The German Federal Ministry of Justice has published a draft bill for an Act against Digital Violence (Gesetz gegen digitale Gewalt (GgdG)). The draft imposes obligations on digital service providers and contains amendments to the German Criminal Code (StGB) and other German statutes.
What is new?
On 17 April 2026, the Federal Ministry of Justice presented a draft bill to strengthen civil and criminal protection against “digital violence”. Digital violence is broadly defined and encompasses includes hate speech, doxing, cyberstalking, cybermobbing, cyberflashing, image‑based sexualized abuse (incl. “revenge porn” and sexualized deepfakes), grooming, identity misuse and similar online attacks.
The draft pursues a two‑pillar approach to protect victims: On the one hand, victims are given new means to enforce private-law claims against service providers. In this regard, victims can petition a court to order the service providers to provide information, to preserve evidence or to block a user account that infringes the petitioner’s rights.
On the other hand, new criminal offences are added to the German Criminal Code (StGB). In particular, the distribution and artificial creation of certain images will be subject to criminal charges: The creation and distribution of computer-generated or manipulated content that appears authentic and is capable of harming another person will constitute a criminal offence.
The draft is at a very early stage. Stakeholders are invited to submit comments until 22 May 2026.
Legal background
According to the legislature, existing remedies under private and criminal law do not sufficiently protect against digital personality rights violations. While victims of digital violence in theory have private law claims against perpetrators, enforcement in practice is often burdensome. Thus, the draft bill intends to facilitate the enforcement of private law claims by streamlining the process of requesting certain information about the perpetrator directly from the service provider as well as requesting the preservation of evidence and the blocking of accounts where further violations are likely.
The draft bill further introduces a criminal law reform to address gaps in the current protection against digital abuse. It strengthens protection against image-based sexualized abuse by covering a broader range of non-consensual intimate recordings and AI-generated images. In doing so, it aligns German law with approaches taken in other European jurisdictions. In addition, it tackles non-sexualized deepfakes that manipulate a person’s likeness or voice for harmful purposes and clarifies that such conduct constitutes a serious violation of personality rights and should be addressed in a more coherent and transparent way. Finally, the draft responds to the growing misuse of digital tools for covert surveillance (e.g. trackers, smart-home applications, remote audio/video monitoring) by explicitly targeting repeated or continuous monitoring that can be used to control, intimidate or seriously harm individuals.
Who is affected?
The bill primarily affects service providers of online platforms (including social networks), web or cloud hosting services but also internet access providers (being subject to specific obligations). According to the explanatory memorandum, the services of these providers are typically used to commit acts of digital violence. Services that do not host user content fall outside the scope – in particular transmission services (e.g. VPN providers), caching services, search engines and communication services such as messaging, e-mail, video conferencing and internet telephony.
What needs to be done?
Service providers and access providers whose services may be used to commit an infringement of personality rights must, if ordered by a court, disclose defined user data to the victim, insofar as this is necessary to assert civil claims (e.g. for injunctions or damages claims). Disclosable information may include the user's name, date of birth, address, email address and phone number, as well as IP address (including port number), timestamp and a copy of the infringing content.
In addition, service providers need to implement procedures to preserve evidence. In particular, providers must refrain from deleting the relevant data, create a copy of it and submit both the data and the infringing content to the court. Internet access providers may be required to match any data received by the court with the corresponding customer record.
Social networks can also be ordered to block user accounts that belong to the perpetrator where there is a substantial risk that the person will continue to infringe the petitioner’s personality rights. The obligation extends to all accounts known to the platform that are attributable to the perpetrator, except where there is no realistic prospect of similar violations from a given account. The platform must also, to the extent technically and economically feasible, prevent attempts by the user to open and operate new accounts during the blocking period.
Social networks not established within the EU further have to appoint a representative on whom court orders can be served. Non-compliance can be sanctioned with a fine of up to EUR 5 million.
What should service providers do?
The draft is at an early stage and has not yet been enacted. However, the government has committed to introducing the Act, and its eventual enactment is therefore likely. Individual provisions may still change in the course of the legislative process.
Stakeholders may submit comments to the German Federal Ministry of Justice until 22 May 2026.
