Germany’s Internet Watchlist: Navigating Data Protection and Surveillance in 2026
Berlin, 8 January 2026 – As Germany grapples with rapid advancements in digital technology, the concept of an “internet watchlist” encompasses a range of regulatory measures aimed at monitoring online activities, from data protection laws to facial recognition and chat control proposals. These initiatives seek to enhance cybersecurity and combat threats like child exploitation, but they raise significant concerns about privacy and fundamental rights. Recent developments, including EU regulations and national implementations, highlight the tension between security imperatives and individual freedoms.
EU Gigabit Regulation and Broadband Expansion
Since 12 November 2025, a new EU regulation has accelerated fibre-optic infrastructure rollout in Germany, capping approval procedures at four months and mandating cooperation among network operators. This aims to achieve continent-wide gigabit coverage by 2030, with Germany classifying fibre expansion as a matter of “overriding public interest” until the end of 2030. Starting February 2026, all newly built residences must include fibre-ready infrastructure. While existing contracts remain unaffected, the regulation promises long-term benefits, such as faster internet speeds and reduced disruptions, though challenges persist in reaching half of German households still reliant on DSL connections.
Data Protection Developments in 2025
The year 2025 marked significant shifts in EU and German data protection frameworks, influenced by digital regulations and artificial intelligence. Key rulings included the German Federal Court of Justice’s decisions on data transfers to credit agencies and unauthorised advertising emails, emphasising compensation limits and non-material damage claims. The Data Act, applicable since 12 September 2025, harmonises data access for IoT users, while AI-related legislation, such as the draft AI Market Surveillance and Innovation Promotion Act (KI-MIG), outlines supervisory structures, with the Federal Network Agency as a central authority. Transitional periods for AI transparency obligations extend into 2026.
Freedom on the Net and Digital Violence Laws
Germany’s Freedom on the Net 2024 report noted ongoing efforts to supplement the Digital Services Act (DSA) with a proposed law against digital violence, compelling platforms to block harassing users and disclose IP addresses in severe cases. However, criticisms highlighted its potential overbreadth and incompatibility with EU law, following the European Court of Justice’s rulings on national jurisdiction over platforms like X. The Bundesnetzagentur oversees DSA implementation, supported by agencies like the Federal Commissioner for Data Protection and Freedom of Information.
Facial Recognition and Surveillance Concerns
Facial recognition technologies (FRTs) remain unregulated at the EU level for law enforcement, but data protection laws like the GDPR and Law Enforcement Directive apply. Guidelines from the European Data Protection Board stress proportionality, legal basis, and data subject rights, warning against broad applications that could infringe on privacy. In Germany, video surveillance rules under the BDSG face scrutiny for non-compliance with GDPR, prompting calls for reforms to ensure adequate safeguards against mass surveillance.
Chat Control Debates and Opposition
The EU’s Chat Control proposal, aimed at detecting child sexual abuse material, faced renewed scrutiny in 2025. Critics, including privacy advocates and organisations like Signal and the Chaos Computer Club, argued that client-side scanning undermines encryption and enables mass surveillance, posing national security risks. Despite Germany’s historical opposition, the Danish Presidency pushed for a vote in October 2025, with compromises not fully addressing concerns over end-to-end encryption. The German government has yet to clarify its stance, amid fears of a policy reversal.
Key Facts and Statistics
| Aspect | Details |
|---|---|
| Broadband Penetration | Half of German households still use DSL (up to 250 Mbit/s); fibre aims for gigabit speeds. |
| Data Protection Fines | GDPR allows fines up to 4% of global turnover or €20 million. |
| AI Act Implementation | Market surveillance authorities to be established by August 2025; KI-MIG draft published in September 2025. |
| Freedom on the Net Score | Germany scored high in 2024, but faces challenges with digital violence laws. |
Frequently Asked Questions
What is the EU Gigabit Infrastructure Regulation?
It is a 2025 EU law accelerating fibre rollout in Germany, with strict time limits for approvals and mandatory infrastructure sharing to reduce costs and disruptions.
How does Germany’s data protection law handle AI?
The draft KI-MIG assigns the Federal Network Agency as the central authority for AI market surveillance, ensuring cooperation with data protection bodies and implementing EU AI Act requirements.
What are the concerns with Chat Control?
It proposes scanning encrypted messages for child abuse material, but critics argue it creates backdoors, endangers privacy, and could be exploited by hackers, contradicting Germany’s privacy stance.
Are there exemptions for surveillance in Germany?
Yes, exceptions exist for national security and law enforcement under the BDSG and EU directives, but they must comply with proportionality and fundamental rights.
How can individuals access data under the Data Act?
Since September 2025, IoT users have rights to access data generated by their devices, promoting transparency and control over personal information.