E-mail encryption - What do you have to consider?

Björn Holeschak, Leiter Datenschutz EIKONA Systems GmbH
The picture shows the lettering "Security".

Nowadays, more and more business transactions are being handled through electronic transmission. This ranges from simple messages, business mail, quoting and order acceptance to electronic invoicing. Even entire B2B contracts or other legal issues are processed between companies by e-mail. But what about data protection - don't business e-mails have to be transmitted in encrypted form?

What does e-mail encryption mean?

When talking about e-mail encryption, one must bear in mind in advance that e-mails on the Internet travel unencrypted on every server and on the paths between the servers. In the process, they can be read or even falsified by attackers. Basically, you can imagine it like a postcard. To change this e-mail (postcard) into a letter in an envelope or even into a registered letter with confirmation of receipt depends on the encryption method. It is important to know which encryption methods are available for e-mail communication. There are two main methods: transport layer security (TLS), i.e. transport route encryption (the equivalent of a letter) and end-to-end encryption, for example via S/MIME or PGP (our registered letter). With TLS encryption, basically the channel between sender and recipient is encrypted so that outsiders have no access to this communication. However, the email that is routed through this channel, including attachments, is itself unencrypted. With end-to-end encryption, in addition to the transport channel, the content itself, including attachments, is encrypted and can only be read by the sender and recipient. This also prevents the message from being changed on its way from the sender to the recipient.

Who must encrypt e-mails and when must I use which encryption?

Both the DSGVO (Art. 32 para. 1 and 2 in conjunction with Art. 5 para. 1 lit. f) and the Trade Secrets Act (§ 2 para. 1 lit. b) state that in order to protect information, security measures must be implemented that are based on the sensitivity of the information. In this case, this is necessary to ensure the confidentiality and integrity of the information. Simplified: the more sensitive the information, the higher the level of technical encryption should be. But do I have to encrypt all e-mails? It is very likely that you already send e-mails with TLS encryption. Nowadays, this is automatically preset on almost all e-mail servers and is, so to speak, technically state of the art. So even if you don't know, your technology will certainly be able to answer the question. Whether you should secure your e-mails with end-to-end encryption depends on the combination of several of the following factors:

  • Information to be transmitted is particularly worthy of protection (e.g. special personal data according to Art. 9 DSGVO or information on criminal investigations according to Art. 10 DSGVO or development data on patent applications).
  • Senders belong to the so-called professional secrecy holders (lawyers, doctors, tax advisors, etc.).
  • There are contractual confidentiality agreements with your communication partner to use a certain encryption.
  • For example, the data is to be sent to a so-called unsafe third country (according to DSGVO).

Check with your data protection officer whether end-to-end encryption is recommended in your business applications or whether TLS encryption may be sufficient.

A current judgement on e-mail encryption

The Administrative Court of Mainz recently clarified in its ruling of 17 December 2020 (Ref.: 1 K 778/19 MZ) that the mere fact that a person is a holder of professional secrecy and records a communication with his client is not sufficient to require end-to-end encryption. Only when other special indications, such as the sensitivity level of the message sent, are taken into account, can increased or extended security of email traffic be considered. Thus, the court also found that in individual cases, a password-protected file can provide sufficient protection.

Björn Holeschak
Björn Holeschak
Team Lead, Data Protection

Drawing on his profound data protection expertise, he tackles data protection challenges with renewed vigor every single day. He understands the dangers and stumbling blocks in intimate detail and gives customers practical advice.

Add a comment

Please calculate 5 plus 9.