The German Federal Court of Justice (FCJ) has recently clarified important legal standards for companies providing digital services. In its ruling (VI ZB 79/23), the court addressed the responsibilities of digital services when faced with requests from businesses or individuals seeking to identify users behind critical or allegedly defamatory posts particularly on social media platforms and online review sites. The focus of this judgment is Section 21 of the German Telecommunications Digital Services Data Protection Act (TDDDG). This provision allows private individuals, not law enforcement authorities, to request the disclosure of subscriber data from digital services providers. The implications of the data disclosure to a third party raise important questions about the balance between privacy and individual rights and interests. 

1. Strict Requirements for User Data Disclosure

Under Section 21 (2) TDDDG, digital services are only obliged to disclose subscriber data if the content in question fulfills the criteria of specific criminal offenses, such as defamation (Section 185–187 StGB).  This means that not every negative or critical review justifies a data disclosure request. The threshold is high: the statement must clearly constitute a criminal offense, not merely be unpleasant or damaging to reputation. 

2. Distinction Between Opinion and Fact

The court emphasized the crucial distinction between protected opinions and factual assertions. If a review is classified as a subjective opinion, even if harsh or generalizing, it is generally protected under freedom of expression (Article 5 GG).  Only verifiable false factual claims may trigger a right to data disclosure. In cases of ambiguity, courts will favor the interpretation that protects free speech. 

3. Context Matters

The FCJ highlighted that statements must be interpreted in their full context. On review platforms, users typically expect subjective, personal assessments.  Even if a statement uses plural forms or generalizations, it may still be seen as an opinion rather than a concrete factual claim, especially if it is embedded in a broader, emotional critique.

4. Procedural Requirements under Section 21 (3) TDDDG

Once the material requirements for a request under Section 21 (2) TDDDG are fulfilled, the TDDDG also imposes certain formal requirements: 

• Judicial Order Required: According to Section 21 (3) TDDDG, the disclosure of user data is not at the sole discretion of the digital service. A judicial order is required before any data can be released.
• Application Process: The injured party (e.g., the subject of a negative review or insulting post) must apply to the competent court for an order permitting and obliging the digital service operator to disclose the relevant user data.
• Court Review: The court will independently review whether the substantive requirements of Section 21 (2) TDDDG are met, specifically, whether the content constitutes a criminal offense as listed in the statute. 
• Binding Decision: Only after a positive court decision is the digital service legally permitted and required to disclose the user’s data. 

5. Practical Implications for Digital Services

• No Voluntary Disclosure: Digital services may not voluntarily disclose user data in these cases; a judicial order is mandatory.
• Internal Procedures: Digital services should have clear internal processes to handle such requests, ensuring that no data is disclosed without a valid judicial order and that the content in question is carefully assessed for its legal character (opinion vs. fact, criminal relevance). 
• User Protection: These requirements reinforce the protection of user anonymity and freedom of expression, ensuring that data disclosure is an exception, not the rule.

Conclusion

This decision strengthens the protection of user anonymity and freedom of expression on digital services. Companies should be aware that legal avenues to unmask their users are narrow and only available in exceptional cases.  Under Section 21 (2) and (3) TDDDG, digital services are only required and permitted to disclose subscriber data if a court, upon application by the injured party, finds that the content in question clearly fulfills the elements of a listed criminal offense.  The process is strictly regulated to protect user rights and ensure that freedom of expression is not unduly restricted. 

At Reed Smith's Emerging Technologies Group, we are dedicated to guiding you through the complexities of data and digital-related challenges. Stay informed on the latest developments in privacy and platform litigation by subscribing to our authors and following #TechLitigationNews.