Encryption and Privacy: Encryption in the GDPR
The use of encryption, or of cryptographic techniques more generally, is a basic security element in the information policy of an agency and, more precisely, it is one of the additional guarantees that may be used to reduce the risk in personal data processing.
The GDPR makes specific references to encryption. Recital 83 establishes that encryption is one of the measures available to mitigate risk, to be used by data controllers and data processors alike:
“Recital 83. In order to maintain security and to prevent processing in infringement of this Regulation, the controller or processor should evaluate the risks inherent in the processing and implement measures to mitigate those risks, such as encryption. Those measures should ensure an appropriate level of security, including confidentiality, taking into account the state of the art and the costs of implementation in relation to the risks and the nature of the personal data to be protected. In assessing data security risk, consideration should be given to the risks that are presented by personal data processing, such as accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed which may in particular lead to physical, material or non-material damage.”
In Article 6 “Lawfulness of processing”, paragraph 4, lit. (e), it is established that encryption is one of the suitable guarantees to establish compatibility of a processing for a purpose other than the purpose for which the data were initially collected:
“Art. 6.4 Where the processing for a purpose other than that for which the personal data have been collected is not based on the data subject's consent or on a Union or Member State law which constitutes a necessary and proportionate measure in a democratic society to safeguard the objectives referred to in Article 23(1), the controller shall, in order to ascertain whether processing for another purpose is compatible with the purpose for which the personal data are initially collected, take into account, inter alia:
(e) the existence of appropriate safeguards, which may include encryption or pseudonymisation.”
Article 32 “Security of processing”, in paragraph 1, lit. (a) thereof, includes encryption as one of the possible security measures that may be adopted by data controllers and data processors alike:
“Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate:
(a) the pseudonymisation and encryption of personal data;”
Finally, Article 34 “Communication of a personal data breach to the data subject” establishes in paragraph 3, lit. (a) thereof, that encryption is one of the measures that releases the controller from the obligation to communicate a personal data breach to the data subjects whose data are involved in the event of an unauthorised access:
“Art. 34.3 The communication to the data subject referred to in paragraph 1 shall not be required if any of the following conditions are met:
(a) the controller has implemented appropriate technical and organisational protection measures, and those measures were applied to the personal data affected by the personal data breach, in particular those that render the personal data unintelligible to any person who is not authorised to access it, such as encryption;”
No new references to encryption may be found in the LOPDGDD [Spanish Organic Law on Personal Data Protection and Digital Rights Guarantee] complementing the GDPR.
In April 2019, the Article 29 Data Protection Working Party, today the European Data Protection Board, published a Statement on encryption and their impact on the protection of individuals with regard to the processing of their personal data in the EU. The text considers encryption as a key element to guarantee privacy in communications and supports the need to implement robust encryption systems that are efficient and standardised in order to protect the privacy of European citizens.
The Statement establishes encryption as a necessary and irreplaceable element for guaranteeing privacy in communications over the Internet, and states that this protection must be implemented from one end to the other, that is to say, directly between end users without any intermediate elements that have access to the information.
Such systems must not be limited in their performance for the purpose of allowing police or court authorities to supervise communications. The need to raise the veil on communications for criminal activity investigations does not justify the addition of secret vulnerabilities in encryption systems, such as a master key or a backdoor.
By way of conclusion to this post, Opinion 05/2014 on anonymisation techniques of the Article 29 Data Protection Working Party establishes the limits of encryption with regard to personal data:
“The most used pseudonymisation techniques are as follows:
• Encryption with secret key: …
Neither encryption nor key-coding per se lends itself to the goal of making a data subject unidentifiable: as, in the hands of the controller at least…
Focusing only on the robustness of the encryption mechanism as a measure of the degree of “anonymisation” of a dataset is misleading, …”
In summary, the use of encryption is one of the guarantees that may be added to processing in order to manage risk, especially when communication takes place through the Internet, when personal data are going to be processed for a purpose other than the purpose for which the data were initially collected, as an appropriate pseudonymisation technique, or in the event of a security breach. Likewise, encryption applications cannot be weakened by reason of considerations about security at any level.
However, it must be noted that the use of encryption does not remove the nature of these data as personal data and, therefore, encrypted information must not be considered anonymised information.