A close-up of Germany’s regulatory approach to data governance, content moderation, competition, artificial intelligence, and more.
The “DPA Digital Digest” series provides concise summaries of each G20 nation’s digital policy. Based on the Digital Policy Alert database, we outline rules and enforcement cases in data governance, content moderation, competition, artificial intelligence, and domestic points of emphasis.
Germany, the European Union’s largest economy, boasts a digital sector worth EUR 224 billion. According to digital association Bitkom, the sector has grown by 4.4% in the past year – over three times faster than the rest of the economy.
Germany’s international priorities, enshrined in its strategy for international digital policy, include the protection of human and fundamental rights and access to a free and uncensored internet. Germany’s Digital Strategy for 2022-2025 strives for artificial intelligence, microchips, and quantum computing “made in Germany.”
But what do Germany’s domestic digital policies stand for? Our Digital Digest provides a succinct overview of the latest policy and enforcement developments in major policy areas and Germany-specific points of emphasis.
Data governance: Germany is considering updates to its data protection law and guiding the implementation of the EU-US Data Privacy Framework.
Content moderation: Germany is implementing both its own landmark law and the EU Digital Services Act, as well as considering measures on digital violence and deepfakes.
Competition policy: Germany is implementing its dedicated regime for large digital firms and pursuing a strict enforcement approach through novel oversight powers.
Artificial intelligence: Germany is preparing the implementation of the EU AI Act and issuing guidance on AI-related issues across policy areas.
Germany’s points of emphasis include minor protection and cloud computing.
Written by Tommaso Giardini, Nils Deeg, and Maria Buza. Edited by Johannes Fritz.
The European Union’s General Data Protection Regulation (GDPR) applies in Germany. The amended Data Protection Act aligned domestic law with the GDPR, specifying obligations for private bodies. As of March 2024, the federal parliament is considering amendments to the Act to prohibit the use of sensitive data in credit scoring and to institutionalise the role of the Conference of the Data Protection Authorities (DSK).
The Health Data Utilisation Act, in force since March 2024, regulates the conditions for the use of health data, including the use of patient data by health institutions. The Act introduces requirements for the use of health data for research purposes, including pseudonymisation and anonymisation, and prohibits the commercial use of such data. The Act also establishes an office responsible for maintaining a public metadata catalogue about available health data.
The National Data Strategy, published in August 2023, outlines plans to improve the availability, effective use, and interoperability of data. The government strives to regulate data access for research, establish a right to open data, and adopt legislation on improving transparency and employee data protection. In July 2023, the government announced a law on mobility data. Currently, the government is establishing a federal data institute to coordinate the availability and standardisation of data.
In March 2024, Germany introduced a law to implement the EU’s NIS2 Directive that would expand the powers of the Federal Office for Information Security. Since December 2021, the Telecommunications-Telemedia Data Protection Act (TTDSG) has imposed a duty of confidentiality on telecommunications and telemedia providers. The TTDSG also regulates consent, a topic on which the government has issued guidance and is developing an ordinance. The amended Telecommunications Act, implemented simultaneously, requires consent for the use of non-essential cookies and similar tracking technologies. Court rulings, however, invalidated data retention requirements regarding client traffic and location data. Since May 2021, the amended IT Security Act has required preventive cyber resilience measures from critical infrastructure providers and has enabled the government to ban foreign-made components that endanger public security.
German authorities have focused mainly on the EU-US Data Privacy Framework (DPF). The DPF was negotiated to enable transatlantic data transfers following the invalidation of the Privacy Shield in 2020. In July 2023, the European Commission issued an adequacy decision based on the DPF, enabling such data transfers. German authorities have since issued guidance explaining the adequacy decision and the DPF.
During the DPF negotiations, the federal data protection authority echoed concerns voiced by the European Data Protection Board regarding mass data collection in the US. The regional data protection authority of Baden-Wuerttemberg questioned EU citizens’ ability to pursue legal action under the US Executive Order On Enhancing Safeguards For United States Signals Intelligence Activities and scrutinised its complaint mechanism in view of unclear standards, limited information and judicial independence.
Guidelines and enforcement are divided between the federal data protection authority, which covers public bodies and telecommunication providers, and the 16 regional authorities that oversee private entities. The federal and regional authorities convene as the Conference of the Data Protection Authorities (DSK) to conduct coordinated enforcement action and issue non-binding guidelines.
The DSK has issued guidance on secondary use of genetic data, website subscription models, e-commerce data collection practices and encryption requirements for emails, among others. The federal data protection authority has outlined rules for the telecommunications sector, while regional data protection authorities have issued guidelines on data protection in recruitment and on data transfers, among others. In addition, the Federal Office for Information Security has issued guidelines on cyber resilience for manufacturers, cyberattacks for critical infrastructure providers, energy providers and auditing firms, and preventive security requirements in healthcare.
Enforcement action on salient issues is often coordinated at the national level. The DSK investigated third-country access to personal data and Microsoft 365 products, raising concerns regarding transparency and data transfers. A coordinated inquiry into EU-US data transfers raised questions concerning data transfers, hosting, webtracking and internal data sharing.
