IMY (Sweden) - DI-2021-4355
| IMY - DI-2021-4355 | |
|---|---|
 | |
| Authority: | IMY (Sweden) |
| Jurisdiction: | Sweden |
| Relevant Law: | Article 32 GDPR Article 32(1) GDPR Article 60 GDPR Article 9 GDPR Article 58(2)(b) GDPR |
| Type: | Complaint |
| Outcome: | Upheld |
| Started: | |
| Decided: | 19.01.2023 |
| Published: | |
| Fine: | n/a |
| Parties: | If Skadeförsäkring AB |
| National Case Number/Name: | DI-2021-4355 |
| European Case Law Identifier: | n/a |
| Appeal: | Unknown |
| Original Language(s): | English |
| Original Source: | EDPB (Final One Stop Shop Decisions Database) (in EN) |
| Initial Contributor: | n/a |
Sending an e-mail containing sensitive data with enforced TLS-encryption instead of end-to-end encryption was deemed insufficient secured under Article 32(1) GDPR. The controller received a reprimand instead of a fine as it had increased the security of its communication solutions.
English Summary
Facts
Following a complaint, the Swedish DPA investigated whether an insurance company – If Skadeförsäkring AB – (the controller) had ensured an appropriate level of security pursuant to Article 32 GDPR when sending an email containing sensitive personal data. The e-mail in question contained the controller’s decision on a claims settlement and a medical assessment on which the decision was based.
The data subject complained about the fact that they received an email including personal data on their health by the controller via e-mail that was not end-to-end encrypted. It was stated by the controller that the e-mail was encrypted with so-called Enforced Transport Layer Encryption (Enforced TLS-encryption). The controller argued that this implied that the message was encrypted from the controller’s servers to the recipient’s e-mail server.
In the course of the investigation, the controller presented to the DPA that it has increased its security by, among other things, developing and launching a new communication solution for emails that are sent to the company’s customers. With the new solution a notification is sent to the customer by e-mail or text message informing the customer that the customer has received a message from the controller that can be read on a specific site “My pages”. In order to log in to “Mypages”, the customer needs to authenticate with the Swedish e-identification “BankID”.
Holding
The DPA established that the controller is responsible for the security of the processing pursuant to Article 32 GDPR. Therefore, the controller must assess the risks associated with the processing and take appropriate technical and organisational measures to address those identified risks.
In this particular case, the DPA identified that the issue is the transfer of sensitive personal data over an open network (internet). The technical and organisational measures to be taken by the controller are subject to enhanced requirements when processing sensitive personal data pursuant to Article 9 GDPR. Sensitive personal data are considered to be worthy of extra protection as the processing of such data may pose significant risks to the fundamental rights and freedom of individuals. The DPA noted that the encryption solution used by the controller only encrypted the email during the transmission from the controller’s server to the server of the complainant’s operator. This meant that the encryption ended before the message had reached the complainant. Consequently, there was a risk that unauthorized persons could access the email in plain text after the encrypted transmission had ended.
Regarding the controller’s new communications solution, the DPA considered that the processing is not subject of the complaint and was therefore not part of the DPA’s investigation.
As a result, the DPA concluded that the controller had not protected the data in such a manner that only the intended recipient could access it after the email had been delivered to the operator’s server. At that moment, the encryption ceased and, therefore, the data lacked sufficient protection against unauthorised disclosure of, or unauthorised access to, the personal data. Since the email contained sensitive data, the DPA found that there was a significant risk of breach of the complainant’s right to privacy. Eventually, the DPA held that the controller had not taken appropriate technical and organisational measures to ensure a level of security appropriate to the risk posed by the processing. The DPA reprimanded the controller for processing personal data in breach of Article 32(1) GDPR.
Comment
Because the controller had developed and launched a new communication solution for sending emails to the company’s customers, following the allegations of security issues made by the complainant the DPA considered – after an overall assessment – the infringement to be minor. Therefore, the DPA issued a reprimand on the basis of 58(2)(b) GDPR instead of a fine.
