The German Federal Ministry for Digital and Transport (Bundesministerium für Digitales und Verkehr – BMDV) has drawn up a new draft bill which shall introduce:
- (i) a statutory obligation for providers of number-independent interpersonal communication services (e.g. instant messaging services) to allow their users to use end-to-end encryption (“E2EE”), and (ii) a statutory transparency obligation for such providers to inform their users accordingly; and
- a statutory transparency obligation for providers of certain cloud services to inform their users about how to use continuous and secure encryption (“Draft Bill”).
The Draft Bill (status 7 February 2024), which does not have any basis in EU law, is available here (German content).
Summary of Draft Bill
Based on the findings in the German Federal Cartel Office’s (Bundeskartellamt – “BKartA”) recent report on its sector inquiry into messenger and video services (German content), which focused on the issues of data protection and data security (English summary available here), the reasoning of the Draft Bill states that:
“Although end-to-end encryption is now the industry standard, some messenger services do not apply end-to-end encryption at all or only use it for certain functions, without this being justified by technical restrictions.”
Under the Draft Bill, the Federal Telecommunications and Telemedia Data Protection Act (“TTDSG”) shall be amended to require providers of number-independent interpersonal communications services, such as email, messenger and other chat services, to (i) implement for their services E2EE by default or (ii) ensure that users can use E2EE, wherever technically feasible. The Draft Bill acknowledges that E2EE is subject to technical limitations where certain services or many users are involved, such as in video conferences and webinars.
This obligation is complemented by a transparency obligation. In essence, under this transparency obligation providers shall inform users about (i) the implementation of E2EE by default, (ii) how E2EE can be used, or (iii) technical reasons why E2EE is not feasible, as applicable.
Providers of cloud services that enable their users to store their data shall also be subject to a similar transparency obligation. They shall be obliged to provide users with information about how to protect their data stored in the cloud with continuous and secure encryption. Notably, page 7 of the Draft Bill suggests that services that disseminate information of their users to the public shall not be subject to this transparency obligation. In our view, this would place ‘online platforms’ within the meaning of Article 3(i) EU Digital Services Act (“DSA”) out of scope, unless they also provide number-independent interpersonal communication services.
Non-compliance with the transparency obligation to inform users shall constitute an administrative offence and result in an administrative fine.
According to the Draft Bill, the planned right to encryption shall increase acceptance for the widespread use of encryption technologies among the population, businesses and public institutions:
“It is an essential contribution to guaranteeing the fundamental rights to the secrecy of telecommunications and the confidentiality and integrity of information technology systems and to cybersecurity”.
How does the Draft Bill align with other pending legislative projects?
Interplay of the Draft Bill with current developments at EU level
The Draft Bill aligns with current developments at EU level, in particular the proposed permanent regulation laying down rules to prevent and combat child sexual abuse. This proposed EU regulation is intended to impose qualified obligations on providers of hosting or interpersonal communication services (and other services) concerning the detection, reporting, removing and blocking of known and new online child sexual abuse material (“CSAM”), as well as solicitation of children (“Proposed CSAM Regulation”):
In May 2022, the European Commission published the first legislative proposal for the Proposed CSAM Regulation. In its recent Report of 16 November 2023, the European Parliament’s Committee on Civil Liberties, Justice and Home Affairs (“LIBE”) recommended introducing a quite significant exception to the text of the Proposed CSAM Regulation: end-to-end encrypted communications shall expressly be exempted from detection orders under the Proposed CSAM Regulation. Furthermore, nothing in the Proposed CSAM Regulation shall be interpreted as prohibiting, weakening or undermining E2EE. LIBE expressly stressed that:
“end-to-end encryption is an important tool to guarantee the security and confidentiality of the communications of users, including those of children”.
The national data protection authorities of EU Member States expressly welcomed LIBE’s proposal to exempt end-to-end encrypted communications from detection orders under the Proposed CSAM Regulation (cf. European Data Protection Board (EDPB), Statement 1/2024 of 13 February 2024).
Challenges emerge, however, with regard to the EU Digital Markets Act (“DMA”). Article 7 DMA requires number-independent interpersonal communications services of “gatekeepers” to be interoperable. According to BKartA’s sector inquiry report, the concept of market-wide interoperability of services with E2EE is a challenging issue. This is due to the many individual solutions on the market and the technical challenges posed by interoperability.
Interplay of the Draft Bill with current developments at national level
Germany is currently adjusting its national law provisions to align with the DSA: a draft bill for a German DSA Implementing Act is currently in the legislative process. Once enacted, the German DSA Implementing Act will result in quite significant changes to the TTDSG, as will the Draft Bill. However, so far the Draft Bill has not taken into account the amendments under the German DSA Implementing Act that are to be expected, in particular the proposed replacement of the long-standing notion “Telemedia” (German: “Telemedien”) with the new term “Digital Services” (German: “Digitale Dienste”) within the entire German legal system. Accordingly, at least some editorial changes will need to be made to the Draft Bill during the upcoming legislative process.
Outlook
The Draft Bill is currently at an early stage of the legislative process. Stakeholders may take the opportunity to present their comments on the Draft Bill and/or identify items that may require further clarification.