Setting the right standard to ensure compliance with the technical and organizational safeguards for data security required under Art. 32 GDPR is a challenge for many companies when it comes to electronic communications – not least e-mail. The German Conference of Independent Federal and State Data Protection Supervisory Authorities (Datenschutzkonferenz, DSK) has issued guidance on the topic. The guidance represents a majority resolution of the German states, with Bavaria dissenting. It goes into detail about the technical and organizational safeguards that, in the view of the DSK, controllers under data protection law must implement for e-mail communication.
The DSK sees the controller and each processor as being under an obligation to minimize the risks to personal data that arise when e-mails are sent and received. The obligation to implement adequate technical and organizational safeguards arises from Art. 5 (1) (f), Art. 25 and Art. 32 GDPR. Art. 32 GDPR is thus the central standard: it requires controllers and processors to implement technical and organizational measures that are appropriate to the risk. To ascertain which measures are appropriate, the controller needs to weigh various factors, in particular the risk to the personal data concerned.
According to the DSK, the current state of the art offers two suitable technical safeguards for communication by e-mail: (qualified) transport layer encryption and end-to-end encryption. Without encryption, an e-mail and all the data it contains can be read by anyone who intercepts the traffic. Transport layer encryption (also known as point-to-point encryption) encrypts the e-mail while it is in transit. In simple terms, an e-mail travels from the sender's computer to the recipient's computer via the servers of the sender's and recipient's e-mail providers; with transport layer encryption, each of these connections is encrypted, but every server on the path receives and processes the message in the clear. Transport layer encryption is carried out automatically if it is activated on the respective servers, i. e. without the sender and recipient having to perform any special steps. In practice, whether a given transmission is actually protected depends on both servers supporting it and on the sending server not silently falling back to an unencrypted connection when the receiving server offers none; gaps of this kind are the reason the guidance distinguishes mere from qualified transport layer encryption. With end-to-end encryption, an e-mail is encrypted on the sender's system, transmitted in this form, and only decrypted when it reaches the recipient, so the providers' servers never see the content. It guarantees a higher level of protection, but requires additional measures. For example, the sender and recipient need to exchange keys in advance (typically the recipient's public key) in order to be able to read the messages.
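The difference between the two safeguards is easiest to see by asking, for each party on the delivery path, whether the message exists in the clear at that party. The following model is an added example and is not taken from the DSK guidance; the four parties, the message and the keys are constructed, and a toy keystream cipher (HMAC-SHA256 in counter mode, not secure for real use) stands in for both TLS on each hop and for a real end-to-end scheme such as S/MIME or OpenPGP. The `read_mailbox` function models the situation mentioned later in the text where a third party (for instance a proxy account) has access to the recipient's mailbox.

```python
"""
Who can read an e-mail under transport-layer vs end-to-end encryption.

Constructed model, not code from the DSK guidance: four hypothetical parties
on the delivery path and a toy keystream cipher standing in for TLS and for a
real end-to-end scheme. The cipher is NOT secure; it only makes visible at
which party the content exists in the clear.
"""
import hashlib
import hmac
import os
from typing import Dict, List, Optional

# Hypothetical delivery path: sender -> sender's provider -> recipient's provider -> recipient
PATH = ["sender", "sender_provider", "recipient_provider", "recipient"]
NONCE_LEN = 16


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC-SHA256 in counter mode: toy stand-in for a real stream cipher.
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    nonce = os.urandom(NONCE_LEN)
    ks = _keystream(key, nonce, len(plaintext))
    return nonce + bytes(p ^ k for p, k in zip(plaintext, ks))


def decrypt(key: bytes, ciphertext: bytes) -> bytes:
    nonce, body = ciphertext[:NONCE_LEN], ciphertext[NONCE_LEN:]
    ks = _keystream(key, nonce, len(body))
    return bytes(c ^ k for c, k in zip(body, ks))


def _transport_hop(payload: bytes) -> bytes:
    """One transport-encrypted hop: both ends share a fresh session key (as with TLS),
    the wire carries only ciphertext, and the receiving server decrypts to process it."""
    session_key = os.urandom(32)
    on_the_wire = encrypt(session_key, payload)
    return decrypt(session_key, on_the_wire)


def deliver_transport_encrypted(message: bytes) -> Dict[str, bytes]:
    """Transport-layer encryption only: every server on the path holds the clear text."""
    seen = {"sender": message}
    payload = message
    for party in PATH[1:]:
        payload = _transport_hop(payload)
        seen[party] = payload
    return seen


def deliver_end_to_end(message: bytes, recipient_key: bytes) -> Dict[str, bytes]:
    """End-to-end encryption on top of transport encryption: the sender encrypts with a
    key agreed with the recipient beforehand; the servers only forward opaque bytes."""
    seen = {"sender": message}
    payload = encrypt(recipient_key, message)
    for party in PATH[1:]:
        payload = _transport_hop(payload)
        seen[party] = payload
    seen["recipient"] = decrypt(recipient_key, payload)  # only the key holder can open it
    return seen


def parties_with_plaintext(seen: Dict[str, bytes], message: bytes) -> List[str]:
    """Which parties on the path held the message in the clear."""
    return [party for party in PATH if seen[party] == message]


def read_mailbox(stored: bytes, key: Optional[bytes]) -> bytes:
    """What someone with access to the recipient's mailbox (e.g. a proxy account) obtains:
    the stored bytes as they are, or the plaintext if they also hold the end-to-end key."""
    return decrypt(key, stored) if key is not None else stored


if __name__ == "__main__":
    msg = b"Constructed sample: appointment on 3 May, please bring your insurance card."
    print("transport only :", parties_with_plaintext(deliver_transport_encrypted(msg), msg))
    e2e_key = os.urandom(32)
    delivered = deliver_end_to_end(msg, e2e_key)
    print("end-to-end     :", parties_with_plaintext(delivered, msg))
    print("proxy w/o key  :", read_mailbox(delivered["recipient_provider"], None) == msg)
```

With transport encryption alone, all four parties hold the message in the clear; with end-to-end encryption only the sender and the recipient do, and someone with mailbox access but without the recipient's key obtains ciphertext. This is the property behind the higher protection level the text attributes to end-to-end encryption.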
According to the DSK, the following principles apply to the sending and receipt of e-mails:
Whether it is possible to consent to the sending of unencrypted e-mails is disputed (see below).
The requirements for qualified transport layer encryption are set down in part 5.2 of the guidance and mainly consist of compliance with technical standards and cryptographic principles.
The obligation to implement safeguards lies primarily with the sender of an e-mail because, from the perspective of data-protection law, the recipient is not the controller of the personal data being transmitted. At the same time, however, the DSK believes that a recipient must also take safeguards, for example where it asks the sender to send personal data. Accordingly, transport layer encryption should be guaranteed when receiving e-mails of a normal risk level. For high risks, the DSK requires both qualified transport layer encryption and the ability to receive end-to-end encrypted messages. An example of a high risk level is data concerning health that a health insurance company, acting as a controller, asks its customers to send by e-mail.
The DSK imposes additional requirements on persons subject to professional secrecy. These include all professional groups set out in section 203 (1) German Criminal Code (Strafgesetzbuch, StGB), in particular doctors, pharmacists, lawyers, and accountants. According to the DSK, at high risk levels these controllers – in addition to the requirements for sending and receiving e-mails set out above – are obligated to deploy encryption in such a way that messages can only be decrypted by persons who are authorized to view their content. That means, for example, that when deciding on suitable measures to safeguard the personal data contained in a message, it also needs to be considered whether any third parties may be able to access the recipient's mailbox. This may be the case, for instance, if proxy accounts have been set up, since a proxy with mailbox access can read anything stored there in the clear.
The DSK believes that e-mail transmission must not take place if the requisite safeguards cannot be implemented. In that case, other communication channels need to be used. Alongside “analogue” communication, this may also entail other web-based methods such as a web portal or cloud solutions. If the controller offers such an option, it must also provide adequate technical and organizational safeguards (e. g. encrypted connections, prior encryption of the content if need be).
The question arises here as to whether consent given by the data subject may permit the controller to implement fewer or no security measures. The DSK guidance provides no instruction with regard to this controversial question. A common argument against the existence of such an opt-out is that Art. 32 GDPR does not expressly provide for one. However, that is too narrow a view. If data subjects can create a legal basis for processing by granting their consent (Art. 6 (1) (a) GDPR), then they can certainly determine the modalities of the processing, including the safeguards applied. However, the strict requirements for consent under Art. 4 (11), Art. 6 and Art. 7 GDPR must be observed. In particular, consent can only ever be given by the data subject. An employer cannot give consent on behalf of its employees, for example. Consequently, consent can never be assumed where the e-mail contains personal data of people who are not themselves participating in the communication.
Controllers who use e-mail and other electronic communication must first ascertain the risks involved in the various processing situations (see also DSK brief no. 18). In a second step, the necessary technical and organizational safeguards can then be ascertained and implemented. In practical terms, it is not possible to perform such an assessment for each individual communication process. For that reason, the following procedure should be adopted: