Law Library Stacks

Back to Government Access to Encrypted Communications

I. Interception of Communications Data

Article 10 of the German Basic law provides that the privacy of correspondence, mail, and telecommunications is inviolable. Restrictions may only be imposed pursuant to law. If the restriction serves to protect the free, democratic basic order or the existence or security of the German Federation or of a German state, the law may provide that the affected person will not be informed of the measure. [1]

Several German intelligence and law enforcement agencies have been authorized to access, intercept, and request stored communications data. This authority and its limits are delineated in article 10 of the Basic Law as explained above and in specific acts. For the Federal Intelligence Agencies, the specific authorizations are contained in the Act on the Federal Office for the Protection of the Constitution; [2] the Act on the Federal Intelligence Service; [3] the Act on the Military Counterintelligence Service; [4] and the Act to Restrict the Privacy of Correspondence, Mail, and Telecommunications (Article 10 Act). [5]

Furthermore, restrictions on the privacy of mail and telecommunications undertaken by Federal Intelligence Agencies are monitored by the Article 10 Commission of the German Parliament. [6]

The authorizations for the federal law enforcement agencies are contained in the Act on the Federal Criminal Police Office, [7] the Act on the Federal Police, [8] the Act on the Customs Investigation Bureau and the Customs Investigation Offices, [9] and the Code of Criminal Procedure. [10]

Back to Top

II. Transmission of Communications

The German Federal Constitutional Court has held that the transmission of subscriber data by telecommunications providers to a requesting agency is only permissible if there is a legal norm authorizing the agency to request the data and an additional legal norm obligating the telecommunications provider to transfer the data (“double door model”). [11] Telecommunications providers are defined as anyone who exclusively or occasionally provides telecommunications services or who contributes to the provision of such services. [12]

Anyone who operates a telecommunications network that provides publicly available telecommunications services to more than 10,000 participants is obligated to install a surveillance system that complies with the technical requirements set out in the Telecommunications Surveillance Directive and the technical guideline adopted by the German Federal Network Agency. [13] Telecommunications providers must ensure that they are at all times capable of being informed by telephone of incoming requests and their urgency, and that they are able to accept and process such requests during regular business hours. [14]

Once a request from an authorized agency is received, a surveillance copy of the communications must be compiled and transmitted without undue delay. [15] It must include informational content and event data. [16] The communications are transmitted in the form in which they were received by the telecommunications provider. [17] If the telecommunications providers do not comply with a lawful transmission request, the Federal Network Agency may impose fines of up to €500,000 (around US$561,100) to force compliance, or partially or completely shut down the operations of the providers. [18]

Back to Top

III. Encryption of Communications

The aforementioned laws, which allow the access, interception, and transmission of communications, make no distinction between encrypted and unencrypted communications. If the communications have been encrypted by the user, federal intelligence agencies and law enforcement agencies are allowed to use whatever technologies they have at their disposal to unlock lawfully intercepted and transmitted encrypted communications. If they discover an encryption or network key during the course of the interception or surveillance of communications or during the course of a lawful search, they may use it to unlock the encrypted communications. [19]

However, there is no legal basis that would compel the user to turn over an encryption or network key, in particular with regard to the nemo tenetur principle. The nemo tenetur principle, derived from the general right of personality found in the German Basic Law and from section 136, para. 1, sentence 1 of the German Code of Criminal Procedure, states that a suspect may not be compelled to cooperate in an investigation that would incriminate him/herself.

If the communications were encrypted by the telecommunications providers (network encryption), the encryption must be removed at the point of transmission to the requesting agency. [20] Furthermore, if the telecommunications providers support encryption of peer-to-peer communications over the Internet by means of key management provided by them without involving their network elements or those of their partners in the transmission of the content, the providers must make the initial key available to the requesting agency. The telecommunications providers do not need to transmit the exchanged key if they can remove the encryption themselves by means of additional network elements. [21]

Back to Top

IV. European Developments

In an April 2015 communication titled “European Agenda on Security,” the EU Commission proposed, among other ideas, to create an EU Forum with IT companies to help counter terrorist propaganda and address the concerns of law enforcement agencies about new encryption technologies. [22] The EU Forum was officially launched in December 2015. [23]

