German Data Protection Authority Says GDPR Requires Email To Use At Least Transport Layer Encryption
from the but-why,-is-not-entirely-clear dept
As Techdirt has reported, the EU’s GDPR legislation certainly has its problems. But whatever you think of it as a privacy framework, there’s no denying its importance and global reach. That makes a recent ruling by a data protection authority in Germany of wider interest than the local nature of the decision might suggest. As Carlo Pilz reports in his post examining the case in detail, the Data Protection Authority of North Rhine-Westphalia (Landesbeauftragte für Datenschutz und Informationsfreiheit Nordrhein-Westfalen — LfDI NRW for short) looked at what the GDPR might mean for email — in particular, whether it implied that email should be encrypted in order to protect personal information, and if so, how.
The LfDI NRW made a fundamental distinction between encryption at the content level and encryption at the transport level for the transmission of emails. The former encrypts content and attachments, using technology such as S/MIME and OpenPGP. However, the metadata associated with an email is not encrypted. With transport layer encryption, both the content and the metadata is encrypted. Pilz explains:
LfDI NRW therefore assumes that without exception at least transport encryption must always be implemented. As mentioned above, such a mandatory encryption obligation does not result from the GDPR. One could therefore argue that this view goes beyond the requirements of the GDPR. In its assessment, the authority may assume that transport encryption is now the “state of the art” mentioned in Art. 32 para 1 GDPR. This could be supported by the reference to the European providers. Nevertheless, Art. 32 para 1 GDPR provides, in addition to the feature “state of the art”, for further criteria which must be taken into account for the measures to be implemented, such as in particular the risk of varying likelihood and severity for the rights and freedoms of natural persons. Thus, under the GDPR, controllers and processors should still be able to assess whether encryption of the data is absolutely necessary on the basis of these characteristics. Unfortunately, the opinion of the authority does not go into the individual criteria mentioned in Art. 32 para 1 GDPR in detail and does not justify its opinion.
So the newly-published position of the German data protection authority is not exactly clear as to why it thinks transport layer encryption must be used, although it does specify which standard must be followed: BSI TR-03108-1: Secure E-Mail Transport (pdf). It also mentions that transport layer encryption may not be enough when dealing with particularly sensitive personal information. This includes “account transaction data, financing data, health status data, client data from lawyers and tax consultants, employee data”. The problem here is that even though encrypted in transit, the emails are stored in cleartext on the servers. To address this, LfDI NRW says that additional security measures are required, for example using end-to-end encryption, or even falling back to physical postal delivery of highly-sensitive documents.
Because of the way GDPR is enforced, it’s worth noting that the opinion of the LfDI NRW does not automatically determine the policies everywhere in the EU. It may influence the thinking elsewhere, but it’s possible that other data protection authorities in the EU might disagree with this interpretation — in which case the Court of Justice of the European Union would be called upon to adjudicate and offer a definitive interpretation. However, at the very least, the LfDI NRW’s position indicates that the GDPR is likely to impact when and how email encryption is deployed by companies operating in the EU, along with all the other areas it touches upon.