongoing mass surveillance was unlawful. Both sides drew criticism for not demanding sufficient steps to end the practice in Germany.178

A 2016 law granted the BND explicit permission to monitor domestic internet traffic so long as it targets foreign citizens.179 Press freedom groups argued that the law threatens the constitutionally protected work of foreign journalists reporting in Germany180 and, in January 2018, a number of nongovernmental organizations (NGOs) and foreign investigative journalists filed a constitutional complaint.181 The 2016 BND Law has also been scrutinized for its impact on the privacy of German internet users.182 While the BND is mainly tasked with foreign intelligence collection, one of the main concerns is that the law permits monitoring of all network traffic channeled through the DE-CIX in Frankfurt—the world’s largest internet exchange point—which would at least unintentionally affect communications by German citizens as well. In 2016, before the new law’s enactment, the operators of DE-CIX had sued the BND in the Federal Administrative Court (BVerwG), arguing that the intelligence service’s practices were unconstitutional.183 In May 2018, the court dismissed the claims, declaring that monitoring of the exchange point was lawful.184

In May 2020, the BVerfG ruled that the BND is still bound by the fundamental rights of the Basic Law when conducting telecommunications surveillance of foreigners in other countries, finding that the BND had acted unlawfully in monitoring the communications of foreign journalists.185

Public perception of the May 2020 ruling has been largely positive, welcoming the court’s verdict as a reinforcement of the Basic Law.186

However, in March 2021, the Bundestag and Bundesrat approved an amended version of the BND Law. The new law, which was initially proposed at the end of 2020, expands the scope of BND activities, allowing the interception of up to 30 percent of the transmission capacity of all global telecommunications networks.187 While the law protects “individual communications of natural persons,” it allows the BND to collect and process various kinds of communication data, including inventory, traffic and content data enabling the monitoring of communications behavior, financial transaction data, and movement data of individuals in Germany and abroad. Furthermore, the law, which came into effect after the coverage period in June 2021, enables federal police to hack communication providers abroad and to use malware against citizens without criminal histories.188 The insufficient protection of journalists, criticized by the BVerfG, is regulated in an added paragraph. However, the Federal Data Protection Commissioner, opposition politicians, and legal observers have criticized vague exceptions in the protection clause, making it ineffective.189 NGOs have already announced legal complaints against the revised BND Law.190

In June 2021, after the coverage period, the Bundestag passed amendments to the Law of the Office for the Protection of the Constitution, which provides intelligence agencies with “additional powers of investigation through the regulation of source telecommunication monitoring, including messenger services.”191 The measure—which was developed largely in response to right-wing extremism and would also allow state security agencies to use malware—was met with criticism and concern from members of the public192 after it was initially approved by the federal cabinet in September 2020.193

The BND had also been storing and processing bulk metadata records of phone calls via its traffic-analysis system, VerAS. In response to a lawsuit filed by RSF Germany,194 in December 2017, the BVerwG outlawed such intelligence gathering, prohibiting the BND from collecting and processing communications metadata for want of sufficient legal basis.195 In May 2018, the BND officially announced that it would end the practice.196 RSF Germany also lodged a parallel complaint with the European Court of Human Rights, alleging that the intelligence service had been unlawfully monitoring the NGO’s own email correspondence.197

Surveillance conducted by intelligence services under the Act for Limiting the Secrecy of Letters, Posts, and Telecommunications (the G10 Act) has continued to decline.198 The BVerfG’s May 2020 judgment regarding the BND’s domestic surveillance activity involving foreigners raised hopes for a successful ruling against the G10 Act.199 In November 2020, the Society for Freedom Rights filed a constitutional complaint arguing that any change to the G10 Act, that allows German secret services to use Bundestrojaner (”a federal Trojan horse”) is unconstitutional.200 No verdict was reached by the end of the coverage period.

