In the case in question, the Danish Data Protection Agency examined, on its own initiative, the self-service facility of the National Police of Denmark to apply for a firearms certificate. The Agency found that the self-service facility used an outdated encryption standard, TLS 1.0, prompting it to criticise the National Police of Denmark.
The Agency stated that personal data “worthy of protection” must be secured by using transport layer security (TLS) encryption protocols supporting TLS version 1.2 or higher.
This decision is hardly a surprise and is entirely in line with the Agency’s recent decisions. However, it does provide a good opportunity for outlining the requirements that apply to the encryption of personal data exchanged via the internet, for instance in e-mails or by submission of online forms. The outline below is focused on e-mails, as this is relevant for everyone.
What level of encryption is needed for exchanging personal data via e-mail?
E-mails may generally be encrypted in one of two ways:
First and foremost, the actual transport of the e-mail may be encrypted. This is called Transport Layer Security (TLS).
The Agency’s recommendation is that TLS encryption must be used in all cases where confidential personal data, such as civil registration numbers, or sensitive personal data, such as health records, are sent by e-mail. The encryption protocol must support TLS version 1.2 or higher, and it must be forced. Forced TLS encryption means that an e-mail cannot be sent if the recipient’s e-mail server does not, at a minimum, support TLS version 1.2.
A standard configuration Outlook Exchange e-mail server, which is currently used by a large number of businesses, is generally configured to so-called opportunistic TLS, which means that the e-mail is always sent to the recipient – even if the recipient’s e-mail server does not support TLS encryption. This means that as a data controller, you risk sending e-mails without transport layer encryption. As a data controller in Denmark, you are therefore advised to manually configure your e-mail server to forced TLS, if you send or plan to send confidential and sensitive personal data via e-mail.
What is end-to-end encryption?
The sender may also encrypt the actual contents of the e-mail. This is called end-to-end encryption. End-to-end encryption requires the use of a dedicated encryption protocol. The recipient must use the same protocol in order to view the contents of the e-mail. For instance, NemID may be used for end-to-end encryption through the NemID extension program, which may currently be installed in Outlook and Thunderbird.
End-to-end encryption is generally only necessary if you send sensitive or confidential personal data about “a large number” of data subjects. What specifically constitutes “a large number” of data subjects is unclear and must be determined in each individual case.
Do you want to learn more about e-mail encryption?
You are welcome to contact Attorney Mathias Bartholdy, who is a certified IT attorney and a GDPR specialist.