Germany’s network infrastructure for information and communication technologies (ICTs) is well developed, and its overall internet penetration rate is above the European Union (EU) average; in 2021, 92 percent of German residents used the internet.1 According to 2021 data from the International Telecommunication Union (ITU), the fixed broadband penetration rate was 44.2 percent while the mobile broadband penetration rate was 94.3 percent.2

The most widely used mode of fixed-line internet access is still DSL (digital subscriber line), with 25.9 million connections in 2021.3 Fiber-optic connections are becoming more widespread.4 Connections with speeds of more than 50 Mbps are available in about 93.2 percent of German households.5

Despite earlier government promises to quickly provide high-speed internet access to every household,6 the government failed to hit its target of ensuring every household had access to a connection speed of at least 50 Mbps by the end of 2018.7 For years, the government struggled to make significant progress towards that goal, with 13.8 percent of German households having access to a fiber-optic connection, compared to an EU average of 33.5 percent.8 In November 2021, the newly elected coalition of the Social Democratic Party (SPD), Alliance 90/The Greens (Bündnis 90/Die Grünen), and Free Democratic Party (FDP) announced their plan to offer widespread fiber-optic connections by focusing on regional “white spots” and reducing bureaucratic barriers.9 In March 2022, the Federal Ministry for Digital and Transport (BMDV) promised to triple connections by 2025 and provide countrywide to-the-home connections by 2030.10

In 2021, internet access via mobile devices increased further: 82 percent of citizens aged 14 and upwards are online via mobile devices, increasing from 80 percent the year before.11

The availability of public internet connections has been historically low in Germany compared to other industrialized countries.12 However, recent legal changes have led to an increase of publicly available Wi-Fi hotspots, including in cafés and high-speed trains (see B3). The decision to designate free community Wi-Fi providers as not-for-profit enterprises—which was initially proposed by the Bundesrat (Federal Council) in 2017 and approved in December 2020—entails considerable tax advantages (see A2).

According to January 2022 data from Statista, the median download speed for a fixed-line broadband connection in Germany was 69.52 Mbps.13

Score Change: The score improved from 2 to 3 because the gap in internet penetration rates between western Germany and eastern Germany narrowed during the coverage period.

Telecommunications services prices stagnated from 2020 to 2021, according to the most recent official statistics.14 In 2020, expenses for such services amounted to 2.6 percent of available household income.15 Economist Impact’s 2022 Inclusive Internet Index ranks Germany 20th out of 120 countries in affordability, defined by cost of access relative to income and the level of competition in the internet marketplace.16

Persistent differences in internet usage based on income demonstrate that prices remain a barrier for people with low incomes and the unemployed.17 While 98 percent of employed German residents use the internet, only 81 percent of the unemployed do.18 In relation, 98 percent of German residents with university degrees use the internet, while 76 percent of residents without secondary school degrees do.19

The gender and age gap in internet access has converged in recent years. The development stagnated at a 2 percent difference, with 95 percent of men and 93 percent of women using the internet in 2021.20 In the 16-to-44-year age group, daily usage of the internet remained stable at 98 percent, while frequent usage increased from 76 percent to 79 percent among those aged 65 to 74 in 2021.21

Although differences in internet use continue to exist between Germany’s western and eastern regions, popular internet usage in the former German Democratic Republic (DDR) increased from 81 percent in 2020 to an average of 87 percent in 2021.22 Meanwhile, the gap in internet use between urban centers (with at least 500,000 residents) and rural areas stands at 4 percent.23

The German government does not impose restrictions on ICT connectivity. Germany’s telecommunications infrastructure is largely decentralized and the variety of regional providers is unique. There are more than a hundred internet-backbone providers in the country.24

Privatized in 1995, the formerly state-owned Deutsche Telekom remains the only company that acts as both a backbone provider and an internet service provider (ISP). However, the German state owns less than a third of its shares, which crucially limits government control.25 There are a number of connections in and out of Germany, the most important being the DE-CIX (German Commercial Internet Exchange), which is located in Frankfurt. It is privately operated by Eco, the professional association of the German internet industry.26

According to the Federal Network Agency (BNetzA), there was no legal basis for internet shutdowns or connectivity restrictions on the federal level as of 2016.27 However, some state-level legislation on police powers grants limited restriction measures (see C5).

The telecommunications sector was liberalized in the 1990s with the aim of fostering competition. Commercial service providers must notify the BNetzA before launching services, but do not need licenses.28

Deutsche Telekom’s share of the fixed-line broadband market decreased slightly to 38.7 percent in 2021.29 Vodafone held 30.2 percent in 2021. Other ISPs with significant market share include 1&1 with 11.7 percent and O2-Telefónica with 6.3 percent.30 Public subsidies for increasing broadband connectivity have been criticized for favoring Deutsche Telekom.31

German residents seeking mobile services can choose from three major service providers: Vodafone, with a 38.7 percent market share; Telefónica Deutschland, with 29.6 percent, and T-Mobile (Deutsche Telekom), with 31.7 percent.32 In August 2019, Drillisch Netz AG (a subsidiary of 1&1 Drillisch) joined Deutsche Telekom, Vodafone, and Telefónica Deutschland in securing fifth-generation (5G) technology spectrum frequency blocks, diversifying the mobile market.33 The transmission infrastructure for 5G was expanded in 2021 with 29,959 wireless base stations, compared to 139 in 2019 and 19,150 in 2020. In its 2021 annual report, BNetzA disclosed that 16 percent of transmission stations were 5G ready.34

Internet access, both fixed-line and mobile, is regulated by BNetzA, which has operated since early 2014 under the Federal Ministry for Economic Affairs and Energy (now known as the Federal Ministry for Economic Affairs and Climate Action, or BMWK).35 The president and vice president of the agency are appointed to five-year terms by the federal government following recommendations from an advisory council consisting of 16 members from the Bundestag (federal parliament) and 16 representatives from the Bundesrat.36 The German Monopolies Commission and the European Commission (EC) have both criticized this highly political structure and the concentration of important regulatory decisions in the presidential chamber of the BNetzA.37 The European Court of Justice (ECJ)—the EU’s supreme court and a part of the Court of Justice of the European Union (CJEU)—upheld a complaint by the EC, ruling in September 2021 that the BNetzA would need to become more independent. The BNetzA is now restructuring their operations, while upholding the former law during the interim period.38

In addition, regulatory decisions by the BNetzA have been criticized for providing a competitive advantage to Deutsche Telekom, the former state-owned monopoly,39 most recently in 2015.40

In January 2021, federal legislators amended the Act against Restraints of Competition (Competition Act, or GWB) via the GWB Digitization Act, which created specific antitrust protocols for digital platforms “with overwhelming importance for competition across multiple markets.”41

Score Change: The score declined from 5 to 4 to reflect the government’s implementation of a European Union regulation ordering member states to block the websites of RT and Sputnik, as well as their local subsidiaries.

