EU Data Privacy Protections: Why Tuta Is Based in Germany.

With Strong Privacy Laws Like the GDPR and the Federal Data Protection Act, Germany Is One Of The Best Places For Your Secure Email Provider.

2024-02-19
Germany has some of the best privacy and data protection laws in the world. Combined with Tuta’s automatic end-to-end encryption, this makes Tuta Mail one of the most secure email providers in the world. While in theory we could move our business and servers to any place in the world, we have deliberately decided to keep them in Germany. Here is why.

Why Germany Stands Out:

1. German jurisdiction: German companies are not allowed to share customers’ information with foreign law enforcement.

2. No Data Retention: Unlike countries like the United States of America or Switzerland, Germany has no laws requiring companies to retain customer data.

3. European GDPR: In 2018 the General Data Protection Regulation (GDPR) was introduced in the European Union. This law sets a high bar for the requirements for protecting personal data. This forces companies to go above and beyond when taking privacy and security seriously.

4. EU Law Banning Weakening of End-to-End Encryption: By being located within the EU, Germany can take advantage of the latest European Court of Human Rights ruling, which bans the introduction of laws that aim to weaken end-to-end encryption. This one-of-a-kind law sets the EU's privacy standards far beyond those of countries like the US.

5. Right to Privacy Constitutionally Enshrined: The Right to Privacy is a documented part of the German Federal Constitution. This makes privacy the true law of the land, while other nations find themselves engaged in ever growing surveillance systems.

Why are data protection laws important?

Tuta encrypts your entire mailbox and data end-to-end so that no-one but yourself has access to your private information when it is at rest and while being sent. Tuta protects your personal data to the highest degree because we believe that everybody's right to privacy matters and it is time to stand up and fight for it.

As there is no law against whispering into someone's ear to hold a private conversation, in our opinion the same must be true for online conversations. Tuta's automatic end-to-end encryption allows you to do just that: Hold a private conversation online with our anonymous email service. Creating an end-to-end encrypted account anonymously allows you to not only communicate securely, but it also lets you organize calendar events and store important contacts privately.

Due to the encryption in Tuta, no one can access your stored data, not even we can access your encrypted data. Nonetheless, data protection legislation is also an important factor to consider when choosing a secure email provider. Fortunately, Germany has some of the best data protection laws and – what could be even more important – a vigilant technology and data protection community that keeps pushing for better privacy protections. These laws make Germany a perfect choice if you are looking to find a secure location for your data.

What is data protection and data privacy?

Many people use data protection and data privacy interchangeably, but there is a clear differentiation: Data protection describes tools and policies that LIMIT access to user data whereas data privacy refers to WHO has access despite any limitations.

  1. Data protection is also referred to as data security: This refers to the measures, privacy laws and policies set in place to safeguard and protect one’s personal data in order to keep it confidential and safe from external threats like data abuse and malicious attackers. It is the responsibility of each company to protect the users’ data by taking different precautionary measures, and by allowing the user to decide their level of privacy.

  2. Data privacy refers to who has access to the data: When an individual uses a service, the privacy policy of this service must state how the data of the user is used, stored, and with whom it is shared.

If the service respects your right to privacy, you can choose how, when and to what extent your data is collected and shared. If you are using a Big Tech service like Meta or Google, then data privacy is non-existent as their privacy policies require you to accept data sharing for using their free services. You’d hope that no personal data is collected and sold but as we know, this is not the case when it comes to Big Tech companies, and unfortunately the same is true in many countries where privacy laws are weak.

At the end of the day, data privacy and data protection are related in the sense that with one it’s vital to have the other - they go hand in hand. You can have strict data protection measures in place to protect user data from outside attacks, but if you have a lack of data privacy laws or measures internally, then user data could be free for all and in itself become a product sold to advertisers - which ultimately results in a lack of privacy entirely.

Just because your personal information is protected, it doesn’t mean your sensitive personal information is private. That’s why you should use services with advanced data protection and privacy measures in place, like Tuta Mail where not even the company itself can see your encrypted messages or other data.

Privacy Culture

Due to Germany's history – with oppressive systems like the German Democratic Republic (GDR) and Hitler’s regime during WWII that heavily relied upon surveillance of the general public – Germans are very reluctant to give the government too much power or to accept overly broad surveillance laws. Thus they also place high importance on data protection and privacy. For instance, the right to privacy is enshrined in the German constitution and general data retention is not possible in Germany.

While all data in Tuta is encrypted, there is some data that no email provider can encrypt, for instance metadata like the sender and recipient of an email or the date an email was sent. At Tuta, we go to great lengths to encrypt as much data as possible: subject lines – which are not encrypted by most email encryption protocols – have been encrypted with Tuta Mail from the start. In conclusion, while we have very little data, it is important to know what German authorities can and cannot request via a court order, and under what circumstances.

One major pro of German data protection laws is the fact that German companies are not allowed to hand out data of their customers to foreign law enforcement. A valid German court order is always required and only issued upon probable cause during a criminal investigation.

Plus, in Germany there is no law that could force us to submit to a gag order or to implement an encryption backdoor.

Surveillance around the world is growing

Politicians around the world want to increase online surveillance by claiming that surveillance will protect us from terrorist attacks and make the internet a safer place for children. While it is proven that more surveillance does not lead to more security, this is an important issue we as a secure email service need to monitor closely. For instance, many European countries now have data retention laws. In France and in the UK companies need to store their users' data for a minimum of 12 months, and Swiss businesses need to store their users' data for a minimum of six months.

Companies located within Germany do not have such a data retention law which makes Germany one of the best places for achieving online privacy and data protection.