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the English original. Please refer to the English original for more details.
1(6)
Notice: This document is an unofficial translation of
the Swedish Authority for Privacy Protection’s (IMY)
version of the decision is deemed authentic.wedish
Ref no:
DI-2021-4355
Date of decision: Decision pursuant to Article 60 under
2023-01-19
the General Data Protection
Date of translation:
2023-01-19
Regulation – If Skadeförsäkring AB
Decision of the Swedish Authority for Privacy
Protection
The Swedish Authority for Privacy Protection (“IMY”) concludes that If Skadeförsäkring
AB, as per 6 November 2020, has processed personal data in violation of Article 32(1)
1
of the GDPR by sending sensitive personal data to the complainant in an e-mail
without using a sufficiently secure encryption solution. Hence, If Skadeförsäkring AB
has not implemented appropriate technical and organisational measures to ensure a
level of security appropriate to the risk of the processing.
IMY gives If Skadeförsäkring a reprimand pursuant to Article 58(2)(b) of the GDPR for
the concluded violation.
Presentation on the supervisory case
IMY has initiated supervision regarding If Skadeförsäkring AB (“If” or “the company”)
due to a complaint.
The complainant has stated that personal data regarding health has been sent via e-
mail without encryption all the way from the sender to the receiver, i.e. by the use of
so-called end-to-end encryption. Due to the complaint, IMY has initiated an
investigation for the purpose of assessing whether If has ensured an appropriate level
of security in accordance with Article 32 of the GDPR as regards the relevant
processing.
The investigation in this case has been carried out through written correspondence.
Since the complaint concerns cross-border processing, IMY has used the mechanisms
for cooperation and consistency contained in Chapter VII of the GDPR. The
supervisory authorities concerned have been the data protection authorities in
Denmark, Finland, Norway and Estonia.
1Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of
natural persons with regard to the processing of personal data and on the free movement of such data, and repealing
Directive 95/46/EC (General Data Protection Regulation).Privacy Protection Authority Our ref: DI-2021-4355 2(6)
Date:2023-01-19
What If have stated
If has mainly stated the following.
Transfer of sensitive personal data via e-mail as per 6 November 2020
If has stated that the company is the data controller for the processing of personal data
to which the complaint relates. Furthermore, If has stated that, in the context of its
claims settlement, the company sent an e-mail to the complainant in one of the
complainant’s reported personal injury. The e-mail was sent on 6 November 2020 to
the e-mail address provided by the complainant. It contained If’s decision and an
attached file containing the medical assessment which the decision was based upon.
The medical assessment included information regarding background, course of
events, diagnosis, assessment, graduation of possible invalidity and date of birth (not
the social security number).
The e-mail was sent encrypted with so-called Enforced Transport Layer Encryption
(Enforced TLS-encryption). This implied that the message was encrypted from If’s
servers to the recipient’s e-mail server, which in the present case was hosted by Tele2
(the operator). In the event that a receiving server was unable to receive a TLS
encrypted message, the message was not sent. Thus, it was ensured that the
message was always encrypted during transmission. The company’s guidelines in
force at the time stated that when sensitive personal data were sent by e-mail, the e-
mail should always be encrypted.
2
The solution with enforced TLS encryption was implemented following a decision from
the Danish data protection authority, Datatilsynet, where If received criticism for using
opportunistic TLS encryption for e-mails containing sensitive personal data.
If also refers to a decision of Datatilsynet in which the Danish data protection authority
concluded, following an investigation of a law firm, that the use of enforced TLS 1.2
entails an encryption with sufficient security for e-mails containing confidential and
sensitive personal information during transmission. If stated that it was this encryption
solution that was used when the e-mail containing the medical assessment was sent to
the complainant on 6 November 2020.
New solution for managing e-mail messages
If has stated that, during the period following the complaint, the company has
increased its security by, among other things, developing and launching a new
communication solution for e-mails that are sent to the company’s customers. Within
the framework of this solution, If’s customers get access to e-mails via “My Pages” on
the company’s website. The solution works in such a way that a notification is sent to
the customer by e-mail or text message informing the customer that the customer has
received a message from If that can be read on “My pages”. In order to log in to “My
pages”, the customer needs to authenticate with the Swedish e-identification “BankID”.