At the regional level, cases specify data protection rules for commonplace online functionalities.
In Hessen, the data protection authority issued a notice flagging that cloud-based writing support tools in web browsers could illegally transfer personal data abroad.
A Bavarian court declared the use of Google Fonts on websites illegal due to the transmission of dynamic IP addresses without explicit consent.
Hamburg’s data protection authority issued a notice that Google’s cookie banners were non-compliant because the acceptance button was larger and required one click fewer than rejection.
A Munich court similarly ruled that user consent was not obtained freely because a cookie banner rendered opting out more burdensome.
In April 2022, the Court of Justice of the EU preliminarily ruled that consumer protection associations can initiate legal proceedings for data protection violations based on German domestic law, without preclusion by the GDPR.
The landmark Network Enforcement Act (NetzDG) requires user-content platforms with over 2 million users in Germany to implement a flagging mechanism for users to report “unlawful content.” Unlawful content is determined by the Criminal Code, not the NetzDG, and includes propaganda, terrorist symbols, and violence, among others. Platforms must remove or block access to unlawful content within 24 hours and notify both the flagging and the posting user. Platforms must also appoint a local representative, store data on content removals and, if they receive over 100 complaints a year, report to authorities every 6 months.
In March 2022, a court invalidated several NetzDG provisions for violating EU law. The violations concern the EU E-Commerce Directive’s “country of origin” principle, subjecting companies only to domestic laws in their European headquarters, and the EU Audio-Visual Media Services Directive’s requirement for media authorities’ independence, which the Federal Office of Justice does not fulfil.
In February 2022, the NetzDG underwent two amendments. Since then, platforms must establish a procedure enabling users to contest moderation decisions, whether the decision was to remove or not to remove flagged content. In addition, platforms must report unlawful content and the corresponding IP address to authorities, due to an amendment aiming to counter right-wing extremism and hate crime. Further measures against online hate and right-wing extremism, adopted in February 2024, demand reporting to the Federal Criminal Police Office.
In June 2024, a bill criminalising the creation of deepfakes without consent was introduced. In April 2023, the Federal Ministry of Justice announced a law against digital violence that would require platforms to identify culprits. Recently, Germany adopted legislation to implement the EU Digital Services Act and designated the Federal Network Agency as the national “digital services coordinator” overseeing the DSA.
Germany’s enforcement focuses on both content moderation and user speech rights.
In April 2023, the Federal Office of Justice upheld its EUR 5.1 million fine against messaging provider Telegram for failing to implement a content flagging mechanism and appoint a local representative (under appeal).
Also in April 2023, the Federal Office of Justice opened an investigation into Twitter for failing to moderate defamatory tweets.
Beyond the NetzDG, the Federal Court of Justice ruled in 2022 that YouTube can be held liable for copyright violations if it is aware of repeat violations but does not take adequate preventive (rather than reactive) measures.
The Federal Court ruled in 2021 that Facebook's Terms and Conditions on post deletion and account blocking are invalid because they did not sufficiently inform users and enable them to respond.
Also in 2021, a Cologne court prohibited YouTube from deleting two videos of a COVID-19 policy transparency campaign for failing to provide sufficient information on specific violations of its guidelines.
In November 2023, the eleventh amendment to the Act against Restraints of Competition was implemented. The amendment empowers the competition authority (BKA) to issue orders following sectoral inquiries and coordinate enforcement cooperation with the European Commission on the Digital Markets Act. In addition, the amendment introduces a presumption that companies violating competition rules attain an advantage of 1% on domestic sales, obliging companies to pay 1% of their profits on top of fines.
In 2021, the tenth amendment established Germany’s digital competition approach. The amendment introduced the concept of companies “of paramount significance” for competition across markets, subjecting such companies to enhanced scrutiny by the BKA. The BKA determines companies’ significance for five years, considering factors including access to data and intermediary functions. For significant companies, the BKA can take ex-ante action and prohibit specific types of conduct, such as combining data, creating information deficits or denying data portability. To date, the BKA has designated Google (January 2022), Meta (May 2022), Amazon (July 2022, appealed), and Apple (April 2023, appealed). The BKA is still determining the status of Microsoft.
The tenth amendment also amended merger control notification thresholds, to annual local turnover over EUR 50 million for one party and annual local turnover over EUR 17.5 million for the other (previously EUR 25 and 5 million, respectively). The BKA can request the notification of mergers below these thresholds in specific economic sectors, following a sectoral inquiry.
The BKA’s enforcement focuses on unilateral conduct, with a special focus on data combination.
In July 2023, in a seminal case on the intersection of data protection and competition law, the Court of Justice of the EU ruled that the BKA can consider data protection rules in its competition cases. Specifically, the BKA had ruled that Facebook abused its dominant position by combining user data from its platforms (Facebook, WhatsApp and Instagram), third-party websites, and Facebook Analytics, without user consent.
