By Judgment of 17 December 2020 (Case No. 1 K 778/19.MZ) (only in German), the Administrative Court of Mainz ruled that it is not a violation of the GDPR for persons subject to professional secrecy obligations to send out e‑mails with transport-layer encryption. The court found that end-to-end encryption is required only in case of high risk.
The Case
The case before the Administrative Court of Mainz was based on a complaint filed by an attorney challenging a warning from the Rhineland-Palatinate Data Protection Authority. The authority had issued the attorney a warning under Article 58(2)(b) of the GDPR because he had sent out e‑mails without end-to-end encryption, which the authority considered to be a violation of the IT security requirements of the GDPR. The authority took the view that e‑mails without end-to-end encryption do not offer adequate security for messages containing sensitive information and that the attorney, as a person subject to duties of professional secrecy, should set a good example by educating his employees about data protection and instructing them accordingly.
The Court’s Ruling
But in its decision, the Administrative Court of Mainz ruled that the attorney’s complaint against the warning is admissible and well-founded.
With regard to the admissibility of the complaint, the court found that the Commissioner for Data Protection and Freedom of Information of the State of Rhineland-Palatinate is the right defendant for disputes between the state supervisory authority and natural or legal persons pursuant to Article 78(1) and (2) of the GDPR.
On the question of whether the complaint is well-founded, the court ruled that the authority’s warning violates substantive law: sending out e‑mails without end-to-end encryption or other security measures beyond (obligatory) transport-layer encryption does not violate Article 5 of the GDPR. The court noted that, while Article 5(1)(f) and (2) of the GDPR do require controllers to ensure appropriate security when processing personal data, it does not follow that end-to-end encryption is required. Rather, Article 32(1) of the GDPR requires “appropriate technical and organizational measures.” Although encryption is expressly mentioned in Article 32(1)(a) of the GDPR, the court found that, even for persons subject to professional secrecy obligations (such as attorneys), an appropriate level of security in terms of Article 32(1) of the GDPR can be attained by using (obligatory) transport-layer encryption, unless a higher level of security is required in the individual case.
Assessment
The court’s decision is a welcome development for companies, including those not subject to professional secrecy obligations, since it clarifies that the IT security measures needed to satisfy data protection law cannot be assessed with a broad brush. Rather, the need depends on the individual processing operation and, in particular, on the risk existing in each case. Specifically, Article 32(2) of the GDPR establishes neither mandatory minimum standards which companies are required to implement nor a conclusive list of criteria for determining the appropriate level of protection. With this differentiated view, the court rejected the blanket assertions by some data protection authorities that persons subject to professional secrecy obligations must use end-to-end encryption. But this is just an isolated decision at the moment, so supervisory authorities which require end-to-end encryption for e‑mails containing personal data sent out by persons subject to professional secrecy obligations cannot be expected to abandon their view, however much that view merits criticism. Accordingly, companies subject to duties of professional secrecy should carefully document their risk assessment for these processing activities so that they can show that no elevated risk exists in the particular case.