2 See Datatilsynet’s (Denmark) decision of 18 June 2020 in case J.nr. 2019-31-2175.
3 See Datatilsynet’s (Denmark) decision of 5 November 2019 in case J.nr. 2019-41-0026.Privacy Protection Authority Our ref: DI-2021-4355 3(6)
Date:2023-01-19
Justification of the decision
Applicable provisions
Data concerning health constitutes so-called sensitive personal data. It is prohibited to
process such special categories of personal data pursuant to Article 9(1) of the GDPR,
unless any of the exceptions set out under Article 9(2) is applicable to the processing.
These data are considered to be worthy of extra protection as the processing of such
data may pose significant risks to the fundamental rights and freedom of individuals.
Furthermore, pursuant to Article 32(1) of the GDPR, the controller shall take
appropriate technical and organisational measures to ensure an appropriate level of
security for the protection of the data being processed. When assessing the
appropriate technical and organisational measures, the controller shall take into
account the state of the art, the costs of implementation and the nature, scope, context
and purpose of the processing and the risks to the rights and freedoms of natural
persons.
According to Article 32(1), appropriate safeguards include, among other things:
• The pseudonymisation and encryption of personal data.
• The ability to ensure the ongoing confidentiality, integrity, availability and
resilience of processing systems and services.
• The ability to restore the availability and access to personal data in a timely
manner in the event of a physical or technical incident.
• A process for regularly testing, assessing and evaluating the effectiveness of
technical and organisational measures for ensuring the security of the
processing.
Pursuant to Article 32(2) of the GDPR, when assessing the appropriate level of
security, account shall be taken in particular of the risks that are presented by the
processing, in particular from accidental or unlawful destruction, loss, alteration,
unauthorised disclosure of, or access to personal data transmitted, stored or otherwise
processed.
IMY’s assessment
E-mail sent to the complainant on 6 November 2020
Since the controller is responsible for the security of the processing pursuant to Article
32 of the GDPR, the controller needs to assess the risks associated with the
processing of personal data and take appropriate technical and organisational
measures to address the identified risks. What constitute appropriate measures should
not be understood as an arbitrary estimation, but an adequate assessment, based on
the nature, scope, context and purpose of the processing and the risks to the
individual’s rights and freedoms. In this case, the issue is the transfer of sensitive
personal data over an open network (internet). The processing of sensitive personal
data entails that the technical and organisational measures to be taken by the
controller are subject to enhanced requirements.
When an e-mail is sent over an open network, the sender or recipient generally has no
control over which computers (e.g. servers) the specific e-mail passes along the way.
A consequence of this is that anyone who possesses equipment that unprotected e-
mails pass through, can access, disseminate or distort them.Privacy Protection Authority Our ref: DI-2021-4355 4(6)
Date:2023-01-19
By taking appropriate technical and organisational measures, it should not be possible
for unauthorised persons to read personal data transmitted over an open network. This
can be achieved by encrypting the e-mail containing personal data and/or by
protecting the transmission of the e-mail through encryption. Enforced TLS is an
example of an encryption solution that can be used to protect an e-mail. In the present
case, enforced TLS was used when the relevant e-mail was sent.
IMY notes that the solution used by If to send the e-mail to the complainant only
encrypted the e-mail during the transport from If’s e-mail server to the e-mail server
provided by the complainant’s operator. This implied that the encryption ended before
the message had reached the final recipient and, thus, did not constitute an end-to-end
encryption. Consequently, there was a risk that unauthorised persons could access the
e-mail in plain text after the encrypted transmission had ended.
In light of the above, it cannot be deemed that If had protected the data in such a
manner that only the intended recipient could access it after the e-mail had been
delivered to the operator’s e-mail server. At that moment, the encryption ceased and
therefore the data lacked sufficient protection against unauthorised disclosure of, or
unauthorised access to, the personal data. Since the e-mail contained sensitive
personal data, there was a significant risk of breach of the complainant’s privacy.