The government rarely blocks websites or internet content,42 however, during the coverage period it blocked the websites of Russian state-owned media outlets in response to an EU regulation. All major social media platforms and international blog-hosting services are freely available.

In early March 2022, following the Russian government’s brutal invasion of Ukraine, the EU Council issued Regulation 2022/350, ordering member states to “urgently suspend the broadcasting activities” of Russian-state owned websites, including RT, Sputnik, RT France, RT Germany, RT Spanish, and RT UK, and to block their websites because they “engaged in continuous and concerted propaganda actions targeted at civil society.”43 The order applied to ISPs and mobile operators in Germany.44 In June 2022, after the coverage period, the European Union adopted a new package of sanctions, which also included directives to block Rossiya RTR/RTR Planeta, Rossiya 24/Russia 24, and TV Centre International.45

In February 2022, prior to the EU ban on Russian state-funded outlets, Germany’s regulatory media supervisor banned RT Germany, which included the blocking of their channel’s website, because German law does not allow media channels to operate if they are completely owned by the government (see B6).46

In February 2018, a regional court in Munich instructed Vodafone to block the video-streaming website kinox.to, in response to a film distributor’s complaint that the site was hosting content in violation of copyright law.47 The injunction marked the first court-ordered blocking of a pirate website in Germany. A 2015 Federal Court of Justice (BGH) ruling empowered copyright holders to seek such injunctions against pirate websites (see B3).48

Vodafone has continued to block streaming and file-sharing websites, including bs.to and s.to, beginning in 2018,49 and boerse.to, in 2019, in response to complaints from rights holders.50

Most content-removal issues in Germany relate to the removal of search engine results (deindexing) rather than actual deletions of content. However, pressure on social media companies to remove content from their platforms has increased since the implementation of NetzDG, which imposes severe fines if certain illegal content is not removed promptly (see B3).

Under the law, social media companies that receive over 100 content-related complaints each year must disclose how they handled those complaints every six months. These complaints come from either users or complaints bodies, such as children’s rights watchdog Jugendschutz.net. According to a November 2018 analysis from the Center for European Policy Studies, “NetzDG has failed to generate any additional press reports of dubious false positives” since a series of January 2018 controversies.51 However, the effectiveness of NetzDG is difficult to measure.52

Since NetzDG came into effect in January 2018, controversial content removals—particularly those involving satirical posts and accounts—have occasionally been reported.53 These removals illustrate a fundamental problem with the law: if taken out of context, posts on social media platforms may fall within the scope of hate speech provisions embedded in the criminal code.54

Between July and December 2021, social media platforms disclosed that thousands of items had been removed or blocked because of complaints originating from Germany. In this period, Facebook reported 1,08255 blocked or removed items, Twitter reported that it blocked or removed 75,822 items during the same period,56 and Google disclosed 43,847 items were blocked or removed on YouTube.57 Likewise, TikTok blocked or removed 27,436 items.58 Other than Facebook and TikTok, the other companies did not differentiate how many items were removed due to NetzDG in their reports.

Separately, the government also issues content removal requests. According to Google’s Transparency Report, the company received 260 takedown requests from government agencies and courts in the first half of 2021 and removed 41.2 percent of requested content. Google received 302 takedown requests in the second half of 2021, removing 64.5 percent of request content. The most common cause for requests was defamation. Meanwhile, Twitter received 47 content removal requests from German authorities and courts in the first half of 2021, complying with 72 percent of those requests, and 17 requests in the second half of 2021, complying with 76 percent.59 In 2021, Facebook restricted 603 items for violating the Youth Protection Law, 14,461 items related to misinformation, 13 items related to hate speech, 32 items in response to court orders, and 21 items for violating local law based on requests originating from Germany.60

Under a 2014 CJEU decision on the “right to be forgotten” (RTBF),61 Google and other search engines are required to remove certain search results if they infringe on the privacy rights of a person and that person formally requests the action (see B3).

From the date of the ruling to the end of May 2021, Google had assessed some 1,296,521 requests to delist search results across the EU, affecting more than 5 million URLs, with 213,157 requests coming from Germany alone.62 For Germany, nearly 60 percent of the URLs requested removed during this report’s coverage period resulted in a delisting by Google. Between July and December 2021, Microsoft received 772 RTBF delisting requests, covering 2,229 URLs.63 The company delisted 39 percent of those URLs.

Throughout 2021, the government called for content to be removed from the encrypted messaging app Telegram, which has been historically reluctant to moderate content. In efforts to ban calls for violence, the federal police issued takedown requests. Telegram responded by taking down 64 channels for violations of local laws for the first time in Germany. These included channels by a well-known German conspiracy theorist.64 In January 2022, the minister of the interior threatened to request that Apple and Google remove Telegram from app stores, but shortly after said that her threat was only meant to pressure Telegram. Meanwhile, the Federal Police began to identify suspects who put out hate speech or violent threats via the platform.65

German copyright law has been criticized repeatedly for its use to hinder the publishing of sensitive information on topics of public interest, especially as many online platforms automatically remove content that reportedly breach copyright law so as to avoid lawsuits. In May 2021, the Cologne Higher Regional Court ruled that nonprofit platform FragDenStaat (Ask the State), which was sued in December 2019 by the Federal Institute for Risk Assessment (BfR) for publishing a government-issued report on health risks caused by the herbicide glyphosate, had lawfully published the report under the freedom to quote and freedom to report.66

In June 2021, the EU Copyright Directive was transposed into German law. The COVID-19 pandemic has amplified the public and political debate on copyright law.67 Education and cultural institutions, as well as the Bundesrat, have criticized the law for restricting digital access to knowledge and cultural participation.68

