Danish DPA on email encryption (TLS vs. end-to-end)

From the 2018 annual report (Google translation, so there may be flaws)
http://www.datatilsynet.dk/media/7896/aarsberetning_2018.pdf

Encryption of emails

  • On 23 July 2018, the Danish Data Protection Agency (Datatilsynet) published a review of processing operations in which confidential and sensitive personal data was sent by e-mail over networks outside the data controller's control (e.g. the Internet).
  • The conclusion of this review was that data controllers, for every processing operation they carry out, must assess the risk to the rights of the data subjects; that the risk profile of an unencrypted e-mail sent over a network the controller does not control lies at the high end of the scale; and that Datatilsynet considers encryption an appropriate security measure for e-mail containing confidential and sensitive information.
  • On 20 September 2018, Datatilsynet published a more detailed text specifying the technical options for such encryption.
    Two approaches to encryption are possible:
    either encryption of the transport, i.e. of the data packets carrying the e-mail while it travels over the network (TLS between mail servers),
    or encryption of the content of the e-mail itself by the sender before it is sent over the network (end-to-end, e.g. S/MIME).
  • It is the data controller who, based on its risk assessment, must decide on the level of security and thus on which form of encryption is appropriate.
  • Datatilsynet also stated that there are types of processing for which encryption at the transport layer is appropriate, and that transport-layer encryption should be regarded as the minimum level of security when sending confidential or sensitive personal data by e-mail.
  • Where the risk to the data subjects' rights is higher, the more secure end-to-end encryption will be appropriate.

    Example:
    A data controller sends a file of health information about a large number of data subjects to a data processor for the purpose of sending letters.

    The data controller, based on a risk assessment, decides that end-to-end encryption is an appropriate security measure.

    An ongoing collaboration with the data processor could, for example, take the form of the two parties exchanging S/MIME certificates, so that they can send end-to-end encrypted e-mails back and forth. It is the data controller who is responsible for secure transmission to the recipient's mail server.
  • Once the e-mail has been delivered to the recipient's mail server, responsibility for the processing of that e-mail passes to the recipient.
    A data controller cannot be held responsible for a citizen having chosen to create a free e-mail account with a service provider that potentially uses the e-mail for its own purposes.
  • The data controller is responsible for the processing of personal data that takes place on its own mail server, whether it is operated internally by the company, the authority or the like, or whether an agreement has been made with a third party to handle e-mail on behalf of the data controller.
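As an added example (not from the annual report or from Datatilsynet), the following Python script audits a delivered message for the two forms of protection distinguished above: whether every hop recorded in the Received: headers used TLS (the RFC 3848 "with ESMTPS" keyword), and whether the body is S/MIME end-to-end encrypted (an application/pkcs7-mime enveloped-data part). The two sample messages, host names and addresses are constructed for illustration; it uses only the Python standard library.

```python
"""Added check (not from Datatilsynet's report): audit a delivered e-mail for the
two protections the report distinguishes, hop-by-hop transport encryption and
end-to-end content encryption. Uses only the Python standard library."""
import email
import re
from email import policy
from email.message import EmailMessage

# RFC 3848 / RFC 6531 "with" keywords in Received: headers. A trailing "S"
# (ESMTPS, ESMTPSA, UTF8SMTPS ...) means the MTA that wrote the header received
# the message over TLS; "A" means the sender authenticated. The pattern is
# anchored on the keyword so that Postfix's "(using TLSv1.3 with cipher ...)"
# comment, which also contains the word "with", is not mistaken for it.
WITH_RE = re.compile(r"\bwith\s+((?:UTF8)?E?SMTP[SA]{0,2}|LMTP[SA]{0,2})\b", re.IGNORECASE)
BASE_RE = re.compile(r"^(?:UTF8)?E?SMTP|^LMTP")


def hop_transport(received_header: str) -> tuple[str, bool]:
    """Return (protocol keyword, tls_used) for one Received: header.

    Caveat: only the Received: line written by a server you operate is
    trustworthy; lines added by other MTAs can be forged or omitted, so this
    is evidence for an audit, not proof."""
    m = WITH_RE.search(received_header)
    if not m:
        return "UNKNOWN", False
    proto = m.group(1).upper()
    suffix = BASE_RE.sub("", proto)          # e.g. "ESMTPSA" -> "SA"
    return proto, "S" in suffix


def transport_hops(msg: EmailMessage) -> list[tuple[str, bool]]:
    """One entry per hop. Received: headers are prepended as the mail travels,
    so index 0 is the final hop (the recipient's server) and the last entry is
    the first hop (often an internal, unencrypted submission)."""
    return [hop_transport(str(h)) for h in msg.get_all("Received", [])]


def is_end_to_end_encrypted(msg: EmailMessage) -> bool:
    """True if the body is S/MIME EnvelopedData (RFC 8551): only the holder of the
    recipient's private key can read it, whatever the intermediate MTAs saw."""
    smime_type = msg.get_param("smime-type", header="Content-Type") or ""
    return (msg.get_content_type() in ("application/pkcs7-mime", "application/x-pkcs7-mime")
            and str(smime_type).lower() == "enveloped-data")


def audit(raw: bytes) -> dict:
    msg = email.message_from_bytes(raw, policy=policy.default)
    hops = transport_hops(msg)
    return {
        "hops": hops,
        "all_hops_tls": bool(hops) and all(tls for _, tls in hops),
        "end_to_end": is_end_to_end_encrypted(msg),
    }


# Constructed sample messages (not real traffic). Sample 1: the Internet hop
# used STARTTLS but the internal submission hop did not, and the body is
# plaintext, so every MTA on the path could read the health data.
SAMPLE_TLS_ONLY = b"""\
Received: from mx.example.org (mx.example.org [192.0.2.20])
    (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits))
    by mail.citizen-provider.example (Postfix) with ESMTPS id 4F1A2B3C
    for <citizen@citizen-provider.example>; Tue, 25 Sep 2018 09:10:11 +0200 (CEST)
Received: from workstation.example.org (workstation.example.org [10.0.0.5])
    by mx.example.org (Postfix) with ESMTP id 1D2E3F4A
    for <citizen@citizen-provider.example>; Tue, 25 Sep 2018 09:10:10 +0200 (CEST)
From: registry@example.org
To: citizen@citizen-provider.example
Subject: Your test results
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"

Dear citizen, your blood test from 20 September shows ...
"""

# Sample 2: controller-to-processor mail, TLS on the hop and S/MIME EnvelopedData
# as the body (the base64 is a placeholder, not a real CMS structure).
SAMPLE_SMIME = b"""\
Received: from mx.example.org (mx.example.org [192.0.2.20])
    (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
    by mail.processor.example (Postfix) with ESMTPS id 9A8B7C6D
    for <print@processor.example>; Thu, 27 Sep 2018 14:00:00 +0200 (CEST)
From: registry@example.org
To: print@processor.example
Subject: Letter batch 2018-09-27
MIME-Version: 1.0
Content-Type: application/pkcs7-mime; smime-type=enveloped-data; name="smime.p7m"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="smime.p7m"

MIAGCSqGSIb3DQEHA6CAMIACAQAxggEAPLACEHOLDER
"""

if __name__ == "__main__":
    for name, raw in (("tls-only", SAMPLE_TLS_ONLY), ("smime", SAMPLE_SMIME)):
        print(name, audit(raw))
```

The first sample shows why Datatilsynet treats transport encryption as a minimum rather than a guarantee: the hop across the Internet was TLS-protected, but the internal hop was not, and in both cases each mail server on the path held the readable body. Only the second sample, where the body is S/MIME enveloped data, keeps the content unreadable to every server between the sender and the recipient's private key. When running this against real mail, trust only the Received: line written by a server you operate; earlier lines are whatever the previous MTAs chose to write.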