Administrative Court of Mainz: end-to-end encryption of e-mails required only in case of high risk

By judgment of 17 December 2020 (Case No. 1 K 778/19.MZ) (only in German), the Administrative Court of Mainz ruled that it is not a violation of the GDPR for persons subject to professional secrecy obligations to send out e-mails protected by transport-layer encryption only. The court found that end-to-end encryption is required only in case of high risk.

The Case

The case before the Administrative Court of Mainz was based on a complaint filed by an attorney challenging a warning from the Rhineland-Palatinate Data Protection Authority. The authority had sent the attorney a warning in accordance with Article 58(2)(b) of the GDPR because he had sent out e-mails without end-to-end encryption, which the authority considered to be a violation of the IT security requirements of the GDPR. The authority took the view that unencrypted e-mails do not offer adequate security for messages containing sensitive information and that the attorney, as a person subject to duties of professional secrecy, should set a good example by educating his employees about data protection and instructing them accordingly.

The Court’s Ruling

In its decision, however, the Administrative Court of Mainz ruled that the attorney’s complaint against the warning is admissible and well-founded.

With regard to the admissibility of the complaint, the court found that the Commissioner for Data Protection and Freedom of Information of the State of Rhineland-Palatinate is the right defendant for disputes between the state supervisory authority and natural or legal persons pursuant to Article 78(1) and (2) of the GDPR.

On the question of whether the complaint is well-founded, the court ruled that the authority’s warning is in violation of substantive law, pointing out that sending out e-mails without end-to-end encryption or other security measures beyond (obligatory) transport-layer encryption does not violate Article 5 of the GDPR. The court noted that, while Article 5(1)(f) and (2) of the GDPR does require controllers to ensure appropriate security when processing personal data, it does not follow that end-to-end encryption is required. Rather, Article 32(1) of the GDPR requires “appropriate technical and organizational measures.” While encryption is expressly mentioned in Article 32(1)(a) of the GDPR, the court found that, even for persons subject to professional secrecy obligations (such as attorneys), an appropriate level of security in terms of Article 32(1) of the GDPR can be attained by using (obligatory) transport-layer encryption, unless a higher level of security is required in an individual case.


The court’s decision is a welcome development for companies, even those which are not subject to professional secrecy obligations, since it clarifies that the need for IT security measures to satisfy the requirements of data protection law cannot be assessed with a broad brush. Rather, this need depends on the individual processing operation and, in particular, on the risk existing in each case. Specifically, Article 32(2) of the GDPR does not establish any mandatory minimum standards which companies are required to implement, nor a conclusive list of criteria which can play a role in determining the appropriate level of protection. With this differentiated view, the court rejected the blanket assertions by some data protection authorities about the need for end-to-end encryption on the part of persons subject to professional secrecy obligations. But this is just an isolated decision at the moment, so supervisory authorities which require end-to-end encryption for e-mails containing personal data sent out by persons subject to professional secrecy obligations cannot be expected to abandon their view, however much that view merits criticism. Accordingly, companies which are subject to duties of professional secrecy should ensure that they carefully document their risk assessment in connection with these processing activities so that they can show that an elevated risk does not exist in the particular case.