September 08, 2023

A fake e-mail meant that the purchase of a car did not go through and the seller waited in vain for his money. The Higher Regional Court of Karlsruhe now had to clarify whether the buyer had not fulfilled his obligations or whether the car dealer had to take special measures to protect his mail traffic.

The present case & decision of the lower courts

A car dealer and the managing director of a company agreed over the phone on a purchase price of €13,500 for a car. The invoice was to be sent by e-mail. However, the buyer received two e-mails in quick succession, one genuine and one fake. A fraudster had hacked the car seller's e-mail account and exchanged the payment information, as he had previously done in other transactions.

Although the fake e-mail addressed the buyer with the formal "Sie", even though the two were already on a first-name basis, and contained a few other linguistic errors, he transferred the purchase amount to the fraudster's account. The seller waited in vain for his €13,500, tried to sue for it in court and failed in the first instance.

OLG contradicts the lower court

In contrast to the lower courts, the OLG Karlsruhe did not consider §362 BGB to be fulfilled: the money had been transferred to a third-party account, which meant that the payment obligation had not been performed.

The court found that the car dealer was not obliged to take special security precautions, such as the implementation of SPF (Sender Policy Framework) or special encryption techniques. A breach of security precautions could give rise to a claim for damages pursuant to Section 280 para. 1 BGB. The buyer could assert this by way of the so-called dolo agit plea, but the judges in Karlsruhe did not see any such breach here.

What does the GDPR say?

As the contracting parties had not concluded any special security agreements, the OLG did not consider that any specific obligations arose from the General Data Protection Regulation (GDPR). In fact, the GDPR was not applicable because the case did not concern the personal data of natural persons.

The legitimate security expectations of the contractual partners

The Higher Regional Court of Karlsruhe concluded that the decisive factor was the legitimate security expectations of the parties involved. Accordingly, the buyer could not assume that the e-mail or the attached PDF file would be specially encrypted, as this is not customary in business transactions. Nor could he expect certain system requirements for end-to-end encryption or transport encryption via Transport Layer Security (TLS) to be met. On the contrary, the court positively emphasized the seller's security measures. The seller changes the password for mail access every two weeks, and it is then known to only two people. In addition, a virus scanner is used and the firewall is active.
