IMY (Sweden) - DI-2021-4355: Difference between revisions
No edit summary |
|||
Line 92: | Line 92: | ||
== Comment == | == Comment == | ||
Because the controller had developed and launched a new communication solution for sending emails to the company’s customers, following the allegations of security issues made by the complainant the DPA considered – after an overall assessment – the infringement to be minor. Therefore, the DPA issued a reprimand on the basis of [[Article 58 GDPR|58(2)(b) GDPR]] instead of a fine. | ''Because the controller had developed and launched a new communication solution for sending emails to the company’s customers, following the allegations of security issues made by the complainant the DPA considered – after an overall assessment – the infringement to be minor. Therefore, the DPA issued a reprimand on the basis of [[Article 58 GDPR|58(2)(b) GDPR]] instead of a fine.'' | ||
== Further Resources == | == Further Resources == |
Revision as of 14:09, 5 June 2023
IMY - DI-2021-4355 | |
---|---|
Authority: | IMY (Sweden) |
Jurisdiction: | Sweden |
Relevant Law: | Article 32 GDPR Article 32(1) GDPR Article 60 GDPR Article 9 GDPR Article 58(2)(b) GDPR |
Type: | Complaint |
Outcome: | Upheld |
Started: | |
Decided: | 19.01.2023 |
Published: | |
Fine: | n/a |
Parties: | If Skadeförsäkring AB |
National Case Number/Name: | DI-2021-4355 |
European Case Law Identifier: | n/a |
Appeal: | Unknown |
Original Language(s): | English |
Original Source: | EDPB (Final One Stop Shop Decisions Database) (in EN) |
Initial Contributor: | n/a |
Sending an e-mail containing sensitive data with enforced TLS-encryption instead of end-to-end encryption was deemed insufficiently secured under Article 32(1) GDPR. The controller received a reprimand instead of a fine as it had increased the security of its communication solutions.
English Summary
Facts
Following a complaint, the Swedish DPA investigated whether an insurance company – If Skadeförsäkring AB – (the controller) had ensured an appropriate level of security pursuant to Article 32 GDPR when sending an email containing sensitive personal data.
The e-mail in question contained the controller’s decision on a claims settlement and a medical assessment which the decision was based upon. The data subject complained about the fact that they received an email including personal data on their health by the controller via e-mail that was not end-to-end encrypted.
It was stated by the controller that the e-mail was encrypted with so-called Enforced Transport Layer Encryption (Enforced TLS-encryption). The controller argued that this implied that the message was encrypted from the controller’s servers to the recipient’s e-mail server.
Furthermore, the controller presented that it has increased its security by, among other things, developing and launching a new communication solution for emails that are sent to the company’s customers. With the new solution a notification is sent to the customer by e-mail or text message informing the customer that the customer has received a message from the controller that can be read on a specific site “My pages”. In order to log in to “Mypages”, the customer needs to authenticate with the Swedish e-identification “BankID”.
Holding
The DPA established that the controller is responsible for the security of the processing pursuant to Article 32 GDPR. Therefore, the controller must assess the risks associated with the processing and take appropriate technical and organisational measures to address those identified risks.
In this particular case, the DPA identified that the issue is the transfer of sensitive personal data over an open network (internet). The technical and organisational measures to be taken by the controller are subject to enhanced requirements when processing sensitive personal data pursuant to Article 9 GDPR. Sensitive personal data are considered to be worthy of extra protection as the processing of such data may pose significant risks to the fundamental rights and freedom of individuals.
The DPA noted that the encryption solution used by the controller only encrypted the email during the transmission from the controller’s server to the server of the complainant’s operator. This meant that the encryption ended before the message had reached the complainant. Consequently, there was a risk that unauthorized persons could access the email in plain text after the encrypted transmission had ended.
Regarding the controller’s new communications solution, the DPA considered that the processing is not subject of the complaint and was therefore not part of the DPA’s investigation.