Germany vs the United States

In Germany there is no law that could force us to submit to a gag order or to implement a backdoor. This is unlike the United States, where companies are quickly hit with national security letters (NSLs), which forbid them from disclosing the data requests and do not require pre-approval from a judge. The use of NSLs skyrocketed following the introduction of the PATRIOT Act, which increased the number of officials who could approve NSLs to include leading FBI agents across national field offices. By operating in Germany, we are free to disclose all legal inquiries and we take advantage of this liberty by regularly updating our transparency reports and maintaining an active warrant canary.

Beyond illegal warrantless surveillance, other intelligence agencies like the NSA have begun purchasing the data of US citizens from data brokers as a legally gray means of collecting massive amounts of behavioral and tracking data while saving millions of dollars in research and development. Data collection has now moved beyond the realm of spy games and has become big business. Strong legislation against these practices is the best way to combat the ever-growing Orwellian state. That's why we have chosen to keep our business and servers located in Germany where we can take advantage of the comprehensive EU data privacy laws like GDPR. Data stored in the EU avoids the traps set by US-based data brokers who collect and package any data they can get their hands on for sale. The EU provides an alternative safe space for launching your digital life, where companies are simply not allowed to sell off your personal information to the highest bidder.

If all this was not enough to give you reason to protect your data in the EU, the European Court of Human Rights has banned any and all legislation which seeks to weaken end-to-end encryption. This is a first globally, and sets the EU steps ahead of other nations' privacy laws like those in the United States.

There are other major differences between the EU and US in the centralization of data privacy laws. The EU has created fixed laws which apply to all member nations, while the US maintains a complex web of state laws which are limited in scope alongside federal laws which protect information in sectors like education or the healthcare industry. While attempts to establish privacy protection laws similar to the GDPR are also being made in the USA, for instance with the APRA proposal, the majority of US politicians have not taken up the cause for privacy. This is no surprise as large US tech companies like Google and Facebook generate most of their income by tracking customers and users.

The lack of unified protections in the United States puts the American public at a major disadvantage when seeking homegrown privacy. Due to the US’s lack of data protection and privacy laws, in most cases, the best thing you can do to protect yourself is to opt to use privacy-respecting alternatives which are located in the European Union.

Analysis of Data Protection laws in Germany

It is also noteworthy that the previous German Federal Data Protection Act already covers a lot of aspects of the European General Data Protection Regulation (GDPR), which came into effect on May 25th 2018. European privacy rights are some of the best in the world. The GDPR requires that companies protect personal information they handle. Any sharing of personal information such as a private home address, bank details, or CVs of applicants could lead to fines under the GDPR. It is recommended to protect emails containing personal information with proper end-to-end encryption offered by email services located within the European Union – which is another reason why Tuta Mail is the perfect solution. German-based Tuta Mail end-to-end encrypts all emails by default so naturally your communications are private and secure.

German Court Rulings Enhance EU Privacy Law

In Germany there are several laws that force companies like Tuta to protect their users' data from illegal access. Data privacy regulations in the European Union (EU) are among the strictest in the world, and among all European member states, Germany has one of the strongest policies: the Federal Data Protection Act (Bundesdatenschutzgesetz).

This law protects users of Internet services. It puts the user in charge of what should be done with their data: Companies (=we) are not allowed to collect any personal information (i.e. name, date of birth, IP address) without express permission from an individual (=you). This law sets Germany leagues ahead of the US privacy laws, where the widely accepted third party doctrine has allowed for the massive collection and sale of personal information. This lack of privacy protections launched an entire personal data industry focused solely on selling off your information.

Germany: number one global destination for end-to-end encryption

All in all, Germany holds a much better pro-privacy stance than the United States and many other Five Eyes countries. While many politicians around the world try to ban encryption, Germany wants to become the number one encryption site and Germany fights against legislative proposals like Chat Control in the EU. The German government declares in their 'Digital Agenda' that they want to foster the accessibility of secure and easy-to-use encryption solutions to protect their citizens' communication. On page 31 of the Agenda it says (translated from German): "We want to become the top one location for encryption in the world. For this, the encryption of private communication to many should become a standard."

Germany has a very good reason to protect its Internet users and their privacy. Only decades ago, Germany was re-united. Before that, the German Democratic Republic (East Germany) was a prime example of a surveillance state - with all its horrific consequences. In Germany we have learned our lesson, and we will continue to lead the cause for protecting our online privacy.

Privacy is a basic human right and we at Tuta believe that privacy is enhanced by encryption. We successfully defend your private communication against mass surveillance and illegal access by state agencies and attackers alike.

By choosing Tuta you are choosing privacy.

By combining our end-to-end encryption with both the EU and German privacy and data protection laws, your data has never been stored in a more secure manner. That security is going to get even stronger as we near the release of the world's first post-quantum email encryption! By choosing Tuta Mail, you are building up a digital defense both legally and through cutting-edge technology. This is the true way to maximize your privacy online.

And Tuta is more than just email: our encryption is also used to protect your calendars and contact lists, and soon it will be available for protecting your cloud storage! The threats to your online privacy won't be going away any time soon, but neither are we.

In a day and age where mass surveillance and data capture are rife, Tuta has made getting a free mailbox that’s end-to-end encrypted easy and accessible to everyone! Tuta Mail is based in Germany, a country with the highest privacy and data laws, ensuring you don’t fall victim to surveillance.

Make the switch and create your encrypted Tuta account in a few easy steps! It’s time to take back your privacy starting today!

Author
Brandon fights for your right to privacy by spreading the word about privacy respecting products like Tuta. His expertise in US privacy law, encryption usage and policy, and American surveillance politics lets him explain complicated topics and privacy issues in an easy-to-grasp language. Privacy shouldn't be a luxury and by working at Tuta, Brandon helps bring privacy and security to everyone.