Article 29 Working Party advocates for the use of strong & efficient data encryption

The GDPR came into effect on 25th May 2018 and sets a new “gold” standard for data protection and privacy. Although it doesn’t go so far as to make encryption compulsory, it advocates the use of strong and efficient encryption to ensure a secure, free flow of data between citizens, businesses and governments.

Perhaps the most compelling reason of all to use encryption lies in its implications for breach notification and potential financial/punitive damages in the event of a breach. The GDPR introduces some strict new regulations and penalties for organisations that suffer a notifiable breach.

That term “notifiable” is of particular importance. If the data is protected by suitably strong and effective encryption, it does not qualify as a notifiable breach. As such, it is not subject to a financial penalty that could be up to €20 million or 4% of annual revenues (whichever is greater).

Although encryption has the support of cyber security experts around the world, certain law enforcement organisations continue to push for encryption backdoors or the weakening of cryptographic systems, as Hashed Out’s Patrick Nohe pointed out earlier this year.

In his article, Mr Nohe points to the recent guidance on encryption standards issued by the Article 29 Data Protection Working Party (WP29). The statement concerns the use of encryption and its impact on the protection of individuals with regard to the processing of their personal data within the EU.

WP29 appreciates that there is a need to balance the potentially conflicting interests of personal privacy, public interest and the ability for law enforcement to effectively pursue and prosecute criminals.

The working group statement makes three specific points. First, that properly implemented encryption, using appropriately strong algorithms, offers a reasonable guarantee of security. In its absence, WP29 acknowledges that data integrity, confidentiality and authentication may be compromised.

“The availability of strong and trusted encryption is a necessity in the modern digital world. Such technologies contribute in an irreplaceable way to our privacy and to the secure and safe functioning of our societies.”

Second, the statement concedes that encryption may be used to conceal criminal activities; and that this poses a challenge to law enforcement. However, in respect of the calls for backdoors or master keys, WP29 is clear.

“Encryption must remain standardized, strong and efficient, which would no longer be the case if providers were compelled to include backdoors or provide master keys.”

Finally, the statement explains that law enforcement agencies already have access to a range of legal and technical channels that can be used to access otherwise encrypted data. These include access to metadata, social engineering and targeted voice or data interception tools.

WP29 believes law enforcement should concentrate on improving these techniques rather than calling for a weakening of encryption standards.

“Even though these powers raise serious privacy concerns and require significant legal and technical safeguards, they appear more proportionate and less dangerous than master keys and backdoors.”

Despite concerns from law enforcement agencies, strong encryption remains the key to the security of so much of today’s digital economy. The irony is that the high standards that hardware encryption is designed to meet were first developed for government and defence applications. They have latterly been adopted by commercial organisations because they offer “unbreakable” encryption.

What does strong and trusted encryption look like?

Not all encryption solutions offer what might be considered “strong and trusted” encryption. As organisations seek to establish best practice under the new GDPR regulations, it is important to avoid a low-cost, low-assurance encryption solution in the misguided hope that it will meet the required standards.

The most secure organisations are eschewing less secure MACsec, IPsec or hybrid/multi-function network devices in favour of dedicated hardware encryption.

WP29 also recognises the importance of long-term data protection in a post-quantum computing world and makes reference to this in its statement.

“To be dependable, the broadest public availability of state of the art, strong and reliable encryption needs to be promoted to allow for public scrutiny…With regard to this, emerging quantum cryptography capabilities should be taken into consideration.”

ID Quantique has developed a portfolio of quantum-safe security solutions, designed to help government and commercial organisations alike protect mission-critical data in the long term. Our quantum key generation, quantum key distribution and quantum-safe network encryption solutions offer unparalleled protection for network data.

Before you make a decision on data encryption, talk to one of our quantum-safe security experts on +41 22 301 83 71 or email info@idquantique.com