As a result, the DPA concluded that the controller had not protected the data in such a manner that only the intended recipient could access it after the email had been delivered to the operator’s server. At that moment, the encryption ceased and, therefore, the data lacked sufficient protection against unauthorised disclosure of, or unauthorised access to, the personal data. Since the email contained sensitive data, the DPA found that there was a significant risk of breach of the complainant’s right to privacy.
Eventually, the DPA held that the controller had not taken appropriate technical and organisational measures to ensure a level of security appropriate to the risk posed by the processing. The DPA reprimanded the controller for processing personal data in breach of Article 32(1) GDPR.
Comment
Because the controller had developed and launched a new communication solution for sending emails to the company’s customers, following the allegations of security issues made by the complainant the DPA considered – after an overall assessment – the infringement to be minor. Therefore, the DPA issued a reprimand on the basis of 58(2)(b) GDPR instead of a fine.
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the English original. Please refer to the English original for more details.
1(6) Notice: This document is an unofficial translation of the Swedish Authority for Privacy Protection’s (IMY) version of the decision is deemed authentic.wedish Ref no: DI-2021-4355 Date of decision: Decision pursuant to Article 60 under 2023-01-19 the General Data Protection Date of translation: 2023-01-19 Regulation – If Skadeförsäkring AB Decision of the Swedish Authority for Privacy Protection The Swedish Authority for Privacy Protection (“IMY”) concludes that If Skadeförsäkring AB, as per 6 November 2020, has processed personal data in violation of Article 32(1) 1 of the GDPR by sending sensitive personal data to the complainant in an e-mail without using a sufficiently secure encryption solution. Hence, If Skadeförsäkring AB has not implemented appropriate technical and organisational measures to ensure a level of security appropriate to the risk of the processing. IMY gives If Skadeförsäkring a reprimand pursuant to Article 58(2)(b) of the GDPR for the concluded violation. Presentation on the supervisory case IMY has initiated supervision regarding If Skadeförsäkring AB (“If” or “the company”) due to a complaint. The complainant has stated that personal data regarding health has been sent via e- mail without encryption all the way from the sender to the receiver, i.e. by the use of so-called end-to-end encryption. Due to the complaint, IMY has initiated an investigation for the purpose of assessing whether If has ensured an appropriate level of security in accordance with Article 32 of the GDPR as regards the relevant processing. The investigation in this case has been carried out through written correspondence. Since the complaint concerns cross-border processing, IMY has used the mechanisms for cooperation and consistency contained in Chapter VII of the GDPR. The supervisory authorities concerned have been the data protection authorities in Denmark, Finland, Norway and Estonia. 1Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).Privacy Protection Authority Our ref: DI-2021-4355 2(6) Date:2023-01-19 What If have stated If has mainly stated the following. Transfer of sensitive personal data via e-mail as per 6 November 2020 If has stated that the company is the data controller for the processing of personal data to which the complaint relates. Furthermore, If has stated that, in the context of its claims settlement, the company sent an e-mail to the complainant in one of the complainant’s reported personal injury. The e-mail was sent on 6 November 2020 to the e-mail address provided by the complainant. It contained If’s decision and an attached file containing the medical assessment which the decision was based upon. The medical assessment included information regarding background, course of events, diagnosis, assessment, graduation of possible invalidity and date of birth (not the social security number). The e-mail was sent encrypted with so-called Enforced Transport Layer Encryption (Enforced TLS-encryption). This implied that the message was encrypted from If’s servers to the recipient’s e-mail server, which in the present case was hosted by Tele2 (the operator). In the event that a receiving server was unable to receive a TLS encrypted message, the message was not sent. Thus, it was ensured that the message was always encrypted during transmission. The company’s guidelines in force at the time stated that when sensitive personal data were sent by e-mail, the e- mail should always be encrypted. 