In December 2021, a court sentenced eight defendants, who stood trial for running the CyberBunker data center, a “bulletproof hosting” operation that was housed in a Cold War–era military bunker, to prison time ranging from two years and four months to five years and nine months.69 The defendants were found guilty of forming and participating in a criminal organization but were acquitted of aiding and abetting crimes in nearly 250,000 cases because they provided hosting services to websites conducting illegal activity. The verdict set a legal milestone that could make the operation of data centers that host illegal platforms punishable.70 A criminal code amendment proposed by the Federal Ministry of Justice and Consumer Protection (BMJV) in February 2021, criminalizing the provision of server infrastructure for illegal online marketplaces, was included as a separate paragraph to the criminal law after revisions by the Bundestag. Providers of online marketplaces looking to promote criminal activities can face several years of jail according to the new law (see C2).71

In March 2022, German police conducted raids on the homes of individuals who had posted hateful messages aimed at politicians during the 2021 federal elections and forced them to delete those messages (see C3).72

In March 2022, major online media platforms, including Facebook, TikTok,73 Twitter,74 and YouTube,75 restricted access to RT and Sputnik across the EU in response to an order from the European Union (see B1).

Restrictions on online content in Germany generally meet minimum requirements for transparency, proportionality, and independent appeal.

NetzDG, which was approved in June 201776 and went into effect in January 2018, obliges social media platforms with more than 2 million registered users in the country to investigate and delete flagged content shortly after being reported, or otherwise face hefty fines (see B6).77 If the flagged content is “obviously illegal,” the company must block or remove it within 24 hours; if not obviously illegal, the content must be investigated and blocked or removed within seven days. Under NetzDG, illegality is defined in relation to 22 articles in Germany’s criminal code (see C2).78 After making a decision to delete or preserve flagged content, the company has to inform both the complainant and the user who uploaded the content. If it fails to meet any of those requirements, the company could face fines of up to €50 million ($58.5 million) (see B6).79

Additionally, in March 2021, lawmakers passed amendments to NetzDG that add additional transparency requirements for social media platforms and expands the mandate of NetzDG to include video-sharing services to align with the EU Audiovisual Media Services Directive. The amendments, which went into effect in June 2021, also provide users with an avenue to appeal content-removal decisions though the appeal must be filed within two weeks.80

A new law, which came into effect in June 2021, amends NetzDG by requiring companies to share the personal information of users reported for hate speech or illegal content with the BKA (see C6). In March 2022, the Cologne Administrative Court ruled that measures in the amendments were not in line with EU legislation.81

The European Union’s Digital Services Act (DSA), which the European Parliament (EP) adopted in July 2022,82 seeks to harmonize member states’ legislation regarding hate speech. Yet NetzDG, which has a broader definition for illegal content, compels online platforms to remove a wider swath of content than the DSA. Politicians and children’s rights groups have advocated for the continued enforcement of the stricter NetzDG measurements even after the DSA passed.83 For example, the nongovernmental organization (NGO) National Coalition Germany, a network of children’s rights groups, put forward a letter demanding that the stricter German youth protection laws should be allowed to remain in place.84

In March 2021, major internet providers operating in Germany and associations of companies in the entertainment industry formed the Clearing House for Copyright on the Internet (CUII), a joint initiative to initiate domain name system (DNS) blocks against “structurally copyright-infringing” websites.85 While blocking requests were previously considered by judges, the BNetzA now assesses CUII recommendations and determines whether the blocking violates the principle of net neutrality. The new policy has elicited criticism from politicians and activists.86 The Federal Cartel Office (BKartA) did not object to the new initiative, though it is monitoring the development of the practice.87 Critics question the BNetzA’s suitability in this process, since the agency is responsible for regulating telecommunications networks to ensure fair competition and net neutrality rather than assessing fundamental rights regarding copyright.88

Since its inception, the CUII has been criticized for potential antitrust violations and the limits it could place on freedom of communication.89 There have also been concerns about normalizing this type of instrument and the initialization of the DNS4EU project, which will also operate with filter lists and network blocks across the European Union, demonstrates that similar measures could take effect at the European level.90

In April 2021, the EP adopted a regulation aimed at “tackling the dissemination of terrorist content online” which, among other things, would require platforms to delete content within one hour of receiving a removal order from authorities.91 Platforms that routinely fail to do so could be fined 4 percent of their overall annual revenue (see B6). Critics have voiced concerns that ambiguity surrounding the definition of “terrorist content” and the short timeline for removing such content will lead companies to “remove speech first and ask questions later,” possibly through automatic filters.92 The resolution entered into force in June 2021 and became applicable as of June 2022.93

Issues related to copyright law have figured prominently in discussions around internet freedom in Germany. The EU Directive on Copyright in the Digital Single Market, which the Council of the EU approved in April 201994 and Germany enacted in June 2021 (see B2), imposes a so-called link tax, which grants online publishers the right to charge aggregators like Google News for excerpting proprietary content, such as news articles (see B6).95

In May 2021, the federal and state parliaments passed laws amending the Copyright Act and the Collecting Societies Act to align with the new EU directive (see B2). The amendments require companies with large amounts of user-generated content to use “upload filters,”96 which will preemptively block copyright-infringing online content.97 Although the law came into effect in June 2021, the implementation of upload filters could still be invalidated because the advocate general of the ECJ recently argued against the liability of platform operators and the ECJ had not yet reached a judgment on the legality of Article 17 of the Copyright Act as of the end of the coverage period.98

Companies can be held liable for illegal content under the Telemedia Act (TMG). The law distinguishes between full liability for one’s own content and limited “breach of duty of care” (störerhaftung) for service providers and host providers of third-party content.99 The courts have held that if the business model of a service aims to facilitate copyright infringement, the company is considered less worthy of immunity from intermediary liability.100 As a consequence, hosting providers are required to monitor their own servers and search for copyright-protected content as soon as they have been notified of a possible violation.101

While ISPs are not required to proactively monitor the information of third parties on their servers, they become legally responsible as soon as they gain knowledge of violations or violate due diligence requirements.102

In 2015, the BGH ruled that the blocking of a website may be ordered as a last resort if it is the only means for a copyright holder to effectively end rights infringement on that website.103 In such cases, the owner of the copyright may ask an ISP to block the website in question. If the provider refuses, a court can intervene.