If refers to a decision issued by the Danish data protection authority, Datatilsynet,
which concerns a law firm, to demonstrate that Datatilsynet has deemed enforced TLS
to be a sufficiently secure solution for transfer of sensitive personal data. IMY notes
that the relevant decision does not concern a specific processing, but rather a planned
investigation of the security of the processing of personal data, in particular when
using encrypted e-mails. The law firm has specified various methods that it uses to
ensure secure communication. The method to be applied is assessed in each
individual case and one of the methods is to encrypt the transmission of e-mails using
enforced TLS. Datatilsynet has assessed that the law firm’s action was in accordance
with the GDPR. IMY’s investigation in this particular case differs from the Danish
decision since this investigation concerns the question whether a specific consignment
has been adequately protected all the way from the sender to the receiver.
In conclusion, IMY considers that, during the specific occasion, If had not taken
appropriate technical and organisational measures to ensure a level of security
appropriate to the risk posed by the processing, since If had sent the e-mail containing
sensitive personal data without ensuring that the deployed encryption solution
protected the message all the way to the recipient. Consequently, If processed
personal data in breach of Article 32(1) of the GDPR.
If’s new solution for managing e-mails
If has stated that, during the period following the complaint, the company has, among
other things, developed and launched a new communication solution for e-mails to its
customers. It is noted that the personal data processing carried out within the scope of
this new solution is not subject of the complaint and is therefore not part of IMY’s
investigation.Privacy Protection Authority Our ref: DI-2021-4355 5(6)
Date:2023-01-19
Choice of intervention
Article 58(2) and Article 83(2) of the GDPR give IMY the authority to impose an
administrative fine. Depending on the circumstances of the case, an administrative fine
shall be imposed in addition to or in place of the other measures referred to under
Article 58(2), such as injunctions and prohibitions. Furthermore, Article 83(2)
determines the factors to be taken into account when deciding on an administrative
fine and determining the amount of the fine. In the case of a minor infringement, as
stated in recital 148, IMY may, instead of imposing a fine, issue a reprimand under
Article 58(2)(b). The aggravating and mitigating circumstances of the case, such as the
nature, gravity and duration of the infringement and previous infringements of
relevance, shall be considered.
IMY has found that If has processed personal data in breach of Article 32(1) of the
GDPR. An infringement of that provision may give rise to a fine. If’s infringement was
committed when the company sent an e-mail containing sensitive personal data to the
complainant on 6 November 2020 without using a sufficiently secure encryption
solution that protected the message all the way from the sender to the intended
recipient (so-called end-to-end encryption).
IMY’s investigation concerns an e-mail sent by If without the use of adequate security
measures — the one to which the complaint relates. If has worked to improve the
security by, following Datatilsynet’s decision against If, changing from opportunistic to
enforced TLS and also, following the complainant’s allegations of security flaws, taking
security measures by, among other things, developing and launching a new
communication solution for e-mails to the company’s customers. Overall, IMY
therefore considers the infringement to be minor why, on the basis of 58(2)(b) of the
GDPR, If is given a reprimand.
__________________________________________________
This decision has been approved by unit manager , following a
presentation by It and information security specialist .Privacy Protection Authority Our ref: DI-2021-4355 6(6)
Date:2023-01-19
How to appeal
If you wish to appeal the decision, you should write to the Swedish Authority for
Privacy Protection. Please indicate in your letter the decision you want to appeal and
the amendment that you are requesting. The appeal must reach the Swedish Authority
for Privacy Protection no later than three weeks from the date on which you received
the decision. If the appeal has been received in due time, the Swedish Authority for
Privacy Protection will forward it to the Administrative Court in Stockholm for review.
You can send the appeal by e-mail to IMY if the appeal does not contain any sensitive
personal data or information that may be subject to confidentiality. The Swedish
Authority for Privacy Protection’s contact details are set out in the first page of the
decision.
