Denmark DPA: Decision on Lowell Danmark A/S – opportunistic TLS encryption of email based on risk assessment

https://www.datatilsynet.dk/tilsyn-og-afgoerelser/afgoerelser/2019/jul/klage-over-manglende-kryptering/

The Data Inspectorate has in this regard emphasized that Lowell Danmark A/S stated that a risk assessment had been carried out in which the specific procedure was deemed an appropriate safeguard, that opportunistic TLS 1.2 with AES256-based encryption was used when transmitting the relevant e-mails, that X's e-mail client supported this form of encryption, and that the two e-mails sent were encrypted on the transport layer.

The Data Inspectorate notes that the Authority in general, when e-mail containing sensitive and/or confidential information is processed, encourages the data controller to configure its mail server to enforce TLS (Forced TLS), as a minimum in version 1.2. However, in the Authority's opinion the use of opportunistic TLS is not in itself contrary to Article 32 of the Data Protection Regulation if the data controller, based on a risk assessment, has correctly concluded that such a setup constitutes an appropriate safeguard.
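The two settings the decision contrasts, as an added Postfix main.cf example (not part of the decision or of Lowell's configuration): opportunistic TLS beside enforced TLS with a 1.2 floor; hostnames and paths are placeholders.

```ini
# Added example, not from the decision: Postfix main.cf fragments for
# outbound (smtp_) TLS. Hostnames and paths are placeholders.

# 1) Opportunistic TLS: encrypt when the receiving server offers STARTTLS,
#    otherwise fall back to cleartext. This is the setting the decision
#    accepted only because a documented risk assessment supported it.
# smtp_tls_security_level = may

# 2) Enforced TLS, minimum version 1.2, as the DPA recommends for mail
#    carrying confidential or sensitive data. Delivery is deferred rather
#    than falling back to cleartext, and peers offering only TLS 1.0/1.1
#    or weak ciphers are refused.
smtp_tls_security_level = encrypt
smtp_tls_mandatory_protocols = >=TLSv1.2
smtp_tls_mandatory_ciphers = high

# Apply the same version floor to any opportunistic session that remains.
# The ">=TLSv1.2" form needs Postfix 3.6 or later; older releases list the
# excluded versions instead: !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
smtp_tls_protocols = >=TLSv1.2

# Log which protocol and cipher each delivery used, so the controller can
# show afterwards that a given message was encrypted in transit.
smtp_tls_loglevel = 1

# Alternative: keep "may" globally but enforce TLS per destination, e.g.
# towards a data processor, via a policy table.
# smtp_tls_policy_maps = hash:/etc/postfix/tls_policy
# /etc/postfix/tls_policy (run postmap after editing):
#   processor.example.invalid   encrypt protocols=>=TLSv1.2
```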


In the specific case, the Data Inspectorate has not found evidence that could override the risk assessment made by Lowell Danmark A/S in relation to the form of encryption used. However, in the specific case, the Data Inspectorate must emphasize that a risk assessment cannot be based on what the data subject may have consented to, since such acceptance cannot be equated with the level of security that is appropriate.

Danish DPA on email encryption (TLS vs. end-to-end)

From the annual report 2018 (Google translation, so there might be flaws)
http://www.datatilsynet.dk/media/7896/aarsberetning_2018.pdf

Encryption of emails

  • On July 23, 2018, the Data Inspectorate published a review of conditions regarding processing in which confidential and sensitive information was sent by e-mail over networks outside the data controller's control (e.g. the Internet).
  • The conclusion of this review was: that data controllers, for all the processing they carry out, must assess the risk to the rights of the data subjects; that the risk profile of an unencrypted e-mail sent on a network the controller does not control is at the high end of the scale; and that the Danish Data Protection Agency is of the opinion that encryption is an appropriate security measure for e-mail containing confidential and sensitive information.
  • On September 20, 2018, the Data Inspectorate published a more detailed text specifying the technical possibilities for such encryption.
    Two possible approaches to encryption:
    either encryption of the transport of the data packets containing the e-mail when it is sent over the network,
    or encryption of the actual contents of the e-mail by the sender before it is sent over the network.
  • It is the data controller who, based on its risk assessment, must determine the level of security and, accordingly, the form of encryption that is appropriate.
  • The Data Inspectorate also stated that there are types of processing for which encryption on the transport layer is appropriate. In addition, the Authority stated that encryption on the transport layer should be considered the minimum level of security when sending confidential or sensitive personal data by e-mail.
  • Where the risk to the data subjects' rights is higher, the safer end-to-end encryption will be appropriate.

    Example:
    A data controller sends a file of health information about a large number of data subjects to a data processor for the purpose of sending letters.

    The data controller, based on a risk assessment, decides that end-to-end encryption will be an appropriate security measure.

    In an ongoing collaboration with the data processor, the two parties could have exchanged S/MIME certificates and can therefore send e-mails back and forth to each other that are end-to-end encrypted. It is the data controller who is responsible for the secure transmission to the recipient's mail server.
  • When the e-mail is delivered to the recipient's mail server, responsibility for the processing of this e-mail passes to the recipient.
    A data controller cannot be held responsible for the fact that a citizen has chosen to create a free e-mail account with a service provider that potentially uses the e-mail for its own purposes.
  • The data controller is responsible for the processing of personal data that takes place on its own mail server, whether it is operated internally within the company, the authority or the like, or whether an agreement has been entered into with a third party to handle e-mail on behalf of the data controller.

[UK/India] – Health Company Fined by UK’s ICO

  • Subcontractor based in India processing sensitive personal data without adequate data processing / data transfer grounds
  • Lack of contractual definition of adequate technical and organisational measures in India
  • Sensitive personal data (with high severity) sent via unencrypted email
  • Sensitive personal data on an FTP server without restricted access controls
  • Patient found his/her data via Internet search

https://www.hldataprotection.com/2017/03/articles/international-eu-privacy/health-company-fined-by-uks-information-commissioner-office/