Is TLS enough to encrypt emails securely and in a GDPR-compliant way? Many say yes; lawyers tend to say it depends. But on what? Stephan Heimel from SEPPmail sheds light on this question.
Both end customers and consulting and implementation companies are increasingly hearing the statement: “TLS (Transport Layer Security) is sufficient to communicate in a GDPR-compliant manner.” Behind this is usually the desire for the simplest possible way to exchange encrypted emails with other communication partners. Unfortunately, this is a fallacious conclusion.
This is what the GDPR says
In order to look at this assessment through a legal lens, it is recommended to take a closer look at Article 32 of the GDPR “Security of processing” and recital 83 of the GDPR.
Article 32 of the GDPR states that those responsible for processing personal data must ensure that this data is protected against unauthorized access. The obligated parties must take appropriate technical and organizational measures; pseudonymization and encryption of the data are among the measures named. The encryption must ensure that the personal data is made inaccessible to all persons who are not authorized to access it (see Art. 34 Para. 3 lit. a GDPR). Against this standard, you can judge for yourself whether TLS is the appropriate technology in all cases.
Beware of blanket answers
From a legal perspective, blanket statements are rarely a good approach. That’s why a lawyer’s first answer is usually: “It depends…”.
In the event of a dispute, the facts in question must be examined on a case-by-case basis. The examination may show that no encryption was necessary at all, that TLS encryption was sufficient, or that end-to-end encryption of the content should have been used in addition to transport-only encryption of the connection.
A general statement such as “TLS is sufficient for GDPR-compliant communication” should therefore be approached with caution. Responsibility for complying with data protection regulations remains with the controller (Article 4 No. 7 GDPR). Not only does the risk lie with the controller; the consequences also fall on them, possibly personally. Possible sanctions include claims for recourse against management or against special representatives for compliance, data protection and information security. Under civil law, compensation for damages is the usual consequence, and this includes financial losses without a liability limit. Sanctions under public law include fines, imprisonment or administrative penalties. Regulatory measures can even lead to the closure of the business.
The art of secure email communication
Given these potential dangers, it is crucial to take every practical step to minimize the risks and maximize the security of email. In addition to the frequently used TLS encryption, various other encryption methods are available to secure confidential emails. These include technologies such as S/MIME and PGP, which provide end-to-end encryption and ensure that only the authorized recipient can decrypt the content.
Likewise, spontaneous encryption is a viable option for encrypting specific emails or messages as needed, creating an additional layer of security. All of these technologies were designed not to depend on the underlying transport infrastructure but to work independently of it, between sender and recipient.
Ideally, these technologies are combined so that a lack of confidentiality or integrity in email communication can never become the cause of a GDPR violation.
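Whether TLS was actually used on each hop can be read from a message's Received: headers; the following added example (not SEPPmail's code) audits them with Python's standard library on a constructed sample message. It illustrates the point above: even when every hop is TLS-protected, every relay that handled the message saw the plaintext, which only end-to-end encryption such as S/MIME or PGP prevents.

```python
"""Audit per-hop transport encryption from an email's Received: headers.

Added example, not SEPPmail's code. Relays record "with ESMTPS" or
"with ESMTPSA" (RFC 3848) when the hop used TLS; plain "ESMTP" means
the message crossed that hop unencrypted. The sample message is constructed.
"""
import email
import re
from typing import Dict, List

# Constructed sample: three hops, the middle one without TLS.
SAMPLE_MESSAGE = """\
Received: from mx.example.org (mx.example.org [192.0.2.10])
\tby mail.example.net with ESMTPS (TLS1.3, ECDHE-RSA-AES256-GCM-SHA384)
\tid ABC123; Mon, 1 Jan 2024 10:00:02 +0000
Received: from relay.example.org (relay.example.org [192.0.2.20])
\tby mx.example.org with ESMTP id DEF456;
\tMon, 1 Jan 2024 10:00:01 +0000
Received: from client.example.org (client.example.org [192.0.2.30])
\tby relay.example.org with ESMTPSA id GHI789;
\tMon, 1 Jan 2024 10:00:00 +0000
From: alice@example.org
To: bob@example.net
Subject: Quarterly figures

Plain text body that every relay above was able to read.
"""

HOP_RE = re.compile(r"from\s+(\S+).*?\bby\s+(\S+).*?\bwith\s+(\S+)", re.IGNORECASE)
TLS_PROTOCOLS = {"ESMTPS", "ESMTPSA"}


def audit_hops(raw_message: str) -> List[Dict]:
    """Return one record per hop, oldest hop first, with a tls flag."""
    msg = email.message_from_string(raw_message)
    hops = []
    # Each relay prepends its Received: header, so the list is newest-first.
    for header in reversed(msg.get_all("Received", [])):
        text = " ".join(str(header).split())  # unfold the header
        match = HOP_RE.search(text)
        if not match:
            continue
        sender, receiver, proto = match.groups()
        hops.append({"from": sender, "by": receiver, "with": proto.upper(),
                     "tls": proto.upper() in TLS_PROTOCOLS})
    return hops


def all_hops_encrypted(raw_message: str) -> bool:
    """True only if every recorded hop used TLS (transport security only)."""
    hops = audit_hops(raw_message)
    return bool(hops) and all(h["tls"] for h in hops)


def relays_with_plaintext_access(raw_message: str) -> List[str]:
    """Hosts that held the message in the clear, regardless of per-hop TLS."""
    return [h["by"] for h in audit_hops(raw_message)]
```

A passing `all_hops_encrypted` check shows only that the lines were encrypted; `relays_with_plaintext_access` lists the servers that could still read the content.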
More at SEPPmail.de
About SEPPmail
The internationally active, owner-managed company SEPPmail, based in Switzerland and Germany, is a manufacturer in the field of "Secure Messaging". Its patented, multi-award-winning technology for spontaneous, secure e-mail traffic encrypts electronic messages and, if desired, provides them with a digital signature. The secure e-mail solutions are available worldwide and make a lasting contribution to secure communication via electronic mail.