Furthermore, in July 2015, Europol launched the European Union Internet Referral Unit (EU IRU). The goal of the EU IRU is “to combat terrorist propaganda and related violent extremist activities on the internet.” [24] Europol Director Rob Wainwright has expressed concerns that encrypted communications pose problems for law enforcement when dealing with terrorism threats. [25] The German government stated that it supports the efforts and goals of the EU IRU, but that it was not aware of specific plans that were discussed with technology firms regarding encryption mechanisms. [26]

Prepared by Jenny Gesley
Foreign Law Specialist
May 2016


[1] Grundgesetz für die Bundesrepublik Deutschland [Grundgesetz] [GG] [Basic Law], May 23, 1949, Bundesgesetzblatt [BGBl.] [Federal Law Gazette] I at 1, unofficial English translation at http://www.gesetze -im-internet.de/englisch_gg/basic_law_for_the_federal_republic_of_germany.pdf , archived at http://perma.cc/ MER4-79JH.

[2] Bundesverfassungsschutzgesetz [BVerfSchG], Dec. 20, 1990, BGBl. I at 2954, 2970, as amended, §§ 8a, 8d, http://www.gesetze-im-internet.de/bundesrecht/bverfschg/gesamt.pdf , archived at http://perma.cc/C858-Y6VY.

[3] Bundesnachrichtendienstgesetz (BNDG), Dec. 20, 1990, BGBl. I at 2954, 2979, as amended, §§ 2a, 2b,http://www.gesetze-im-internet.de/bundesrecht/bndg/gesamt.pdf, archived at http://perma.cc/7DTM-H656.

[4] Gesetz über den militärischen Abschirmdienst [MADG], Dec. 20, 1990, BGBl. I at 2954, 2977, as amended, §§ 4a, 4b,http://www.gesetze-im-internet.de/bundesrecht/madg/gesamt.pdf, archived at http://perma.cc /99CA-LB6W.

[5] Gesetz zur Beschränkung des Brief-, Post- und Fernmeldegeheimnisses [Artikel 10-Gesetz] [G 10], June 26, 2001, BGBl. I at 1254, 2298, as amended, § 1, para. 1,http://www.gesetze-im-internet.de/bundesrecht/g10_2001/gesamt. pdf, archived at http:// perma.cc/6YVZ-UCCU.

[6] Article 10 Act § 1, para. 2, § 15.

[7] Bundeskriminalamtgesetz [BKAG], July 7, 1997, BGBl. I at 1650, as amended, § 7, paras. 3, 4; § 20b, paras. 3, 4; § 20l; § 20m; § 20m; § 22, http://www.gesetze-im-internet.de/bundesrecht/bkag_1997/gesamt.pdf , archived at http://perma.cc/XJ9R-4HUX.

[8] Bundespolizeigesetz [BpolG], Oct. 19, 1994, BGBl. I at 2978, 2979, as amended,http://www.gesetze-im-internet. de/bundesrecht/bpolbg/gesamt.pdf, archived at http://perma.cc/LEU5-HE59.

[9] Gesetz über das Zollkriminalamt und die Zollfahndungsämter [ZFdG], Aug. 16, 2002, BGBl. I at 3202, as amended, § 7, paras. 5-9; § 15, paras. 2–6; §§ 23a–23g,http://www.gesetze-im-internet.de/bundesrecht/zfdg/ gesamt.pdf, archived at http://perma.cc/T7J8-T9TV.

[10] Strafprozessordnung [StPO], Apr. 7, 1987, BGBl. I at 1074, 1319, as amended, §§ 100a, 100b, 100g, 100i, 100j,http://www.gesetze-im-internet.de/bundesrecht/stpo/gesamt.pdf, archived at http://perma.cc/ZA7K-47GY, unofficial English translation at http://www.gesetze-im-internet.de/englisch_stpo/german_code_of_ criminal_procedure.pdf , archived at http://perma.cc/A6MH-9KXA (English translation only current up to 2014).

