Close
What would you like to look for?
Site search

8 November 2021

E-mail Service Also Subject to Limited Telecom Surveillance Only

According to the Swiss Federal Administrative Court, Proton AG does not offer telecommunications services with its e-mail service. The court thus confirms the restriction of the obligations of OTT service providers to cooperate in the monitoring of their users' telecommunications traffic, as recently judged by the Swiss Federal Supreme Court. The Swiss Surveillance Service must reconsider its practice.

What It's All About

Proton AG ("Proton") is a Swiss provider of e-mail services and offers its users a virtual private network ("VPN"). Proton markets its services as part of their efforts to "build an internet that protects privacy" by, for example, offering end-to-end encryption and rigorously limiting the amount of user data collected and stored. Key for Proton's marketing is their credibility with respect to confidentiality – including vis-à-vis authorities.

The Swiss Post and Telecommunications Surveillance Service ("Surveillance Service") previously treated Proton as a telecommunications service provider ("TSP") for e-mail and VPN services, but with reduced surveillance obligations (art. 51 of the Swiss Federal Ordinance of 15 March 2016 on the Surveillance of Post and Telecommunications [SPTO]), as requested by Proton. Later, Proton requested classification as a provider of derived communication services ("PDCS"). PDCS are subject to significantly reduced obligations to cooperate in the area of telecom surveillance compared to TSP (on this delimitation, see also our article from 2018 "New Surveillance and Information Obligations for Communication Service Providers"). The Surveillance Service did not respond to this request – on the contrary: Following a reassessment in September 2020, it henceforth even classified Proton (under surveillance law) as a "regular" TSP (pursuant to Art. 2 lit. b of the Swiss Federal Act of 18 March 2016 on the Surveillance of Post and Telecommunications [SPTA] in conjunction with Art. 3 lit. b of the Swiss Federal Telecommunications Act of 30 April 1997 [TCA]). As a (re)classified regular TSP, Proton would have been required to guarantee in particular the readiness to provide information and to monitor (art. 32 SPTA) as well as to ensure the storage of the data required for monitoring within two months and the readiness to monitor within 12 months of the decision of the Surveillance Service (art. 51 para. 3 SPTO). It goes without saying, that this classification would be disadvantageous for Proton's marketing.

Following an appeal by Proton, the Swiss Federal Administrative Court had to assess whether the classification of Proton as a regular TSP for e-mail and VPN services by the Surveillance Service was lawful.

How the Swiss Federal Administrative Court Classifies E-mail (and VPN) Services Under Surveillance Law

In its judgment A-5373/2020 of 13 October 2021, the Swiss Federal Administrative Court criticizes the failure to address Proton's application to be qualified as a PDCS (cons. 4.4). In order to assess whether classification as a TSP with reduced monitoring obligations or as a regular TSP is appropriate, the Surveillance Service should have examined first whether Proton qualifies as a TSP under surveillance law at all or merely as a PDCS (cons. 4.4 f.). The court therefore defined the subject matter of the dispute more broadly than the Surveillance Service had wished. This allowed for the (important) discussion of the demarcation between TSP and PDCS under surveillance law in the first place.

In its assessment, the Swiss Federal Administrative Court places particular emphasis on telecommunications transmission (cons. 6.3.3) as a necessary element for qualification as a telecommunications service (art. 3 lit. b and c TCA). Telecommunications service providers offer their customers telecommunications transmission of information, e.g. for classical telephony or access to the internet (cons. 6.3.3). Providers of other internet services do not themselves offer telecommunications transmission, e.g. providers of various hosting services such as e-mail hosting, co-location server hosting, hosting without communication services or cloud services, chat platforms, document exchange platforms and peer-to-peer internet telephone services (ibid). For the delimitation of the derived communication services, the Swiss Federal Administrative Court considers it crucial that such services, e.g. e-mail services, require internet access, but the respective providers do not offer this access as such to their customers, nor do they assume any responsibility for the transmission of information via the internet (cons. 6.3.2 f.).

The e-mail users require internet access via a third-party provider in order to use Proton's over-the-top ("OTT") service. This does not make Proton's e-mail service itself an internet access service – in the view of the Swiss Federal Administrative Court, even the fact of end-to-end encryption does not change this (cons. 6.4.1). The mere feeding of information into a network is not sufficient for the service to qualify as a telecommunications service under surveillance law (cons. 6.3.3 with reference to Swiss Federal Supreme Court's judgment regarding Threema 2C_544/2020 of 29 April 2021, cons. 5.1.2, cf. our article on this). Thus, in the view of the Swiss Federal Administrative Court, Proton's e-mail services are not subject to the obligation to monitor telecommunications services (cons. 6.4.1).

