Denmark Makes Email Encryption Compulsory for Businesses.

A win for privacy: Businesses in Denmark must protect sensitive personal data in emails with end-to-end encryption starting January 1, 2019.

2018-10-12
Largely unnoticed, Denmark is the first country to require businesses to encrypt emails containing sensitive personal information end-to-end, starting January 1, 2019. This rule is a strict interpretation of Article 9 of the European GDPR. It is the first time a country has made email encryption mandatory — but it is expected that more countries will follow the Danish example. This comes as yet another indicator that the protection of sensitive personal data must be prioritized by any company doing business in Europe.

With the focus on strengthening consumer rights, data protection laws in Europe are becoming stricter. And rightly so, as data breaches around the world continue to rise in scale and in number.

Strengthening the right to privacy

The legal requirement for email encryption in Denmark helps to further strengthen the consumer's right to privacy. As a consequence, email encryption is becoming more popular among businesses in Europe and abroad. Here's the official announcement in Danish.

In a more detailed description of what the authorities expect from Danish businesses, the data protection agency states that TLS encryption and end-to-end encryption should be used for emails, depending on the level of sensitivity of the information contained.

What is sensitive personal data?

The GDPR sets clear rules and guidelines for businesses when processing personal data, but the regulation also states that some types of personal information are more sensitive than others. The categories of personal data that need higher protection are described in Article 9:

Personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation.

The new Danish rule comes into effect on January 1, 2019, and requires everyone doing business in Denmark to encrypt such data when sending it via email. The data protection agency leaves it to the data controller of the business to decide whether the personal information sent is so sensitive that it needs end-to-end encryption as an additional security measure on top of TLS encryption.

To be on the safe side, businesses should consider using a GDPR-compliant email service that has the option to end-to-end encrypt any email easily.

What is email encryption?

Transport layer encryption (TLS) for emails

Transport layer encryption is used to protect your emails in transit. TLS makes sure that the email is sent through a secure tunnel.

Anyone who is able to look into this tunnel can read the email. This is why the real-world equivalent of an email is a postcard: lots of postal workers can read your postcard while it is in transit. It is the same with emails. Additionally, emails are still readable after delivery because an email is usually stored unencrypted on a provider's server, where it can still be read by third parties.

This is why TLS is not considered secure enough to send sensitive data such as information on someone's health or their banking details.

For highly sensitive personal information, end-to-end encryption must be used to make sure no one but the intended recipient can read the email.

End-to-End Encryption

End-to-end encryption of emails makes sure that only the intended recipient has the key to decrypt the email. It cannot be read by anybody else because the email content is unreadable data even if intercepted while in transit.

When the recipients receive an end-to-end encrypted email, they need to use their private key (asymmetric encryption) or a password (symmetric encryption) to decrypt the data and transform it back into a readable format.

In contrast to transport layer encryption, end-to-end encryption fully protects a message while in transit as well as after it has hit the recipient’s inbox. This means that any third party who has access to this email or is able to intercept it will only see the encrypted version of the email and cannot decipher its content.
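The difference described above can be checked on a stored message. The following is an added example, not code from the original article: it classifies a message as carried without TLS, carried over TLS only, or end-to-end encrypted, and lists the text that is still readable at rest. It assumes PGP/MIME and S/MIME as the end-to-end formats (the article names none), and the sample messages are constructed.

```python
import re
from email import message_from_string

TLS_PROTOCOLS = {"ESMTPS", "ESMTPSA"}  # RFC 3848 "with" keywords: SMTP over TLS

def transport_used_tls(msg):
    """True if every recorded hop reports TLS (each server self-reports this)."""
    hops = msg.get_all("Received", [])
    found = [re.search(r"\bwith\s+([A-Za-z0-9]+)", hop) for hop in hops]
    return bool(hops) and all(m and m.group(1).upper() in TLS_PROTOCOLS for m in found)

def is_end_to_end_encrypted(msg):
    """True for PGP/MIME (RFC 3156) or S/MIME enveloped-data (RFC 8551) bodies."""
    ctype = msg.get_content_type()
    if ctype == "multipart/encrypted":
        return (msg.get_param("protocol") or "").lower() == "application/pgp-encrypted"
    if ctype in ("application/pkcs7-mime", "application/x-pkcs7-mime"):
        return (msg.get_param("smime-type") or "").lower() == "enveloped-data"
    return False

def classify(raw):
    """Content encryption outranks transport: TLS alone leaves the body readable."""
    msg = message_from_string(raw)
    if is_end_to_end_encrypted(msg):
        return "end-to-end"
    return "tls-only" if transport_used_tls(msg) else "unprotected"

def readable_text(raw):
    """Plaintext that anyone with access to the stored message can read."""
    msg = message_from_string(raw)
    return [p.get_payload() for p in msg.walk() if p.get_content_type() == "text/plain"]

# Constructed samples: hosts, addresses and bodies are made up for illustration.
def _headers(proto):
    return ("Received: from mail.example.org by mx.example.net with " + proto +
            " id 1; Fri, 12 Oct 2018 10:00:00 +0200\n"
            "From: clinic@example.org\nTo: patient@example.net\nMIME-Version: 1.0\n")

PLAIN_SAMPLE = _headers("ESMTP") + "Content-Type: text/plain\n\nDiagnosis: sample\n"
TLS_SAMPLE = _headers("ESMTPS") + "Content-Type: text/plain\n\nDiagnosis: sample\n"
E2E_SAMPLE = _headers("ESMTPS") + (
    'Content-Type: multipart/encrypted; protocol="application/pgp-encrypted";'
    ' boundary="b1"\n\n'
    "--b1\nContent-Type: application/pgp-encrypted\n\nVersion: 1\n"
    "--b1\nContent-Type: application/octet-stream\n\n(placeholder ciphertext)\n"
    "--b1--\n")

if __name__ == "__main__":
    for name, raw in [("plain", PLAIN_SAMPLE), ("tls", TLS_SAMPLE), ("e2e", E2E_SAMPLE)]:
        print(name, classify(raw), readable_text(raw))
```

The TLS-only sample still yields its diagnosis text from storage, while the end-to-end sample yields no readable text even though it travelled over the same TLS hop.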

TLS or end-to-end encryption

The Danish data protection agency leaves it to the company to decide which form of encryption is appropriate for the data they handle via email:

It is always the data controller who, based on his risk assessment, must assess the level of security that is appropriate. According to the Data Inspectorate, there would be types of processing where encryption with TLS is appropriate and there will be types of treatment where - due to the high level of sensitivity of the personal data - end-to-end encryption will be appropriate.

Encryption use will rise further

While Denmark is the first country to require end-to-end encryption of emails for sensitive personal information, it would not be surprising if other countries follow suit. Email encryption is becoming more common all over Europe and abroad as the default protection for emails that contain sensitive information.

One sign of this is that users of the secure email service Tutanota already encrypt 58% of all sent emails end-to-end.

This is very good news for all of us. By using end-to-end encryption as the default, we can make sure that emails will no longer be sent as postcards, but in the form of a sealed letter.