[11] Bundesverfassungsgericht [BVerfG] [Federal Constitutional Court], 100 Entscheidungen des Bundesverfassungsgerichts [BVerfGE] [Decisions of the Federal Constitutional Court] 313, 366 et seq., http://www.bundesverfassungsgericht.de/SharedDocs/Entscheidungen/EN/1999/07/rs19990714_1bvr222694 en.html , archived at http://perma.cc/QBZ9-3B9A. If the agency is authorized by law to request communications data, the Telecommunications Act requires telecommunications providers to immediately comply with such a request. Telekommunikationsgesetz [TKG] [Telecommunications Act], June 22, 2004, BGBl. I at 1190, as amended, §§ 110–115,http://www.gesetze-im-internet.de/bundesrecht/tkg_2004/gesamt.pdf, archived at http://perma.cc/WP2Y-XH69.

[12] Telecommunications Act § 3, no. 6.

[13] Telekommunikations-Überwachungsverordnung [TKÜV] [Telecommunications Surveillance Directive], Nov. 3, 2005, BGBl. I at 3136, as amended, §§ 3, 5, para. 1, http://www.gesetze-im-internet.de/bundesrecht/tk_v_2005/ gesamt.pdf , archived at http://perma.cc/4MFL-9LW8; Technical Guideline for the Implementation of Legal Measures for the Surveillance of Telecommunications and the Disclosure of Information, Oct. 15, 2015, http://www. bundesnetzagentur.de/SharedDocs/Downloads/DE/Sachgebiete/Telekommunikation/Unternehmen_Institutionen/Anbieterpflichten/OeffentlicheSicherheit/TechnUmsetzung110/Downloads/TRTK%C3%9CV%20englische%20Version.pdf?__blob=publicationFile&v=7 , archived at http://perma.cc/F382-S4TE.

[14] Telecommunications Surveillance Directive § 12.

[15] Id . § 6, para. 1.

[16] Id . § 5, para. 1.

[17] Id . § 8, para. 2, no. 3.

[18] Telecommunications Act § 115.

[19] Code of Criminal Procedure § 95.

[20] Telecommunications Surveillance Directive § 8, para. 3.

[21] Technical Guideline, Part A, Annex D.1, para. 7.5.1; Part A, Annex H.3.2, para. 5.5; Part A, Annex H.3.3, para. 4.4; Part A, Annex H.3.4, para. 6.2.

[22] Communication from the Commission to the European Parliament, the Council, the European Economic and Social Committee and the Committee of the Regions, the European Agenda on Security , at 16, COM (2015) 185 final (Apr. 28, 2015), http://ec.europa.eu/dgs/home-affairs/e-library/documents/basic-documents/docs/eu_agenda_ on_security_en.pdf , archived at http://perma.cc/Z8AR-ALEE.

[23] European Commission Press Release IP/15/6243, EU Internet Forum: Bringing Together Governments, Europol and Technology Companies to Counter Terrorist Content and Hate Speech Online (Dec. 3, 2015),http://europa.eu/ rapid/press-release_IP-15-6243_en.htm, archived at http://perma.cc/PYG3-3DMD.

[24] Europol Press Release, Europol’s Internet Referral Unit to Combat Terrorist and Violent Extremist Propaganda (July 1, 2015), https://www.europol.europa. eu/content/europol%E2%80%99s-internet-referral-unit-combat-terrorist -and-violent-extremist-propaganda , archived at http://perma.cc/6VA4-5RK2.

[25] Warwick Ashford, EU Launches Internet Referral Unit to Combat Online Extremism, Computerweekly.com (July 1, 2015), http://www. computerweekly.com/news/4500249133/EU-launches-Internet-Referral-Unit-to-combat-online-extremism , archived at http://perma.cc/DYN5-UVG2.

[26] Deutscher Bundestag: Drucksachen und Protokolle [BT-Drs.] 18/5144, p. 6, questions 16, 17,http://dip21.bundestag.de/dip21/btd/18/051/1805144.pdf, archived at http://perma.cc/YVE2-8DBW.

Back to Top

Last Updated: 10/01/2016