Skip to Content

European Policy, Free Expression, Privacy & Data, Reproductive Rights

CDT Europe Reacts to EU Directive on Gender-Based Violence (GBV) – New Rules to Tackle Online GBV Create Free Expression Concerns

On February 6 2024, EU lawmakers reached a political agreement on the Directive to combat violence against women and domestic violence. The law sets minimum standards for the criminalisation of certain forms of gender-based violence (GBV), including online GBV, that all EU Member States will need to transpose into national law. Online GBV is prevalent in Europe and, as CDT research has shown more globally, has been a major problem for some time now in the U.S. and around the world, with women of colour at increased risk. In this blog, CDT Europe analyses the outcomes of the political agreement by outlining recommendations for EU Member States on how to improve upon the minimum standards set, how to better align the Directive with existing international human rights standards, and assesses the potential global impact of the Directive.

Minimum Standards Set for the Criminalisation of Online GBV

The draft Directive rightly recognised the significant impact online GBV has on women, particularly those with intersecting identities or in the public sphere, such as women politicians, journalists, and human rights defenders. Though the final text of the political agreement still needs to be finalised, the law criminalises non-consensual sharing of images; cyber stalking; cyber harassment, which includes doxxing and cyber-flashing; and cyber incitement to hatred

For each of these forms of online GBV, the Directive sets harmonised standards in order to ascertain if the conduct reaches the level of criminality. This includes the prerequisite that any content in question was publicly disseminated and for the conduct to have caused serious harm (including psychological) to the victim, or caused the victim to fear for their own safety or that of their dependents in order to meet the standards for  the criminalisation. With this, EU lawmakers have rightfully tried to strike a balance in recognising the severe harm that can be caused by online GBV whilst ensuring safeguards are in place to prevent cases being inappropriately criminalised – such as when images are shared consensually.

Non-Consensual Sharing of Images

The final agreement on the Directive establishes that the non-consensual sharing of images that depict sexually explicit activities or intimate parts of a person without consent is to be criminalised within EU member states. Throughout the negotiations, EU lawmakers also wanted to ensure that this captured the non-consensual production or manipulation of content (depicting the same activities), and subsequently disseminating that content – i.e. deep fakes.  From what is understood of the political agreement, lawmakers also included the need for this provision to not undermine respect for fundamental rights, specifically freedom of expression and information – an explicit recommendation made by CDT Europe to lawmakers during negotiations.

Though the provision is in line with existing standards and civil society recommendations for how to approach the non-consensual sharing of images, it would be important for EU Member States to ensure that during transposition, it is established that the legislature establishes the intent to ‘knowingly’ disseminate such content without the victims consent and the all instances are assessed on a case-by-case basis, within the context of GBV.

Cyber Stalking

Based on what is understood about the political agreement, EU negotiators have simplified the provision from the original draft. Lawmakers have agreed to criminalise the repeated or continuous surveillance of a person without their consent, which captures the use of GPS tracking apps or secretly activating keylogging software on a device. This narrower focus brings the provision into line with the existing standards and recommendations of the Council of Europe Istanbul Convention, of which the vast majority of EU member states, and the EU itself, has ratified. 

One aspect to note however is that the political agreement indicates that there may be some circumstances in which surveillance is carried out for legitimate purposes, such as parents monitoring the online activity of their children or caregivers monitoring the health of those in their care. These can, provided the relevant safeguards be in place be relevant instances, but in the context of GBV, tools used to monitor children have been weaponized by perpetrators to continue coercive control. A key recommendation here, therefore, is for these cases to still be assessed on a case-by-case basis and for relevant experts to be consulted throughout potential judicial proceedings.

Cyber Harassment

From the initial publication of the Directive, this provision has caused intense debate due to the concerning proposal to criminalise “initiating an attack with third parties, directed at another person, by making threatening or insulting material accessible…,” without any supplementary definitions or specified safeguards to prevent the criminalisation of legitimate speech. EU negotiators convey that they have made some improvements to the text in the final agreement and have additionally criminalised the unsolicited sending of content containing the genitals of a person (i.e., cyberflashing), a prevalent issue which significantly impacts young women and girls. EU lawmakers also clarified that threatening conduct is only criminalised when it is repeated/continuous and when that conduct involves threats to commit criminal offences, however many concerns still remain. 

The most notable example is the criminalisation of ‘mob attacks’, i.e. engaging in threatening or insulting conduct with other persons. It seems that the final political agreement does not include the need for threats or insults to include repeated conduct or the threat to commit criminal conduct in order to meet the necessary standards to amount to criminalisation. Alongside this, neither ‘threatening’ nor ‘insulting’ conduct is expressly defined or linked to existing international standards. These concerning omissions lead to the potential criminalisation of counterspeech, which undermines free expression and the right to assembly and protest. We know that, unfortunately, such careless definitions ultimately can end up silencing women’s voices i.e. advocates for sexual and reproductive health rights. Without the necessary clarifications here, their online campaigns could be characterised as harassment and subsequently criminalised. Therefore, as the law is transposed and in order to prevent the unintentional criminalisation of speech, Member States should ensure the multilayered and nuanced process that a judge would undertake in order to make such a determination are firmly in place.

