Security requirements in the focus of business email transmission


Relevance of Justified Security Expectations in Email Communication in Business Transactions

The question of the appropriate technical and organizational protection in the context of business email communication is continuously updated against the backdrop of ongoing digitalization. Especially in business transactions, where sensitive and sometimes confidential data are regularly exchanged electronically, the scope of security measures required for sending emails is of significant practical relevance. The recent decision of the Karlsruhe Higher Regional Court from 19.09.2023 (Case No. 19 U 83/22) contributes to further clarification of the legal standards to be applied here. In particular, the criterion of justified security expectations in business transactions comes into focus.

Standard for Security Measures: The Justified Expectations of Business Transactions

Delineation of Technical Protection Obligations

The Karlsruhe Higher Regional Court clarified in its ruling that the required level of technical protective measures when sending emails is not generally determined by abstract IT security standards but rather by the justified expectations of the average business partner. There is no general obligation, purely from a technological perspective, to encrypt all emails consistently; instead, an encryption requirement presupposes that, under the circumstances of the specific business transaction and the nature of the information exchanged, encryption is necessary. Both the sensitivity of the data and the influence of the respective business sector on the state of technology are decisive.

Business Circles and Industry Specifics

The established level of protection is largely oriented toward the practices of the relevant business circle. Technical minimum standards are thus shaped by actual industry practice and the communication methods typically used. Depending on the industry and the type of data transmitted, different requirements may therefore apply. This means that stricter standards may apply in the banking and financial sector than in ordinary goods trade. The usual expectation in commercial life thus limits the obligation to implement further security measures.

Due Diligence Standard and Organizational Responsibility within the Company

Differentiation According to Organization and Recipient Group

The due diligence standard that companies must observe when sending emails again results from the justified security expectations of the recipients. Organizational responsibility therefore includes the duty to evaluate and adjust internal processes, especially regarding the selection of the appropriate transmission method and informational duties toward those involved. As long as the email concerns only the exchange of publicly accessible or otherwise non-confidential information, simple unencrypted transmission is still recognized as customary practice.

Relation to Liability Issues

The scope of possible liability in the event of damage due to insecure email communication depends on the security measures taken and owed. If the technically and organizationally usual security level is not met, this may constitute a breach of the duty to ensure safety in traffic (Verkehrssicherungspflicht). However, the Karlsruhe Higher Regional Court made clear that an objectively elevated protection level is only owed if the average recipient could reasonably expect corresponding protective measures due to comprehensible risk situations.

Effects on Contractual and Business Processing

Importance for Business Trust

The decision strengthens the justified trust of business participants that the scope of required security measures is oriented towards the established standard of business practice and expectations. This maintains the principle that not every potential technical option is necessarily legally required. For companies, this means increased predictability of their obligations when dealing with everyday electronic mail.

Further Development of Expectations

It must be taken into account that with ongoing technological development and increasing digitalization, the standards of business expectations are subject to constant adjustment. Previously customary methods may be shifted toward higher requirements by new legal provisions, industry self-regulations, or generally accepted market standards. This applies, for example, if transport encryption, previously rarely used, becomes standard through wider application.

Case-by-Case Examination and Open Legal Questions

Importance of the Individual Case

The decision of the Higher Regional Court of Karlsruhe emphasizes the necessity of a differentiated approach that takes into account all circumstances of the specific business process. Crucial factors include the type of information, the risk of data disclosure, and the extent to which the communication partners could reasonably expect confidential transmission. There is no rigid classification of protection duties; rather, each individual case must be examined, considering not only the technical measures taken but also the individual expectations and industry practices.

Legal situation in transition

It should be noted that the underlying decision may be subject to ongoing discussions and possible further reviews. The published facts are based on the judgment of the Higher Regional Court of Karlsruhe dated September 19, 2023 (File No. 19 U 83/22), whose factual and legal appraisal could be subject to a changed assessment in the future, for example by a decision of the Federal Court of Justice (source: https://urteile.news/OLG-Karlsruhe_19-U-8322_Mass-der-Sicherheitsvorkehrungen-beim-Versand-von-E-Mails-im-geschaeftlichen-Verkehr-richtet-sich-nach-berechtigten-Sicherheitserwartungen-des-Verkehrs~N33273). Until a final supreme court ruling is issued, continuous development should be assumed.

Conclusion and outlook

The Higher Regional Court of Karlsruhe bases the design of IT security measures for email communication primarily on the legitimate expectations of market participants and rejects blanket obligations to apply the highest possible encryption standards. This framework offers companies a basis oriented towards actual business requirements for their electronic information flows, which accommodates both the economic need for practical solutions and the protection of confidential information. Given the ongoing development of technical possibilities and legal requirements, companies should closely monitor the further evolution of case law and industry practices. For more complex legal questions or considerations regarding the securing of business email communication in light of current case law, it is advisable to seek qualified advice. Further information and individual support are available from MTR Legal under the subject area Legal advice in IT law.