The protection of minors constitutes an important legal basis for extant regulation of online content.104 Youth protection on the internet is principally addressed at the state level through the Interstate Treaty on the Protection of Human Dignity and the Protection of Minors in Broadcasting and Telemedia (JMStV), which bans content, including the glorification of violence and sedition, and provides a framework for age restrictions on content without specifying measures to implement them.105 A controversial provision of the JMStV reflects the regulation of broadcast media: adult-only content on the internet, including pornography, may only be made available after verifying the age of the user.106 The JMStV enables the blocking of content if other actions against offenders fail and if such blocking is expected to be effective. In late 2021, the Commission for Youth Media Protection ordered five internet providers to block popular pornography website xHamster.com, as it failed to provide an age verification process. All providers have announced they plan to audit this decision or have it examined in court.107 The media regulators labelled the effort a “failure” because the porn site was moved to similar URLs. Unlike copyright law in Germany, youth protection law requires individual URLs to be blocked separately, even if they contain identical content to URLs that are already blocked.108

To date, self-censorship online has not been a significant or well-documented problem in Germany. Still, there are some rules reflected in the publishing principles of the German press that may constrain some journalists’ online speech. This self-binding code of ethics forms the basis for the evaluation of possible complaints from the public. It includes 16 provisions and is centered on the protection of human dignity.109 In May 2020, the new Interstate Media Treaty (Medienstaatsvertrag, or MStV) introduced an obligation for self-regulatory institutions to penalize the repeated publication of disinformation (see B6), which could lead to self-censorship.110

NetzDG has been criticized for leading to a potential chilling effect on content posted online (see B3).111 There is, however, a lack of evidence that these restrictions have led to significant levels of self-censorship.

Germany’s online information landscape has witnessed content manipulation, which in some cases has been linked to the far right.

Russian disinformation campaigns targeted Germany after the Kremlin’s brutal invasion of Ukraine. For example, a September 2022 Meta report noted that a Russian influence operation used “false media sites” mimicking those of prominent publications in the European Union, including the German publications Der Spiegel, T-Online, and Die Welt, to target users in Germany and the European Union with Russian propaganda. The campaign spent around $100,000 on advertisements and sponsored pages that spread narratives about the potential energy crisis in Europe and claimed that war crimes committed by the Russian military in Ukraine, which have been documented by rights groups, did not happen. Ultimately, the network had little influence within the European Union, and in some cases, the German-language pages were clearly not run by German users.112

In March 2021, German news outlet Netzpolitik reported that the Poland-based website Our Central Europe, which disseminated conspiracies about climate change, COVID-19, and refugees in Germany, has links to the Mecklenburg–Western Pomerania wing of the right-wing populist Alternative for Germany (AfD). According to the report, the site uses text seen in AfD press releases and has faced problems placing advertisements on Facebook for violating the company’s policy on political advertising. The site is formally operated by London-based New Network Communications, an apparent front company, and has connections with a former employee of the Freedom Party of Austria (FPÖ), a right-wing Austrian political party.113

While there were concerns about the proliferation of disinformation leading up to the September 2021 federal elections, Paris-based think tank Institut Montaigne found that “there was no singular, big disinformation narrative.”114 Previous concerns about electoral disinformation prompted legislators to push for controversial legal solutions with potential implications for freedom of expression online. The MStV (see B6) obliges operators to mark social bots, if they use them, but definitions and labelling requirements are often imprecise, and the policy could impact human accounts.115

While individual internet users face few economic or regulatory obstacles to publishing content online, German law exposes companies such as social media platforms or hosting providers to substantial financial penalties.

NetzDG and the EU regulation regarding dissemination of terrorist content online (see B3), which was adopted in March 2021,116 could make it more difficult for new companies to enter the German market. NetzDG imposes hefty fines on social media companies that fail to comply with content-removal and reporting requirements. Moreover, the law has forced social media companies to set up expensive internal systems to comply with its requirements. Facebook, Google, Twitter, and TikTok collectively employ thousands of people to review complaints submitted under NetzDG.

Under the MStV, which came into effect in November 2020, media outlets that are not part of any self-regulatory bodies are now subject to direct supervision by state media institutions and can face penalties for refusing to comply with the measure or for the repeated distribution of disinformation. The MStV also introduced a license requirement for those who create online video content that consistently reaches at least 20,000 viewers. The MStV expands the scope of such obligations to almost any commercial form of publication. Observers have criticized the unequal treatment of new self-regulatory bodies compared to the established German Press Council, as well as the involvement of media institutions as supervisory authorities.

The MStV also imposes algorithmic transparency and nondiscrimination requirements on major online platforms that aggregate third-party content, such as those operated by Google, Facebook, and Apple.117 A consortium of representatives from the press and digital media have criticized the MStV for taking an anti-consumer stance and for limiting user autonomy.118

In April 2017, the federal parliament incorporated EU rules on net neutrality into domestic law.119 However, observers remarked that several plans from ISPs and mobile service providers, such as Deutsche Telekom’s Stream On, Vodafone’s Vodafone Pass, and O2’s Unlimited plan, violate strict net neutrality by favoring certain services, including video-streaming services.120 BNetzA subsequently prohibited parts of Stream On for breaching net neutrality principles.121 Fines for violating net neutrality laws can reach a maximum of €500,000 ($550,800), relatively low compared to other European states.122 After a summary proceeding in the regional court of North Rhein-Westphalia, Deutsche Telekom was forced to implement the official requirements in August 2019. The lawsuit was moved to the ECJ, which ruled in September 2021 that the plans offered by Vodafone and Deutsche Telekom were unlawful.123

The governing federal coalition has reiterated its support for ancillary copyright for publishers (Leistungsschutzrecht für Presseverleger), in force since 2013.124 The regulation allows publishers to monetize excerpts that search engines display as part of their search results.125 Some fear this infringes upon constitutionally protected rights to freedom of expression and information.126 In order to limit monetization, search engines began excluding results leading to the websites of publishers that monetized their links or displayed links without the corresponding excerpts.127 The EU Copyright Directive, which was approved in April 2019 and implemented into national law in June 2021, includes ancillary copyright for publishers (see B3).128

At the beginning of February 2022, prior to the EU-wide ban of RT and Sputnik (see B1), RT DE (previously RT Deutsch), a Russian state–owned website that regularly spreads disinformation, was banned from broadcasting by the Commission for Licensing and Supervision for lack of a media law license in Germany. However, the station has no prospect of obtaining the necessary broadcasting license as the MStV stipulates that licenses cannot be issued to public and state bodies in Germany and abroad.129

Germany is home to a vibrant internet community and blogosphere. Local and international media outlets and news sources are accessible and represent a diverse range of opinions.