Cyber Incitement to Hatred

Similar to the article on Cyber Harassment, the draft Directive proposed to criminalise the incitement of violence or hatred on the basis of gender without, unfortunately, clear alignment with the thresholds laid out by the International Covenant on Civil and Political Rights (ICCPR). The final agreement does make some improvements by establishing the prerequisite that such conduct should only be criminalised if it is likely to disturb public order or is deemed to be threatening, abusive, or insulting to the victim. Once again, the issue here is that several terms (i.e. threatening and abusive) remain undefined in the text and the standards set for determining ‘threatening or insulting’ conduct is not set out in the text. 

It is essential therefore that Member States take their responsibility to build upon these minimum standards seriously, but supplementing in their national law the requirements to ensure any potential derogations from the right to freedom of expression in the context of cyber incitement to violence or hatred meet the thresholds laid out by Article 20 of the ICCPR and the Rabat Plan of Action

A Nuanced Approach

With this Directive, EU Lawmakers have established what they determine as the ‘most serious forms of cyber violence’ which should be criminalised. Online GBV exists on a spectrum however and can take many forms, including actions that may not rise to the level of illegal conduct, but which can nevertheless have a chilling effect on women and non-binary people’s speech. The EU’s other regulatory frameworks, such as the Digital Services Act, puts in place due diligence obligations to address other forms of online GBV that cause significant harm, such as gendered disinformation, but that are better addressed through risk mitigation and expert consultation. 

This particular approach to addressing online GBV is not unique to the EU, with several jurisdictions having already introduced measures to address online GBV, whether through concrete legislation or voluntary frameworks co-developed with industry and international bodies. However, with the Directive and Digital Services Act now either agreed or in law, it would be pertinent to ensure that human-rights centred approach to enforcement and high standards of accountability towards due diligence obligations are maintained. There are specific recommendations for relevant stakeholders to consider in order for online GBV, and our progress towards true gender equity in our online ecosystems, to be achieved.

For Legislators

  • Legislation to address and potentially criminalise forms of online GBV must assess the balancing of rights under international law, especially the right to freedom of expression or access to information. Therefore, where it is not appropriate to put in place criminal law, mandatory due diligence obligations for online platforms should be adopted instead. 
  • A human-right centred approach to enforcement must be adopted, especially to prevent potential over-enforcement of laws, especially for historically marginalised groups, who continue to face discrimination such as a disproportionate application of punitive measures and surveillance from law enforcement bodies.

For Industry

  • Providers of intermediary services, specifically online platforms which host user-generated content must adhere to their international obligations to ensure their services do not undermine the rights of users, including the right of freedom from discrimination and harm. 
  • Online platforms must improve the level of transparency and meaningfully consult with expert civil society organisations in order to consistently improve upon internal mechanisms to address gender-related harms on their platforms. 
  • Platforms should consistently improve upon their content moderation systems in particular to address those forms of online GBV criminalised under the Directive. However, they should recognize the importance of human review in those systems and the limitations of automated content moderation tools such as those based on machine learning and generative AI as these tools cannot sufficiently analyse context which is important to identifying cyber harassment and cyber incitement to hatred. 
  • Platforms should protect the health and safety of human reviewers involved in any content moderation system to address online GBV and those who contribute to the development of training datasets. 
  • Invest in content moderation systems that are responsive to the intersectional dimensions of online GBV. This includes systems that recognize the unique ways women from minority backgrounds (based on race, immigrant status, religion, etc.) are particularly vulnerable to the forms of online GBV criminalised under the Directive.

For Researchers

  • In the EU, researchers should make the most of the Article 40 provisions to access data from online platforms for research that can better inform policymakers on the patterns, scale, and impacts of the offences outlined in the Directive. In particular they should focus research on the multiple identities that women hold and the focus of online GBV. 
  • Although Article 40 creates a process for vetted researchers to access data from online platforms, researchers should still be aware of the potential for unjustified law enforcement demands for such data. Article 8 of the European Convention on Human Rights can protect researchers in this regard, but not all researchers may be aware of, or have the resources to challenge, such unjustified demands.


CDT Europe welcomes the Directive, particularly taking into consideration the long journey for many advocates over the last decade to see this legislative framework established. It is vital that as the Directive is transposed into national laws, emphasis is placed on guaranteeing legal clarity and harmonisation with the broader EU co-regulatory framework in place. Similarly the initiatives of regional and international bodies such as the UN and OSCE must be advanced, with stronger mechanisms established to improve standards and to hold online platforms more accountable to their due diligence obligations. Online GBV undermines gender parity in the online ecosystem and prevents those who experience it from enjoying their right to privacy, freedom of expression, and safety. It is vital therefore that all efforts globally to combat this phenomenon are coherent, aligned with international human rights law,  intersectional in their approach and can not be weaponized against the very people they are aimed to protect.