On 19 December 2019, the German Ministry of Justice published on its website a draft law to combat right-wing extremism and hate crime (the Draft). The Draft aims to put German criminal law enforcement authorities in a position to more intensively and effectively prosecute hate crimes that are committed online. It wants to achieve this by imposing changes to German criminal, criminal procedure and internet related laws, specifically by providing law enforcement in Germany with new tools to investigate online crimes and by forcing social media providers to report criminal hate speech on their platforms to the police.
Reporting obligation for social media providers
Central to the Draft is a new obligation of social media providers to proactively report certain criminal content from their websites or apps to the Federal Criminal Police.
This is a derogation from the principle in German criminal law that commercial enterprises are generally not obliged to report crimes they become aware of. Social media providers thus join a small circle of industries in Germany obliged to actively notify criminal law enforcement of suspicions companies have against their customers (others are e.g. financial institutions under Anti Money Laundering rules).
Already today, social media providers, who do business in Germany, are obliged to delete certain hate speech posts under the current Network Enforcement Act. The draft, however, deems that beyond this an active reporting obligation is necessary, as in the past too many cases have gone without prosecution.
Under the Draft, the reporting obligation should exist in all cases in which there has been a complaint claiming illegal content and this complaint has led the social media provider to delete or block access to the post. In addition, there must be concrete indications that the content of the deleted post fulfills one of several crimes set out in the Draft. Thus, the social media provider must conduct a concise criminal law analysis of the content of the post.
If all conditions are met, the social media provider must transmit the content and – if available – the user’s IP address and port number electronically to the Federal Criminal Police, who are to set up a special interface with social media companies for this purpose.
Under the Draft, a social media provider failing to set up the reporting system as set out above could be fined with up to EUR 50m.
Internet companies to provide user’s passwords on court orders
The Draft has gained immediate and widespread criticism in news media and legal circles, namely because of one aspect:
Under the Draft, internet companies (i.e. companies which fall under the scope of the Telemedia Act, e.g. companies which offer products or services that can be ordered online) can be forced in criminal and administrative offence proceedings to provide their customers’ user data, traffic data and even passwords to law enforcement based on a court order.
The Draft achieves this by proposing to extend measures of the Code of Criminal Procedure that can today only be directed against telecommunication providers (e.g. mobile and landline phone operators) on all internet companies.
Criminal law changes
In addition to increasing the procedural powers available to law enforcement agencies, the draft also makes certain conduct punishable for the first time.
For example, under the draft it would be a crime to endorse a criminal offence in an online post - unlike today - even if it referred to a crime which was not actually (yet) committed. Insults in public online forums could, under the Draft, carry a heavier sentence than insults committed in real life.
Practical effects on companies doing business in Germany
Number of requests from law enforcement authorities will likely rise
Should the Draft become law, it will impose even further regulatory requirements on social media providers and likely burden all companies doing online business in Germany with increased information requests from criminal law enforcement authorities. We have seen prosecutions jump on and make avid use of new tools provided to them by the legislator, namely the information requests for telecommunication providers (Section 100g and 100j German Code of Criminal Procedure), which will now be extended on all internet companies. We thus expect the number of letters internet companies receive from law enforcement to go up.
Only limited effectiveness in combating hate speech
However, time will tell whether the much-criticized obligation to provide passwords to criminal law authorities will have a far-reaching practical impact.
Firstly, law enforcement can only directly enforce such requests in Germany and would usually have to go through the applicable mutual legal assistance procedure to get data stored on servers abroad.
Secondly, even today prosecutions in criminal proceedings can get access to all data stored in a company in Germany, including passwords, if they apply for surrender requests, search warrants, or summon employees charged with data processing as witnesses, as is done quite often in practice.
Most importantly, however, companies usually store passwords and sensitive data on their servers fully encrypted, often without themselves holding a key to decrypt. Encryption of stored passwords is called for by German and European data protection law and it is even mandatory for a cloud service provider in order to receive a certification from the German Cyber Security authority (BSI). Therefore, in many cases, information requests for passwords under the Draft would gain nothing as the internet company simply could not provide an unencrypted password to the police.
Officials from the Ministry of Justice have signaled that they understand this conflict and that they do not intent to introduce an obligation for companies to be able to decrypt their user’s passwords in future. Despite this assurance, it seems advisable to pay close attention to all developments in this regard in the future.
Given all this, it seems likely that the Draft will – while imposing further burden on private corporations – be of limited effectiveness in advancing the prosecution of online hate speech, even though through the reporting obligation on social media providers case numbers will likely go up.
A clear legal basis for data requests could be welcome
On a more positive note, the Draft could make it easier for companies to comply with information requests pertaining to data from law enforcement. Today, companies facing (often invalid) data requests from police or other law enforcement authorities must strike a fine balance between matching their duties to surrender data under complex criminal procedure rules and at the same time complying with their obligations towards their customers under contract and data protection law. Often, companies find themselves in a situation where they are not allowed to disclose what they do not have to disclose. Navigating through this can be complex, time consuming and entail risks. Any clarity a future law would bring in this regard, would therefore be welcome.
The Draft is a proposal by the Ministry of Justice. It will still have to be agreed upon in the entire government (the Federal Cabinet), who is expected to discuss it in its Mid-February meeting before the Draft can formally enter the legislative process and be voted on in the Bundestag.
The German Minister of Justice, Christine Lambrecht, already made it clear in interviews that she was open to corrections to the Draft. Given the criticism mentioned above, we expect the draft to be revised before it eventually becomes law (which – if it goes through – could be in the second half of 2020).