During the COVID-19 pandemic, misinformation about the coronavirus spread through social media platforms and messaging services. A false narrative regarding the effect of the anti-inflammatory drug ibuprofen on COVID-19 patients originated in Germany in March 2020. Although it was debunked by medical officials soon after, it spread across European borders. French health minister Olivier Véran notably warned COVID-19 patients not to use anti-inflammatory drugs including ibuprofen in a March 2020 Twitter post.130

In September 2021, YouTube removed the German version of RT from their site due to disinformation around COVID-19.131

During the coverage period, several civil society initiatives used the internet to conduct advocacy campaigns related to political and social issues in Germany.

Social media has also played a crucial role in the growth of the climate protection movement. The student protest movement Fridays for Future, which originated in Sweden and combines weekly school strikes and marches, largely organizes through social media. In Berlin, protests were held regularly beginning in September 2018.132 The movement has placed the issue on the national political agenda and significantly influenced public perception of the climate crisis.133 Due to the coronavirus outbreak, most protest marches and public interventions in 2020 were cancelled and replaced with multiplatform online campaigns and protests.134

Germany has also witnessed protests against COVID-19-related restrictions and legislation. A group of opponents under the Querdenken (Lateral Thinking) banner formed during the pandemic, largely communicating and mobilizing against pandemic restrictions online.135

Germans also used social media platforms and Telegram groups to organize and pool efforts for refugees and people residing in Ukraine following the Russian invasion of Ukraine.136 Additionally, In 2021, under the hashtag #IchBinHanna (I am Hanna), researchers protested against fixed-term employment contracts and the Temporary Employment Contract Act (Zeitvertragsgesetz). Users described their precarious working conditions and raised their issue in the Bundestag.137

Article 5 of the Basic Law guarantees freedom of expression and freedom of the media. Judicial bodies operate independently and generally support the protection of basic rights.

Since 2016, the Office of the Federal Commissioner for Data Protection and Freedom of Information (BfDI) has been an independent supreme federal authority.138 Since its founding, the agency has tripled its capacities and enlarged its staff to strengthen the supervision of security authorities.139

The controversial Federal Intelligence Service (BND) Law (see C5), which expands the legal justification for surveillance, has been criticized by journalists demanding improvements, including better protection for reporters abroad as well as their sources. In May 2020, the Federal Constitutional Court (BVerfG) found the law to be unconstitutional, forcing the government to revise the law. Reporters Without Borders (RSF) launched a campaign against the new draft law under the hashtag #NotYourSource, arguing that the vague wording of the revised paragraphs still poses risks to journalists. The amendment was approved by the Bundestag and Bundesrat in March 2021 and went into effect in January 2022.140

Score Change: The score declined from a 3 to 2 because of an amendment to the criminal code during the last coverage period that increases punishment for insult.

The German criminal code includes numerous prohibitions that apply to the online realm, such as Section 130, which penalizes calls for violent measures against minority groups and assaults on human dignity.141 This provision is seen as legitimate in the eyes of many Germans, particularly because it is generally applied in the context of Holocaust denial.142 NetzDG defines illegal online content in relation to 22 provisions in the German criminal code, including Section 130. Other provisions prohibit defamation, forming a criminal or terrorist organization, and “using symbols of unconstitutional organizations.”143 In the context of NetzDG, many activists, politicians, and officials have expressed concern that these provisions are too broad. In addition to facilitating content removals, these provisions carry penalties in the form of fines and, in some cases, jail time.

In June 2020, parliament passed an amendment to the criminal code concerning hate speech and threats online, which came into effect in April 2021. The law includes a broader definition of threats and longer prison sentences for insults against other people, which can lead to a sentence of up to two years instead of one year. Additionally, it explicitly criminalizes defamation, insult, and slander against politicians and expanded the scope of the law to include politicians on the municipal level.144

In June 2021, parliament passed a new amendment to the criminal code, criminalizing “operating criminal platforms on the internet” (see B2). Individuals operating these platforms for noncommercial purposes can be sentenced to up to 5 years, while individuals who operate them commercially can be punished with up to 10 years in prison.145

After satirist Jan Böhmermann came under criminal investigation in 2016 for a provocative poem mocking Turkish president Recep Tayyip Erdoğan, the federal parliament abolished a provision of the criminal code that penalizes insulting foreign leaders.146

In the context of the 2018 refugee crisis, previous years saw a surge in law enforcement investigations invoking the provision on “incitement to hatred” in the German criminal code, mostly related to hate speech against asylum seekers on social media platforms such as Facebook. As a result, there have been considerably more convictions for incitement to hatred.147 Official crime statistics documented 4,486 of these cases in 2018.148 In 2021 the BKA documented 2,411 posts from that year that fit the criminal code definition of hate speech, 52 percent of which were categorized as being politically right-wing.149 According to the BKA, 4.4 percent of politically motivated crimes in 2021 were hate postings.150

The German police regularly conduct raids on individuals who have posted hateful messages and insults against politicians, opening over 8,500 cases and charging more than 1,000 people since 2018. In March 2022, in the wake of the 2021 federal election, police conducted raids on approximately 100 homes of individuals who posted hateful messages against politicians during the 2021 election.151 These raids took place across 13 federal states; the police seized individuals’ devices and, in some cases, forced them to delete these messages (see B2).152 In cases where individuals phones are confiscated, the authorities can use technology by Israeli firm Cellebrite to search them if their owners refuse to open them.

In the 2021 Pimmelgate (Penisgate) case, which drove national debate about such raids, police searched the home of a man who tweeted that city senator Andy Grote was “such a penis.” Another man had his house raided after he posted a picture of a mural activists painted containing the phrase in response to a post from a far-right politician that criticized Muslims. Separately, a man identified by the courts as Dirk B. was fined €2,400 ($2,500) for a post that said Walter Lübcke, a local politician from Hesse who was murdered in 2019 by a neo-Nazi, had himself to blame for refusing police protection ahead of his murder. In another case, police searched the home of a man who posted an image that associated a false quote about immigration with a politician.153

In December 2021, eight defendants in the CyberBunker case (see B2), which concerned an online hosting platform that provided hosting services to criminal websites, were sentenced to between two years and four months to five years and nine months in prison.

