Encryption is a well-known and effective security measure applied by IT professionals all over the world to ensure that personal data is not subject to unauthorised access or disclosure. However, since the adoption of the EU General Data Protection Regulation (GDPR) in May 2018, encryption can also be perceived as a multi-layered legal concept that leverages data protection and privacy. Let us first solve some of the confusion surrounding this concept, before we consider its implications for your security strategy.
For GDPR to apply, it is necessary that it concerns personal data. This means the data needs to relate to a natural person and to directly or indirectly identify a person. To understand the relation between the GDPR and encryption, let's also take into account how encryption works. As a mathematical method, it transforms readable data (plaintext) into a set of unreadable characters (ciphertext), protecting that data from those who are unauthorised to access it. This evidently raises the question of whether encrypted data can be considered as personal data.
Encrypted data is personal data
It has been argued that encrypted data should be treated as anonymous data and, as such, excluded from GDPR, since it does not allow a person to be identified without the possession and use of a decryption key. Others have claimed that it would be personal data only to those who actually possess such a key, since they alone can see the information in its original – that is: readable - format. So, they alone are able to identify the person to whom the data relates to.
These mixed opinions have led to some debate in the legal world. But as this legal issue has also been resolved now, we can finally shed some light on the matter and confirm that encrypted data is also to be regarded as personal data. And that it is to be treated as such too. The reasoning behind that legal conclusion is that encrypted data, though masked, can still be reversed back to its original form and therefore lead to the identification of a person.
This criterion of identifiability, in a legal context, was developed by the Court of Justice of the EU (CJEU) in the Breyer case. The Court has stated that, if there is a possibility of an external or internal threat or vulnerability, to obtain a decryption key, decode the data and be able to even indirectly identify a person is sufficient for GDPR to apply. Consequently, your organisation must take into account that dealing with encrypted data puts it within the scope of GDPR.
Impact beyond security: from data protection to human rights
Encryption is primarily to be understood as a security measure. However, its impact goes way beyond security. It plays an important part, for instance, in the interconnection of security, privacy, and data protection, which it helps to drive. And given its functionality, it shouldn’t really come as a surprise that encryption itself has been recognised as a powerful data protection measure under GDPR.
There are diverse types of encryption, from symmetric to asymmetric, just as there is a wide variety of cryptographic applications. You can deploy encryption on your devices, networks, storage drives, or simply on your data itself. In other words: encryption allows you to control the authorised access to your data and keep that data protected from malicious attacks and other exploitations (such as espionage, surveillance, or unlawful interference of communication) while it is transmitted and processed as well as stored.
Encryption not only protects your IT systems and networks against activities that could compromise the confidentiality of your data or services, it also guarantees your fundamental human rights, such as the right to a private life and private communication. What’s more, by converting our data to an intelligible form, it protects other freedoms as well, such as the right to freedom of expression, information, and opinion. And it allows individuals to live in a safe environment, protected from political and religious persecution.
Combining technical and legal expertise
This is where combining a legal with a technical skillset becomes crucial to the success of your organisation in deploying encryption measures. As a business, to be able to guarantee the secure processing of your data, you will want an end-to-end integrator to design you a tailor-made solution. Above all, however, you will want that integrator to be fully committed to building you a trusted, safer, and more resilient cyberspace by combining technical and legal expertise.
In my next blog post, I will explain, among others, why Sopra Steria is precisely that kind of integrator. Can’t wait to read it? You can check it out here already