The Federal Ministry of Justice has published the draft bill for an Act against digital violence (GgdG). The draft imposes obligations on providers of digital services and internet access services and includes amendments to the German Criminal Code (StGB) as well as other German laws.
What is it about?
On 17 April 2026, the Federal Ministry of Justice presented a draft bill to strengthen civil and criminal law protections against “digital violence”. The draft bill uses the term digital violence as a broad term that includes, among other things, hate speech, doxing, cyberstalking, cyberbullying, cyberflashing, image-based sexualized abuse (including “revenge porn” and sexualized deepfakes), grooming, and identity theft.
On the one hand, the draft provides new legal remedies for persons affected by digital violence to enforce civil claims against perpetrators and protect themselves against serious violations of the law as defined by the bill. Obligations of service providers are subject to judicial review.
On the other hand, new criminal offenses are being added to the Criminal Code (StGB). In particular, the creation and distribution of artificially generated images that appear authentic and are capable of harming another person are intended to be criminalized in the future.
The draft is at a very early stage. The bill has been sent to the federal states and associations, and interested parties now have the opportunity to submit comments by May 22, 2026.
Legal Background
In the legislature’s view, existing civil and criminal law provisions do not provide sufficient protection against violations of personal rights in the digital sphere that cross the threshold of criminal liability. The draft bill aims to facilitate the enforcement of civil claims by allowing applications for court orders to compel the disclosure of user data, to preserve evidence, and in case of serious violations of personality rights to block user accounts.
Furthermore, with reference to other European legal systems, the draft bill supplements the German Criminal Code (StGB) with several new criminal offenses to adapt criminal provisions to “the new phenomena of the digital age.” In the future, the distribution of certain non-consensual intimate recordings and AI-generated images will be punishable by law. Furthermore, the dissemination of “non-sexualized deepfakes” that manipulate a person’s appearance or voice for harmful purposes constitutes a serious violation of the personal rights of the affected person, which should be punished in a coherent and transparent manner. Finally, the draft intends to addresse the risk of being constantly or repeatedly covertly monitored using digital tools (e.g., trackers, smart home applications, remote audio/video surveillance) to control, intimidate, or seriously harm individuals.
Who is affected?
The draft bill primarily establishes obligations for providers of online platforms (including social networks), web or cloud hosting services, as well as providers of internet access services (who are subject to specific obligations). This is because these entities are capable of sharing infringing content with an undefined audience. Services that do not host user content fall outside the scope of the bill – in particular, transmission services (e.g., VPN providers), caching services, search engines, and communication services for messaging, email, video conferencing, and internet telephony.
What obligations are imposed on service providers?
Service providers must, upon a court order, disclose certain user data to victims of specific criminal offenses to the extent necessary to assert civil claims (e.g., claims for injunctive relief or damages). The information to be disclosed includes, among other things, the user’s name, date of birth, address, email address, and phone number, as well as the perpetrator’s IP address (including port number), timestamps if applicable, and a copy of the infringing content.
Upon a court order, service providers must also secure certain data. They may not delete this data, must make a copy of it, and must submit it to the court. Providers of internet access services may be required to match the data received from the court with the corresponding customer record and to store this record.
Social network providers may also, under certain conditions, be required to suspend the user accounts of anyone who has used at least one of their accounts to commit serious infringements. The provider must also, to the extent that this is technically and economically feasible and reasonable, prevent the user from opening and operating new accounts while their accounts are suspended.
Social networks not based in the EU must also appoint a representative to whom court orders can be served. Failure to comply may result in a fine of up to 5 million euros.
What should service providers do?
The draft is in an early stage and has not yet entered into force. However, the government has committed to enacting the law, so its entry into force is likely. Individual provisions may still change during the legislative process.
