There are two "level" where the data stream is generally encrypted.
One is the wifi radio connection, and Jeff is correct that only WPA and WPA2 encrypt the whole data stream. WEP just does and access check to let you on or not, but once you are on all data is clear and unencrypted. And of course an open wifi data stream is just that.
But even if someone can listen in on the wifi radio data stream between your computer and the wifi base station, they need to be able to understand that data stream. That brings us to the next level of encryption, which is between your application and the server it is talking to.
Anytime your browser is connected to
https://something or other, the entire data stream between your browser and the web server it is talking to is encrypted. Listen all you want, it will just be jibberish. Every bank and ecommerce site uses https at least for checkout, if not for the whole session. So I think that makes those browser sessions secure no mater who is listening in. No WPA wifi required. No VPN required. If you do use a WPA wifi or VPN, you are double encrypting the data stream, once by the browser, and once again to talk over the wifi or VPN channel. By once is enough.
Other applications can do the same. When you set up your email you typically connect to a POP or IMAP server. You can check a box to say you want that communications to be via SSL (Secure Socket Layer) which is the same encryption mechanism used my HPPTS. Buy the way, the "S" in HTTPS stands for HTTP over SSL. Once you have done that, all your email traffic is encrypted end to end over the internet.