2 The solution with enforced TLS encryption was implemented following a decision from the Danish data protection authority, Datatilsynet, where If received criticism for using opportunistic TLS encryption for e-mails containing sensitive personal data. If also refers to a decision of Datatilsynet in which the Danish data protection authority concluded, following an investigation of a law firm, that the use of enforced TLS 1.2 entails an encryption with sufficient security for e-mails containing confidential and sensitive personal information during transmission. If stated that it was this encryption solution that was used when the e-mail containing the medical assessment was sent to the complainant on 6 November 2020. New solution for managing e-mail messages If has stated that, during the period following the complaint, the company has increased its security by, among other things, developing and launching a new communication solution for e-mails that are sent to the company’s customers. Within the framework of this solution, If’s customers get access to e-mails via “My Pages” on the company’s website. The solution works in such a way that a notification is sent to the customer by e-mail or text message informing the customer that the customer has received a message from If that can be read on “My pages”. In order to log in to “My pages”, the customer needs to authenticate with the Swedish e-identification “BankID”. 2 See Datatilsynet’s (Denmark) decision of 18 June 2020 in case J.nr. 2019-31-2175. 3 See Datatilsynet’s (Denmark) decision of 5 November 2019 in case J.nr. 2019-41-0026.Privacy Protection Authority Our ref: DI-2021-4355 3(6) Date:2023-01-19 Justification of the decision Applicable provisions Data concerning health constitutes so-called sensitive personal data. It is prohibited to process such special categories of personal data pursuant to Article 9(1) of the GDPR, unless any of the exceptions set out under Article 9(2) is applicable to the processing. These data are considered to be worthy of extra protection as the processing of such data may pose significant risks to the fundamental rights and freedom of individuals. Furthermore, pursuant to Article 32(1) of the GDPR, the controller shall take appropriate technical and organisational measures to ensure an appropriate level of security for the protection of the data being processed. When assessing the appropriate technical and organisational measures, the controller shall take into account the state of the art, the costs of implementation and the nature, scope, context and purpose of the processing and the risks to the rights and freedoms of natural persons. According to Article 32(1), appropriate safeguards include, among other things: • The pseudonymisation and encryption of personal data. • The ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services. • The ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident. • A process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing. Pursuant to Article 32(2) of the GDPR, when assessing the appropriate level of security, account shall be taken in particular of the risks that are presented by the processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data transmitted, stored or otherwise processed. IMY’s assessment E-mail sent to the complainant on 6 November 2020 Since the controller is responsible for the security of the processing pursuant to Article 32 of the GDPR, the controller needs to assess the risks associated with the processing of personal data and take appropriate technical and organisational measures to address the identified risks. What constitute appropriate measures should not be understood as an arbitrary estimation, but an adequate assessment, based on the nature, scope, context and purpose of the processing and the risks to the individual’s rights and freedoms. In this case, the issue is the transfer of sensitive personal data over an open network (internet). The processing of sensitive personal data entails that the technical and organisational measures to be taken by the controller are subject to enhanced requirements. When an e-mail is sent over an open network, the sender or recipient generally has no control over which computers (e.g. servers) the specific e-mail passes along the way. A consequence of this is that anyone who possesses equipment that unprotected e- mails pass through, can access, disseminate or distort them.Privacy Protection Authority Our ref: DI-2021-4355 4(6) Date:2023-01-19 By taking appropriate technical and organisational measures, it should not be possible for unauthorised persons to read personal data transmitted over an open network. This can be achieved by encrypting the e-mail containing personal data and/or by protecting the transmission of the e-mail through encryption. Enforced TLS is an example of an encryption solution that can be used to protect an e-mail. In the present case, enforced TLS was used when the relevant e-mail was sent. IMY notes that the solution used by If to send the e-mail to the complainant only encrypted the e-mail during the transport from If’s e-mail server to the e-mail server provided by the complainant’s operator. This implied that the encryption ended before the message had reached the final recipient and, thus, did not constitute an end-to-end encryption. Consequently, there was a risk that unauthorised persons could access the e-mail in plain text after the encrypted transmission had ended. In light of the above, it cannot be deemed that If had protected the data in such a manner that only the intended recipient could access