On July 23, 2018, Denmark’s data protection agency announced that companies must encrypt all emails transmitting sensitive personal data. This new rule goes into effect January 1, 2019, giving companies that do business in or with Denmark approximately five months to implement encryption technologies for their email systems. This is a strict interpretation of Article 9 of GDPR; however, one facet of GDPR is that each European Union country can interpret and determine how companies must comply with the overarching GDPR principles and requirements.
By way of background, under Article 9 of GDPR, sensitive personal data includes the following information: a person’s racial or ethnic origin; political opinions; religious or philosophical beliefs; trade union membership; the processing of genetic data; the processing of biometric data for the purpose of uniquely identifying a natural person; data concerning health; data concerning a natural person’s sex life; and/or data concerning a person’s sexual orientation. Further, processors cannot process this sensitive personal data unless one of the enumerated exceptions in Article 9 applies, such as explicit consent.
While Denmark is the first country to require encryption for this sensitive personal information, it would not be surprising if other countries follow suit. Email encryption is becoming more common in the United States as well, as the default protection afforded to emails that contain sensitive information.