Germany seeks to make encryption a legal right

End-to-end encryption could become mandatory in Germany for some digital services if a new proposed law is passed.

The bill will require messaging platforms, email, and cloud service providers to offer users the possibility to encrypt their data "wherever it is technically possible." 

While governments worldwide are increasingly seeking to break encryption in the name of public safety, Germany could become the first country to defend the right to private and secure communications in a federal law.

Encryption as a legal standard

"Although end-to-end encryption is now the industry standard, individual messenger services do not use end-to-end encryption or only use it for certain functions, without this being justified by technical restrictions," reads the bill—here's the full text in German.

By definition, encryption is the process of scrambling data into an unreadable form to protect it from unauthorized access. This means that no one, even the provider itself, can see what users send to each other.

Many applications now offer E2E—think of the best secure email providers on the market, or messaging apps like Signal—but such protection isn't mandatory. The law aims to challenge this and make encryption a new standard, a default for those services that handle people's most sensitive data and can technically do so.

The draft bill intends to partially amend the German Telecommunications Telemedia Data Protection Act (TTDSG). While introducing an obligation for interpersonal communication and could services providers to offer encryption—or, if applicable, explaining why it wasn't possible to implement—it will also require informing users on how to use the protection for maximum security.

Legislators hope that by defending the right to encryption in federal law, they could promote the acceptance of the widespread use of these secure technologies among citizens, businesses, and public bodies alike. They described the practice as "an essential contribution to guaranteeing the fundamental rights to ensure telecommunications secrecy as well as the confidentiality and integrity of information technology systems and cybersecurity."  

The bill has been widely welcomed by the cybersecurity industry so far as a win for privacy.

For instance, Hannover-based encrypted email Tuta (formerly known as Tutanota) described it as an "outstanding move" from the German government. 

"Along with other IT experts we've been saying for years that only strong end-to-end encryption can protect data that is shared online from various cyber threats," Matthias Pfau, co-founder of Tuta Mail, told TechRadar. "It's great to see that the German government is now going in the right direction, not following the path of many other politicians who want stronger monitoring laws instead of better privacy protections."

Also according to the Free Democratic Party (FDP), one of the parties involved in the 2021 coalition agreement that first planted the seed for the legal right to encryption, the draft bill is a necessary prevention to potential future legislations, like the EU Chat Control, trying to break this protection—FDP spokesperson Maximilian Funke-Kaiser told digital advocate group Netzpolotik.

Not everybody is fully convinced just yet, though. The lawyer Dennis-Kenji Kipker from the University of Bremen, for instance, labeled the proposed law as "more of a PR measure than a sustainable strengthening of cybersecurity for everyone" as users will ultimately have to implement the security feature themselves.

However, the bill is just at the beginning of the legislative process. The federal cabinet still needs to reach an agreement, before the Bundestag (German Parliament) will start evaluating the draft proposal.