On 26 May 2020, the German Data Protection Authorities (German DPAs) issued guidelines on measures to protect personal data transferred via email (Guidelines; available in German here). The Guidelines outline requirements for procedures to send and receive emails that must be met by data controllers, data processors and public email service providers (Email Service Providers) to comply with Art. 5(1)(f), 25 and 32(1) of the General Data Protection Regulation (GDPR).
Sending emails containing personal data
Data controllers and processors must implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk of the data processing, taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of the data subjects concerned.
According to the German DPAs, the risks arising from a breach of confidentiality for personal data being transferred via email must be minimised using end-to-end encryption and transport encryption. Differentiating between normal risks and high risks, the German DPAs outline the following:
- Normal risk: Where a breach of confidentiality (of the content or the circumstances of the communication) only poses a normal risk to the rights and freedoms of the data subjects concerned, controllers must establish mandatory transport encryption, preventing the unencrypted transmission of emails. The mandatory transport encryption should be established using the SMTPS protocol or the SMTP command STARTTLS, subsequently establishing a TLS encrypted communications channel and taking into account the requirements set out in the technical guidelines of the German Federal Office for Information Security (BSI) TR-02102-2 (available here). Transport encryption should provide basic protection and represents a minimum measure to meet the legal requirements.
- High risk: Where a breach of confidentiality of personal data in the content of the message poses a high risk to the rights and freedoms of the data subjects concerned, controllers must regularly use both end-to-end encryption and qualified transport encryption.
End-to-end encryption should be established using S/MIME (RFC 5751) and OpenPGP (RFC 4880), ensuring not only the protection of the actual transport but also the intermediate storage and processing on the servers involved in the transmission.
Qualified transport encryption must involve, for example, DANE and/or DNSSEC mechanisms and ensure protection against active attacks by third parties. The German DPAs further explain the individual requirements to be met and, by way of example, point out that perfect forward secrecy (PFS) cannot be achieved by use of end-to-end encryption alone, since compromising a recipient’s private key may put all messages encrypted with the respective public key at risk of being decrypted.
The extent to which either end-to-end encryption, or certain elements of end-to-end encryption or of qualified transport encryption, can be dispensed with should depend on the individual risks, the particular design of the transmission channel and any countermeasures taken. End-to-end encryption should be regarded as the most thorough protection measure.
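The qualified transport encryption mentioned above rests on DANE: the sending server looks up a TLSA record under a DNSSEC-signed name derived from the MX host and accepts the receiving server's certificate only if it matches that record, which is what defeats an active attacker who strips STARTTLS or presents a substitute certificate. The Python below is an added example, not part of the Guidelines or of any referenced standard. It shows the record name derivation, the publishing side (deriving a record from a certificate) and the matching step for the record types RFC 7672 uses with SMTP. Selector 0 (full certificate) is implemented; selector 1 (SubjectPublicKeyInfo) would need DER parsing and is reported as unsupported. The DNS lookup itself, which must be DNSSEC-validated for the result to mean anything, is left to the resolver, and the certificate bytes are a constructed placeholder.

```python
"""Match a certificate against a DANE TLSA record for SMTP (RFC 6698, RFC 7672).

Added example, not part of the Guidelines.  Selector 0 only; the DNS lookup (DNSSEC
validated) is the resolver's job.  SAMPLE_CERT is a constructed placeholder.
"""
import hashlib
from dataclasses import dataclass

DANE_TA, DANE_EE = 2, 3                            # the certificate usages RFC 7672 uses for SMTP
HASHES = {1: hashlib.sha256, 2: hashlib.sha512}    # matching types; 0 means exact match


@dataclass(frozen=True)
class TlsaRecord:
    usage: int
    selector: int
    matching_type: int
    data: bytes


def tlsa_name(mx_host: str, port: int = 25, proto: str = "tcp") -> str:
    """Owner name of the TLSA RRset for an MX host, e.g. _25._tcp.mx.example.com."""
    return f"_{port}._{proto}.{mx_host.rstrip('.')}."


def parse_tlsa(presentation: str) -> TlsaRecord:
    """Parse the presentation format '3 0 1 <hex>' seen in zone files and dig output."""
    usage, selector, mtype, hexdata = presentation.split()
    return TlsaRecord(int(usage), int(selector), int(mtype), bytes.fromhex(hexdata))


def association_data(cert_der: bytes, selector: int) -> bytes:
    """Selector 0 covers the whole DER certificate; selector 1 (SPKI) is not implemented here."""
    if selector == 0:
        return cert_der
    raise NotImplementedError("selector 1 (SPKI) needs DER parsing; use e.g. the cryptography package")


def build_tlsa(cert_der: bytes, usage: int = DANE_EE, selector: int = 0, matching_type: int = 1) -> TlsaRecord:
    """Derive the record an MX operator publishes for cert_der (the publishing side of DANE)."""
    data = association_data(cert_der, selector)
    if matching_type != 0:
        data = HASHES[matching_type](data).digest()
    return TlsaRecord(usage, selector, matching_type, data)


def record_matches_cert(record: TlsaRecord, cert_der: bytes) -> bool:
    data = association_data(cert_der, record.selector)
    if record.matching_type == 0:
        return data == record.data
    digest = HASHES.get(record.matching_type)
    return digest is not None and digest(data).digest() == record.data


def chain_matches(record: TlsaRecord, chain: list) -> bool:
    """chain[0] is the server certificate, followed by the intermediates it presented.

    DANE-EE(3) must match the server certificate itself.  DANE-TA(2) names a trust
    anchor: some certificate in the chain must match and, as a simplification not
    shown here, the server certificate must additionally chain to that anchor.
    """
    if record.usage == DANE_EE:
        return bool(chain) and record_matches_cert(record, chain[0])
    if record.usage == DANE_TA:
        return any(record_matches_cert(record, cert) for cert in chain)
    return False                   # PKIX-TA(0) / PKIX-EE(1) records are not used for SMTP (RFC 7672)


# Constructed placeholder standing in for the DER bytes of a server certificate.
SAMPLE_CERT = b"-- constructed placeholder, not a real DER certificate --"
SAMPLE_RECORD = build_tlsa(SAMPLE_CERT)   # what the MX operator would publish at tlsa_name(mx)

if __name__ == "__main__":
    print(tlsa_name("mx.example.com"), "TLSA", SAMPLE_RECORD.usage, SAMPLE_RECORD.selector,
          SAMPLE_RECORD.matching_type, SAMPLE_RECORD.data.hex())
    print("matches:", chain_matches(SAMPLE_RECORD, [SAMPLE_CERT]))
```

A record with matching type 1 (SHA-256) and selector 0 is tied to one exact certificate, so the published record has to change with every renewal; that operational coupling is why selector 1 (the key rather than the certificate) is common in practice, and why a rollover should publish the new record before the certificate is switched.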
With regard to the criteria used to determine whether a normal or high risk prevails, the German DPAs refer to their Short Paper Nr. 18 (Risks for the rights and freedoms of individual persons, dated 26 April 2018; available in German here).
Controllers who are under a statutory obligation of confidentiality pursuant to Section 203 of the German Criminal Code must take additional encryption measures to ensure that only the parties to which the confidential content of the message sent may be disclosed can decrypt such content. The German DPAs, however, do not further specify such additional encryption measures.
Express receipt of emails containing personal data
In general, it should be the sender’s responsibility to implement the above measures. However, where the recipient expressly receives personal data via email, for example, where requested on the recipient’s website, according to the German DPAs, it is also the recipient’s responsibility to establish a secure communication channel:
- Normal risk: Where the risks of a breach of confidentiality result in a normal risk for the data subjects concerned, it is sufficient that the receiving server enables the establishment of TLS connections and that algorithms are used which are listed in the BSI TR 02102-2. In order to best facilitate the establishment of encrypted connections, the German DPAs recommend offering a wide range of qualified algorithms.
- High risk: Where the risks of a breach of confidentiality result in a high risk for the data subjects concerned, the recipient must both enable qualified transport encryption and be able to receive end-to-end encrypted emails.
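The transport-encryption requirements on both sides, a sender that refuses to fall back to cleartext and a receiving server that offers TLS with acceptable algorithms, can be checked with a small probe. The following Python script is an added example and is not part of the Guidelines or of BSI TR-02102-2. The version and cipher policy it encodes is a simplified reading of that guideline (TLS 1.2 or 1.3 only, forward-secret key exchange, AEAD ciphers) and the guideline itself remains the authoritative list; the host name in the usage line is a placeholder.

```python
"""Probe an SMTP server for STARTTLS and rate the negotiated TLS session.

Added example, not part of the Guidelines or of BSI TR-02102-2; the policy below is a
simplified reading of TR-02102-2, not its full list of approved suites.
"""
import smtplib
import ssl
import sys
from dataclasses import dataclass, field

ACCEPTED_VERSIONS = {"TLSv1.2", "TLSv1.3"}
FORWARD_SECRET_KEX = ("ECDHE", "DHE")       # OpenSSL-style TLS 1.2 suite names start with the key exchange
AEAD_MARKERS = ("GCM", "CHACHA20", "CCM")   # AEAD modes; CBC suites with HMAC are rejected


@dataclass
class TlsVerdict:
    ok: bool
    reasons: list = field(default_factory=list)


def assess_tls(version: str, cipher_name: str) -> TlsVerdict:
    """Rate one negotiated session as reported by ssl.SSLSocket.cipher()."""
    reasons = []
    if version not in ACCEPTED_VERSIONS:
        reasons.append(f"protocol {version} not accepted; TLS 1.2 or 1.3 required")
    name = cipher_name.upper()
    # TLS 1.3 suite names (TLS_AES_128_GCM_SHA256, ...) carry no key-exchange part because
    # TLS 1.3 always uses (EC)DHE, so only TLS 1.2 names need the explicit check.
    if version != "TLSv1.3" and not name.startswith(FORWARD_SECRET_KEX):
        reasons.append(f"cipher {cipher_name} has no forward-secret key exchange")
    if not any(marker in name for marker in AEAD_MARKERS):
        reasons.append(f"cipher {cipher_name} is not an AEAD suite")
    return TlsVerdict(ok=not reasons, reasons=reasons)


def probe_starttls(host: str, port: int = 25, timeout: float = 10.0) -> tuple:
    """Connect, insist on STARTTLS, and return (tls_version, cipher_name).

    Raises instead of falling back to cleartext: that is the difference between the
    mandatory transport encryption the Guidelines require and opportunistic TLS.
    """
    ctx = ssl.create_default_context()          # verifies the chain and the host name
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        smtp.ehlo()
        if not smtp.has_extn("starttls"):
            raise RuntimeError(f"{host}:{port} does not offer STARTTLS; refusing to send in clear")
        smtp.starttls(context=ctx)
        smtp.ehlo()                               # EHLO must be repeated after the upgrade
        cipher_name, version, _bits = smtp.sock.cipher()
        return version, cipher_name


if __name__ == "__main__":
    mx = sys.argv[1] if len(sys.argv) > 1 else "mail.example.invalid"   # placeholder host
    tls_version, suite = probe_starttls(mx)
    verdict = assess_tls(tls_version, suite)
    print(tls_version, suite, "OK" if verdict.ok else "; ".join(verdict.reasons))
```

Run it against your own MX hosts from the outside; a `RuntimeError` means the server advertises no STARTTLS at all, while a certificate error from `create_default_context()` is the normal PKIX failure mode for mail servers and is exactly the gap that DANE, discussed above, is meant to close.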
In addition, the recipient must sufficiently verify the authenticity and integrity of the received messages, for example by verifying DKIM signatures and signed emails. Where the risk is high, qualified checks of existing signatures (PGP or S/MIME) must be carried out.
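DKIM verification on the receiving side has a local part and a DNS part. The Python below is an added example, not from the Guidelines, and covers the local part of RFC 6376: parsing the DKIM-Signature tags, checking that the signing domain (d=) aligns with the From domain, and recomputing the body hash (bh=) under simple or relaxed canonicalization so that a body altered in transit is caught. Verifying the signature value (b=) needs the signer's public key from the selector record in DNS and is left to a full verifier such as dkimpy. The message is constructed for the example and its b= value is a placeholder that is not checked.

```python
"""Local checks on a DKIM-signed message (RFC 6376): tags, From/d= alignment, body hash.

Added example, not part of the Guidelines.  The b= signature is not verified here; that
needs the public key from <selector>._domainkey.<domain> in DNS.  SAMPLE_MESSAGE is constructed.
"""
import base64
import hashlib
import re

REQUIRED_TAGS = ("v", "a", "b", "bh", "d", "h", "s")


def unfold_headers(header_block: bytes) -> list:
    """Return (name, value) pairs with folded continuation lines joined."""
    fields = []
    for line in header_block.split(b"\r\n"):
        if line[:1] in (b" ", b"\t") and fields:
            fields[-1] = (fields[-1][0], fields[-1][1] + b" " + line.strip())
        elif b":" in line:
            name, value = line.split(b":", 1)
            fields.append((name.strip().lower(), value.strip()))
    return fields


def parse_dkim_tags(value: bytes) -> dict:
    """tag=value list; whitespace inside values (wrapped b= and bh=) is not significant."""
    tags = {}
    for part in value.split(b";"):
        if b"=" in part:
            k, v = part.split(b"=", 1)
            tags[k.strip().decode()] = re.sub(rb"\s+", b"", v).decode()
    return tags


def canonicalize_body(body: bytes, mode: str) -> bytes:
    """'simple' and 'relaxed' body canonicalization (RFC 6376 sections 3.4.3 and 3.4.4)."""
    lines = body.split(b"\r\n")
    if mode == "relaxed":                    # strip trailing WSP, collapse WSP runs to one space
        lines = [re.sub(rb"[ \t]+", b" ", ln.rstrip(b" \t")) for ln in lines]
    elif mode != "simple":
        raise ValueError(f"unknown canonicalization {mode}")
    while lines and lines[-1] == b"":        # drop trailing empty lines
        lines.pop()
    if not lines:                            # empty body: CRLF under simple, nothing under relaxed
        return b"\r\n" if mode == "simple" else b""
    return b"\r\n".join(lines) + b"\r\n"


def body_hash(body: bytes, mode: str, length=None) -> str:
    canon = canonicalize_body(body, mode)
    if length is not None:                   # l= tag: only the first l octets are covered
        canon = canon[:length]
    return base64.b64encode(hashlib.sha256(canon).digest()).decode()


def check_dkim_locally(raw: bytes) -> tuple:
    """Return (ok, reasons); ok means every local check passed, b= remains unverified."""
    reasons = []
    head, _, body = raw.partition(b"\r\n\r\n")
    headers = unfold_headers(head)
    sigs = [v for n, v in headers if n == b"dkim-signature"]
    if not sigs:
        return False, ["no DKIM-Signature header"]
    tags = parse_dkim_tags(sigs[0])
    missing = [t for t in REQUIRED_TAGS if t not in tags]
    if missing:
        return False, [f"missing tags: {missing}"]
    if tags["v"] != "1":
        reasons.append(f"unsupported version {tags['v']}")
    if tags["a"] not in ("rsa-sha256", "ed25519-sha256"):
        reasons.append(f"algorithm {tags['a']} not acceptable (rsa-sha1 is deprecated by RFC 8301)")
    body_mode = tags.get("c", "simple/simple").partition("/")[2] or "simple"
    length = int(tags["l"]) if "l" in tags else None
    if tags["a"].endswith("sha256") and body_hash(body, body_mode, length) != tags["bh"]:
        reasons.append("body hash mismatch: body altered after signing")
    from_values = [v for n, v in headers if n == b"from"]
    m = re.search(rb"@([A-Za-z0-9.-]+)", from_values[0]) if from_values else None
    from_domain = m.group(1).decode().lower() if m else ""
    d = tags["d"].lower()
    if not (from_domain == d or from_domain.endswith("." + d)):
        reasons.append(f"d={d} does not align with From domain {from_domain!r}")
    return not reasons, reasons


# Constructed message with an empty body signed under relaxed/relaxed: bh= is the SHA-256
# of the empty canonical body; b= is a placeholder that this example does not check.
SAMPLE_MESSAGE = (
    b"From: Alice <alice@example.com>\r\n"
    b"To: bob@example.net\r\n"
    b"Subject: test\r\n"
    b"DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com; s=sel1;\r\n"
    b"\th=from:to:subject; bh=47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU=;\r\n"
    b"\tb=placeholder\r\n"
    b"\r\n"
)

if __name__ == "__main__":
    print(check_dkim_locally(SAMPLE_MESSAGE))
    print(check_dkim_locally(SAMPLE_MESSAGE + b"appended after signing\r\n"))
```

The alignment check matters because a valid DKIM signature only proves that some domain signed the message; without requiring d= to match the From domain (which is what DMARC formalises), a signature from an unrelated domain would still pass.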
Deployment of Email Service Providers
Email Service Providers must meet the requirements of BSI TR 03108-1 (available here), including, for example, the implementation of measures to receive encrypted emails and to achieve the best possible protection available regarding cryptographic algorithms, checking the authenticity and verifying the recipients of emails. According to the German DPAs, controllers who deploy the Email Service Providers must ensure that the chosen Email Service Provider meets these requirements and the requirements of the GDPR.
In these long-awaited Guidelines, the German DPAs provide detailed guidance on which encryption measures have to be established by controllers, processors and Email Service Providers when sending personal data via email. However, the German DPAs miss the chance to provide guidance on how to determine whether a normal or high risk exists in this particular context and on what grounds the protection level might be lowered, for example where the data subject concerned grants their consent.