Is encrypted data personal data? Or can data protection law be ignored for encrypted data?

The argument is often put forward that data is encrypted and therefore not personal. If, for example, a backup of the customer database is made and stored with an IT service provider, it is argued that there is no processing relevant under data protection law. Is this true?

Previous legal situation under the BDSG

Under the Federal Data Protection Act (BDSG), which will, however, be repealed on 25.05.2018, some German data protection supervisory authorities assumed that personal data securely encrypted with a strong, state-of-the-art cryptographic method is not personal data, because the data is "unreadable". This is a convenient result: the encrypted data then falls entirely outside data protection law, and its considerable restrictions, e.g. on transfers to third parties, do not have to be observed.

New legal situation under the GDPR

According to the prevailing opinion, encrypted data is regarded as pseudonymized data under the EU General Data Protection Regulation (GDPR) and not as anonymized data. This is because the encrypted data can be decrypted using the key. The situation is comparable to one in which only code words are transmitted, and these code words can be "decrypted" by anyone who knows the mapping table of code word to plain text. For example, if Alice agrees with Bob that the code word "tree" should stand for the plain text "Max Mustermann", anyone who knows this mapping can decode the message. This means that only pseudonymization has taken place.

Encrypted data will therefore also be regarded as personal data (in pseudonymized form). The fact that the keys are only accessible to authorized persons, namely the sender and recipient, and not to third parties who only know the encrypted data, does not initially change this classification.

However, on the basis of a 2016 ECJ ruling on the EU Data Protection Directive, it is possible to consider whether encrypted data can constitute anonymized data if decryption is unlikely in practice given the means available. The ruling in question is the ECJ's decision on dynamic IP addresses:

The EU Data Protection Directive "[...] must be interpreted as meaning that a dynamic internet protocol address stored by a provider of online media services when a person accesses a website which that provider makes generally accessible constitutes, for the provider, personal data within the meaning of that provision if he has legal means enabling him to have the person concerned identified on the basis of the additional information held by that person's internet access provider."

(ECJ, judgment of 19.10.2016, Case C-582/14)

The ECJ thus indicates that encrypted data may be anonymized (and therefore no longer subject to data protection law) if there is no possibility of decryption.

In a recital of the GDPR, which is not legally binding and only serves as an explanation, there is also a reference to the fact that pseudonymized data can constitute anonymized data if decryption is unlikely:

"The principles of data protection should apply to any information relating to an identified or identifiable natural person. Personal data subject to pseudonymization that could be attributed to a natural person by using additional information should be considered as information relating to an identifiable natural person. To determine whether a natural person is identifiable, account should be taken of any means likely reasonably to be used by the controller or another person to identify the natural person directly or indirectly, such as singling out."

(Recital 26 of the GDPR)

For data protection law to apply, the data must relate to a specific, identifiable person. According to the cited recital, a person is not identifiable if identification is unlikely, taking into account all available means.

Conclusion on the GDPR

Encrypted data is, in principle, personal data and is therefore subject to data protection law. However, a comprehensive assessment of the individual case may show that decryption is unlikely and that the data therefore no longer constitutes personal data. It is not enough that the third party does not know the key. Rather, it must be assessed which factual and legal options (e.g. a right to information) are available for decryption. In doing so, the focus must not be narrowed to the respective third party, because the public prosecutor's office, for example, could gain access to the third party's data through a search. The factual and legal options available to the public prosecutor's office, and the likelihood of decryption by it, would therefore also have to be considered.

Furthermore, the state of the art must be taken into account, as its progress makes decrypting currently used encryption increasingly easy. As a starting point, encrypted data should therefore also be treated as personal data and then examined on a case-by-case basis to determine whether the data should exceptionally be regarded as anonymized data that is not subject to data protection law.

The distinction between personal and anonymized data is of considerable economic value, and even the legality of some business models depends on it. If you need an assessment for your specific situation, we will be happy to examine the legal position for your case, with a view to the economic and practical requirements.

Date: 8. Jan 2018