According to a non-representative survey from 2019, between 40% and 60% of companies still use fax to send communications. This raises the question of whether and to what extent sending personal data by fax meets the requirements of the General Data Protection Regulation (GDPR). In the opinion of the State Commissioner for Data Protection and Freedom of Information of the Free Hanseatic City of Bremen (LfDI Bremen), the transmission of personal data by fax is not permissible under data protection law.
Why is the fax no longer data protection compliant?
According to the supervisory authority, fax services do not contain any security measures to guarantee the confidentiality of the data. A fax message can therefore be compared to a postcard, which can theoretically be read by uninvolved parties.
For this reason, the transmission of special categories of personal data pursuant to Article 9(1) of the GDPR (e.g. health data, biometric data) by fax is not permissible under data protection law.
What is different about sending faxes now?
The supervisory authority's argument is largely technical. Until a few years ago, fax messages were transmitted via a line-based (circuit-switched) exchange, which established an exclusive connection that existed only between the two fax machines. It was difficult to "eavesdrop" on this connection. For some years now, however, a packet-based exchange has also been used for fax transmission. Here, the data of the fax message is divided into packets and, similar to an e-mail, transported via networks based on internet technology. This transport method is susceptible to interception of messages or parts of messages.
What are the risks of sending faxes today?
A fax message sent in packets cannot be protected against unauthorised reading. Furthermore, whereas a fax used to be transmitted to a fax machine that was fixed from the outset, the sender can no longer be sure where the fax message will arrive. Instead, systems are now frequently used in which incoming faxes are automatically converted into an e-mail and sent to one or more e-mail mailboxes.
What does case law say about the admissibility of sending faxes?
In July 2020, the OVG Lüneburg criticised the lack of encryption of the fax transmission and assumed a breach of the confidentiality obligation pursuant to Art. 32 GDPR (cf. OVG Lüneburg, decision of 22.07.2020, ref. 11 LA 104/19). The case law thus tends in the direction of the supervisory authority in Bremen.
Are faxes no longer allowed to be sent?
If you want to take the safest route in terms of data protection, you should refrain from sending fax messages and switch to other technologies, e.g. end-to-end encrypted e-mail.
However, it must be taken into account that the supervisory authority in Bremen has primarily deemed inadmissible the sending by fax of special categories of personal data within the meaning of Art. 9(1) of the GDPR. It is questionable whether this strict view will also prevail for "ordinary" personal data. Furthermore, in the vast majority of cases the recipient discloses the fax number himself or herself and thus deliberately uses a technically insecure procedure. A recipient who then criticises the receipt of a fax message as inadmissible under data protection law is, in our view, behaving contradictorily.
We are at your disposal as advisors in the entire field of IT/IP and data protection law
GoldbergUllrich Lawyers 2021
Julius Oberste-Dommes LL.M. (Information Law)
Specialist lawyer for information technology law