VG Frankfurt am Main - 5 L1281/22.F: Difference between revisions

From GDPRhub
Revision as of 10:54, 3 August 2022

VG Frankfurt am Main - 5 L1281/22.F
Court: VG Frankfurt am Main (Germany)
Jurisdiction: Germany
Relevant Law: Article 5(1)(f) GDPR
Article 32(1)(a) GDPR
Decided: 15.07.2022
Published:
Parties:
National Case Number/Name: 5 L1281/22.F
European Case Law Identifier: ECLI:DE:VGFFM:2022:0715.5L1281.22.F.00
Appeal from:
Appeal to: Unknown
Original Language(s): German
Original Source: Bürgerservice Hessenrecht (in German)
Initial Contributor: Fabian Dechent

The Administrative Court of Frankfurt held that the German authorities were not obligated to use end-to-end encryption when communicating with an arms dealer; transport encryption was compatible with the state of the art.

English Summary

Facts

The data subject distributed weapons of war and security products to the German authorities. Due to their "physical and chemical properties," the data subject's products were particularly suitable for illegal activities, and he feared becoming a target of kidnapping or robbery to obtain those products if his personal data were exposed.

The German Federal Office for Economic Affairs and Export Control (hereinafter “Office”) was the supervisory authority of the controller within the meaning of the German War Weapons Control Act and the corresponding regulation on the implementation of this act. The Office maintained the electronic war weapons register and had switched to electronic legal transactions via its own communication platform. Emails sent out by this communication platform were sent with transport encryption, not end-to-end encryption.

The data subject and the controller disagreed about the obligation to use end-to-end encryption in these electronic legal transactions. The data subject argued that the electronic legal transactions needed to be safeguarded by end-to-end encryption. The controller and the Office argued that transport encryption was sufficient and did not see any necessity to implement additional end-to-end encryption.

The data subject requested a temporary injunction against the transmission of his personal data without end-to-end encryption by the controller, pending a decision on the issue by the Administrative Court of Frankfurt.

Holding

The Court held that transport encryption was sufficient for sending email via the controller's communication platform.

According to Article 5(1)(f) GDPR, personal data must be processed according to the principles of integrity and confidentiality. The Court acknowledged that these principles are general and need to be specified, but it insisted that they impose concrete obligations, not merely goals for which to strive. The measures that must be taken are those that ensure a level of protection appropriate to the risk, taking into account the eight criteria listed in Article 32(1) GDPR: (1) the state of the art, (2) the costs of implementation, (3) the nature of processing, (4) the scope of processing, (5) the context of processing, (6) the purposes of processing, (7) the risk to the rights and freedoms of natural persons, and (8) the severity of those risks.

Taking these factors into account, the Court concluded that transport encryption must currently be seen as the state of the art for safeguarding electronic communication, so the controller had taken all reasonable safeguards within the meaning of Article 32 GDPR to ensure compliance with the basic principles of integrity and confidentiality.
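The holding rests on the respondent's statement in paragraph 8 of the decision that the NdB mail server sends transport-encrypted; in SMTP that encryption is negotiated hop by hop with STARTTLS and, unless the sending relay is configured to require it, silently falls back to plaintext when the next hop offers no TLS, so a controller relying on this safeguard should be able to show from its own logs that mail actually left encrypted. The Python script below is an added example, not part of the decision or of any Federal Office system; it assumes Postfix smtp-client log lines (constructed here, with invented hosts, addresses and queue ids) and lists accepted deliveries that left without TLS or with a deprecated protocol version.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed Postfix smtp-client syslog lines (hosts, addresses and queue ids
# are invented; not taken from the decision or from any Federal Office system).
# With smtp_tls_loglevel >= 1, Postfix logs one "TLS connection established"
# line per encrypted outbound connection and nothing at all for a plaintext one.
SAMPLE_LOG = """\
Jul 15 10:00:01 mx1 postfix/smtp[2311]: Untrusted TLS connection established to mail.example.org[203.0.113.5]:25: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
Jul 15 10:00:02 mx1 postfix/smtp[2311]: 4F3A2B1C9D: to=<dealer@example.org>, relay=mail.example.org[203.0.113.5]:25, delay=1.2, delays=0.1/0/0.5/0.6, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as ABC123)
Jul 15 10:00:05 mx1 postfix/smtp[2312]: 7A11C0FFEE: to=<clerk@example.net>, relay=mx.example.net[198.51.100.7]:25, delay=0.8, delays=0.1/0/0.3/0.4, dsn=2.0.0, status=sent (250 OK)
Jul 15 10:00:09 mx1 postfix/smtp[2313]: Trusted TLS connection established to smtp.example.com[192.0.2.10]:25: TLSv1 with cipher ECDHE-RSA-AES128-SHA (128/128 bits)
Jul 15 10:00:10 mx1 postfix/smtp[2313]: 9B2D4E6F80: to=<office@example.com>, relay=smtp.example.com[192.0.2.10]:25, delay=1.0, delays=0.1/0/0.4/0.5, dsn=2.0.0, status=sent (250 2.0.0 Ok)
"""

# Handshake summary: trust level, relay (host[ip]:port), protocol and cipher.
# The relay pattern assumes an IPv4 literal; IPv6 relays contain ':' and would
# need a stricter pattern.
TLS_RE = re.compile(
    r"postfix/smtp\[(?P<pid>\d+)\]: (?P<trust>Anonymous|Untrusted|Trusted|Verified) "
    r"TLS connection established to (?P<relay>[^:]+:\d+): (?P<proto>TLSv[\d.]+) "
    r"with cipher (?P<cipher>\S+)"
)
# Per-recipient delivery record written by the same smtp client process.
SENT_RE = re.compile(
    r"postfix/smtp\[(?P<pid>\d+)\]: (?P<qid>\w+): to=<(?P<rcpt>[^>]+)>, "
    r"relay=(?P<relay>[^,]+), .*status=sent"
)
# Protocol versions that no longer count as state of the art.
WEAK_PROTOCOLS = {"SSLv3", "TLSv1", "TLSv1.1"}


@dataclass
class Delivery:
    queue_id: str
    recipient: str
    relay: str
    tls: Optional[str]  # e.g. "TLSv1.3 TLS_AES_256_GCM_SHA384 (Untrusted)", None = plaintext


def audit_deliveries(log_text: str) -> list:
    """Attribute each status=sent line to the TLS state of the smtp process
    that delivered it. Postfix logs the handshake before the delivery line,
    so the most recent handshake of the same pid to the same relay applies;
    no matching handshake means the message left in plaintext."""
    last_tls = {}  # pid -> (relay, description) of the latest handshake seen
    deliveries = []
    for line in log_text.splitlines():
        m = TLS_RE.search(line)
        if m:
            last_tls[m["pid"]] = (m["relay"], f"{m['proto']} {m['cipher']} ({m['trust']})")
            continue
        m = SENT_RE.search(line)
        if m:
            seen = last_tls.get(m["pid"])
            tls = seen[1] if seen and seen[0] == m["relay"] else None
            deliveries.append(Delivery(m["qid"], m["rcpt"], m["relay"], tls))
    return deliveries


def audit_report(log_text: str) -> dict:
    """What a reviewer of the claim 'our relay sends transport-encrypted' would
    want to see: accepted deliveries that left without TLS, and those that
    negotiated a deprecated protocol version."""
    deliveries = audit_deliveries(log_text)
    return {
        "total": len(deliveries),
        "plaintext": [d.queue_id for d in deliveries if d.tls is None],
        "weak_tls": [d.queue_id for d in deliveries
                     if d.tls is not None and d.tls.split()[0] in WEAK_PROTOCOLS],
    }


if __name__ == "__main__":
    for d in audit_deliveries(SAMPLE_LOG):
        print(f"{d.queue_id} -> {d.recipient:22} {d.tls or 'PLAINTEXT'}")
    print(audit_report(SAMPLE_LOG))
```

Run against a real mail log, a non-empty `plaintext` list shows that opportunistic STARTTLS fell back on some hops, which is the case the summary view in the decision does not examine.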



English Machine Translation of the Decision

The decision below is a machine translation of the German original. Please refer to the German original for more details.

Reasons
I.

Paragraph 1
The parties involved are arguing about an obligation to use state-of-the-art end-to-end encryption in electronic legal transactions.

Paragraph 2
The applicant sells primarily to security authorities ... which are subject to a ban with the reservation of permission after ... and whose products are particularly suitable for illegal activities such as ... due to their physical and chemical properties. He is the person affected by the decision of the Federal Administrative Court of June 10, 2021 - 3 B 19/20 - (juris = BeckRS 2021, 19844) and fears becoming the victim of a kidnapping or robbery aimed at obtaining the stored products.

Paragraph 3
The Federal Office for Economic Affairs and Export Control (hereinafter referred to as the "Federal Office") is the respondent's supervisory authority within the meaning of Section 14 (8) KrWaffG in conjunction with Section 2 KrWaffKontrGDV 1 and has largely switched processes in its area of responsibility to electronic legal transactions via its communication portal ELAN-K2. The electronic war weapons register is kept by it. According to Section 10 (3) sentence 1 KrWaffKontrGDV 2, notifications of changes in stock must be submitted electronically from April 1, 2020. The first electronic transmission of a report via the ELAN-K2 communication portal had to take place by the deadline of September 30, 2020.

Paragraph 4
On August 24, 2020, the applicant contacted the Federal Office and complained that future information on the electronic war weapons register would be sent by e-mail - in addition to being published on the Federal Office's website - and suggested encrypting it using the "Chiasmus" software, objected to the current form of transmission as a precautionary measure in accordance with Art. 21 GDPR and requested a suspension in accordance with Art. 18 GDPR. On August 25, 2020, he complained again about the e-mail delivery. In the following, the parties corresponded about the procedure, and the applicant pointed out that the data processor, according to Article 5 Paragraph 1 Letter f and Article 32 Paragraph 1 Letter a GDPR, taking into account the state of the art, the implementation costs and the nature, scope, circumstances and purposes of the processing as well as the varying likelihood and severity of the risk to the rights and freedoms of natural persons, has to take appropriate technical and organizational measures to ensure a level of protection appropriate to the risk. The Federal Office agreed to an examination and, as requested by the applicant, suspended the processing of the applicant's information by e-mail until it was completed, in accordance with Article 18(1)(d) GDPR. However, on September 29, 2020, the applicant was again sent e-mail messages with personal data via the Internet, which he complained of on October 2, 2020, taking the opportunity to apply, as a precautionary measure, for exemption from the obligation to submit the electronic report in accordance with Section 10 Para. 5 KrWaffKontrGDV 2. On December 15, 2020, the Federal Office asked for an explanation of the need for protection, which the applicant submitted on January 27, 2021. On April 1, 2021, the applicant applied to the Federal Office for a determination of the illegality of the data transfer of September 29, 2020. On October 1, 2021, the applicant requested a decision regarding his objection of August 25, 2020 and his application of October 2, 2020. On January 5, 2022, the applicant applied to the Federal Office for information in accordance with Art. 15 (1) GDPR with a copy in accordance with Art. 15 (3) GDPR. The application for exemption from the obligation to submit the electronic report was rejected by the Federal Office on March 23, 2022, pointing out that the applicant would have to use the ELAN-K2 portal for future reports; the applicant raised an objection to this, the decision on which is not yet apparent to the court. On April 1, 2022, the applicant contacted the Federal Office about his application from January 6, 2022 and pointed out the deadlines according to Art. 12 Para. 3 DSGVO. On April 2, 2022, the applicant announced that he would bring an action for failure to act if his objection of August 25, 2020 was not decided by April 15, 2022, 12 noon. On April 20, 2022, the applicant brought an action before the administrative court in Frankfurt am Main, filed under reference number 5 K 1094/22.F, because of the data transfer dated September 29, 2020 and the pending decision on his objection dated August 24, 2020. Due to the requested provision of information and its delay, the applicant brought an action before the administrative court in Frankfurt am Main on April 13, 2022, which is filed under file number 5 K 1030/22.F. A further action for supplementing the information provided by the Federal Office on May 2, 2022, listed under business number 5 K 1624/22.F, was filed on June 22, 2022 and, together with a further application for the issuance of a temporary injunction, is pending under business number 5 L 1623/22.F.

Paragraph 5
On May 9, 2022, the applicant applied to the administrative court in Frankfurt am Main for the issuance of a temporary injunction, by which he seeks to exercise his rights under Art. 5, 18, 21 and 32 GDPR through technical and organizational measures that correspond to the state of the art and the high risk, which from his point of view is only the case with end-to-end encryption corresponding to the state of the art. On August 24 and 25, 2020, he objected to any open electronic transmission of his personal data for special personal reasons; subsequently, however, the Federal Office undisputedly made further insecure electronic transmissions. There is also a reason for the order. Apparently, it was technically and organizationally still possible for the respondent to send e-mails and faxes containing the applicant's personal data without end-to-end encryption. The employees could also continue to make unencrypted telephone calls. Apparently not even official instructions were issued to prohibit insecure transmissions. The respondent has no idea how an appropriate level of protection can be determined and what technical and organizational measures are required to implement it. For this purpose, the respondent and not the applicant bears the burden of explanation and proof. In order to classify the level of protection required for the applicant's personal data, there must also be an administrative file, which the respondent has to submit.

Paragraph 6
The applicant requests:

1. The Respondent is provisionally obliged, as part of an interim order and until a decision is made on the main issue, to refrain from electronically transmitting the applicant's personal data without end-to-end encryption corresponding to the state of the art and the high risk, unless such encryption is expressly not required in exceptional cases due to special legal regulations.

alternatively:

As part of an interim order, it is provisionally determined, pending a decision on the main issue, that the respondent is obliged to protect the applicant's personal data in the case of electronic transmission with encryption corresponding to the state of the art and the high risk, unless in exceptional cases special legal regulations allow this to be dispensed with.

2. The Respondent is threatened with a fine of up to €250,000 for each violation of the obligation to cease and desist pursuant to Item 1.

Paragraph 7
The Respondent requests

that the applicant's application be rejected.

Paragraph 8
According to Section 8 (1) BSIG, all federal authorities are required to comply with the recommendations for IT security issued by the Federal Office for Information Security (hereinafter "BSI"). The respondent complies with the BSI baseline protection (IT-Grundschutz). According to module APP.5.3 "General email client and server" of the BSI baseline protection compendium, transport encryption for e-mails is provided for. In particular, e-mail clients (programs for sending and receiving e-mails) must use secure transport encryption to communicate with e-mail servers over untrustworthy networks. The e-mail server of the Federal Office transfers the e-mails sent from the ELAN-K2 portal, with the domain ending "@bafa.bund.de", to the central e-mail server of the federal networks (hereinafter "NdB"). The NdB's e-mail server is configured in such a way that the e-mail is sent in transport-encrypted form. When encrypting e-mails, a distinction must be made between encryption during transmission ("transport encryption") and encryption of the content of the e-mail ("end-to-end encryption"). Transport encryption encrypts the transmission paths of the e-mail: the transport channel is encrypted on the way between the sender and his e-mail provider, between the sender's e-mail provider and that of the recipient, and finally on the way between the recipient's e-mail provider and the recipient. There are already doubts about the specificity of the application. There is no right to an order. According to Section 3a (1) VwVfG and Section 10 KrWaffKontrGDV 2, the respondent is entitled and obliged to use electronic means of communication; the applicant has also opened a corresponding access by giving the respondent a fax number and an e-mail address. The communication between the parties was never insufficiently secured; the legal requirements of Article 5 (1) (f) GDPR and Article 32 (1) (a) GDPR have been complied with. The German data protection authorities and professional associations also consider transport encryption to be an adequate security mechanism. The special legal regulations on explosives and war weapons law do not impose any requirements for the security standard of communication; in the absence of regulation it can be assumed that the legislature made a conscious decision and not that there is a loophole.

Paragraph 9
For further details of the facts and the dispute, reference is made to the content of the court file and the court files 5 K 1030, 1094 and 1624/22.F as well as 5 L 1623/22.F and the transmitted authority files, which were the subject of the deliberation.

II.

Paragraph 10
The application is unsuccessful (A.), so that the applicant has to bear the costs of the procedure (B.). The value in dispute is to be set at half the value in dispute (C.).

A.

Paragraph 11
According to Section 123 (1) VwGO, which is the only relevant option here, the court can, upon application, issue an interim order to regulate a provisional situation in relation to a contentious legal relationship, even before an action is filed, if, especially in the case of permanent legal relationships, this regulation appears necessary in order to avert significant disadvantages or to prevent the threat of violence or for other reasons. The actual requirements of the asserted claim and the reason for the necessary provisional regulation must be made credible (§ 920 Para. 2 ZPO in conjunction with § 123 Para. 3 VwGO, § 294 ZPO). The application for the issuance of a regulatory order is permissible and sufficiently specific in terms of content (1.), but remains unsuccessful due to the lack of a right to an order (3.), although a reason for the order can be assumed (2.).

Paragraph 12
1. The application is admissible according to § 123 Para. 5 VwGO, since the applicant's request is to be pursued by way of § 43 Para. 2 Clause 1, § 111 Clause 1, § 113 Para. 3 Clause 2, Para. 4, § 169 Para. 2, § 191 Para. 1 VwGO - and in any case not with the rescission action within the meaning of § 42 Para. 1 Alt. 1 VwGO. The existence of the general decree of the Federal Office of April 1, 2020 (BAnz AT April 28, 2020 B5), specifying individual details for the electronic transmission of reports in accordance with Section 10 (3) sentence 1 of the Second Ordinance on the Implementation of the War Weapons Control Act, does not change this, because it concerns the content, not the form of transmission, so that an action against it would not serve the applicant's request. The request is sufficiently specific by relying on end-to-end encryption in electronic legal transactions, even if vague legal terms such as "state of the art" and "high risk" are used as the standard.

Paragraph 13
2. The applicant has made a reason for the order credible. The existing obligation to electronically report stocks of war weapons on the reporting deadlines from Section 10 Paragraph 1 Sentence 1 KrWaffKontrGDV 2 is sufficient for this if the applicant sees himself violated by their form. The possibility of the Federal Office, according to § 10 Para dated March 23, 2022 rejected this form of transmission.

Paragraph 14
3. However, the applicant has not substantiated a claim for an order for either his main application or his auxiliary application. Electronic communication has been open since April 1, 2020 (a.), without its design violating the rights of the applicant based on the summary view that is only possible in preliminary legal protection proceedings (b.).

Paragraph 15
a. According to the general provision of § 3a Para. 1 VwVfG, the transmission of electronic documents is permitted if the recipient opens access for this. This principle is not limited to the administrative procedure, as can be seen from § 1 Para. 1, § 2 Para a. With the amendment by Art. 1 No. 3 Letter d of the Third Ordinance amending the Second Ordinance for the Implementation of the War Weapons Control Act of March 13, 2020 (Federal Law Gazette I p. 521), electronic legal transactions were opened in April 2020 also for the licensing procedure, the obligations in dealing with war weapons and the monitoring of actions requiring a license under the War Weapons Control Act.

Paragraph 16
b. The specific design of the electronic communication does not violate the applicant's rights, according to the only possible summary findings in proceedings for preliminary legal protection. The applicant has no public-law claim for defence and injunctive relief, as recognized under customary law (cf. HessVGH, decision of February 8, 2019 - 8 B 2575/18 -, juris marginal number 19 = BeckRS 2019, 4401 marginal number 15; Maurer/Waldhoff, AllgemVwR, 19th edition 2017, § 30 para. 6, 14 f.; Kranz, NVwZ 2018, 864). The transport encryption currently used for electronic communication with the Federal Office is necessary, but also sufficient. According to Art. 5 Para. 1 lit. f DSGVO, personal data must be

processed in a manner that ensures appropriate security of the personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, using appropriate technical and organizational measures (“integrity and confidentiality”).

Paragraph 17
According to recital 39 sentence 12, this includes:

Personal data should be processed in such a way that their security and confidentiality are adequately guaranteed, including that unauthorized persons do not have access to the data and cannot use the data or the equipment with which they are processed.

Paragraph 18
Even if this provision is worded extremely generally and needs to be specified, it is by no means a mere programmatic statement (BeckOK DatenschutzR/Schantz, 40th Ed. 1.11.2021, DS-GVO Art. 5 para. 2). Rather, it is a basic obligation, the realization of which is mandatory and not merely to be striven for as far as possible. Technical requirements follow from Art. 32 Para. 1 GDPR. According to this,

[T]aking into account the state of the art, the implementation costs and the nature, scope, circumstances and purposes of the processing, as well as the varying likelihood and severity of the risk to the rights and freedoms of natural persons ... the controller and the processor must take appropriate technical and organizational measures to ensure a level of protection appropriate to the risk; such measures may include, but are not limited to:

a) the pseudonymization and encryption of personal data;

b) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of the systems and services related to the processing;

...

d) a procedure for regularly checking, assessing and evaluating the effectiveness of the technical and organizational measures to ensure the security of the processing.

Paragraph 19
The measures to be taken are those that ensure a level of protection appropriate to the risk, taking into account eight criteria. These eight criteria are: state of the art, implementation costs, nature, scope, circumstances and purposes of the processing, as well as the varying likelihood and severity of the risk to the rights and freedoms of natural persons (Ehmann/Selmayr/Hladjk, 2nd edition 2018, DS-GVO Article 32 para. 4). However, the General Data Protection Regulation does not mention any anonymization techniques in this context, although under certain conditions these would also be suitable for contributing to data security (Ehmann/Selmayr/Hladjk DS-GVO Art. 32 para. 7). The legislator has not specified any specific requirements for the encryption method to be used that go beyond the objective of integrity and confidentiality. However, it must also be taken into account here that these measures must correspond to the state of the art. Nor does the provision contain any requirements with regard to the encryption algorithm or the key lengths to be used (Kühling/Buchner/Jandt DS-GVO Art. 32 para. 21). Given the sensitivity of the present area, it can be concluded from this that unencrypted electronic communication would not be permissible, which of course does not yet mean that transport encryption is insufficient.

Paragraph 20
Whether and to what extent standards have to be shifted when weighting the criteria if electronic communication affects special categories of personal data can be left open here, because, also taking into account the general ruling of the Federal Office of April 1, 2020 (BAnz AT 28.04.2020 B5), it is not apparent that the Second Ordinance on the Implementation of the War Weapons Control Act affects the processing of any data within the meaning of Art. 9 Para. 1, Art. 10 GDPR. Whether an extension should also apply to cases in which an "interest of criminal and resource-rich third parties" is foreseeable (according to VG Mainz, judgment of December 17, 2020 - 1 K 778/19.MZ -, juris para. 39 = BeckRS 2020, 41220 para. 37) can remain open here, since the court does not consider such a threat to the applicant through or because of his electronic communication to be credible. In this respect, the decisive factor is whether the data is particularly sensitive for the data subjects (Wagner, Legal Professional Law and Data Protection: Unity, Contradiction or Parallel Worlds?, BRAK-Mitteilungen 4/2019, 167 <171>). There is therefore no automatism in this respect; Wagner's view, referred to by the VG Mainz, relates to the professional duties of lawyers. The electronic communication that takes place in the area of the electronic war weapons register is to be viewed and evaluated in general, and its security is not to be based on the specific circumstances of individuals.

Paragraph 21
However, as transport encryption of electronic communication with the Federal Office takes place, the respondent has not only sought organizational precautions to maintain integrity and confidentiality, but has already taken them. Under data protection law, this currently still meets the required standard (Gasteyer/Säljemar: Confidentiality in the change of digital communication channels, NJW 2020, 1768 <1770 f.>; VG Mainz, loc. cit., juris marginal number 40 = BeckRS 2020, 41220 marginal number 38); under the law on weapons of war, there are currently no stricter requirements.

Paragraph 22
A possible claim under § 10 Para. 5 KrWaffKontrGDV 2 for approval of the transmission of reportable data from the applicant to the Federal Office in paper form is not the subject of the dispute.

B.

Paragraph 23
The applicant has to bear the costs of the procedure according to § 154 Para. 1 VwGO, since he is unsuccessful.

C.

Paragraph 24
The determination of the amount in dispute follows from Section 53 Paragraph 2 No. 1, Section 52 Paragraph 1, 2 GKG. The court assumes that the value in dispute is EUR 5,000, which is to be reduced according to No. 1.5 sentence 1 of the 2013 Catalog of Values in Dispute.