According to a non-representative survey from 2019, between 40% and 60% of companies continue to utilize fax for transmitting communications. This raises the question of whether and to what extent the transmission of personal data via fax adheres to the requirements of the General Data Protection Regulation (GDPR). In the view of the State Commissioner for Data Protection and Freedom of Information of the Free Hanseatic City of Bremen (LfDI Bremen), the transmission of personal data via fax is impermissible under data protection law.
Why is fax communication no longer compliant with data protection regulations?
According to the supervisory authority, fax services contain no security measures whatsoever to ensure data confidentiality. A fax message is therefore comparable to a postcard, which uninvolved third parties can theoretically read.
For this reason, the transmission of special categories of personal data under Art. 9 para. 1 GDPR (e.g., health data, biometric data) via fax is impermissible under data protection law.
What has changed regarding fax transmission?
The supervisory authority's argument is strongly technical: until a few years ago, fax messages were transmitted via circuit-switched connections. This established an exclusive connection existing only between the two fax devices, making 'eavesdropping' on this connection difficult. However, for several years now, packet-switched transmission has also been used for faxing. In this method, fax message data is divided into packets and transported over networks based on Internet technology, similar to email. This transport method is susceptible to the interception of messages or parts thereof.
What risks are associated with current fax transmission?
Fax messages sent as packets cannot be protected against unauthorized interception. Furthermore, unlike with earlier transmissions to a predetermined fax device, the sender today can no longer be certain where their fax message will arrive. Instead, systems are now frequently used in which incoming faxes are automatically converted into an email and sent to one or more email inboxes.
What does case law say about the permissibility of fax transmission?
As early as July 2020, the Higher Administrative Court (OVG) Lüneburg criticized the lack of encryption in fax transmission and assumed a violation of the confidentiality obligation under Art. 32 GDPR (cf. OVG Lüneburg, Decision of 22.07.2020, Ref. 11 LA 104/19). Case law thus tends to align with the supervisory authority in Bremen.
Are faxes no longer permitted to be sent?
If you wish to pursue the most data protection-compliant path, you should refrain from sending fax messages and switch to other technologies, such as end-to-end encrypted email.
It must be noted, however, that the supervisory authority in Bremen has primarily deemed the transmission of special categories of personal data under Art. 9 para. 1 GDPR via fax as impermissible. It remains questionable whether this strict view will also prevail for 'ordinary' personal data. Furthermore, it should be considered that in the vast majority of cases, a recipient discloses their fax number themselves, thereby consciously utilizing a technically insecure method. If the recipient now criticizes the receipt of a fax message as impermissible under data protection law, we believe their behavior is contradictory.
GoldbergUllrich Attorneys at Law 2021
Julius Oberste-Dommes LL.M. (Information Law)
Attorney-at-Law and
Specialist Attorney for Information Technology Law