User anonymity is compromised by SIM card registration rules under the Telecommunications Act (TKG) of 2004, which requires purchasers to submit their full name, address, international mobile subscriber identity (IMSI) number, and international mobile station equipment identity (IMEI) number.154 Nonetheless, the principle of anonymity on the internet is largely upheld as a basic right. A 2014 decision by the BGH, confirming that an online ratings portal was under no obligation to disclose the data of anonymous users, further strengthened that right.155

Website owners and bloggers are not required to register with the government, but most websites and blogs need to have an imprint naming the person in charge and providing a contact address. The anonymous use of email services, online platforms, and wireless internet access points is legal. A proposed amendment to the TKG (see C6) suggested by the Federal Ministry of the Interior and Community (BMI) included the obligation to provide an identity when registering for an email account,156 but this measure did not make it into the final law, which came into effect in December 2021, after criticism from activists and the media.157

In May 2019, the BMI brought forward a new initiative on mandatory backdoors for encrypted messaging services.158 The proposal has been widely criticized by civil society organizations, such as iRights.Lab, and industry professionals as it would mark a departure from long-standing pro-encryption policy. Experts also criticized a 2017 legislative proposal by the governing coalition to allow civil lawsuits to reveal an alleged offender’s legal name in suits related to violations of the right of personality online, especially defamation. Observers voiced concern that this might infringe on the right to anonymity online if interpreted broadly.159 Although discussions have been ongoing for years, no legislation has been introduced. In December 2021, the interior ministers of the states repeated their demand for countrywide legislation to be introduced.160

In October 2019, a man live streamed an antisemitic attack on a synagogue in Halle, Saxony-Anhalt, via the streaming platform Twitch. Following the attack, politicians from several states in February 2020 introduced legislation to the Bundesrat to require social networks and gaming platforms to collect users’ names, addresses, and dates of birth as well as proofs of identity, and to hand them over to the police upon request.161

In July 2020, it was revealed that French and Dutch police had hacked EncroChat phones, which come installed with a unique encrypted messaging service, and are often used by criminal networks. Following the hacking, 750 arrests related to the gun and drug trade were made in multiple German states as of July 2021.162

Intelligence agencies conduct mass surveillance and have taken measures to expand the breadth of data they can monitor. Article 10 of the Basic Law guarantees the privacy of letters, posts, and telecommunications. These articles generally safeguard offline as well as online communication. A groundbreaking 2008 BVerfG ruling established a new fundamental right regarding the “confidentiality and integrity of information technology systems” as part of the general right of personality under Article 2 of the Basic Law.163

A German parliamentary commission of inquiry on intelligence practices—established after former US National Security Agency (NSA) contractor Edward Snowden in 2013 leaked documents exposing the various activities of US, British, and German intelligence services—completed its work in 2017.164 While the governing coalition concluded that the conduct of both the allied foreign intelligence services and the BND had been and continued to be within the bounds of the law, the opposition argued that ongoing mass surveillance was unlawful. Both sides drew criticism for not demanding sufficient steps to end the practice in Germany.165

A 2016 law granted the BND explicit permission to monitor domestic internet traffic so long as it targets non-German citizens.166 Press freedom groups argued that the law threatens the constitutionally protected work of foreign journalists reporting in Germany and outside the country167 and, in January 2018, a number of NGOs and foreign investigative journalists filed a constitutional complaint.168 The 2016 BND Law has also been scrutinized for its impact on the privacy of German internet users.169 While the BND is mainly tasked with foreign intelligence collection, one of the main concerns is that the law permits monitoring of all network traffic channeled through the Frankfurt-located DE-CIX—the world’s largest internet exchange point—which would at least unintentionally affect communications by German citizens as well.

In May 2020, the BVerfG ruled that the BND is still bound by the fundamental rights of the Basic Law when conducting telecommunications surveillance of foreigners in other countries, finding that the BND had acted unlawfully in monitoring the communications of foreign journalists.170

Public perception of the May 2020 ruling has been largely positive, welcoming the court’s verdict as a reinforcement of the Basic Law.171

However, in March 2021, the Bundestag and Bundesrat approved an amended version of the BND Law. The new law, which was initially proposed at the end of 2020, expands the scope of BND activities, allowing the interception of up to 30 percent of the transmission capacity of all global telecommunications networks.172 While the law protects “individual communications of natural persons,” it allows the BND to collect and process various kinds of information, including inventory, traffic, and content data enabling the monitoring of communications behavior, financial transaction data, and movement data of individuals in Germany and abroad. Furthermore, the law, which came into effect June 2021, enables federal police to hack communication providers abroad and to use malware against citizens without criminal histories.173 The insufficient protection of journalists, criticized by the BVerfG, is regulated in an added paragraph. However, the Federal Data Protection Commissioner, opposition politicians, and legal observers have criticized vague exceptions in the protection clause, making it ineffective.174 NGOs have already announced legal complaints against the revised BND Law.175

A verdict by the European Court of Human Rights concerning a complaint against the British Secret Service found that their mass data retention violates the right to privacy. The ruling stated that there would need to be a better evaluation of the principle of proportionality for the retention and that the scope of the information retained must be restricted.176 Journalistic outlet Netzpolitik put forward a freedom of information request for documents concerning discussion of the case in the German government, and concluded that there does not seem to be an intent to change the German law according to the verdict.177

In July 2021, amendments to the Federal Constitutional Protection Act that provide intelligence agencies with “additional powers of investigation through the regulation of source telecommunication monitoring, including messenger services” came into effect. 178 The measures—which were developed largely in response to right-wing extremism and also allow state security agencies to use malware—were passed by the Bundestag in June 2021 and were met with criticism and concern from rights group179 after they were initially approved by the federal cabinet in September 2020.180

The BND had also stored and processed bulk metadata records of phone calls via its traffic-analysis system, VerAS. In response to a lawsuit filed by RSF Germany,181 in December 2017, the BVerwG outlawed such intelligence gathering, prohibiting the BND from collecting and processing communications metadata for want of sufficient legal basis.182 In May 2018, the BND officially announced that it would end the practice.183

Surveillance conducted by intelligence services under the Act for Limiting the Secrecy of Letters, Posts, and Telecommunications (or G10 Act) has continued to decline.184 The BVerfG’s May 2020 judgment regarding the BND’s domestic surveillance activity involving foreigners raised hopes for a successful ruling against the G10 Act.185 In November 2020, the nonprofit Society for Civil Rights (Gesellschaft für Freiheitsrechte, or GFFF) filed a constitutional complaint arguing that any change to the G10 Act that allows German secret services to use Staatstrojaner (federal Trojan horse) is unconstitutional.186 No verdict was reached by the end of the coverage period.