Telecommunications interception by state authorities for criminal prosecutions is regulated by the criminal code and may only be employed for the prosecution of serious crimes for which specific evidence exists and when other, less intrusive investigative methods are likely to fail.

A 2008 BVerfG ruling establishing a new fundamental right to the “confidentiality and integrity of information technology systems” also found that covert online searches are only permitted “if factual indications exist of a concrete danger” that threatens “the life, limb, and freedom of the individual” or “the basis or continued existence of the state or the basis of human existence.”201 Based on this ruling, the federal parliament passed a law in 2009 authorizing the BKA to conduct—with a warrant—covert online searches to prevent terrorist attacks and other methods of covert data collection, including the surveillance of private residences and the installation of software on a suspect’s computer that intercepts their communications at the source.202 Separately, antiterrorism legislation that was first passed after the September 11, 2001 terrorist attacks in the United States—which, among other provisions, obliges banks or telecommunications operators to disclose customer information to the authorities—was once again extended in 2015 through 2021.203

In June 2017, the federal parliament enacted the “law for more effective and more practical criminal proceedings.” Most significantly, it included an extensive list of criminal offenses that would allow for the deployment of spyware on suspects’ mobile phones, tablets, and computers in order to enable monitoring of written and spoken text as well as the copying of data.204 Critics consider the law unconstitutional due to its expansive scope and long list of applicable offenses.205 In accordance with the law, the BKA has been permitted to install Bundestrojaner on suspects’ devices since January 2018.206 So far, three different types of Bundestrojaner have been developed.207 BKA hackers have reportedly breached the encrypted messaging app Telegram and are targeting WhatsApp, although intelligence services have previously accessed the WhatsApp without using a state trojan.208 Complaints and lawsuits against the law and similar state laws have been filed at the BVerfG by data protection organizations and activists.209

In Bavaria, Germany’s second-largest state by population, the governing CSU introduced a bill in 2018 that grants the Bavarian police vastly expanded powers, including the authority to access any information technology system preventively in the event of a—broadly defined—imminent danger, without concrete evidence of a specific crime.210 Critics allege that the bill would blur the line between police and intelligence services, a strict distinction placed into the constitution as a consequence of Nazi-era abuses.211 Federal interior minister Horst Seehofer, a former minister-president of Bavaria and a CSU member, has stated that he intends to use the Bavarian law as a model for police laws in all German states.212 Since then, similar laws granting police forces vastly expanded power to access communications have been passed in Saxony, North Rhine–Westphalia, Lower Saxony, Bremen, Brandenburg, Hesse, Mecklenburg–Western Pomerania, Rhineland-Palatinate, Saxony-Anhalt, and Baden-Württemberg, while others remain under discussion in Berlin and Schleswig-Holstein.213 In some cases, these laws permit police to use Bundestrojaner.

The Bundestag approved a bill in December 2019 expanding the powers of customs authorities to conduct communications surveillance, including through monitoring software and device searches.214 The law also provides a legal basis to obtain user data from telecommunications providers without the knowledge of the persons concerned, and it permits customs authorities to use IMSI catchers, which mimic cell phone towers in order to collect data from proximate devices.215 The law’s phrasing vaguely describes the circumstances justifying the application of spyware, providing only that customs authorities may use technical means to intervene in information technology systems if necessary. Federal Commissioner of Data Protection and Freedom of Information (BfDI) Ulrich Kelber criticized the almost unconditional and unprompted collection and enrichment of data.216

Newly arriving migrants and refugees are also targeted by measures that infringe on their privacy rights. According to 2017 amendments to the asylum law, an arriving refugee’s electronic device data, including location data, may be copied and analyzed in order to determine the person’s place of origin if he or she does not provide identity documents.217 With the support of the Society for Freedom Rights, several refugees affected by this practice have taken legal action against the Federal Office for Migration and Refugees and filed a complaint with BfDI Ulrich Kelber.218

In June 2020, the health ministry launched the Corona-Warn-App,219 a COVID-19 contact tracing app that adopted data minimization principles and relied on decentralized proximity tracing.

