The Higher Administrative Court (OVG) of Münster has addressed the question of whether public authorities are generally required to use end-to-end encryption when transmitting personal data.
What was the case about?
A plaintiff demanded that a public authority transmit his personal data exclusively using end-to-end encryption. He argued that transport encryption alone (e.g., TLS) did not meet the current state of the art and endangered his interests: he considered the level of protection it offers insufficient and demanded a higher one.
How did the court rule?
The OVG Münster (Decision of 20.02.2025 – Case No.: 16 B 288/23) rejected the plaintiff's appeal. The court found that the GDPR does not prescribe a general obligation to use end-to-end encryption. Under Article 32 GDPR, only "appropriate measures" are required to protect personal data, chosen according to the risk and the state of the art.
In this case, the authority was already using transport encryption (TLS), which the court considered sufficiently secure. The court emphasized that the plaintiff had not credibly demonstrated any specific risk arising from the use of TLS. There was no indication that the authority was exposed to heightened risks, such as frequent hacking attempts or known security vulnerabilities.
Additionally, the authority had implemented further security measures, including a SINA box (Sichere Inter-Netzwerk Architektur, a BSI-approved crypto gateway) and client certificates for communication with other government entities. The authority also held an IT security certificate from the German Federal Office for Information Security (BSI), confirming that it had implemented an appropriate IT security concept.
The court stated that the authority had conducted a risk assessment and ensured an adequate level of protection based on that assessment. The plaintiff failed to prove that the authority’s data processing posed a special risk to him or that end-to-end encryption was necessary.
Implications for practice
The OVG Münster decision has the following implications for data transmission by public authorities:
- No general obligation for end-to-end encryption: Authorities are not generally required to transmit personal data using end-to-end encryption. The choice of security measures depends on the specific risk and the state of the art.
- Appropriateness of the protection level is key: The GDPR does not require maximum security but an adequate level of protection, based on the risks. Authorities must conduct risk assessments and take appropriate technical and organizational measures accordingly.
- Transport encryption is generally sufficient: In most cases, transport encryption (TLS) is sufficient, provided there are no concrete indications of increased risk. TLS is considered state of the art and offers a high level of security. Note that transport encryption protects data only while it is in transit on a given connection; at each endpoint (for example an intermediate mail server) the data is processed in plaintext, so the risk assessment must also cover those systems.
- Burden of proof on the plaintiff in case of higher risk: If a plaintiff demands end-to-end encryption, they must credibly demonstrate a heightened risk. A mere desire for maximum security is not enough to justify such a requirement.
- Additional security measures may still be necessary: Authorities must implement further security measures if the risk assessment requires them. This may include tools such as SINA boxes, client certificates, or other technical solutions.