It has been known for some time that it is not easy for victims of "digital violence" – from character assassination to revenge porn – to effectively enforce their rights. The recent allegations against a well-known television personality in Germany have once again fuelled the debate about effective legal protection on the Internet. The Federal Ministry of Justice and Consumer Protection (Bundesministerium für Justiv und Verbraucherschutz - "BMJV") is now also taking this line with its proposal for a "Law to Strengthen Civil and Criminal Protection against Digital Violence" (Entwurf eines Gesetzes zur Stärkung des zivilrechtlichen und strafrechtlichen Schutzes vor digitaler Gewalt - "GgdG-E"), the draft bill of which was published on 16 April 2026.
The draft does not create a new general platform supervisory law. Instead, the GgdG is intended to make it easier for those affected to enforce their rights individually through private law. This means that obligated companies – operators of online platforms as well as providers of hosting services and, in some cases, Internet access services in Germany – are subject to additional review, information, security and implementation obligations, which we explain here.
Who is affected?
The addressees of the additional obligations are to be companies that operate online platforms and web and cloud hosting services (collectively defined as "service providers", § 1 para. 2 GgdG-E). A characteristic feature of both types of service is that they can be used to disseminate information on the Internet that may be infringing legal requirements. In addition, Internet access providers are held accountable as far as the association of IP addresses with their holders is concerned (§§ 1 para. 3, 2 para. 1 GgdG-E). Here, the draft goes beyond classic platforms and – despite all the assurances in the draft law’s official reasoning – changes the meaning of (supposed) anonymity in online discourse.
Territorially, the obligations are linked to the jurisdiction of German civil courts – providers outside Germany and even outside the EU can therefore be affected if they provide their services in Germany.
Legal background
Since 17 February 2024, the framework of obligations for the moderation of online content derives primarily from the Digital Services Act ("DSA"; Regulation (EU) 2022/2065). In addition to various transparency obligations, the DSA provides in particular for the mandatory establishment of a notice-and-action mechanism, and for providers of online platforms also an internal complaint-handling system and participation in out-of-court dispute resolution.
What the DSA does not regulate, however, is the individual civil law enforcement of claims by victims of digital violence against service providers. It contains neither a procedure with which data subjects can determine the identity of anonymous infringers, nor a judicially enforceable claim for the blocking of individual user accounts in the event of serious violations of personal rights (although possibly for damages in the event of breaches of obligations, cf. Art. 54 DSA).
For the identification of persons who commit infringements in the digital space and the rapid securing of digital content as the basis for civil law claims, Section 21 paras. 2 to 4 of the Telecommunications-Digital-Services-Data Protection Act (Telekommunikation-Digitale-Dienste-Datenschutz-Gesetzes - "TDDDG") has so far provided for an enabling provision under data protection law. Service providers may hand over user data to affected persons upon judicial order – however, the TDDDG does not establish a substantive claim of the affected person to the provision of information. This information procedure is now to be replaced by a new regulation specially tailored to digital violence.
While the DSA primarily structures the regulatory responsibility of intermediary services, the GgdG-E aims at the procedural enforceability of individual claims. Companies must therefore not only ensure compliance with obligations under the DSA, but also prepare for judicial information, security, deletion and blocking orders under the new GgdG regime.
The central innovations in civil law enforcement
Concept of infringement of rights
The civil procedural instruments of the GgdG-E presuppose in each case that there is an "infringement of rights". The draft does not define this term autonomously, but refers to a legally defined catalogue of criminal offences. This includes, among other things, insult, defamation (§§ 185-189 StGB) and stalking (§ 238 Criminal Code – Strafgesetzbuch, “StGB”) as well as violations of the right to one's own image (§ 33 KunstUrhG) and data protection law (§ 42 BDSG). The catalogue also includes the criminal offences created or expanded by the new draft law itself. Central innovations – but only indirectly relevant for companies due to the expansion of the term "infringement of rights" – are the reform of Section 184k StGB-E, which in future will also cover the production and making available of sexualised deepfakes, and the new Section 201b StGB-E, which is intended to make the dissemination of deceptive content that violates personal rights a punishable offence.
It is true that there are probably only a few cases in which platform operators can be criminally liable under these – including the new – criminal offences. However, the expansion of the catalogue increases the risk for companies of being confronted with court orders in favour of affected persons.
The new judicial information procedure
The heart of the civil procedure innovations is the new information procedure. In the future, those affected will be able to obtain users' identity data much more easily if those users have committed criminal infringements of rights in the digital space. A judicial order remains a prerequisite.
Particularly relevant for the providers concerned is the extended scope of the data to be disclosed. In the future, not only classic master data such as name, date of birth, address, e-mail address or telephone number will be included, but also the IP address used in the infringement, including port number and the last IP address used. Internet access providers are then supposed to associate this data with the respective holder and hand over the corresponding personal details. In contrast to the previous procedure under Section 21 TDDDG, which required two separate court orders, this will be possible in a single procedure in the future.
