Update on e-mail encryption

The Danish Data Protection Agency has recently published a supplementary opinion in respect of the announced tightened practice regarding e-mail encryption in the private sector. In this article, we review the issue of e-mail encryption and the Data Protection Agency’s opinions.

The supplementary opinion has been incorporated in the guidelines on when and how data controllers and data processors should encrypt e-mails. The overall description comprises encryption in both the private and public sectors. To read the guidelines, click here

The new practice for the private sector enters into force on 1 January 2019, while the practice for the public sector remains unchanged.

Below, Michael Hopp, Attorney-at-Law, Partner, of Plesner’s Data Protection team, shares his views on the Data Protection Agency’s announcements regarding e-mail encryption:

Risk-based approach

Generally, it is important to remember that the issue of encryption is just one element in the compliance with the requirement of article 32 of the General Data Protection Regulation in relation to “appropriate security measures” – in this connection when sensitive personal data are sent by e-mail.

What constitutes appropriate security measures according to article 32 should be determined on the basis of an overall assessment of the “state of the art, the cost of implementation and the nature, scope, context and purposes of processing” weighed up against “the risks of varying likelihood and severity for rights and freedoms of natural persons”.

At first glance, this may seem quite theoretical, but what it means is that you should start by determining the risk (seen as the product of likelihood and effect) of the affected persons’ right to protection of their personal data, for instance in the event that an e-mail containing personal data is hacked. In this example, it is quite obvious that the risk in the event of hacking is greater for the person involved if the e-mail contains sensitive personal data than if the e-mail contains merely simple, ordinary personal data.

It is important to note that security within the meaning of article 32 is assessed on the basis of the risk to the individual data subject – not the risk to the data controller or the data processor.

The risk is to be weighed up against the state of the art, the costs associated with the security measures and the circumstances of the processing in general. What constitutes appropriate security measures at any given time will therefore change in step with technological advances and the costs of implementing the security measures.

Accordingly, the overall assessment will guide the data controller or the data processor to the specific initiatives/security measures to be implemented in order to comply with article 32.

You can read much more about data protection in the guidelines on “Behandlingssikkerhed og Databeskyttelse gennem design og standardindstillinger” (“Security of Processing and Privacy by Design and Default”), which is available at the Data Protection Agency’s website (Danish version only). Here you will also find the guidelines on “Risk assessment”.

E-mail encryption in the private sector

In its opinion on e-mail encryption in the private sector, the Data Protection Agency has attempted to translate the assessment in the risk-based approach into a kind of rule by taking the general view that e-mails containing sensitive personal data and confidential personal data must be encrypted.

Sensitive personal data are defined in article 9 of the General Data Protection Regulation and include information related to:

  • Racial or ethnic origin
  • Political opinions
  • Religious or philosophical beliefs
  • Trade union membership
  • Genetic data (see special definition)
  • Biometric data for the purpose of unique identification (see special definition)
  • Data concerning health (see special definition)
  • Data concerning a person’s sex life or sexual orientation

Confidential personal data are not defined in the General Data Protection Regulation, but first and foremost they comprise information about criminal offences, i.e. information comprised by article 10 of the General Data Protection Regulation and section 8 of the Danish Data Protection Act. The concept of criminal offences is to be interpreted broadly.

Confidential personal data also comprise information about civil registration (CPR) numbers, see section 11 of the Data Protection Act.

In addition, confidential personal data comprise other information, which according to the general public perception should not be put into the public domain, see section 152 of the Danish Criminal Code compared with section 27 of the Danish Public Administration Act.

Ordinary, non-sensitive personal data will therefore be confidential in certain situations. This applies in any case to the additional information comprised by the old section 8 of the Data Protection Act, i.e. information about significant social problems and grounds for expulsion etc. In the opinion of the Data Protection Agency, confidential information may also, depending on the circumstances, include information about income and financial position as well as job-related, education and employment matters. The same applies to information about internal family matters, including information about e.g. suicide attempts and accidents.

Finally, confidential personal data normally also comprise personal data which have been rendered confidential by special regulations (special acts etc.).

Methods of encryption

In July 2018, the Data Protection Agency announced that, going forward, it would consider the use of encryption for the transmission of confidential and sensitive personal data by e-mail via the Internet to be an appropriate security measure in normal circumstances – in the public sector as well as in the private sector.

At the time, it was not specified which form of encryption would be deemed to be required or to be appropriate, but the subsequent media coverage left the impression that end-to-end encryption would be required. This gave rise to some concern among businesses, in particular businesses communicating extensively with private individuals, as most private individuals would not be able to receive encrypted e-mails.

The Data Protection Agency has now specified that end-to-end encryption must be deemed appropriate in special cases, e.g. for transmission of large amounts of sensitive or confidential data about a large number of data subjects, but that in many cases transport layer encryption will generally suffice.

From a practical/administrative point of view, this is good news, as end-to-end encryption, although probably providing a higher level of security in general, is more demanding to implement and maintain and, moreover, involves certain business risks – besides the fact that, as mentioned above, most private individuals will not be able to receive encrypted e-mails.

End-to-end encryption requires exchange of keys between the parties, causing inconvenience in having to exchange and subsequently manage keys.

Using personal keys may give rise to dependence on individuals (as, basically, only the individuals involved know about the key). Dependence on individuals may of course be prevented by establishing an internal “key cabinet”, where key holders are required to deposit a copy of their password, much in the same way as it has been common practice in the IT area to deposit a copy of administrator passwords. However, this solution is not completely without its challenges, as you would have to consider how to safeguard against unauthorised access to deposited keys. Another challenge is the risk that a key holder forgets to update his/her deposited password when a password is changed.

An alternative solution could be to have joint keys known by a number of individuals. However, this solution is just about as (im)practical as using joint passwords. It requires a change of password every time a person who knows the key leaves the group and that all other persons in the group are informed about the new key. Moreover, if symmetric encryption is used, coordination with the other party is required in connection with key replacement.

It therefore makes good sense that end-to-end encryption requirements are limited to situations in which large amounts of sensitive or confidential data are exchanged. For businesses only having to do this every once in a while, the burden will probably be manageable whenever the need arises, and businesses with a regular need will generally at any rate have to establish formalised processes, thereby making it less burdensome in relative terms for such businesses to establish a setup for the secure handling of keys.

For other messages, which “only” require transport layer encryption, the Data Protection Agency specifies that it is the recipient’s responsibility if he or she chooses to use an unsecure mail service and that the sender will generally be deemed to have taken appropriate measures by trying to encrypt the message.

This specification serves an important purpose. However, as the Data Protection Agency notes, it will ultimately be the responsibility of the data controller and the data processor to assess what constitutes “appropriate security measures”. It is therefore important that you do not blindly lean on the guidelines, but that you constantly assess each individual situation on its own merits. It is important to keep up to date on technological advances and developments in the threat scenario, as this may change the definition of “appropriate security” in future.

Latest news on Data Protection Law

Data Protection Law