Thales Blog

Regulation, Compliance And Encryption As A Default

August 6, 2014

Reading an article last weekend about everybody's favourite hero and villain du jour, Edward Snowden, I was particularly struck by one comment:

" What last year's revelations showed us," said Snowden, " was irrefutable evidence that unencrypted communications are no longer safe."

It's a bold statement but one, I suspect, that will not surprise many.  Even before the Snowden revelations, it was commonplace for organisations to disclaim in their privacy policies that "no communication over the Internet can ever be guaranteed 100% secure" (or words to that effect).

Snowden didn’t stop there.  He continued: " Any communications should be encrypted by default."

This inevitably begs the question: do organisations have a legal duty to use encryption to protect the data they process?  It was this very question that we set out to answer when preparing our recent white paper " The legal obligations for encryption of personal data in the United States, Europe, Asia and Australia".

If the question is simple, then the answer is a little less straightforward: there are over 100 data privacy and security laws globally, with many more in the process of reform or on the brink of adoption, and there is no worldwide, uniform set of standards that organisations must apply to protect their data.  Furthermore, not all data is created equal: some data (like medical or bank account records) are inherently more sensitive, and therefore deserving of greater protection, than others.

In fact, when you look into the detail of global data protection laws, they are often deliberately drafted to be as technology neutral as possible, carefully avoiding reference to specific technology solutions for protecting data.  Invariably, they all impose a requirement to maintain data security, but will often couch this in terms of using "appropriate", "reasonable" or "necessary" security taking into account the wider context, such as the nature of the data and the potential harm that might be caused by its loss.

Because of this, legislation seldom imposes an express requirement to implement encryption (although there are notable exceptions, such as the Personal Information Protection Act in South Korea), instead leaving it to the relevant supervisory authorities and courts to flesh out the precise security measures they expect through national guidance, opinions and jurisprudence.

That doesn't mean that legislators don't have particular solutions in mind though.  Indeed, to focus only on the language and diversity of global laws would be to lose sight of the bigger picture – which is that legal regimes around the world are converging on encryption as a fundamental expectation for protecting data.  This expectation derives from a variety of places, including from repeated regulatory interpretation of EU laws that effectively mandate encryption as a must-have component of "appropriate" security measures for processing personal data; to US breach disclosure laws that exempt victim organisations from notifying their data breaches if the data they lost was securely encrypted; to sector-driven requirements for protecting data, such as the Payment Card Industry's Data Security Standards for cardholder payment data.

So, whatever your views of Snowden, he was certainly right in this respect: encryption shouldbe a default standard.  And, the way the law is going, it soon will be.

Phil Lee is a Partner in the Privacy and Information Law Group at Fieldfisher, and leads its US Office in Palo Alto, California.  He can be contacted at and followed on Twitter at @euprivacylawyer.