
Data Encryption and Data Protection Regulations: When to Report a Security Incident


Michał Nosowski


Błażej Zyglarski


Filip Grochowski

July 2, 2025 5 minutes read

Generated by Deep Fellow AI

Understanding Data Encryption in the Context of GDPR

Data encryption plays a crucial role in data protection, particularly under the General Data Protection Regulation (GDPR). Proper security measures, encryption above all, largely determine what a data controller has to do when a security incident occurs.

Encryption as a Protective Measure

The GDPR (Article 32) requires controllers and processors to implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk. Encryption (together with pseudonymisation) is named explicitly in Article 32(1)(a) as one such measure.

Key points about encryption include:

  • It renders the data unintelligible to anyone who does not hold the key
  • It is only effective if the encryption keys are themselves kept secure, in particular separate from the encrypted data, and if the algorithm and key length are considered strong

When is a Theft of Encrypted Data Considered a Data Breach?

The GDPR defines a personal data breach (Article 4(12)) as a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data; in practice this is analysed as a breach of confidentiality, integrity, or availability. Therefore, if personal data is leaked or obtained by an unauthorised person, the situation is a personal data breach even if the data was encrypted.

However, if the data is encrypted and the keys were not exposed, the data remains unintelligible to the third party, so a breach of confidentiality may not lead to any serious consequences for the data subjects.

Reporting Requirements

Article 33 of the GDPR states that in the case of a personal data breach, the data controller is obliged to notify the breach to the supervisory authority without undue delay and, where feasible, not later than 72 hours after having become aware of it. In some cases, informing the affected data subjects is also required (Article 34).

Notification is not necessary if the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons. Even then, the controller must document the breach, its effects and the remedial action taken (Article 33(5)), so that the supervisory authority can verify the decision not to notify.

The European Data Protection Board stated in its guidelines on personal data breach notification that if the encryption key is not compromised during a security breach, the data is unintelligible to the unauthorised recipient. Consequently, the breach is unlikely to adversely affect data subjects, especially if the data controller did not itself lose access to the data (for example, because a backup exists).

To sum up, notifying the supervisory authority is not always necessary. The decision depends on several factors:

You do NOT need to notify the incident if:

  • The data is fully secured through state-of-the-art encryption
  • The data controller is certain that the encryption keys were not compromised
  • The data controller still has usable access to the data (e.g. from a backup), so the breach does not affect availability

You MUST notify the incident if:

  • There is a risk that the data could be decrypted, e.g. because of a known weakness of the encryption algorithm or key length, or because the key could be guessed (such as a key derived from a weak password)
  • The encryption keys have been stolen, or were stored on the same compromised system as the data
  • The controller has lost access to the data (an availability breach), even if the attacker cannot read it
  • The incident could otherwise impact the rights and freedoms of data subjects

Practical Reporting Obligations

Data controllers must conduct a risk assessment by considering:

  • Whether the incident poses a risk to individual rights and freedoms
  • The likelihood of data being compromised

Reporting Timelines and Requirements

  • Incidents unlikely to result in a risk to data subjects (e.g. securely encrypted data, keys not exposed, controller keeps access): no notification to the supervisory authority is required, but the breach must still be documented internally
  • Incidents likely to result in a risk to data subjects (e.g. because the attacker also obtained the encryption keys): must be notified to the supervisory authority without undue delay and, where feasible, within 72 hours of the controller becoming aware of the breach

Communication to the data subjects themselves is mandatory only when the breach is likely to result in a high risk to their rights and freedoms (Article 34). Article 34(3)(a) expressly waives this communication where the controller had applied measures, such as encryption, that render the data unintelligible to any person not authorised to access it; strong encryption with uncompromised keys therefore greatly diminishes both the risk and the notification burden.

Practical Examples

Example 1: No Reporting Required

  • Encrypted data stolen from a server
  • Encryption keys stored in a separate, secure system
  • Encryption was performed with state-of-the-art algorithm
  • Result: No obligation to notify the supervisory authority or the data subjects; the incident is still recorded in the controller's internal breach documentation

Example 2: Reporting Necessary

  • Encrypted data stolen along with the encryption keys, e.g. because the keys were stored on the same server or in the same backup
  • Result: Breach must be reported
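The two examples above come down to one design choice: whether the key that unwraps the data lives with the data or in a separate system. The Go program below is an added illustration, not code from this article or from Simplito. It implements envelope encryption with the standard library (AES-256-GCM): each record is encrypted under its own data key (DEK), and the DEK is stored next to the record wrapped under a key-encryption key (KEK) that never leaves the separate key system. A stolen blob therefore carries the ciphertext and the wrapped DEK, but not the KEK. All type and function names (EnvelopeBlob, Protect, Recover) and the sample record are invented for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// EnvelopeBlob is what an attacker takes from a compromised storage server:
// the record ciphertext plus the wrapped (encrypted) data key. The KEK that
// unwraps the data key is held elsewhere (HSM/KMS) and is not part of the
// blob. The type and function names here are illustrative only.
type EnvelopeBlob struct {
	Ciphertext []byte // nonce || AES-256-GCM(record) under the per-record DEK
	WrappedDEK []byte // nonce || AES-256-GCM(DEK) under the KEK
}

// NewKey returns 32 random bytes for use as an AES-256 key.
func NewKey() ([]byte, error) {
	k := make([]byte, 32)
	if _, err := rand.Read(k); err != nil {
		return nil, err
	}
	return k, nil
}

// gcmSeal encrypts plaintext with AES-GCM under key; the random nonce is
// prepended to the output so gcmOpen can recover it.
func gcmSeal(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// gcmOpen reverses gcmSeal. A wrong key (or any tampering) fails the GCM
// authentication check, so the caller gets an error rather than garbage.
func gcmOpen(key, sealed []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("sealed data too short")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], nil)
}

// Protect encrypts one record under a fresh DEK and wraps that DEK under
// the KEK. Only the blob is stored with the data; the KEK never is.
func Protect(kek, record []byte) (EnvelopeBlob, error) {
	dek, err := NewKey()
	if err != nil {
		return EnvelopeBlob{}, err
	}
	ct, err := gcmSeal(dek, record)
	if err != nil {
		return EnvelopeBlob{}, err
	}
	wrapped, err := gcmSeal(kek, dek)
	if err != nil {
		return EnvelopeBlob{}, err
	}
	return EnvelopeBlob{Ciphertext: ct, WrappedDEK: wrapped}, nil
}

// Recover is what anyone holding a blob can do with a candidate KEK. It
// models both the controller's normal read path and an attacker's attempt.
func Recover(kek []byte, blob EnvelopeBlob) ([]byte, error) {
	dek, err := gcmOpen(kek, blob.WrappedDEK)
	if err != nil {
		return nil, fmt.Errorf("cannot unwrap DEK: %w", err)
	}
	return gcmOpen(dek, blob.Ciphertext)
}

func main() {
	// Errors are ignored only in this demo; the functions above report them.
	kek, _ := NewKey() // lives in the separate key system
	// Constructed sample record, not real personal data.
	blob, _ := Protect(kek, []byte("customer=Jan Kowalski;email=jan@example.com"))

	// Example 1: the attacker has the blob but not the KEK.
	attackerKEK, _ := NewKey()
	if _, err := Recover(attackerKEK, blob); err != nil {
		fmt.Println("Example 1: stolen blob is unintelligible without the KEK:", err)
	}
	// Example 2: the attacker has the blob and the KEK.
	if pt, err := Recover(kek, blob); err == nil {
		fmt.Printf("Example 2: KEK also stolen, record readable: %q\n", pt)
	}
}
```

Example 1 corresponds to Recover failing with a KEK the attacker does not have: GCM authentication fails on the wrapped DEK, so the attacker gets an error rather than plaintext, and the blob stays unintelligible. Example 2 corresponds to Recover succeeding because the KEK was taken together with the blob. In production the KEK would not be loaded into the application's memory at all; the unwrap step would be a call to a KMS or HSM, which is what makes the "keys stored in a separate, secure system" claim verifiable during the breach assessment.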

Emerging Considerations: Post-Quantum Cryptography

As technology evolves, data controllers must also consider emerging risks, such as advances in quantum computing that could break the public-key algorithms in use today (for example RSA and elliptic-curve key exchange). Encrypted data stolen today may be kept and decrypted later, so the assessment that stolen ciphertext is unintelligible only holds for as long as the algorithm and key length remain strong over the data's retention period. Controllers should record which algorithms and key sizes protect each data set and be ready to migrate to post-quantum algorithms.

Conclusion

Encryption remains an effective method for mitigating potential data leak consequences. However, the decision to report an incident depends on specific circumstances and a comprehensive risk assessment.

By understanding these nuanced requirements, organizations can better navigate their data protection responsibilities under GDPR.

Authors


Michał Nosowski

An attorney-at-law, focused on data law, intellectual property law, and contract law. A partner in Bytelaw law firm, providing professional legal support for IT companies. He is fascinated by the interconnections between law and the world of IT. He works closely with entrepreneurs from the IT sector, AI companies and start-ups.


Błażej Zyglarski

With more than 20 years of professional experience as an academic lecturer, fullstack/mobile developer and founder of IT companies and foundations operating in the EU market, Błażej has always put data protection, encryption and security first. In his private time, Błażej is passionate about smart home systems, 3D printing and board games.

Simplito sp. z o.o.

1-3 Grudziądzka

87-100 Toruń, Poland

KRS 0000305883

VAT EU: PL9562217643

Share Capital: 336 100 PLN

Copyright © 2025 All rights reserved. Simplito sp. z o. o.