This is how the (German) Federal Data Protection Act has adopted encryption
(REVISED VERSION - September 2018)
Over the last few months we have talked a great deal about the General Data Protection Regulation (GDPR) of the European Union. The due date has now passed and the GDPR is in effect. But companies located in Germany, as we are, must also adhere to the Federal Data Protection Act (Bundesdatenschutzgesetz: BDSG). The BDSG was adjusted to the new requirements of the GDPR and also came into effect, as BDSG (neu), on the 25th of May 2018.
What is the BDSG (neu)?
During the two-year adjustment period, many companies struggled to translate the requirements of the GDPR into practical measures. The GDPR is fairly vague in many respects. Some issues arising from its vague wording may not be settled until the first court decisions on its interpretation are made. The national data protection laws are meant to put the requirements of the GDPR into a more tangible framework.
It is important to know that European law (the GDPR) takes primacy of application over national law. The implementation of the GDPR is covered specifically in Part 2 (§22-44) of the BDSG (neu).
The importance the BDSG attaches to encryption is apparent in Part 3 (§45-84). Although this part is concerned only with implementing EU Directive 2016/680, and hence with the public institutions responsible for the prevention, detection, investigation, prosecution or punishment of criminal or administrative offenses, it reveals the significance encryption holds nowadays.
Every EU member state is given a certain latitude for translating the requirements of the GDPR into a legislative framework and may make use of this latitude in up to 40 so-called “opening clauses”.
Encryption mentioned in the BDSG (neu)
The General Data Protection Regulation does not explicitly talk about encryption when it comes to the protection of personal data, but it does require appropriate “technical and organizational measures” (TOM) to protect such sensitive data.
Within the BDSG (neu), encryption is mentioned in four paragraphs, which makes the German law more tangible than the European GDPR. Nevertheless, both legislative frameworks have the same objective: protecting personal data in the best possible way. But as noted before, the specifications concerning encryption currently apply to public institutions only. Whether private organizations will be affected by future adjustments to the law remains to be seen, but it seems likely.
Encryption mentioned in §22 BDSG (neu): Processing of special categories of data
Paragraph §22 of the BDSG (neu) deals with personal data that particularly deserve protection. For this purpose, the information the legislator places under special protection is listed first. Afterwards, the “…appropriate and specific measures for the protection of the interests of the person concerned…” are listed.
Besides items such as raising the awareness of all persons involved in processing personal data, or the appointment of a data protection officer, the seventh item on the list is the encryption of personal data. This item may be derived from the GDPR too, but in contrast to the BDSG (neu), the encryption of personal data is not specifically mentioned in the GDPR.
Encryption mentioned in §48 BDSG (neu): Processing of special categories of data
Paragraph 48 also deals with the processing of personal data.
The first passage of this short paragraph states once more that the processing of personal data is only admissible when it is absolutely necessary for the accomplishment of a task. The second passage lists adequate guarantees for the legal interests of the person concerned.
The list consists of 8 items. Besides the encryption of personal data (item 7), the list includes, amongst other items, processing that is separated from other processing and a definition of the segregation control period.
Encryption mentioned in §64 BDSG (neu): Requirements for the security of data handling
This paragraph of the BDSG (neu) is concerned with the requirements for the security of data handling. It states that the responsible persons have to implement protective measures with consideration of the risks involved, the costs and the current state of technology.
Pseudonymization and encryption are highlighted in particular as such measures. It is important to the legislator that:
- the confidentiality, integrity, availability and resilience of the processing systems and services are safeguarded on a permanent basis.
- the availability of, and access to, stored personal data can be restored quickly in case of a physical or technical incident.
§64 BDSG (neu)
The third passage of paragraph §64 lists the following 14 controls that are to be implemented in order to achieve the previously defined objectives, three of which can be realized particularly well with state-of-the-art encryption:
• Prevention of the unauthorized reading, copying, modification or erasure of data media (‘data media control’)
• Prevention of the unauthorized input of personal data and the unauthorized inspection, modification or deletion of stored personal data
• Ensuring that persons authorized to use an automated processing system have access only to the personal data covered by their access authorization (‘data access control’)
The other controls stated in §64 BDSG (neu) refer to equipment access control, user control, communication control, input control, transport control, recovery, reliability, integrity, processing control, availability control and separability.
Encryption mentioned in §66 BDSG (neu): Notifying data subjects affected by a personal data breach
Paragraph §66 states that the person concerned has to be notified in case of any violation of the protection of their data. This notification has to happen without delay; however, the obligation to notify a data subject of a data breach does not apply if safety measures for the protection of personal data are in place. Encryption is explicitly mentioned once more in this section: “…in particular those that render the personal data unintelligible to any person who is not authorized to access them, such as encryption”.
Conclusion – Encryption helps you sleep at night
Encryption of data is one of many measures the legislator stipulates for the protection of personal data. As a data protection measure, however, encryption needs to be particularly highlighted, since it is comparatively easy to implement. Although the BDSG (neu) currently applies to public institutions only, a similar development of the data protection requirements for private organizations can be expected as well. With this in mind, private organizations may already implement encryption in their infrastructure by adopting an easy-to-use, user-friendly and intuitive encryption solution like Boxcryptor.
Boxcryptor puts an extra layer of security on top of the sensitive data that you, as a company, have to protect by all means. It does not matter whether the data you need to protect is personal data you are obliged to protect under the GDPR, or internal business-related data you want to protect against unauthorized access: with end-to-end encryption, the data is not only safe at rest at its storage location but is also securely protected during its transfer to the storage location. This way, we enable companies to profit from the advantages a cloud provides:
Availability of data at all times, synchronization, versioning, etc.
In a previous version of this article we portrayed the BDSG (neu) as valid without restriction for all public and private entities. A member of our community made us aware that this depiction was wrong. In fact, Parts 2 and 3 of the BDSG (neu) are restricted in their applicability to the public institutions described in the revised article.
We are sorry for any inconvenience or confusion caused by our erroneous article and want to thank our community for being attentive and supporting us in this way.