
Germany: The new Government's plans on the right of encryption

Among the priorities set by the new German government in its Coalition Agreement 2021 - 2025 between the Social Democratic Party ('SPD'), the Green Party, and the Free Democratic Party ('FDP'), titled 'Mehr Fortschritt wagen' ('Dare More Progress') ('the Coalition Agreement'), is the strengthening of the digital rights of German citizens and of IT security.[1] In this context, the Coalition Agreement announces the introduction of a right of encryption. Strengthening encryption methods and deploying them broadly would affect data protection in several ways, and controllers, particularly corporate controllers, should keep these effects in mind. Against this political backdrop, Stefan Hessel, Attorney-at-Law and Co-Head Digital Business Unit at reuschlaw Legal Consultants, discusses the right of encryption and its impact on data protection.


The right of encryption

The Coalition Agreement itself does not state what it means by a 'right of encryption'. But the FDP parliamentary group in the German Bundestag presented motion 19/5764 on 27 January 2020,[2] calling for a right of encryption, and the content of that motion indicates what the term is meant to cover. Specifically, the motion calls upon lawmakers to require telecommunications and telemedia providers to offer eavesdropping-proof, end-to-end encrypted communication services, which are to become the default after a transitional period; to condemn the use of 'backdoors'; to reject government participation in the grey and black markets for security vulnerabilities; and to refrain from any prohibitions or restrictions on cryptographic security systems.

Impact on data protection

The use of encryption methods has several implications in terms of data protection law. In accordance with Article 32(1) of the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR'), controllers and processors are required to implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, and Article 32(1)(a) of the GDPR expressly names the encryption of personal data as one such measure. In the event of a personal data breach, controllers are required to notify the supervisory authority (Article 33) and, if the breach is likely to result in a high risk to the rights and freedoms of natural persons, the data subjects as well (Article 34). But under Article 34(3)(a) of the GDPR, the duty to notify the data subjects does not apply if the controller has implemented appropriate protection measures that render the data unintelligible to any person not authorised to access it, with encryption expressly given as the example. A similar effect applies to the duty to notify the supervisory authority: in accordance with Article 33(1) of the GDPR, notification is not required if the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons. If the affected data were encrypted using a state-of-the-art encryption method, and the corresponding keys were not themselves compromised, the loss of the encrypted data alone would pose no risk to the data subjects.

If the adoption of a 'right of encryption' leads to more widespread use of secure encryption methods, it could also encourage more widespread implementation of 'appropriate measures' within the meaning of Article 32 of the GDPR. This, in turn, would benefit controllers, since properly encrypted data may take a breach of their technical systems outside the notification requirements altogether.

Third country transfers and cryptographic methods

A 'right of encryption' may also have an impact on the legality of third-country transfers. Under Chapter V of the GDPR (Article 44 et seq.), personal data may only be transferred to countries outside the EU if an adequate level of data protection is ensured, whether by an adequacy decision of the European Commission (Article 45) or by appropriate safeguards such as standard contractual clauses (Article 46). In Data Protection Commissioner v. Facebook Ireland Limited, Maximillian Schrems (C-311/18) ('the Schrems II Case'), the Court of Justice of the European Union ('CJEU') formulated strict requirements for data transfers to third countries, e.g. to the US. Even where standard contractual clauses are used, companies must examine whether the contractual arrangement alone ensures an adequate level of data protection or whether supplementary measures are necessary. Prominent among these supplementary measures are encryption and pseudonymisation. In the European Data Protection Board's Recommendations 01/2020 on supplementary measures, encryption is only considered effective for this purpose if the data are encrypted with a state-of-the-art algorithm before transfer and the keys remain under the sole control of the exporter or another entity in the EEA, so that the importer and the authorities of the third country never have access to the plaintext. Accordingly, promoting secure and easy-to-use encryption methods could serve to minimise risks in connection with third-country transfers.

Conclusion

Regardless of whether the aforementioned facets of a potential right of encryption are actually implemented, controllers should be aware of the importance of cybersecurity and secure encryption methods for protecting data. This is particularly true in light of the observation in the 37th Activity Report of the Baden-Württemberg data protection authority ('LfDI Baden-Württemberg') for 2021, titled 'Ways out of the pandemic - back to freedom':[3] 'the IT infrastructure remains under fire. […] Such attacks are not natural disasters which come out of nowhere and which we are powerless to stop'. If a 'right of encryption' is implemented in a way that raises the level of cybersecurity, this would be a welcome development from the viewpoint of data protection. But even if this does not happen, there are many reasons why it is in the interest of corporate controllers not to lose sight of this issue.

Stefan Hessel Attorney-at-Law and Co-Head Digital Business Unit
reuschlaw Legal Consultants, Saarbrücken


1. Available at: https://www.spd.de/fileadmin/Dokumente/Koalitionsvertrag/Koalitionsvertrag_2021-2025.pdf, p. 16 (only available in German)
2. Available at: https://dserver.bundestag.de/btd/19/057/1905764.pdf, pp. 2f. (only available in German)
3. Available at: https://www.baden-wuerttemberg.datenschutz.de/taetigkeitsbericht-datenschutz-2021/ (only available in German)