The German government established a legal framework to protect personal data in 1990, though several laws require companies to provide user data to the authorities. German law requires the localization of some telecommunications data.220

In April 2021, the amendment to NetzDG that requires companies report the personal data of users who post certain types of illegal content (see B3), including far-right nationalist and extremist content, to the BKA came into effect. The amendments, which were passed in June 2020,221 state that personal data includes usernames, internet protocol (IP) addresses, port numbers and—with a judicial order—passwords.222 Digital rights associations have criticized that the expected masses of user data, which will flow to the BKA, can hardly be processed by the public prosecutor’s offices.223 While President Frank-Walter Steinmeier initially refused to sign a package of laws after the parliament’s research service declared parts of the proposal unconstitutional for breaking regulations on the inventory data disclosure,224 the inventory data disclosure process was reorganized and approved in March 2021, legalizing the transfer of data to the BKA.225

Despite a 2014 CJEU decision that struck down the EU Data Retention Directive,226 the federal parliament enacted a law on data retention in 2015.227 Both the parliamentary opposition and data protection officials had fiercely objected to the legislative proposal, maintaining that it contradicted civil laws and violated the guidelines established by the CJEU. The federal parliament’s own research service repeatedly concluded that the law does not conform to guidelines is thus contrary to EU law and the Basic Law.228 Under the law, different sets of data would have to be stored on servers located within Germany for 10 weeks229 and providers have to retain the numbers, as well as the dates and times, of phone calls and text messages. ISPs are also required to retain the IP addresses of all users, as well as the dates and times of connections. The location data of mobile phone connections must be saved for four weeks. The requirements exclude sites accessed, email traffic metadata, and the content of communications.

Several constitutional complaints against the data retention legislation have been filed and are pending at the BVerfG.230 After ISP Spacenet filed a lawsuit against its obligation to start storing its customers’ data, the Higher Administrative Court of North Rhine–Westphalia, which had jurisdiction over this question, decided in June 2017 that the German legislation contradicts EU law and is thus not applicable to Spacenet’s conduct.231 Since then, the application of the law has de facto been suspended; ISPs never stored any data based on the retention legislation. In November 2019, the BNetzA disclosed that many providers stored extensive customer data for multiple months and shared them with authorities on request.232 In October 2020, the CJEU ruled that data retention is forbidden in principle but still permissible if strict requirements are met. It can only be used against serious crimes like terrorism.233 The ruling has led to new legislative attempts at the EU level. On a national level, a ruling from the BVerfG is expected in by the end of 2021.234

A December 2019 law establishes a legal basis for customs authorities to obtain user data from telecommunications providers without the knowledge of the persons concerned (see C5).235 The amended Telecommunications Act of 2013 regulates “stored data inquiry” requirements.236 Under this law, approximately 250 registered public agencies, among them the police and customs authorities, are authorized to request both contractual user data and sensitive data from ISPs. Several studies have shown that judicial review does not actually take place in a majority of instances when it is required.237

In July 2020, the CJEU issued a judgement declaring the EU-US Privacy Shield invalid. The Privacy Shield framework, established by the EC, allowed the transfer of personal data of Europeans to the US if companies complied with EU law.238 The 2020 ruling resulted from a lawsuit filed by Austrian lawyer and activist Max Schrems against Facebook.239 Public perception of the court’s verdict has been largely positive, welcoming the protection of personal data. However, in practical terms, it also meant that, under the GDPR, most US service providers cannot be used without knowledgeable consent by users.240 Meanwhile, this consent is obtained in many cases via cookie banners giving users a differentiated choice on what data to share.

There were few reported cases of direct physical intimidation or violence against online journalists or other ICT users in retaliation for their activities during the coverage period.

