Beyond GDPR: Denmark Makes Email Encryption Mandatory0
On the heels of GDPR, Denmark’s Data Protection Agency announced that it will set even tighter rules for emails containing sensitive personal data. The agency has recommended the use of email encryption since 2008, but starting January 1, 2019, encryption will be a requirement for all emails that contain sensitive personal information. (Read the announcement, Danish.)
It’s the first time a country has made email encryption mandatory—and another indicator that the protection of subscriber data and privacy can no longer be a second thought for email marketers.
What’s Sensitive Personal Data?
GDPR sets clear rules and guidelines for organizations that collect and process personal data, but they also point out that some types of personal information are more sensitive than others, and thus need more protection. These special categories of personal data are described in article 9 of GDPR, and include:
Personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation
Denmark requiring encryption for emails containing special category data is a strict interpretation of GDPR’s demand to keep this kind of data extra secure.
What Is Email Encryption?
Email encryption is an additional layer of security that helps ensure the confidentiality of a message by ensuring that an email’s content can only be read by the intended recipient.
There are two levels of email encryption:
- Transport Layer Encryption
Transport layer encryption protects your emails in transit from your ESP, to your inbox providers’ servers, and finally into your subscribers’ inboxes. However, messages are not stored encrypted at rest, so anyone with access to the inbox or mail server, including the recipient’s inbox service provider, can read the message. Messages can also be forwarded to others, making confidentiality difficult.
- End-to-End Encryption
When an email is protected by end-to-end encryption, the message is encrypted in transit and at rest, and it can only be “decrypted” back into a readable form by the intended recipient. This method uses asymmetric cryptography, also known as public-private key cryptography.
How does this work? If Seth (the sender) wants to send a private message to Rebecca (the recipient), Seth must first encrypt the message using Rebecca’s public key, which is known and available to everybody. Seth then sends the encrypted message to Rebecca’s inbox. Rebecca is able to open and decrypt the message using her private key, which is known only to her, thus ensuring that only Rebecca is able to read the message. In contrast to transport layer encryption, end-to-end encrypted messages are fully protected on their journey to the recipient’s inbox. That means that any tools and services in between the sender and the recipient—your email service provider or your inbox app, for example—will only see the encrypted version of the email.
Popular end-to-end encryption protocols include Bitmessage, GNU Privacy Guard (GPG), and Pretty Good Privacy (PGP).
What Does It Mean for Email Marketers?
It’s unclear what type of encryption Denmark will require for emails containing sensitive personal information, as the announcement does not prescribe a preferred encryption method.
Fortunately, most ESPs and inbox providers already give marketers the ability to encrypt their emails using a standard transport layer protocol. Unfortunately, most email marketers do not make use of this technology.
Litmus’ 2018 State of Email Survey found that only 23% of marketers currently encrypt their emails in transit. However, adoption grew 21% year-over-year.
Using transport layer encryption is a best practice that we recommend to all email marketing programs. Gmail already highlights which emails are encrypted using TLS by using a little lock icon, and flags the once that aren’t, thus making transport layer encryption a trust factor that’s visible in subscribers inboxes. If Denmark’s new legislation made this type of encryption mandatory, this would be a great step to expand this best practice to all emails that contain sensitive personal information.
If the new Danish law requires end-to-end encryption, things could get very complicated, very quickly.
For example, if a hospital wanted to send an email containing health information to a patient, it would first need to encrypt the email using a protocol known to the patient beforehand (such as PGP), and the patient would need to download the message and decrypt it using that protocol. While many B2B organizations are familiar with this communication method, it’s not as common in B2C communications. Imagine the hospital asking all of its patients to enable PGP, and then having those patients manually decrypt every email received from the hospital. That would be incredibly difficult!
More Detailed Guidance Needed
Just as we saw more detailed guidance on GDPR as the deadline came closer, we can expect Danish authorities to provide more details on what type of encryption they require for marketing emails containing special categories of personal data. That guidance is needed.
Share Your Thoughts
Does your brand encrypt all emails? Have you seen other brands using end-to-end encryption in email communication? Share your thoughts and examples in the comments below.