Synopsis 02: Defensive and Offensive Security Facets of Encryption under GDPRs in the EU and LU


i) A few legal definitions to understand encryption as a defensive security measure in GDPRs

There is no legal definition of the word “encryption” in GDPRs. However, a few legal definitions, e.g., “pseudonymization”, “processing”, and “categories of data subjects”, are important for understanding the scope, limits, benefits, and risks associated with encryption under GDPRs.

For example, Article 4(2) of Regulation (EU) 2016/679 defines ‘processing’ as any operation or set of operations performed on personal data, which includes ‘adaptation or alteration’. This means that converting personal data from plaintext into ciphertext represents an ‘adaptation or alteration’ of that data or set of data. When a controller or processor encrypts personal data and is responsible for managing the key (by which it can decrypt that data), that controller or processor is still processing personal data protected by the GDPRs. If the controller or processor subsequently stores, retrieves, consults, or otherwise uses the encrypted data, that too is processing covered by the GDPRs. Therefore, it would not be legally accurate for a controller or processor to use encryption as an anonymization technique and thereafter treat the encrypted data as no longer subject to the GDPRs: as long as the controller or processor is responsible for encrypting the personal data and holds the key, it can re-identify individuals by decrypting that dataset. In this respect, encryption can be regarded as a pseudonymization technique. This is how the legal definitions of “pseudonymization”, “processing”, “controller”, and “processor” are interconnected with encryption.

Let us consider another example. There is no legal definition of “categories of data subjects” in Regulation (EU) 2016/679, but the term is used in Article 6 of Directive (EU) 2016/680 and further explained and defined in Article 5 of the Law No 689 of 1 August 2018 in Luxembourg (the law transposing Directive (EU) 2016/680). However, the following legislative texts, read together, set out the obligations and rights of a controller or processor in relation to the various categories of data subjects: Recital 81, Articles 28(3) and 30(1)(c) of Regulation (EU) 2016/679; Recital 31 and Article 22(3) of Directive (EU) 2016/680; Recital 51, Articles 29(3), 31(1)(c), 73 and 87(3) of Regulation (EU) 2018/1725; and Articles 21(3) and 23(1)(d) of the Law No 689 of 1 August 2018 in Luxembourg. For instance, Article 30(1)(c) of Regulation (EU) 2016/679 (which deals with records of personal data processing activities) specifies that each controller (and, where applicable, the controller's representative) shall maintain a record of processing activities under its responsibility containing, among other things, a description of the categories of data subjects and of the categories of personal data. As mentioned in the paragraph above and in Article 32(1)(a) of Regulation (EU) 2016/679, encryption can be deployed as a security measure for such processing activities associated with different categories of data subjects; therefore, such processing must be recorded. In addition, under Article 28(3) of Regulation (EU) 2016/679, when personal data processing by a processor is governed by a contract (i.e., outsourcing of personal data processing), that contract shall set out, among other things, the duration, nature, and purposes of the personal data processing (which may include encryption) in relation to the types of personal data and categories of data subjects.

For the collective legal reasoning and understanding captured in the above examples, at least the following legal definitions need to be kept in mind while thinking about and working with encryption under GDPRs. To avoid repeating legal texts in this writing, the table below provides only the titles of these legal definitions and their corresponding legal references:

[Table: titles of the essential legal definitions and their corresponding legal references; table image not available]

Please note that the above table only helps to find the legal references of the essential legal definitions that are most closely related to a collective legal understanding of encryption under GDPRs. Whether the above definitions have the same legal meaning and applicability across the different legislative texts and contexts mentioned above is NOT the subject of this synopsis or the above table.

To have an overview of GDPRs in the EU and LU, please see the following synopsis:

ii) Primary legal references for encryption in GDPRs

The table below shows the primary legal references that are directly associated with encryption under GDPRs. However, please note that many other legislative texts can be interpretatively connected to encryption under GDPRs. For example, Recital 39 and Article 5(1)(f) of Regulation (EU) 2016/679 articulate the principles of transparency, integrity, and confidentiality in personal data processing, specifying that personal data should be processed in a manner that ensures appropriate security and confidentiality, including for preventing unauthorized access to or use of personal data and of the equipment used for the processing. Even though these legislative texts do not use the word encryption, they indirectly imply the usability and operational scope of encryption in GDPRs.

[Table: primary legal references directly associated with encryption under GDPRs; table image not available]

iii) Encryption as a defensive security measure in GDPRs: how and why?

a. Which general data protection principles under GDPRs promote the utilization of encryption?

Several general data protection principles in GDPRs, directly and indirectly, promote the utilization of encryption as a defensive security measure. Most notably:

- The GDPRs’ principles of integrity and confidentiality in the processing of personal data, under Article 5(1)(f) of Regulation (EU) 2016/769, specify that personal data should be processed in a manner that ensures appropriate security of the personal data. That includes using appropriate technical or organizational measures, such as encryption, to protect personal data against unauthorized or unlawful processing and against accidental loss, destruction, or damage.

Please bear in mind that, when encryption is used, a loss of the decryption key will likely mean that no one has access to that data. Depending on the circumstances, not having the appropriate decryption key could constitute ‘accidental loss, destruction or damage’ to personal data and would therefore contravene the GDPRs’ principles of integrity and confidentiality in the processing of personal data. Furthermore, if the personal data cannot be restored because the decryption key is unavailable, this may also constitute a personal data breach due to a lack of availability, depending on the risks this poses.

- The GDPRs’ principle of lawfulness of personal data processing, under Article 6 of Regulation (EU) 2016/769, states that the controller may use encryption as an appropriate technical measure where personal data processing for a purpose other than that for which the personal data have been collected is not based on the data subject’s consent, or on a Union or Member State law which constitutes a necessary and proportionate measure in a democratic society to safeguard the objectives referred to in Article 23(1), such as national security, defense, public security, the protection of judicial independence and judicial proceedings, the protection of the data subject, the protection of the rights and freedoms of others, the enforcement of civil law claims, etc. [for the full list, please check Article 23(1) of the said Regulation].

- The GDPRs’ principle of security of personal data processing, under Article 32(1)(a) of Regulation (EU) 2016/679, requires appropriate organizational and technical measures, such as encryption, to be put in place to ensure secure personal data processing. However, please note that Recital 83 of the same Regulation also states that the controller or processor should evaluate the risks inherent in the processing and implement measures to mitigate those risks, such as encryption. More on this is discussed later in this synopsis.

b. Is it mandatory to use encryption under GDPRs? 

In general, as discussed above with reference to several EU legislative texts of GDPRs, encryption is an example of a technical measure that can be appropriate to protect personal data and its processing. Ultimately, whether or not encryption is the right measure to deploy depends on the controller's or processor's circumstances, such as the state of the art of the technology available to them for processing the personal data they hold. However, please note that not using encryption to protect the data may cause regulatory action to be pursued. Hence, it is essential to conduct a proper Data Protection Impact Assessment (DPIA) of the controller's or processor's circumstances to identify the possible scope for utilizing encryption and to take measures to reduce the residual risks associated with encryption. More on this is discussed later in this synopsis.

Nevertheless, under Article 65(5) of Law No 686 of 1 August 2018 in Luxembourg, encryption is a mandatory obligation on the controller for scientific or historical research purposes or statistical purposes. More information in this regard is given below.

c. Encryption of personal data at rest and in transit under GDPRs

There are two different but crucial stages of the personal data processing life-cycle: personal data being stored and personal data being transferred. How encryption can be deployed at each of these stages is discussed briefly below:

Encryption while personal data is being stored (personal data at rest): encrypting stored personal data may provide adequate protection against unauthorized or unlawful processing, particularly when the device that stores the encrypted personal data is lost or stolen. It may also demonstrate compliance with the security requirements associated with personal data processing under GDPRs. Please keep in mind that, under Articles 33 and 34 of Regulation (EU) 2016/679, when personal data is lost or unlawfully accessed and encryption was not used, regulatory action may follow. The controller may also be required to communicate the personal data breach to the data subject [under Article 34(3)(a) of Regulation (EU) 2016/679] and to notify the personal data breach to the supervisory authority [under Article 33(3)(a) of Regulation (EU) 2016/679].

Various techniques can be used to implement (a) full-disk encryption, (b) individual file encryption, and (c) application or database encryption of stored personal data. However, please be aware that an attacker may still be able to access encrypted data at rest, so residual risks remain with encrypted personal data storage. More on this is discussed later in this synopsis.

Encryption while personal data is being transferred (personal data in transit): encrypting personal data sent from one device to another may provide protection against interception of the communication by an unauthorized third party. Therefore, from an information security perspective, it is recommended to encrypt personal data communications whenever personal data is transmitted over a wireless network such as Wi-Fi or over an untrusted network. There are several secure data communication methods, such as Transport Layer Security (TLS) or a Virtual Private Network (VPN). Hypertext Transfer Protocol Secure (HTTPS) encrypts the content exchanged between a user's browser or mobile application and the servers, and thus helps to protect the personal data a user enters on a website or in a mobile application. Using these methods properly can ensure that the content of the communication becomes unintelligible to anyone not authorized to access it if intercepted, and thus satisfies compliance requirements specified in GDPRs such as Article 34(3)(a) of Regulation (EU) 2016/679. However, please be aware that an attacker may still be able to access encrypted personal data in transit, so residual risks remain. More on this is discussed later in this synopsis.

d. How can encryption provide legal benefits in the case of a personal data breach?

As previously mentioned with reference to GDPRs, notably Articles 33(3)(a) and 34(3)(a) of Regulation (EU) 2016/679, it is possible, depending on the context of each personal data breach, that when data is lost or destroyed and was not encrypted, regulatory action may be pursued.

e. How can encryption be legally used for pursuing scientific study, statistical analysis, and historical research?

Under Article 65(5) of Law No 686 of 1 August 2018 in Luxembourg, when the controller processes personal data for scientific or historical research purposes or statistical purposes, encryption of personal data in transit and at rest must be implemented. Please note that, while doing so, the state of the art in encryption technology must be taken into account, as an obsolete encryption technology may not be considered valid by the supervisory authority in LU.

iv) Residual risks associated with [offensive security aspects of] encryption: what can an attacker do and how can these risks be reduced?

a. What is the residual risk associated with encryption? 

There are many ways in which an attacker can exploit residual risks associated with the encryption of personal data at rest and in transit. Some of these are:

- When an encrypted device holding personal data is left unattended while a user is logged in, an attacker may gain access to the decrypted personal data;

- When personal data is kept in encrypted volumes or containers that are not closed or unmounted once the user has finished, the personal data may be accessible to others;

- When a device is infected with malware that has appropriate permissions to access personal data protected by full-disk encryption, file encryption, or any other form of encryption, an attacker can access the personal data once an authorized user has decrypted it;

- When an attacker compromises applications on the device, any data that the application can access is vulnerable. For example, successful exploitation of a website vulnerable to an SQL injection attack could expose personal data whether or not the device itself is encrypted; 

- Certain data in transit may still be exposed in an unencrypted form (e.g., metadata). Hence, implementations relying on public-key infrastructure must implement strict certificate checking to maintain trust in the end-points.

For the above reasons (and others given below), addressing these types of risks is an integral part of a personal data encryption policy, which may include employee awareness training.
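Putting the last of the listed risks into practice, the following is an added example (not part of the original synopsis) that audits a Python `ssl` client context for the strict certificate checking described above, with a weakened configuration beside the hardened one. The names `audit_tls_context`, `weak_client_context` and `strict_client_context` are chosen here for illustration; only the standard library is used and no network connection is made.

```python
# Added example, not from the original synopsis: checking that a TLS client
# configuration enforces strict certificate validation (Python stdlib only).
# The function and context names below are chosen for this illustration.
import ssl
from typing import List


def audit_tls_context(ctx: ssl.SSLContext) -> List[str]:
    """Return findings that weaken trust in the remote end-point.

    An empty list means the context (1) requires and validates the server's
    certificate chain, (2) checks the certificate against the requested
    hostname, and (3) refuses protocol versions older than TLS 1.2.
    """
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("verify_mode is not CERT_REQUIRED: "
                        "the server certificate chain is not validated")
    if not ctx.check_hostname:
        findings.append("check_hostname is False: a certificate issued for "
                        "any host is accepted for this host")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("minimum_version permits TLS versions older than 1.2")
    return findings


def weak_client_context() -> ssl.SSLContext:
    """The kind of context that silently defeats PKI: no validation at all."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False        # must be cleared before CERT_NONE is allowed
    ctx.verify_mode = ssl.CERT_NONE   # any certificate is accepted, so interception goes unnoticed
    return ctx


def strict_client_context() -> ssl.SSLContext:
    """Hardened context: system CA store, hostname check, TLS 1.2 or newer."""
    ctx = ssl.create_default_context()            # CERT_REQUIRED + check_hostname=True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # refuse legacy protocol versions
    return ctx


if __name__ == "__main__":
    for name, ctx in (("weak", weak_client_context()),
                      ("strict", strict_client_context())):
        issues = audit_tls_context(ctx)
        print(f"{name}: {'OK' if not issues else '; '.join(issues)}")
```

The same audit can be applied to any `SSLContext` an application hands to `urllib`, `http.client` or `smtplib`, which makes it a cheap check to include in a DPIA review of data-in-transit controls.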

b. What do GDPRs say about taking measures to reduce residual risks associated with encryption?

Among many other legal texts, Recital 83 of Regulation (EU) 2016/679 clarifies that “to maintain security and to prevent processing in infringement of this Regulation, the controller or processor should evaluate the risks inherent in the processing and implement measures to mitigate those risks, such as encryption. Those measures should ensure an appropriate security level, including confidentiality, taking into account state of the art and the costs of implementation concerning the risks and the nature of the personal data to be protected. In assessing data security risk, consideration should be given to the risks that are presented by personal data processing, such as accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored, or otherwise processed, which may in particular lead to physical, material or non-material damage”.

c. The role of a Data Protection Officer (DPO) and Data Protection Impact Assessment (DPIA) to reduce residual risks associated with encryption 

Article 35(7)(d) of Regulation (EU) 2016/679 specifies that a DPIA must contain the measures envisaged to address the risks, including safeguards, security measures, and mechanisms to ensure the protection of personal data. Under Article 39(1)(c) of the same Regulation, the DPO provides advice regarding the DPIA and monitors its performance pursuant to Article 35 of the same Regulation.

d. The residual risks associated with encryption: 21 ways in which an attacker can break encrypted personal data

A cryptographic attack, or cryptanalysis, involves studying the principles and methods of recovering the plaintext from the ciphertext without knowing the key. Under the current state of the art in attack technologies, an attacker can apply the following attacks:

- Ciphertext-only attack

- Adaptive chosen-plaintext attack

- Chosen-plaintext attack

- Related-key attack

- Dictionary attack

- Known-plaintext attack

- Chosen-ciphertext attack

- Rubber-hose attack

- Chosen-key attack

- Timing attack

- Man-in-the-middle attack

- Brute-force attack

- Birthday attack, a class of brute-force attack

- Meet-in-the-middle attack on digital signature schemes

- Side-channel attack

- Hash collision attack

- DUHK attack

- Rainbow table attack

- Padding oracle attack

- DROWN attack

- Attacks using cryptanalysis tools such as CrypTool to analyze and break ciphers.

[Note: in a few weeks, I will write a synopsis explaining how each of the above-mentioned cryptography attacks works, under my Cybersecurity Synopses: Explained What You Need to Know. If you are interested in knowing more about it, please follow my LinkedIn articles.]

v) Legal consequences in the case of a personal data breach in LU

Article 51 of Law No 686 of 1 August 2018 in LU specifies that non-compliance with the general data protection rules under the CNPD (National Commission for Data Protection in LU) may be punished by imprisonment of eight days to one year and a fine of Euro 251 to Euro 125,000, or by either one of these penalties. Besides that, Articles 42, 48, 49, 50, and 54 of the same law set out different aspects of the legal consequences of a personal data breach.

Furthermore, Article 47(1) to (9) of Law No 689 of 1 August 2018 in LU also sets out different forms of punishment or legal consequences. For example, under Article 47(1) of the same Law, a violation of Article 30 [of which Article 30(3)(a) in particular addresses the role of encryption in the communication of a personal data breach to the data subject] may lead to administrative fines of Euro 500 to Euro 250,000.

vi) Defensive and offensive personal data security dilemma under GDPRs

The discussion above, in sections iii and iv, introduced the defensive and offensive personal data security dilemma under GDPRs. On the one hand, as discussed in sections i to iii and v, GDPRs promote, directly and indirectly, encryption as an information security strategy to defend personal data or to protect the lawfulness, integrity, and confidentiality of personal data processing. On the other hand, as discussed in section iv, malicious hackers or attackers use many modern technologies to break encrypted personal data, even without knowing the key. That creates a dilemma.

On 24 November 2020, the Council of the European Union published a non-binding resolution on encryption titled “Council Resolution on Encryption – Security through encryption and security despite encryption”. It states that “the principle of security through encryption and security despite encryption must be upheld in its entirety. The European Union continues to support strong encryption. Encryption is an anchor of confidence in digitalisation and in protection of fundamental rights and should be promoted and developed. Protecting the privacy and security of communications through encryption and at the same time upholding the possibility for competent authorities in the area of security and criminal justice to lawfully access relevant data for legitimate, clearly defined purposes in fighting serious and/or organized crimes and terrorism, including in the digital world, and upholding the rule of law, are extremely important. Any actions taken have to balance these interests carefully against the principles of necessity, proportionality and subsidiarity.”

vii) Can we escape the defensive and offensive information security dilemma?

Please read the following synopsis in this regard:


More articles by Dr. Michel Rayman