Until 1989, Germany was a divided country. East Germany was under communist rule. The power base of the communist government was its secret service — the infamous “Staatssicherheit,” also known as the Stasi.
As a West German, I knew that the Stasi was likely to open the envelope when I sent a letter to my friends in the east part of Berlin. I also knew that the Stasi was likely to listen in when I called, so we were careful not to talk politics (or the music tapes I would smuggle across the border on my next visit) on the phone.
Today, 30 years later, communication is mainly electronic. When communicating, we all rely on our smartphones, tablets and laptops.
As the days of the Stasi are long gone, we all trust communication to be safe. We expect our service providers not to read our emails. We expect our telco providers not to intercept our messages. We expect our government not to listen in on our calls.
Trust in the confidentiality and security of communication is essential for the freedom of communication. People will only speak frankly and openly when they can communicate without the fear of surveillance and interception.
In the German constitution, the “secrecy of telecommunication” — “Telekommunikationsgeheimnis” — is defined as a fundamental right, akin to, but separate from, the fundamental right to privacy and “informational self-determination.”
Since the 1990s, the confidentiality of communication is also protected by the ePrivacy Directive. Article 5 ePD prohibits, as a rule, “listening, tapping, storage or other kinds of interception or surveillance of communications.”
The prohibition of interception and surveillance does not only protect privacy and the right to protection of personal data but also the freedom of communication, as recently stressed by the Court of Justice of the European Union in its Tele2 decision on data retention:
“Accordingly, the importance both of the right to privacy, guaranteed in Article 7 of the Charter, and of the right to protection of personal data, guaranteed in Article 8 of the Charter, as derived from the Court’s case-law …, must be taken into consideration in interpreting Article 15(1) of Directive 2002/58. The same is true of the right to freedom of expression in the light of the particular importance accorded to that freedom in any democratic society. That fundamental right, guaranteed in Article 11 of the Charter, constitutes one of the essential foundations of a pluralist, democratic society, and is one of the values on which, under Article 2 TEU, the Union is founded.”
The new, proposed ePrivacy Regulation that is presently being debated needs to meet the high standards set by the CJEU. According to these standards, protecting privacy is not enough. The freedom of communication also needs to be protected.
The European approach to privacy is “prohibition by default.” Any processing of personal data is prohibited unless such processing is covered by one of the grounds for lawful processing spelled out in Article 6 of the General Data Protection Regulation: consent, contract, legal obligation, vital, public or legitimate interests. The European Commission and the European Parliament intend to extend this approach to the new ePR: The existing prohibition of interception and surveillance is to be extended to any “processing” of electronic communications (Article 5 of the ePR). For the lawfulness of such processing, consent will normally be required (Article 6 of the ePR).
From a privacy point of view, the prohibition is consistent as it sets a standard of protection that is equivalent to the GDPR. However, as the CJEU has pointed out in the Tele2 case, the ePD and the ePR are not merely about privacy but also about the freedom of communication.
“Prohibition by default” cannot be the right answer when protecting the freedom of communication. I want my mails, messages and calls to remain confident and protected against interception. At the same time, I want to communicate without restrictions, checkboxes and red tape.
“Prohibition by default” has its side effects that become obvious in Article 6 of the ePR. Communication always involves, at least, two persons – sender and recipient. As it is the aim of the ePR to protect privacy, it will normally not be enough to ask the sender or the recipient for consent. In many cases, “all users concerned” needs to give consent, and it is hard to find a good reason why a spammer does not need to be asked before his mail is filtered out.
As the CJEU rightly pointed out, the freedom of communication is not just an individual right but also essential for an open, democratic and pluralistic society. Therefore, it is communication and not abstention from communication that needs to be encouraged. Communication must neither be prohibited nor burdened with overabundant consent requirements.
In order to meet the standards of Article 11 of the EU Charter of Fundamental Rights, Article 5 of the ePR needs to be revised. While it is vital to protect communication against interception and surveillance, communication is also a fundamental right that needs to be fostered and encouraged. When we're talking about communication, “prohibition by default” cannot be a regulatory option in a free and democratic society.