In August 2020, several journalists and press photographers were insulted and harassed by demonstrators protesting COVID-19 measures in Berlin. The European Centre for Press and Media Freedom reported an increase in harassment of journalists online and counted 26 incidents of intimidation or assault between March and October 2020.241

RSF downgraded Germany by two places to 13th in its annually published Press Freedom Index. For the first time, Germany’s press freedom no longer ranks as ”good“ but only “satisfactory“ due to increasing incidents of reporters being attacked by conspiracy theorists at antilockdown protests.242

In October 2019, law enforcement shut down Germany’s biggest filesharing platform, Share-Online.biz, and seized its website and servers. After police raided their offices and employees’ apartments, the operators were charged with commercial unauthorized use of copyright protected works.243 In August 2020, Europol raided the office of the Sparks Group, 244 one of the world’s largest piracy groups, which had servers based in Germany.245

In June 2018, police raided the offices and homes of the Zwiebelfreunde (Onion Friends), an activist association promoting online anonymity tools—an action a court later ruled illegal. Police seized documents containing names, addresses, and bank details of Zwiebelfreunde supporters, in the context of a case in which they were classified as witnesses. Following criticism from press freedom and internet rights activists, the State Court in Munich ruled the searches and seizures illegal and ordered all seized material to be returned.246

A June 2019 study on hate speech reported that immigrants, Muslim people, women, and LGBT+ people are predominantly targeted by harassment online. Men reported experiencing online harassment more frequently than women, which might stem from different online behavior.247 When it comes to cases of online discrimination of LGBT+ people, Germany ranks relatively low when compared to other European countries.248

Human rights activists and NGOs are rarely victims of cyberattacks or other forms of technical violence that are aimed at stifling freedom of expression. However, government institutions and the business sector have been targeted by cyberattacks.249 Due to the shift towards online communication during the COVID-19 pandemic, the risks of cyberattacks have increased. The CDU has suffered several attacks during their 2021 party conference, during which they elected a new party leader.250 Thus, concerns about the safety of the federal electoral campaign increased.251

The Federal Office for Information Security (BSI) reported that ransomware, spam, and bot networks remain a constant threat and are becoming more efficient in design. Between June 2019 and May 2020, roughly 35,000 emails containing malware were intercepted in German administrative networks each month.252 During the pandemic, there have been several documented phishing campaigns, which have tried to scam targets out of their money.253 The BSI stated that risks have increased during the COVID-19 pandemic as remote work is more common and digital tools are relied on in education, medicine, and administration. Additionally, information security experts have repeatedly raised concerns to the government regarding the shortage of security specialists, inadequate policy, and insufficient regulatory infrastructure.254

In March 2021, the BSI alerted industry professionals and the public about critical vulnerabilities in various versions of Microsoft's Exchange server product.255 Exploiting these unpatched vulnerabilities, attackers were able to read emails, write arbitrary files, and execute remote code on the servers.256 The hack has been attributed to a group called Hafnium, which initially targeted US health-care institutions, civil society organizations, education institutions, and defense contractors. The US Cybersecurity and Infrastructure Security Agency (CISA) and Microsoft have stated that Hafnium is linked to the Chinese government. However, since the vulnerabilities became known, the exploits have been used against thousands of targets worldwide. Due to the extent of the problem, the BSI began contacting more than 9,000 German companies affected by the hack shortly thereafter.257

In December 2018, the personal data of parliamentarians, politicians, television personalities, activists, and YouTube artists were published online.258 An individual who confessed to the leaks, a German citizen, was arrested shortly after the case received public attention in January 2019.259 The case led to public discussions about online safety, since much of the retrieved data was protected by weak passwords such as “1234.”260

IT security in the health-care sector has become a subject of debate during the reporting period. In September 2020, hackers encrypted about 30 servers of the Düsseldorf University clinic, causing the hospital’s IT system to fail. According to a report by the North Rhine–Westphalia Ministry of Justice, a patient who had to be taken to a hospital further away died as a consequence of the hack.261