It could also be of practical significance that those affected are to be able to be represented by civil society organisations (§ 7 GgdG-E). This could reduce the factual hurdle for the assertion of claims, as could the fact that information proceedings under the GdgG will be free of court costs and not subject to the obligation to be represented by a lawyer.
If the draft law is implemented, companies will therefore have to check whether their internal processes allow them to implement court orders at short notice and in compliance with data protection regulations.
Preservation of evidence becomes an operational duty
In addition to the information procedure, the GgdG-E provides for orders to preserve evidence, which affect the service provider at an early stage of the proceedings. As soon as such proceedings are pending and there are sufficient factual indications of an infringement, the court is to order that the service provider does not delete the relevant user data and makes a copy of the challenged content. This data and the copy of the contents shall be transmitted to the court; they may not be passed on to the applicant at first.
The obligation to preserve evidence is less a question of legal assessment than of internal governance: data must be identified, secured, transmitted and irreversibly deleted after the conclusion of the proceedings.
It is striking, however, that the draft does not provide for an independent sanction provision for the disregard of information orders and orders to preserve evidence. For the enforcement of the substantive obligations, only the general coercive measures under § 35 FamFG apply – penalty payments that may not exceed EUR 25,000 in individual cases. Since the GgdG-E also has providers based abroad in mind (see below), it will be interesting to see whether even stricter enforcement or sanction rules will be added in the course of the legislative process.
Judicial account bans
Platform operators are already familiar with account bans from the DSA. Article 23 para. 1 DSA obliges providers of online platforms to temporarily suspend the provision of their services to users if they often provide manifestly illegal content. The GgdG-E takes up this instrument, but goes beyond it by providing for a civil law claim of affected persons against providers of social networks for the blocking of user accounts. While Art. 23 para. 1 DSA is linked to frequent and manifest abuse, according to § 4 para. 1 GgdG-E, it should be possible to block accounts even in the event of a first-time infringement (even if a risk of repetition remains a prerequisite). The GgdG-E thus shifts the account blocking from a platform-side moderation measure under the DSA to a judicially enforceable instrument of private law enforcement.
It is questionable whether such a national special regulation is permissible at all in addition to the DSA. As a directly applicable regulation, the DSA claims a far-reaching harmonisation of the rules for a safe and trustworthy online environment. Against this background, there are some indications that § 4 GgdG-E could collide with Art. 23 DSA because the national draft provides for lower requirements for account blocking. The fact that § 4 para. 4 sent. 3 GgdG-E clarifies that measures under Art. 23 DSA remain possible in addition only mitigates this tension to a limited extent. For service providers, the question would nevertheless arise as to whether they would be exposed to more extensive blocking claims in Germany than in other EU Member States. The detailed argumentation in the official reasoning of the draft law shows that the legislator is also aware of this risk.
Authorised representatives
The draft obliges social network providers based outside the EU to designate a domestic authorised representative at the latest when they offer the service in Germany and in an easily recognizable manner. Violations can be punished with a fine of up to EUR 500,000 – for legal entities, this limit increases tenfold to up to EUR 5 million via Section 30 para. 2 sent. 3 OWiG.
For providers based in an EU member state, the situation is more nuanced: Here, designation is not to be required in an abstract and general way, but only on the basis of a court order in the individual case. This differentiation goes back to the CJEU’s judgment of 9 November 2023 (C-376/22). According to this decision, an EU Member State may not impose abstract general obligations on service providers based in another EU Member State – the regulatory competence lies with the provider's country of domicile.
Since judicial service of documents within the EU usually takes a longer period of time than IP addresses in particular remain stored by the Internet access provider, this has a considerable influence on the practical effectiveness of the GgdG, especially with regard to providers based in Ireland and other EU Member States. It remains to be seen whether the separate draft law for the introduction of IP address storage, which is currently in the legislative process and is intended to oblige Internet access providers to store IP addresses for three months as a precautionary measure, can alleviate this time problem.
Recommendations for action for companies
The GgdG-E is relevant for service providers particularly because it sharpens civil law enforcement in the digital space and pushes platform operators into a central implementation role. The obligations are far-reaching, even if enforcement mechanisms against providers are limited.
By linking the tightening of criminal law motivated by Directive (EU) 2024/1385 with the civil procedure amendments, the BMJV has significantly increased the "chances of survival" of the draft. Even though the draft is still in the legislative process and changes are possible, affected companies should therefore take its publication as an opportunity to examine where there may be a need for adjustment. This applies in particular to the ability to implement requests for information and orders to preserve evidence at short notice, technical processes for data assignment, data securing, deletion and blocking processes, and the design of interfaces between the organizational units affected within the company.
Particularly with regard to the issue of authorised representatives, service providers should carefully monitor the legislative process due to the comparatively high range of sanctions and, if necessary, check at an early stage whether the existing servicing and procedure organisation meets the new requirements.
Forward