In October 2023, the BKA closed its investigation into Google in view of commitments to give users the ability to consent to specific options regarding data combination across services. The investigation concerned allegations that Google combined user data from its services (e.g. Google Search, Google Maps, and YouTube) and third-party applications without giving users a transparent choice to consent to or limit cross-service data combination.
The BKA is still investigating Apple’s “App Tracking Transparency” framework for potential self-preferencing. The framework requires third-party applications to obtain user consent for cross-app data tracking, while Apple’s applications can combine data across services without consent.
The BKA is currently investigating large digital firms, having recently concluded investigations with behavioural remedies, rather than fines.
Currently, the BKA is investigating Google for restricting the combination of Google Automotive Services and Google Maps with third-party services. Amazon is also the subject of two investigations, concerning its influence on third-party sellers through price control and algorithms, as well as exclusivity agreements to sell brand name merchandise (“brandgating”).
In June 2023, the BKA imposed remedies on rail operator Deutsche Bahn (DB), including to share data with third-party mobility platforms and permit them to carry out their own discount campaigns.
In December 2022, the BKA closed its investigation into Google News Showcase following commitments to entitle publishers to ancillary copyrights and collective enforcement.
In November 2022, the BKA partly closed the investigation into Meta’s virtual reality headsets after Meta stopped making the use of headsets conditional on the creation of a Facebook account.
In July 2023, the BKA closed its investigations into food delivery platform Lieferando’s price parity clauses. The clauses prohibit restaurants from offering products for lower prices on other channels but do not constitute a serious market entry barrier.
Regarding mergers, the BKA has recently approved several transactions in digital markets.
In November 2023, the BKA approved plans by Bosch, Infineon, and NXP to invest in the European Semiconductor Manufacturing Company. A month earlier, the BKA approved software provider SAP’s acquisition of LeanIX, a company specialised in enterprise architecture management.
In August 2023, the BKA approved the merger between online food retail companies Knuspr and Bringmeister.
In November 2023, the BKA decided that Microsoft’s investment into OpenAI is (currently) not subject to German merger control (see below).
In February 2022, the BKA approved the Meta/Kustomer acquisition, explicitly referencing the European Commission’s approval thereof.
The EU’s landmark AI Act will apply in Germany. At the national level, the government adopted a law on autonomous driving in 2021. It introduced requirements for the construction, condition, and equipment of autonomous vehicles to be eligible for licensing. Another law adopted in 2021 regulates the use of AI in operational contexts, enabling employee representatives to be informed on and request expert assessments of firms' AI use.
AI is a core concern for data protection authorities, which have issued numerous guidelines.
In June 2024, data protection authorities in Hamburg and North Rhine-Westphalia issued statements on Meta’s new privacy policy, which enables Meta to train AI based on user data from Facebook, Instagram, and Threads. The Irish data protection authority is currently reviewing the policy’s legality.
In May 2024, the DSK issued a guide on AI and data protection. Regarding enforcement, in April 2023, a number of regional authorities launched a coordinated action scrutinising OpenAI/ChatGPT's data processing. Authorities in Rhineland-Palatinate, Baden-Württemberg, Hesse, Schleswig-Holstein, and North Rhine-Westphalia issued requests for information, the latter mentioning a coordinated DSK investigation due to the importance of the application. In late 2023, the authorities from Hesse and Rhineland-Palatinate issued a second set of requests for information.
AI-related enforcement action spans policy areas, including competition, labour law, and intellectual property.
In November 2023, the BKA concluded that the relationship between Microsoft and OpenAI is not currently subject to German merger control. The BKA left open the possibility of revisiting its decision if the extent and terms of their cooperation changed in the future.
In January 2024, the Hamburg Labour Court ruled on the use of ChatGPT by employees and the intersection thereof with co-determination rights under German labour law. The court found that employees’ use of AI tools does not violate co-determination rights if it occurs voluntarily and via private accounts.
In June 2024, the Federal Court of Justice held that only a natural person can be the inventor of a patent, even if AI assists the invention process.
Germany pursues online minor protection through service access restrictions and content moderation. Since May 2022, the second amendment to the Youth Protection Act has required online service providers with over 1 million users in Germany to ensure age-appropriate content through precautionary measures, parental controls, and user reporting mechanisms. Further, the law requires providers to implement age verification for user-generated content self-rated as appropriate for users over 18 years.
Enforcement by the Commission for the Protection of Minors in the Media has focused on pornographic sites, including several blockings for failing to implement age verification. Finally, since September 2021, the distribution and possession of child sexual abuse material is subject to criminal liability.
Cloud computing is central to Germany’s pursuit of technological sovereignty, which it links to independence, self-determination, and safety. In May 2023, the Conference of the Data Protection Authorities issued criteria for “sovereign clouds,” including traceability through transparency, data controllability, openness, predictability, and reliability.
With the goal of cloud sovereignty, Germany collaborates with France on GAIA-X, a European data infrastructure. In addition, the Federal Office for Information Security issued minimum standards to reduce risks and ensure information security when relying on foreign cloud service providers, while the Federal Financial Supervisory Authority issued a notice on cloud outsourcing.