Germany

[DE] Act on Legally Binding Communication via “De-Mail” Adopted

IRIS 2011-4:1/37

Sebastian Schweda

Institute of European Media Law (EMR), Saarbrücken/Brussels

With the votes of the ruling coalition, the German Bundestag (lower house of parliament) adopted the Gesetz zur Regelung von De-Mail-Diensten und zur Änderung weiterer Vorschriften (Act on the regulation of “De-Mail” services and amending other provisions) on 24 February 2011. The creation of the “De-Mail” e-mail service is designed to enable German citizens to send messages via the Internet in a secure, reliable and verifiable way with a single user account. Use of “De-Mail” is optional for citizens. Service providers can charge fees for carrying “De-Mails”, although the cost must be significantly lower than standard postage charges (see IRIS 2009-4/103).

The controversial Federal Government bill of 23 November 2010 had been amended in several places by the Bundestag’s Internal Affairs Committee. This process had also taken into account amendments proposed by the Bundesrat (upper house of parliament) as part of its role in the legislative process. However, the committee’s proposal, which has now been adopted by the parliament, ignored one essential objection. Both the Bundesrat and opposition parties had complained that no provision had been made for end-to-end encryption in order to guarantee secure communication. Under the new Act, e-mails are only encrypted while they are travelling and are also decrypted for a short time in order to check for viruses or unsolicited advertising (spam). The Federal Government refused to include the obligation to encrypt e-mail content so that only the sender and receiver can see it. It referred to the fact that the necessary software, although it had been available for a long time, was not used by many people, and that the “De-Mail” service was designed to offer basic security functions only. However, users could also incorporate end-to-end encryption themselves at any time.

Nevertheless, improved data protection rules were adopted, with strict limitations on the use of data, subject to criminal penalties. Accredited service providers may now only collect and use consumers’ personal data for the purposes of providing and operating De-Mail. General data protection rules, which allow data to be used for other purposes, are only applicable on a subsidiary basis and therefore do not apply in view of the aforementioned limitations.

The opposition voted unanimously against the bill, since it thought essential points had still not been adequately addressed. The Bundesrat will now vote on it on 18 March 2011. However, it can no longer veto the Act, since the Federal Government - contrary to the opinion of the Bundesrat - considers that the Bundesrat’s assent is not required.