With regard to the VPN service, the Swiss Federal Administrative Court considers the statements made by the Surveillance Service and Proton to be incomplete, and that therefore, a conclusive assessment in this respect not to be possible (cons. 6.4.2). The court assumes that it is known that VPN establishes a direct connection between remote devices and thus isolates the exchange of information from the rest of the traffic in public telecommunications networks. According to the Swiss Federal Administrative Court, although the use of a VPN presupposes internet access and therefore has some characteristics of a derived communications service, it involves the transmission of the entire information between the user and the recipient. The Swiss Federal Administrative Court points out that VPN communication also has certain characteristics that are specific to telecommunications services (cons. 6.4.2) – without, however, making a final assessment.

The court remits the case to the Surveillance Service for a new assessment (cons. 7).

What This Means For (Other) Providers of OTT Services

The Swiss Federal Supreme Court already held in its judgment 2C_544/2020 of 29 April 2021 that Threema GmbH, with its end-to-end encrypted instant messaging services as OTT services, does not provide telecommunications services, but merely qualifies as PDCS (cf. our article on this). The Swiss Federal Administrative Court's judgment on Proton and e-mail fits seamlessly into this practice and is convincing. Both judgments make it clear: Anyone who merely feeds information into an existing line or radio infrastructure, without assuming any responsibility for the transmission of information via the internet (e.g. also excludes liability in the terms of use) is not providing telecommunications services and is (at most) obliged to cooperate under the SPTA as a PDCS.

The Swiss Federal Administrative Court reiterates the Swiss Federal Supreme Court's earlier statement that the legislator, in revising the SPTA with the aforementioned distinction between TSP and PDCS, accepted that gaps in monitoring may (nevertheless) continue to occur or remain (cons. 6.3.5 with reference to the statements made by Swiss Federal Council Simonetta Sommaruga in the course of parliamentary deliberations in AB S 2014 p. 117). The Swiss Federal Administrative Court also points out (as did the Swiss Federal Supreme Court recently) the competence of the Swiss Federal Council to subject individual categories of providers to limited or extended monitoring obligations at the ordinance level (art. 26 para. 6 SPTA in conjunction with art. 51 SPTO and art. 22 para. 4 and art. 27 para. 3 SPTA) and thus to close certain loopholes (cons. 6.3.5). However, according to the clear statement of the Swiss Federal Administrative Court, this competence does not justify extending the definition of TSP as intended by the Surveillance Service (cons. 6.3.5).

A deviation from the "Threema practice" would have resulted in a peculiar dichotomy for OTT services: Certain providers of OTT services (e.g. of e-mail services) would have been subject to obligations to cooperate as they apply to traditional telecommunications (e.g. telephony or internet access providers), although they do not undertake any conceptually necessary, telecommunications-related transmission of information for their customers. Other OTT services (e.g. instant messaging services), as derived communications services, would in principle only give rise to reduced monitoring obligations. Such a dichotomy would be even more confusing for both providers and customers than the situation already is due to the uncertainties that have existed since the revision of the SPTA regarding the demarcation between "TSP" and "PDCS" (cf. our article).

Since the services offered by a provider can fall into different categories under surveillance law (cf. cons. 6.2), the new judgment on e-mail does not rule out the possibility that providers of different services are subject to different obligations under surveillance law depending on the category concerned. Provided that the judgment of the Swiss Federal Administrative Court is confirmed or the Surveillance Service follows the judgment of the Swiss Federal Administrative Court in its reassessment – at least for the e-mail service – this will at least provide a further important building block for a practice on OTT services. This would increase legal certainty for providers with regard to their (limited) obligations to cooperate in the context of telecommunications surveillance. Users would also know which interceptions are applicable to the services they use.

However, even for providers such as Proton, who are committed to confidentiality, secrecy does not go as far as not disclosing any user data. As even Proton admits, there may be cases in which disclosure to authorities is legally permissible and compulsory for Proton – for example, apparently this year in the case of French climate activists and a corresponding request for legal assistance from France (see also the statistics on requests from authorities in Proton's transparency report). Users of OTT services must also be aware of this.

The judgment of the Swiss Federal Administrative Court can be appealed to the Swiss Federal Supreme Court. How the Surveillance Service will deal with the judgment is currently still open.The result of the currently ongoing revision of the SPTO will be decisive for providers of OTT services: The Federal Council will define the obligations to cooperate – in particular the ones of TSP and PDCS – separately from the definition in the TCA (based on the new, not yet enacted art. 2 para. 1 lit. b and para. 2 revSPTA). However, these new provisions are not expected to enter into force before January 2023.

Further information:

Categories: Data & Privacy, Digital Business Law Bites, Media and Entertainment

You are currently offline. Some pages or content may fail to load.