Telecommunications interception by state authorities for criminal prosecutions is regulated by the criminal code and may only be employed for the prosecution of serious crimes for which specific evidence exists and when other, less intrusive investigative methods are likely to fail.

A 2008 BVerfG ruling establishing a new fundamental right to the “confidentiality and integrity of information technology systems” also found that covert online searches are only permitted in exigent circumstances.187 Based on that ruling, the federal parliament passed a law in 2009 authorizing the BKA to conduct—with a warrant—covert online searches to prevent terrorist attacks and to employ other methods of covert data collection, including the surveillance of private residences and the installation of software on a suspect’s computer that intercepts their communications at the source.188

In June 2017, the federal parliament enacted the “law for more effective and more practical criminal proceedings.” Most significantly, it included an extensive list of criminal offenses that would allow for the deployment of spyware on suspects’ mobile phones, tablets, and computers in order to enable monitoring of written and spoken text as well as the copying of data.189 Critics consider the law unconstitutional due to its expansive scope and long list of applicable offenses.190 In accordance with the law, the BKA has been permitted to install Staatstrojaner on suspects’ devices since January 2018.191 BKA hackers have reportedly breached Telegram and are targeting WhatsApp, although intelligence services have previously accessed WhatsApp without using a state Trojan.192 Complaints and lawsuits against the law and similar state laws have been filed at the BVerfG by data protection organizations and activists.193

In June 2021, the Christian Democratic Union/Christian Social Union (CDU/CSU) and SPD coalition passed a law allowing all 19 German intelligence agencies to use the Quellen-TKÜ Plus Staatstrojaner, which can read and collect ongoing communications and data as well as communications that happened before the software’s installation but after authorization of the surveillance order. It also obliges internet providers to help with the installation and allows police to preventively surveil a suspect. The law was followed by strong criticism by the opposition at the time, big tech companies, and NGOs, some of which considered filing complaints before the Federal Constitutional Court.194 An open letter demanding the government deploy better legislation for encryption and safe communication was published ahead of the law by NGOs, trade associations, and big tech companies—a rather unusual broad alliance within the realm of tech policy in Germany.195

In Bavaria, Germany’s second-largest state by population, the governing CSU introduced a bill in 2018 that grants the Bavarian police vastly expanded powers, including the authority to access any information technology system preventively in the event of a broadly defined imminent danger without concrete evidence of a specific crime.196 Critics allege that the bill would blur the line between police and intelligence services, a strict distinction placed into the constitution as a consequence of Nazi-era abuses.197 Since then, similar laws granting police forces vastly expanded powers to access communications have been passed in a number of other states.198 In some cases, these laws permit police to use Staatstrojaner. In March 2022, the Bavarian police faced criticism by the Bavarian commissioner for data protection after introducing software produced by US-based company Palantir, which has been criticized for facilitating rights violations, to connect several police databases. Other states, such as Hessen or North Rhine-Westphalia, have been using Palantir software as well, but the Bavarian introduction of the software might lead to countrywide use, as indicated by the Bavarian police’s president.199

The Bundestag approved a bill in December 2019 expanding the powers of customs authorities to conduct communications surveillance, including through monitoring software and device searches.200 The law also provides a legal basis to obtain user data from telecommunications providers without the user’s knowledge, and it permits customs authorities to use IMSI catchers, which mimic cell phone towers in order to collect data from proximate devices.201 The law’s phrasing vaguely describes the circumstances justifying the application of spyware, providing only that customs authorities may use technical means, if necessary, to intervene in information technology systems. Federal Commissioner of Data Protection and Freedom of Information Ulrich Kelber criticized the almost unconditional and unprompted collection and enrichment of data.202

Newly arrived migrants and refugees are also targeted by measures that infringe on their privacy rights. According to 2017 amendments to the asylum law, an arriving refugee’s electronic device data, including location data, may be copied and analyzed in order to determine the person’s place of origin if he or she does not provide identity documents.203 With the support of the GFFF, several refugees affected by this practice have taken legal action against the Federal Office for Migration and Refugees and filed a complaint with BfDI Kelber.204 In June 2021, the Berlin Administrative Court declared the practice could only be used if there were no available “milder measures,” such as asking for more documents or getting speech analysis.205

In June 2020, the health ministry launched the Corona-Warn-App,206 a COVID-19 contact tracing app that adopted data minimization principles and relied on decentralized proximity tracing. An update, introduced in December 2021 to follow an EU requirement for online verification services, contains a feature to allow verification of a user’s vaccination certificate by third parties, such as airlines or event organizers. As of January 2022, no online verification provider has been approved yet.207 This feature faced some criticism regarding the promise that no personal data would leave the app and would lead to more users giving up privacy to buy tickets online instead of anonymously at the box office.208

Score Change: The score declined from 4 to 3 because of December 2021 amendments to the telecommunications act that force email and messenger services to turn over user information to authorities.

The German government established a legal framework to protect personal data in 1990, though several laws require companies to provide user data to authorities. German law requires the localization of some telecommunications data.209

In December 2021,210 amendments to the TKG that compel email and messenger services to provide user identification information (“Bestandsdaten [inventory data]”) to law enforcement in case of criminal prosecution came into force. The law, which was passed in March 2021, also stipulates that messenger services based outside of Germany are subject to the law.211 The type of user data that gets transferred is based on a court ruling by the Federal Constitutional Court, and also confined by other laws such as the December 2021 Telekommunikation-Telemedien-Datenschutz-Gesetzs (TTDSG), which combines data protection passages of the Telekommunikationsgesetz (TKG) and Telemediengesetz (TMG) to comply with the GDPR.212

