Does E-Mail Communication Need to be Encrypted?
July, 2020 - Philip Kempermann, LL.M.
Setting the right standard to ensure compliance with the technical and organizational safeguards for data security required under Art. 32 GDPR is a challenge for many companies when it comes to electronic communications – not least e-mail. The Conference of Independent German Federal and State Data Protection Supervisory Authorities (DSK) has issued guidance on the topic. The guidance represents a majority resolution of the German states, with Bavaria dissenting. It sets out in detail the technical and organizational safeguards that, in the view of the DSK, controllers under data protection law must implement for e-mail communication.
OBLIGATION TO IMPLEMENT SAFEGUARDS
The DSK sees the controller and each processor as being under an obligation to minimize the risks to personal data that arise when e-mails are sent and received. The obligation to implement adequate technical and organizational safeguards arises from Art. 5 (1) (f), Art. 25 and Art. 32 GDPR. Art. 32 GDPR thus establishes a central standard whereby controllers and processors are required to implement suitable technical and organizational measures. To ascertain which measures are appropriate, the controller needs to balance various interests, in particular the risk to personal data.
ENCRYPTION METHODS FOR E-MAIL COMMUNICATION
According to the DSK, the current state of the art offers two suitable technical safeguards for communication by e-mail: (qualified) transport layer encryption and end-to-end encryption. Without encryption, an e-mail and all the data it contains can be read by anyone who intercepts the traffic. Transport layer encryption (also known as point-to-point encryption) involves the encrypted transmission of an e-mail. In simple terms, an e-mail is sent from the sender’s computer to the recipient’s computer via the servers of the sender’s and recipient’s e-mail providers, and the content is encrypted while in transit between these systems. Transport layer encryption is carried out automatically if it is activated on the respective servers, i. e. without the sender and recipient having to perform any special steps. With end-to-end encryption, an e-mail is encrypted on the sender’s system, transmitted in this form, and only decrypted when it reaches the recipient. It guarantees a higher level of protection, but requires additional measures. For example, the sender and recipient need to exchange keys in advance in order to be able to read the messages.
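Whether a receiving server actually offers transport layer encryption, and at what quality, can be checked rather than assumed. The following script is an added example and not part of the DSK guidance or this article: it speaks ESMTP to a mail server, records whether STARTTLS is offered and which TLS version is negotiated, and classifies the result. The threshold it uses for "qualified" (TLS 1.2 or newer with a verifiable certificate) is an assumption chosen for the example, not a value taken from the guidance; the host names in the test data are constructed.

```python
from __future__ import annotations
import smtplib
import ssl

# Assumption for this example (not from the DSK guidance): STARTTLS on TLS 1.2+
# with a certificate that validates counts as "qualified", any other working
# STARTTLS session as plain transport encryption, no STARTTLS as unencrypted.
QUALIFIED_TLS_VERSIONS = {"TLSv1.2", "TLSv1.3"}


def parse_ehlo_extensions(ehlo_body: bytes) -> set[str]:
    """Extract ESMTP extension keywords from the body of an EHLO reply
    (smtplib returns one line per 250 line: greeting first, then extensions)."""
    lines = ehlo_body.decode("ascii", errors="replace").splitlines()
    return {line.split()[0].upper() for line in lines[1:] if line.strip()}


def classify_transport(extensions: set[str], tls_version: str | None,
                       cert_ok: bool) -> str:
    """Map what the server offered to the levels the guidance distinguishes."""
    if "STARTTLS" not in extensions or tls_version is None:
        return "unencrypted"
    if tls_version in QUALIFIED_TLS_VERSIONS and cert_ok:
        return "qualified transport encryption"
    return "transport encryption"


def _negotiate(host: str, port: int, verify: bool, timeout: float):
    """EHLO, then STARTTLS if offered; return (extensions, negotiated TLS version)."""
    ctx = ssl.create_default_context()   # verifies chain and hostname by default
    if not verify:                        # second pass: only record the version
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        _code, body = smtp.ehlo()
        extensions = parse_ehlo_extensions(body)
        if "STARTTLS" not in extensions:
            return extensions, None
        smtp.starttls(context=ctx)
        return extensions, smtp.sock.version()   # e.g. "TLSv1.3"


def probe_mx(host: str, port: int = 25, timeout: float = 10.0) -> str:
    """Classify one server; a certificate failure still records the TLS version."""
    try:
        extensions, version = _negotiate(host, port, True, timeout)
        return classify_transport(extensions, version, cert_ok=True)
    except ssl.SSLError:
        extensions, version = _negotiate(host, port, False, timeout)
        return classify_transport(extensions, version, cert_ok=False)
```

Run `probe_mx("<your MX host>")` against your own or a partner's receiving server; a result of "unencrypted" means the minimum the DSK requires for sending is not available on that path.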
MEASURES REQUIRED IN ALL CASES
According to the DSK, the following principles apply to the sending and receipt of e-mails:
- The sending of e-mails must always be protected at least by transport layer encryption (see part 5.1 of the guidance for the technical details).
- If sensitive data is being sent, additional measures such as end-to-end encryption (see part 5.3) and qualified transport layer encryption need to be implemented. Sensitive data is data that requires particular protection. This may be personal data, but also other data such as account information.
Whether it is possible to consent to the sending of unencrypted e-mails is disputed (see below).
The requirements for qualified transport layer encryption are set down in part 5.2 of the guidance and mainly consist of compliance with technical standards and cryptographic principles.
ARE SAFEGUARDS ALSO REQUIRED ON THE RECEIVING SIDE?
The obligation to implement safeguards actually lies with the sender of an e-mail because, from the perspective of data-protection law, the recipient is not the controller of the transmitted personal data. At the same time, however, the DSK believes that a recipient would need to take safeguards, for example, if they ask the sender to send personal data. Accordingly, transport layer encryption should be guaranteed when receiving e-mails of a normal risk level. For high risks, the DSK requires both qualified transport layer encryption and the receipt of end-to-end encrypted messages to be enabled. An example of a high risk level may involve data concerning health that a health insurance company acting as a controller asks its customers to send by e-mail.
STRICTER REQUIREMENTS FOR PERSONS SUBJECT TO PROFESSIONAL SECRECY
The DSK imposes additional requirements on persons subject to professional secrecy. Persons subject to professional secrecy include all professional groups set out in section 203 (1) German Criminal Code (Strafgesetzbuch, StGB), in particular doctors, pharmacists, lawyers, and accountants. According to the DSK, at high risk levels these controllers – in addition to the requirements for sending and receiving e-mails set out above – are obligated to deploy encryption in order to ensure that messages can only be decrypted by persons who are authorized to view the content of the messages. That means, for example, that when deciding on suitable measures to safeguard the personal data contained in the message, it also needs to be considered whether any third parties may be able to access the recipient’s mailbox. This may be the case, for instance, if proxy accounts have been set up.
OTHER WEB-BASED FORMS OF COMMUNICATION
The DSK believes that e-mail transmission must not take place if the requisite safeguards cannot be implemented. In that case, other communication channels need to be used. Alongside “analogue” communication, this may also entail other web-based methods such as a web portal or cloud solutions. If the controller offers such an option, it must also provide adequate technical and organizational safeguards (e. g. encrypted connections, prior encryption of the content if need be).
CONSENT TO UNENCRYPTED COMMUNICATION
The question arises here as to whether consent given by the data subject may permit the controller to implement fewer or no security measures. The DSK guidance provides no instruction with regard to this controversial question. A common argument against the existence of such an opt-out is that Art. 32 GDPR does not expressly provide for one. However, that is too narrow a view. If data subjects can create a legal basis for processing by granting their consent (Art. 6 (a) GDPR), then they can certainly determine the modalities of the processing, such as the appropriate safeguards. However, the strict requirements for consent under Art. 4 (11), Art. 6, Art. 7 GDPR must be observed. In particular, consent can only ever be given by the data subject. An employer cannot give consent on behalf of their employees, for example. Thus, consent will never be deemed to have been given where personal data of people not participating in the direct e-mail communication is involved.
SUMMARY AND RECOMMENDED ACTIONS
Controllers who use e-mail and other electronic communication must first ascertain the risks involved in the various processing situations (see also DSK brief no. 18). In a second step, the necessary technical and organizational safeguards can then be ascertained and implemented. In practical terms, it is not possible to perform such an assessment for each individual communication process. For that reason, the following procedure should be adopted:
- First, each communication medium needs to be considered individually because different risks arise from varying technical conditions and require different safeguards.
- Next, different classes of data that are sent via the respective medium need to be defined. It cannot be assumed that every communication via a specific medium involves the transmission of equally sensitive data. For example, an e-mail could contain a proposed appointment for a meeting or comprehensive data concerning health. The more sensitive and comprehensive the data is, the stricter the security requirements need to be. This evaluation process should be comprehensively documented. The result is a flexible toolkit of security measures that permits an adequate level of protection depending on the specific risk assessment.
- In a third step, a policy must be in place that enables all employees who use e-mail communication and similar media to determine which safeguards need to be taken for each medium and class of communication or transmitted personal data. For example, the policy may require implementation of end-to-end encryption for data concerning health. Transport layer encryption should be prescribed as the general minimum protection. Compliance with the policy must be regularly monitored by the controller.
- In a fourth step, customers and other communication partners must be notified so that they can adapt to the technical conditions and implement any technical precautions they may need to take for their part. Alternatively, consent to lower safeguards may be obtained in some cases.