it after the e-mail had been delivered to the operator’s e-mail server. At that moment, the encryption ceased and therefore the data lacked sufficient protection against unauthorised disclosure of, or unauthorised access to, the personal data. Since the e-mail contained sensitive personal data, there was a significant risk of breach of the complainant’s privacy. If refers to a decision issued by the Danish data protection authority, Datatilsynet, which concerns a law firm, to demonstrate that Datatilsynet has deemed enforced TLS to be a sufficiently secure solution for transfer of sensitive personal data. IMY notes that the relevant decision does not concern a specific processing, but rather a planned investigation of the security of the processing of personal data, in particular when using encrypted e-mails. The law firm has specified various methods that it uses to ensure secure communication. The method to be applied is assessed in each individual case and one of the methods is to encrypt the transmission of e-mails using enforced TLS. Datatilsynet has assessed that the law firm’s action was in accordance with the GDPR. IMY’s investigation in this particular case differs from the Danish decision since this investigation concerns the question whether a specific consignment has been adequately protected all the way from the sender to the receiver. In conclusion, IMY considers that, during the specific occasion, If had not taken appropriate technical and organisational measures to ensure a level of security appropriate to the risk posed by the processing, since If had sent the e-mail containing sensitive personal data without ensuring that the deployed encryption solution protected the message all the way to the recipient. Consequently, If processed personal data in breach of Article 32(1) of the GDPR. If’s new solution for managing e-mails If has stated that, during the period following the complaint, the company has, among other things, developed and launched a new communication solution for e-mails to its customers. It is noted that the personal data processing carried out within the scope of this new solution is not subject of the complaint and is therefore not part of IMY’s investigation.Privacy Protection Authority Our ref: DI-2021-4355 5(6) Date:2023-01-19 Choice of intervention Article 58(2) and Article 83(2) of the GDPR give IMY the authority to impose an administrative fine. Depending on the circumstances of the case, an administrative fine shall be imposed in addition to or in place of the other measures referred to under Article 58(2), such as injunctions and prohibitions. Furthermore, Article 83(2) determines the factors to be taken into account when deciding on an administrative fine and determining the amount of the fine. In the case of a minor infringement, as stated in recital 148, IMY may, instead of imposing a fine, issue a reprimand under Article 58(2)(b). The aggravating and mitigating circumstances of the case, such as the nature, gravity and duration of the infringement and previous infringements of relevance, shall be considered. IMY has found that If has processed personal data in breach of Article 32(1) of the GDPR. An infringement of that provision may give rise to a fine. If’s infringement was committed when the company sent an e-mail containing sensitive personal data to the complainant on 6 November 2020 without using a sufficiently secure encryption solution that protected the message all the way from the sender to the intended recipient (so-called end-to-end encryption). IMY’s investigation concerns an e-mail sent by If without the use of adequate security measures — the one to which the complaint relates. If has worked to improve the security by, following Datatilsynet’s decision against If, changing from opportunistic to enforced TLS and also, following the complainant’s allegations of security flaws, taking security measures by, among other things, developing and launching a new communication solution for e-mails to the company’s customers. Overall, IMY therefore considers the infringement to be minor why, on the basis of 58(2)(b) of the GDPR, If is given a reprimand. __________________________________________________ This decision has been approved by unit manager , following a presentation by It and information security specialist .Privacy Protection Authority Our ref: DI-2021-4355 6(6) Date:2023-01-19 How to appeal If you wish to appeal the decision, you should write to the Swedish Authority for Privacy Protection. Please indicate in your letter the decision you want to appeal and the amendment that you are requesting. The appeal must reach the Swedish Authority for Privacy Protection no later than three weeks from the date on which you received the decision. If the appeal has been received in due time, the Swedish Authority for Privacy Protection will forward it to the Administrative Court in Stockholm for review. You can send the appeal by e-mail to IMY if the appeal does not contain any sensitive personal data or information that may be subject to confidentiality. The Swedish Authority for Privacy Protection’s contact details are set out in the first page of the decision.