21 November 2018 - Security of processing

E-mail encryption: what does the data protection require?


The General Data Protection Regulation (GDPR) specifies encryption as a measure for ensuring the security of processing of personal data. Does this mean that all e-mails from now on have to be encrypted? It depends – on the e-mails and the type of encryption.

Image caption: Encryption of confidential data has thus far been the exception in practice, even for e-mails, which are sent over the internet without any protection (Image: D3Damon / iStock / Getty Images)

Only 43 per cent of the companies surveyed use encryption strategies to protect sensitive data from cybercriminals, to satisfy compliance requirements and to prevent human error.

That was the result of the "2018 Global Encryption Trends Study" by Thales. The study on global encryption trends in 2018 was conducted by the Ponemon Institute and is based on a survey of over 5,200 people in 12 countries.

Encryption in the GDPR

However, the GDPR should finally prompt the percentage of companies using encryption on grounds of compliance to increase significantly.

In Art. 32, the Regulation expressly names encryption as one of the measures for ensuring the security of processing. In addition, Art. 34 GDPR, which concerns the obligation to inform the data subject, states that this obligation need not apply if the data concerned has been encrypted.

E-mail encryption as an essential obligation?

Various providers of IT security solutions have used the requirements and consequences of the GDPR as an opportunity to advertise their products.

They make statements like "The GDPR means that e-mail encryption is now mandatory!" But is that actually the case? It depends!

The old German Federal Data Protection Act already specified encryption as one of the key technical and organisational measures. Encryption has always played an important role. It contributes considerably towards achieving the protection objective of "confidentiality", and helps to verify the integrity and authenticity of data.

However, what the GDPR requires is that suitable technical and organisational measures ensure a level of protection that is appropriate to the risk.

Data controllers have to select them "taking into account the state of the art, the cost of implementation and the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for rights and freedoms of natural persons".

What supervisory authorities say about e-mail encryption

So does that mean that e-mail encryption is voluntary? The office for data protection and freedom of information in the state of North Rhine-Westphalia writes, for example, that measures such as encryption are to be seen as examples of standard measures.

That means: if use is possible and appropriate, it should be implemented.

Key: appropriateness and protection requirements

So it depends on appropriateness, and therefore on the protection requirements of the data. If data with high or very high protection requirements, such as health data, are sent by e-mail, end-to-end encryption is required.

Since end-to-end encryption leaves the subject line of the e-mail unencrypted, the sender has to ensure that the subject does not contain data with high or very high protection requirements.

If the sender is transferring personal data with normal protection requirements, end-to-end encryption of the content may not be required in every case.

The supervisory authority states that the minimum standard for the transfer of personal data with normal protection requirements is transport encryption.

The picture that emerges: what is required depends on the personal data's protection requirements and on the type of encryption. Data protection law does not, however, demand that all e-mails be encrypted.

Implementing e-mail encryption properly

Besides claims of a fundamental obligation to fully encrypt all e-mails, recently there have been reports that e-mail encryption is no longer secure.

This needs to be examined in more detail. E-mail encryption is a solution made up of many components, which is important to remember when assessing the vulnerability described below.

In May 2018, security researchers from the University of Applied Sciences Münster, Ruhr-Universität Bochum and the University of Leuven (Belgium) discovered serious weaknesses in the widespread e-mail encryption standards OpenPGP and S/MIME, and informed the Federal Office for Information Security (BSI).

Attackers could exploit these weaknesses to manipulate encrypted e-mails in such a way that the plaintext of the message is leaked to them after the actual recipient has decrypted it.

However, the BSI believes that the mentioned e-mail encryption standards can continue to be used safely if they are implemented correctly and configured securely.

The BSI made clear that, in order to exploit the weaknesses, an attacker must first have access to the transport route, the mail server or the recipient's e-mail inbox.

In addition, active content has to be allowed on the recipient's side, i.e. the execution of HTML code and, in particular, the loading of external content.

Accordingly, the BSI recommended that:

  • Data controllers have to disable active content in the e-mail client. This includes the execution of HTML code and the loading of external content, which are often permitted for design reasons.
  • E-mail servers and e-mail clients have to be protected against unauthorised access attempts.
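As an added example (not code from the article or the BSI), the following Python check makes two of the points above concrete: for a PGP/MIME or S/MIME message the Subject header stays in cleartext even though the body is end-to-end encrypted, and for an HTML part it lists the external resources a client would fetch if loading external content were allowed. Both sample messages are constructed; the PGP body is a placeholder, not real ciphertext.

```python
"""Added example (not from the article): what end-to-end encryption leaves
in cleartext, and whether an HTML part would load external content."""
import email
import re
from email import policy

# Tags whose http(s) src/href make a rendering client fetch remote content.
EXTERNAL_REF = re.compile(
    r'<(?:img|script|iframe|link|video|audio)\b[^>]*?\b(?:src|href)\s*=\s*'
    r'["\'](https?://[^"\']+)', re.I)


def analyse(raw_message):
    msg = email.message_from_string(raw_message, policy=policy.default)
    ctype = msg.get_content_type()
    # PGP/MIME (RFC 3156) and S/MIME enveloped data encrypt the body only;
    # header fields such as Subject are transmitted unchanged.
    encrypted = ctype == "multipart/encrypted" or (
        ctype == "application/pkcs7-mime"
        and msg.get_param("smime-type") == "enveloped-data")
    refs = []
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            refs.extend(EXTERNAL_REF.findall(part.get_content()))
    return {"end_to_end_encrypted": encrypted,
            "cleartext_subject": str(msg["Subject"]),
            "external_refs": refs}


# Constructed sample: PGP/MIME layout with a placeholder, not real ciphertext.
SAMPLE_PGP = """\
Subject: Lab results for patient 4711
Content-Type: multipart/encrypted; protocol="application/pgp-encrypted"; boundary="b1"

--b1
Content-Type: application/pgp-encrypted

Version: 1
--b1
Content-Type: application/octet-stream

-----BEGIN PGP MESSAGE-----
-----END PGP MESSAGE-----
--b1--
"""

# Constructed sample: unencrypted HTML mail with a remote tracking pixel.
SAMPLE_HTML = """\
Subject: Newsletter
Content-Type: text/html; charset="utf-8"

<html><body><img src="https://tracker.example/pixel.gif"><img src="cid:logo"></body></html>
"""
```

Running `analyse(SAMPLE_PGP)` reports the message as end-to-end encrypted but still returns the health-related subject in cleartext; `analyse(SAMPLE_HTML)` reports one external reference, which is what a client with external content disabled would refuse to load.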

Measures for more e-mail encryption

Even though employees do not have to encrypt every e-mail and e-mail encryption is not immune to security breaches, companies should be doing considerably more to protect confidential e-mails.

The following checklist summarises the measures to check.

Information for the executive management

Studies and surveys that underline the need for encryption are useful for informing and raising awareness among the executive management as the responsible body. The latest studies include the aforementioned "2018 Global Encryption Trends Study" by Thales and the study "Use of electronic encryption – barriers for the economy" commissioned by the Federal Ministry for Economic Affairs and Energy.

The Federal Ministry for Economic Affairs and Energy makes clear: using encryption solutions, for example in e-mails and data carriers, is an important factor in increasing the IT security of companies and minimising the risk posed by attacks.

Although it seems that all of the necessary solutions are already out there, use across the board is not yet a given. This is despite the fact that information in an unencrypted e-mail is as poorly protected as if it were written and sent on a postcard.

The latest evaluation by the TÜV SÜD data protection indicator shows that many companies are still sending sensitive and confidential information unencrypted via e-mail.

As expected, the results are even poorer among private users, as shown by the study "ESET fact check: encryption".

Summary: e-mail encryption – why and how?

The encryption of e-mails protects against the following data risks:

  • Loss of confidentiality and integrity when sending e-mails
  • Loss of confidentiality and integrity when storing e-mails

Procedure for e-mail encryption:

  • Encrypted transmission of e-mails (transport encryption): TLS (Transport Layer Security)
  • Encryption of e-mail content (end-to-end encryption): S/MIME (Secure/Multipurpose Internet Mail Extensions) or PGP (Pretty Good Privacy)

Oliver Schonschek
Oliver Schonschek holds a degree in physics and is an analyst and specialist journalist in the fields of IT security and data protection.