What is the state of the art?

State of the art in the GDPR - definition, relevance, implementation

The state of the art criterion in the GDPR

In the sections "General Obligations" and "Security of Personal Data", Articles 25 and 32 GDPR require that appropriate technical and organisational measures be taken to protect personal data. The state of the art is named as one of several criteria by which the appropriateness of these measures is judged.

The criteria mentioned in addition to the state of the art are:

  • The costs of implementation
  • The nature, scope, context and purposes of the processing
  • The varying likelihood and severity of the risks that the processing poses to the rights and freedoms of natural persons

The state of the art is therefore the only one of these criteria that addresses the technological side of assessing whether a measure to protect personal data is appropriate. The GDPR is silent on what the state of the art actually is. It is what German law calls an indefinite legal term (unbestimmter Rechtsbegriff).

That makes perfect sense. By referring to a technical standard of knowledge, the law stays open: it does not have to be continuously amended to keep up with scientific and technical developments. The Federal Constitutional Court (BVerfG) also sees this as promoting the protection of fundamental rights. According to the court, fixing a particular standard in law through rigid rules would inhibit rather than promote further technical development and the appropriate safeguarding of fundamental rights. Since the protection of personal data is itself a fundamental right (Article 8(1) of the Charter of Fundamental Rights of the European Union), this reasoning can certainly be applied here, even though it does not come from a judgment on data protection.

Definition and classification of the technical standard

In German law, two further standards are frequently cited alongside the state of the art: the "generally recognised rules of technology" and the "state of science and technology". The Federal Constitutional Court established a corresponding three-tier gradation in a 1978 ruling (BVerfG - 2 BvL 8/77).

This classification places the state of the art between the generally recognised rules of technology as the lowest standard and the state of science and technology as the highest.

For the generally recognised rules of technology, it is enough to establish the prevailing opinion among technical practitioners. Put simply, this is the tried and tested.

By adopting the state of the art as its standard, the GDPR makes clear that general recognition and proven practice are not sufficient for the protection of personal data. Rather, those with technical expertise must engage with the open questions of their field in order to determine what is technically necessary, suitable and appropriate.

However, the requirement is not so strict that the latest scientific and technical findings, which make up the state of science and technology, must be implemented. Measures that meet the state of the art should still enjoy a certain degree of recognition and have proven themselves in practice.

Concrete example: e-mail encryption

To make this classification of the state of the art, which may still seem abstract, more concrete, we illustrate it using e-mail encryption:

When encrypting e-mails, a basic distinction is made between transport encryption and content (end-to-end) encryption.

  • Transport encryption is the encrypted transmission of the message between two endpoints, usually two mail servers. It protects only the transmission path, not the message itself, and it is negotiated separately on each hop. Every mail server that relays the message therefore sees it in plain text, and because mail servers typically use TLS opportunistically, often without verifying the peer's certificate, an active attacker on the path (a man-in-the-middle) can still downgrade or subvert the encryption and read the content.
  • Content or end-to-end encryption protects against this. The sender encrypts the message to the recipient's key before sending it, and only the recipient, who holds the matching private key, can decrypt it. Anyone who intercepts the message on the way, including the relaying mail servers, sees only ciphertext. Note that the header fields (sender, recipient and usually the subject) remain readable in transit even then.

The following analogy does not capture the technical complexity of e-mail encryption, but it does make the differences clear:

  • Sending a postcard is unencrypted.
  • If the postcard is carried in a locked box from one post office to the next, the transport is encrypted; each post office along the way can still read it when it moves the card into the next box.
  • If the card is written in a cipher that only the sender and recipient know, the content is encrypted.
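The hop-by-hop nature of transport encryption described above leaves traces that can be checked after the fact: the receiving server of each hop records in the Received: header it prepends whether the session was protected by TLS (the "with ESMTPS" keyword from RFC 3848, and in Postfix additionally "(using TLSv1.3 with cipher ...)"), while content encryption shows up in the body's Content-Type (S/MIME: application/pkcs7-mime with smime-type=enveloped-data; PGP/MIME: multipart/encrypted with protocol="application/pgp-encrypted"). The following Python script is example code written for this page, not a tool from the original article; the two messages, hostnames, IPs and queue IDs are constructed, and the S/MIME body is a placeholder rather than a real CMS structure.

```python
"""Report, per hop, whether an e-mail was transport-encrypted, and whether
its content is encrypted at all (S/MIME or PGP/MIME).

Example code written for this article. Sample messages are constructed;
hostnames, addresses, IPs and queue IDs are invented.
"""
from __future__ import annotations

import re
from email import message_from_string
from email.message import Message

# Constructed: three hops, the first (laptop -> submission server) without TLS.
SAMPLE_PLAINTEXT = """\
Received: from mx.example.net (mx.example.net [198.51.100.7])
\tby mail.recipient.example (Postfix) with ESMTPS id 4F0C9A21
\tfor <bob@recipient.example>; Mon, 1 Jan 2024 10:00:05 +0000
Received: from smtp.sender.example (smtp.sender.example [192.0.2.10])
\t(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits))
\tby mx.example.net (Postfix) with ESMTPS id 9B1D2E3F
\tfor <bob@recipient.example>; Mon, 1 Jan 2024 10:00:03 +0000
Received: from [10.0.0.5] (alice-laptop.sender.example [10.0.0.5])
\tby smtp.sender.example (Postfix) with ESMTP id 1A2B3C4D
\tfor <bob@recipient.example>; Mon, 1 Jan 2024 10:00:01 +0000
From: alice@sender.example
To: bob@recipient.example
Subject: findings
Content-Type: text/plain; charset=us-ascii

Blood test results attached.
"""

# Constructed: one TLS hop, S/MIME enveloped (encrypted) body; body is a placeholder.
SAMPLE_SMIME = """\
Received: from smtp.sender.example (smtp.sender.example [192.0.2.10])
\tby mx.example.net (Postfix) with ESMTPS id 9B1D2E3F
\tfor <bob@recipient.example>; Mon, 1 Jan 2024 10:00:03 +0000
From: doctor@sender.example
To: bob@recipient.example
Subject: findings
Content-Type: application/pkcs7-mime; smime-type=enveloped-data; name="smime.p7m"
Content-Transfer-Encoding: base64

cGxhY2Vob2xkZXI=
"""

# "from <sending host> ... by <receiving host>" in a whitespace-normalised Received: value
_FROM_BY = re.compile(r"^from\s+(\S+).*?\bby\s+(\S+)", re.IGNORECASE)
# RFC 3848 / RFC 6531 "with" keywords; an S before the optional A means TLS was used
_WITH = re.compile(r"\bwith\s+((?:UTF8)?E?SMTPS?A?|LMTPS?A?)\b", re.IGNORECASE)
# Postfix ("using TLSv1.3 ...") and Sendmail ("version=TLSv1.3 ...") style annotations
_TLS_VERSION = re.compile(r"\b(?:using|version=)\s*(TLSv[\d.]+|SSLv\d)", re.IGNORECASE)


def classify_hops(msg: Message) -> list[dict]:
    """One record per hop, oldest first (Received: headers are prepended, so reverse)."""
    hops = []
    for raw in reversed(msg.get_all("Received", [])):
        value = re.sub(r"\s+", " ", raw).strip()      # unfold the header
        from_by = _FROM_BY.search(value)
        with_kw = _WITH.search(value)
        version = _TLS_VERSION.search(value)
        keyword = with_kw.group(1).upper() if with_kw else ""
        # ESMTPSA = TLS + authenticated; ESMTPA = authenticated but NOT encrypted
        tls = keyword.rstrip("A").endswith("S") or version is not None
        hops.append({
            "from": from_by.group(1) if from_by else "?",
            "by": from_by.group(2) if from_by else "?",
            "keyword": keyword or "?",
            "tls": tls,
            "tls_version": version.group(1) if version else None,
        })
    return hops


def content_encryption(msg: Message) -> str | None:
    """Name the content-encryption scheme, or None if the body is not encrypted."""
    ctype = msg.get_content_type()
    if ctype in ("application/pkcs7-mime", "application/x-pkcs7-mime"):
        # smime-type=signed-data is a signature only; enveloped-data is encrypted
        if str(msg.get_param("smime-type") or "").lower() == "enveloped-data":
            return "S/MIME"
    if ctype == "multipart/encrypted":
        if str(msg.get_param("protocol") or "").lower() == "application/pgp-encrypted":
            return "PGP/MIME"
    return None


def assess(raw_message: str) -> dict:
    """Summarise transport protection per hop and content protection of one message."""
    msg = message_from_string(raw_message)
    hops = classify_hops(msg)
    return {
        "hops": hops,
        "all_hops_tls": bool(hops) and all(h["tls"] for h in hops),
        "content_encryption": content_encryption(msg),
    }


if __name__ == "__main__":
    for name, sample in (("plaintext", SAMPLE_PLAINTEXT), ("S/MIME", SAMPLE_SMIME)):
        report = assess(sample)
        print(f"== {name}: all hops TLS={report['all_hops_tls']}, "
              f"content encryption={report['content_encryption']}")
        for i, h in enumerate(report["hops"], 1):
            print(f"  hop {i}: {h['from']} -> {h['by']} via {h['keyword']} "
                  f"TLS={h['tls']} {h['tls_version'] or ''}")
```

Two caveats apply when reading such a report. Only the Received: lines written by servers you control are trustworthy; a relay outside your control can omit or forge the annotation. And the check is after the fact: to enforce transport encryption towards a given destination, the sending server has to be configured to require it (for example Postfix's smtp_tls_security_level = encrypt) or the destination has to publish an MTA-STS policy.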

Since many e-mails are still sent completely unencrypted, it is argued that the use of transport encryption, usually by means of the Transport Layer Security (TLS) protocol, is not yet a generally recognised rule of technology. It is therefore the state of the art.

But this will change. Almost every practitioner considers transport encryption necessary, and TLS has by now been deployed more or less across the board in professional environments. The use of transport encryption in business e-mail traffic will therefore become one of the generally recognised rules of technology in the foreseeable future.

Content encryption using S/MIME or PGP, on the other hand, is by no means an established standard everywhere yet. But it is already so well proven in practice that it can no longer be called the state of science and technology. Encryption of e-mail content is therefore also state of the art.

Encryption at the level of the state of science and technology would be, for example, the use of quantum cryptography (quantum key distribution).

Does this mean that content encryption must be implemented as a technical protective measure whenever personal data is sent by e-mail? Not necessarily. As stated at the beginning of this article, the state of the art is only one of several criteria by which the appropriateness of a technical and organisational measure is judged. The other criteria listed by the GDPR are the costs of implementation, the nature, scope, context and purposes of the processing, and the likelihood and severity of the risk.

In the e-mail example, the requirements for encryption depend primarily on the risk to a natural person if a third party could read the data sent. In other words: the more sensitive the content (in data protection terms), the higher the technical requirements for encrypting the e-mail, and the more weight the state of the art carries.

If, for example, the results of a medical examination (particularly sensitive personal data) are to be sent by e-mail, greater technical effort is required than for sending ordinary invoices (simple personal data). The state-of-the-art criterion must then be given more weight and stricter requirements apply. The doctor must therefore also use content encryption, whereas transport encryption is sufficient for the sender of an ordinary invoice.

This also reflects the current view of the supervisory authorities, which require transport encryption for the transmission of personal data and extend this requirement to content encryption as soon as special categories of personal data, such as health data, are involved.

Action notes on the state of the art

  • Keep an eye on the state of the art. Given the pace of technical development, it may well mean in the foreseeable future that content encryption becomes the default.
  • Think about a general risk assessment. Only those who have first considered the risk associated with a given processing activity can, in a second step, choose appropriate measures that reflect that risk.
  • Use the requirements of data protection law to protect the company's own assets. Data protection is primarily about fundamental rights, but the technical specifications it leads to also protect the company's data through the same security measures.

If you would like to find out more about e-mail encryption, you will find a comprehensive guide on our website. You will also find numerous practical guides on other aspects of technical data protection that discuss the state of the art and explain it for the application in question. Last but not least, our newsletter will tell you when the current requirements for the "state of the art" change.