One of the biggest challenges in meeting data protection requirements is to translate the general principles and rules into concrete actions and daily routines. How much and what data is needed to achieve a particular purpose? How can we obtain the necessary consent? How can we provide proper information to data subjects about a specific data processing activity? How do we manage access to certain categories of data? How can e-mails containing personal data be protected?
In practice, a huge number of questions like these arise, and in achieving an adequate level of data protection it is of paramount importance to find the right measures that fit the whole process of personal data management and are proportionate to the potential risks. In the following post, the question of encrypting e-mails is discussed.
Due to the widespread use of e-mail, the question of protecting personal data sent via e-mail can affect a lot of people. What measures can be used to protect the data? What is the extent of the responsibility of data controllers and data processors? What questions should be considered when choosing the appropriate technical and organizational measures?
What specific data security measures are prescribed by the GDPR?
The GDPR does not specify exactly which measures are to be taken to meet data security standards. It lays down integrity and confidentiality as a basic principle, which requires data controllers to guarantee the security of personal data and to protect data from incidents, including unauthorized access and loss of data. Designing and developing the whole data processing activity with regard to the principles of data protection by design and by default can help to meet the data security level the GDPR requires.
In addition to these general expectations, the GDPR also provides some specific rules that can be relied upon to meet data security requirements (see, in particular, Article 32 of the GDPR). Among these, besides pseudonymisation, encryption of personal data is referred to several times as a recommended data security measure.
Recital 83 of the GDPR (paragraph 83 of its preamble) also sets forth that
In order to maintain security and to prevent processing in infringement of this Regulation, the controller or processor should evaluate the risks inherent in the processing and implement measures to mitigate those risks, such as encryption.
How is practice regarding encryption developing?
E-mail encryption became mandatory in Denmark. Earlier, on the basis of a recommendation of the Danish Data Protection Authority (Datatilsynet), the use of encryption was only recommended for sending e-mails containing personal data. As of January 1, 2019, the new requirements are enforced, following a six-month preparation period. No detailed requirements for the encryption method have been defined.
The North Rhine-Westphalia Authority for Data Protection and Freedom of Information (LDI NRW) recently published its guidelines on technical measures for sending e-mails. The authority declares that both e-mail content and metadata may contain personal data.
The guidelines issued by LDI NRW examine the possibilities of encrypting the content of e-mail messages and of encrypting them during transmission. Content encryption protects the e-mail body and attachments, but does not cover metadata (headers such as sender, recipient and subject). Among the solutions in use, the authority mentions the S/MIME (Secure/Multipurpose Internet Mail Extensions) and OpenPGP (Pretty Good Privacy) standards. (A 2018 study analyzes vulnerabilities of such solutions: Efail: Breaking S/MIME and OpenPGP Email Encryption using Exfiltration Channels.) Encryption is applied on the sender's side and removed on the recipient's. The other basic option is to encrypt e-mails during transmission (transport encryption with TLS).
In North Rhine-Westphalia, the following basic requirements must be met for e-mail encryption:
- At least encryption during transmission must be ensured (subject to the recommendation "BSI TR-03108 Secure E-Mail Transport" issued by the German Federal Office for Information Security, BSI).
- Depending on the nature of the data sent and the risks involved, it is possible to deviate from the above recommendation (note that with encryption during transmission only, e-mails can be accessed on the servers without encryption). For more sensitive or special categories of data (e.g. health data, financial data or data regarding legal proceedings), encryption applied during transmission is not always sufficient; additional organizational and technical measures (e.g. content encryption) are required.
- The subject field of the e-mail should not contain any personal data.
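To make the difference between content encryption and transport encryption concrete, here is an added Go example; it is not code from the LDI NRW guidelines, the BSI recommendation or any S/MIME or OpenPGP implementation. It wraps a complete inner message in a hybrid envelope in the spirit of S/MIME and PGP/MIME content encryption (AES-256-GCM for the message, RSA-OAEP to wrap the key for the recipient), then parses the resulting wire form the way a relaying mail server would. The addresses, subject and body are constructed sample values, and the envelope format is an illustration rather than real CMS or OpenPGP. It demonstrates the two points made above: a relay still reads From, To and the outer Subject in cleartext, which is why the real subject travels inside the ciphertext and the outer subject is a neutral placeholder; and with transport-only TLS none of this protection would exist, since the inner message would rest in cleartext on every server along the way.

```go
package main
import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"fmt"
	"net/mail"
	"strings"
)

// Envelope is all a relaying server sees: cleartext metadata plus an opaque AES-256-GCM payload (key wrapped with RSA-OAEP).
type Envelope struct {
	From, To   string
	WrappedKey []byte
	Nonce      []byte
	Ciphertext []byte
}

// NewRecipientKey stands in for the recipient's S/MIME certificate or OpenPGP key.
func NewRecipientKey() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

// BuildInner composes the real message; its Subject and body become protected payload.
func BuildInner(subject, body string) string {
	return "Subject: " + subject + "\r\nContent-Type: text/plain\r\n\r\n" + body
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptMessage seals the inner message for one recipient's public key.
func EncryptMessage(pub *rsa.PublicKey, from, to, inner string) (*Envelope, error) {
	buf := make([]byte, 32+12) // AES-256 key followed by a 96-bit GCM nonce
	if _, err := rand.Read(buf); err != nil {
		return nil, err
	}
	gcm, err := newGCM(buf[:32])
	if err != nil {
		return nil, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, buf[:32], nil)
	if err != nil {
		return nil, err
	}
	return &Envelope{From: from, To: to, WrappedKey: wrapped, Nonce: buf[32:],
		Ciphertext: gcm.Seal(nil, buf[32:], []byte(inner), nil)}, nil
}

// Wire renders the RFC 5322 text that travels between servers; the outer Subject is deliberately neutral.
func (e *Envelope) Wire() string {
	b64 := base64.StdEncoding.EncodeToString
	return "From: " + e.From + "\r\nTo: " + e.To + "\r\nSubject: Encrypted message\r\nContent-Type: application/octet-stream\r\n\r\n" +
		b64(e.WrappedKey) + "\r\n" + b64(e.Nonce) + "\r\n" + b64(e.Ciphertext) + "\r\n"
}

// VisibleInTransit reads the wire form as an intermediate MTA would and returns every cleartext header.
func VisibleInTransit(wire string) (map[string]string, error) {
	msg, err := mail.ReadMessage(strings.NewReader(wire))
	if err != nil {
		return nil, err
	}
	seen := map[string]string{}
	for name := range msg.Header {
		seen[name] = msg.Header.Get(name)
	}
	return seen, nil
}

// DecryptMessage recovers the inner message on the recipient's side.
func DecryptMessage(priv *rsa.PrivateKey, e *Envelope) (string, error) {
	key, err := rsa.DecryptOAEP(sha256.New(), nil, priv, e.WrappedKey, nil)
	if err != nil {
		return "", err
	}
	gcm, err := newGCM(key)
	if err != nil {
		return "", err
	}
	plain, err := gcm.Open(nil, e.Nonce, e.Ciphertext, nil)
	return string(plain), err
}

func main() {
	priv, _ := NewRecipientKey()
	inner := BuildInner("Loan application of Jane Doe", "Card number ends in 1234.") // constructed sample
	env, _ := EncryptMessage(&priv.PublicKey, "bank@example.com", "jane@example.com", inner)
	visible, _ := VisibleInTransit(env.Wire())
	plain, _ := DecryptMessage(priv, env)
	fmt.Println("relaying server sees:", visible, "\nrecipient reads:", plain)
}
```

Running it prints the headers a relay can read (From, To, the neutral Subject and Content-Type) followed by the recovered inner message with its real subject. The addresses are still exposed: content encryption hides what was said, not who wrote to whom, which is the metadata point the authority makes and the reason its guidance singles out the subject line.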
In Hungary, e-mail encryption issues have also appeared in the practice of the Hungarian Data Protection Authority.
In the context of a 2018 resolution, the question was raised, in light of the GDPR's provisions on encryption, "is it an appropriate solution for the transmission of personal data via e-mail if the access to e-mails occurs via one or more encrypted connections (and the servers meet all security requirements), and if it is not appropriate, the data transmission in a password-protected compressed format is acceptable instead?" There is no clear guidance in the resolution, as the information available to the Hungarian DPA was not sufficient to establish an official position. The Authority refers to Articles 24 and 32 of the GDPR as the starting point for evaluating data security issues, but also draws attention to the fact that "the obligations of the controller are wider than performing data security measures but in order to develop data processing in compliance with the Regulation, other requirements shall also be taken into account." It is therefore not enough to focus on security measures alone; they must be applied in the context of other obligations (e.g. information obligations) and principles (e.g. data minimisation, purpose limitation).
In a recommendation issued in 2016, the Hungarian DPA addressed the security issues of e-mail transmission in more detail. In the given case, a bank's "IT system sends notifications in connection with certain online services (Internetbank, online investment system) to external e-mail addresses, which often contain sensitive personal information (e.g. transfer data, credit card number, investment transaction data) via non-encrypted channels." The recommendation, which was issued on the basis of the laws in effect before the GDPR, sets out the following:
- it is the duty of the data controller to protect personal data by means of appropriate technical measures against unauthorized access in the course of processing, including when sending personal data via e-mail;
- the data controller must do everything in its power, within the framework of the technical solutions reasonably available to it, to ensure the security of the personal data it processes;
- the data controller cannot be exempted from the requirement to transfer personal data securely by pointing out that, if the receiving e-mail service provider is unable to receive an encrypted message, the message will be sent unencrypted;
- the controller cannot, as a general rule, rely on a technical shortcoming that may exist at other controllers.
In connection with encryption, it is also worth reviewing ENISA's opinion paper issued in 2016 (which is not limited to the encryption of e-mails), as it gives a comprehensive view of the basic expectations regarding encryption.