In April 2021, the amendments to NetzDG that require companies to report to the BKA the personal data of users who post certain types of illegal content (see B3), including far-right nationalist and extremist content, went into effect. The amendments state that personal data includes usernames, internet protocol (IP) addresses, port numbers and—with a judicial order—passwords.213 Digital rights associations made the criticism that the expected masses of user data that will flow to the BKA could hardly be processed by the public prosecutor’s offices.214 While President Frank-Walter Steinmeier initially refused to sign a package of laws after the parliament’s research service declared parts of the proposal unconstitutional for breaking regulations on the disclosure of inventory data,215 the inventory data disclosure process was reorganized and approved in March 2021, legalizing the transfer of data to the BKA.216 Google and Meta issued urgent motions against the amendments, resulting in a March 2022 ruling by the Cologne Administrative Court that the amendments contradict EU law in regard to home state regulations (see B2). Therefore, Google and Meta will not have to comply; Twitter and TikTok have ongoing motions that had not been ruled on by the end of the coverage period.217

Several constitutional complaints against data retention legislation have been filed and are pending at the BVerfG.218 In October 2020, the CJEU ruled that data retention is forbidden in principle but permissible if strict requirements are met. It can only be used against serious crimes like terrorism.219 A coalition of activists has made adjustments to their 2016 complaint following the inclusion of the unlawful legislation in the Telecommunications Act that went into effect in December 2021. The new government coalition is planning on discarding the passage relating to the legislation.220

Despite a 2014 CJEU decision that struck down the EU Data Retention Directive,221 the federal parliament enacted a law on data retention in 2015.222 Under the law, different sets of data would have to be stored on servers located within Germany for 10 weeks,223 and providers have to retain the numbers, as well as the dates and times, of phone calls and text messages. ISPs are also required to retain the IP addresses of all users, as well as the dates and times of connections. The location data of mobile phone connections must be saved for four weeks. The requirements exclude sites accessed, email traffic metadata, and the content of communications.

A December 2019 law establishes a legal basis for customs authorities to obtain user data from telecommunications providers without the knowledge of the person concerned (see C5).224 The amended Telecommunications Act of 2013 regulates “stored data inquiry” requirements.225 Under this law, approximately 250 registered public agencies, among them the police and customs authorities, are authorized to request both contractual user data and sensitive data from ISPs. Several studies have shown that judicial review does not actually take place in a majority of instances when it is required.226

Separately, antiterrorism legislation that was first passed after the September 11, 2001, terrorist attacks in the United States—legislation that, among other provisions, obliges banks or telecommunications operators to disclose customer information to authorities—was once again extended in 2015 until 2021227 . This was followed by an indefinite extension in November 2020. Expert witnesses criticized the lack of evaluation of the legislation.228

There were few reported cases of direct physical intimidation or violence against online journalists or other ICT users in retaliation for their activities during the coverage period.

In 2022, RSF downgraded Germany by three places to 16th in its annually published Press Freedom Index. Since last year, Germany’s press freedom no longer ranks as “good” but only “satisfactory” due to increasing incidents of reporters being attacked by conspiracy theorists at anti-lockdown protests.229

In August 2020, several journalists and press photographers were insulted and harassed by demonstrators protesting COVID-19 measures in Berlin. The European Centre for Press and Media Freedom reported an increase in harassment of journalists online and counted 26 incidents of intimidation or assault in Germany between March and October 2020.230

In October 2019, law enforcement shut down Germany’s biggest file-sharing platform, Share-Online.biz, and seized its website and servers. After police raided their offices and employees’ apartments, the operators were charged with commercial unauthorized use of copyright protected works.231 In August 2020, Europol, in coordination with authorities in other countries, shut down the Sparks Group,232 one of the world’s largest piracy groups, which had some of its servers in Germany.233

In June 2018, police raided the offices and homes of the Zwiebelfreunde (Onion Friends), an activist association promoting online anonymity tools—an action a court later ruled illegal. Police seized documents containing names, addresses, and bank details of Zwiebelfreunde supporters, as part of a case in which they were classified as witnesses. Following criticism from press freedom and internet rights activists, the Munich Regional Court ruled the searches and seizures illegal and ordered all seized material returned.234

A June 2019 study on hate speech reported that immigrants, Muslim people, women, and LGBT+ people are predominantly targeted by harassment online. Men reported experiencing online harassment more frequently than women, which might stem from different online behavior.235 When it comes to cases of online discrimination against LGBT+ people, Germany ranks relatively low when compared to other European countries.236 A study on the impact of NetzDG (see B2 and B3) published in December 2021 found there has been about a 10 percent decrease in hate speech comments on Twitter since the law took effect. The researchers looked at a time frame from 2016 to 2019 and focused in particular on tweets containing the terms “Islam,” “Migration,” and “Displacement.”237

In December 2021, the Federal Constitutional Court ruled in favor of Renate Künast, a politician who was harassed after a right-wing blogger disseminated a fake quote that insinuated she supported pedophilia. The Berlin Regional Court initially ruled that the comments did not constitute insults because they contained a “factual reference to the discussion” and refused to turn over user information after Künast filed a civil suit.238

Human rights activists and NGOs are rarely victims of cyberattacks or other forms of technical violence that are aimed at stifling freedom of expression. However, government institutions and the business sector have been targeted by cyberattacks.239 Due to the shift toward online communication during the COVID-19 pandemic, the risks of cyberattacks have increased. The CDU suffered several attacks during their 2021 party conference, when they elected a new party leader.240 Thus, concerns about the safety of the federal electoral campaign increased.241

A report on IT security by the Federal Office for Information Security (BSI) covering June 2020 to May 2021 described the situation in Germany as “serious to critical.” There have been more malware variants, ransom fees, and blackmailing.242 The IT Security Act 2.0 (IT-Sicherheitsgesetz 2.0) which updates a 2015 law, includes stricter security guidelines for companies that are important to Germany’s infrastructure.243

In September 2021, a cyberattack targeted the Federal Statistical Office, whose director is also the Federal Returning Officer overseeing elections. According to the BMI, the server in question was separate from servers relating to the election.244 In the month of the federal elections, cyberattacks on several EU member states, politicians, and journalists took place. These attacks were attributed to the hacker group Ghostwriter, which has been linked to both the Russian and Belarusian secret service, and were strongly condemned by the EU.245 After the start of the war in Ukraine, the German domestic intelligence services warned about new attacks by the group, which had gained access to data of some members of the Bundesländer (German state) parliaments by targeting them with phishing attacks.246

In December 2018, the personal data of parliamentarians, politicians, television personalities, activists, and YouTube artists were published online.247 An individual who confessed to the leaks, a German citizen, was arrested shortly after the case received public attention in January 2019.248 The case led to public discussions about online safety since much of the retrieved data was protected by weak passwords such as “1234.”249