Encryption Keys and privacy: AEPD discusses how keys may be considered personal data

Encryption keys and privacy explored by the AEPD, and why some encryption keys may be considered personal data.




Encryption keys and privacy go hand in hand, and encryption keys have proven to be extremely useful in the online world. However, some can be considered personal data under the GDPR, and must be treated as such. The AEPD has published an article discussing encryption keys and how they should be handled under the EU GDPR.

There are two types of encryption systems, one of which uses a public key, making it very suitable for internet use.


Encryption systems can be broken down into two main categories: symmetric and asymmetric encryption. With symmetric encryption systems, one single key does both the encryption and decryption. With asymmetric encryption, on the other hand, there is usually one key for the encryption, which could be public, and another key for the decryption, which is private, with only the legitimate owner having possession. While the encryption and decryption keys are linked, it is difficult to ascertain one from the other. Asymmetric keys are inherently very suitable for the internet, thanks to the one freely accessible key. This is known as the public key and is useful for authentication, signature verification, and the exchange of symmetric keys, among other things.


As an online identifier, a public key may be considered personal data under the GDPR.


While the keys may be anonymized, it is still possible to identify a person to the extent of proving that different actions online are linked to a common source. The public and private key can be used in this way to identify an individual. According to the GDPR, ‘personal data’ refers to any information relating to an identifiable natural person, or ‘data subject’. An identifiable person, according to Article 4, is one who can be identified directly or indirectly, by reference to an identifier. This identifier may refer to a name, identification number, location data or an online identifier, or to factors specific to the identity of that natural person.


Recital 30 of the GDPR states that natural persons may be associated with online identifiers provided by their devices, applications, tools etc. and that these may leave traces which, particularly when combined with unique identifiers and other information received by servers, may be used to profile or identify natural persons. To this extent, a public key is considered a unique identifier, considering the fact that the probability of two people sharing the same string of characters as a public key is practically zero. This uniqueness is what enables public keys to be used securely within encryption systems online.


There is an important link between encryption keys and privacy, as public and private keys can be, and have been, used to re-identify a person.



The use of the public and private keys makes it possible to profile a person and even prove that different online actions are linked to the same individual. This is the case with authentication or blockchain. The accuracy of this type of information is so high that it has actually been used to successfully re-identify a person, and this service of re-identification is actually now available to law enforcement agencies. Public keys are created by third parties which identify and register the natural person to whom the public key will be assigned and the digital certificate issued. This process is made possible via public key infrastructures (PKI). While the owner or user of a public key has an inaccessible private key which allows for the process of asymmetric encryption, and which cannot be deduced from the public key, the association between the two can be used to link various online actions. Whatever is encrypted with one private key can only be decrypted with a specific public key. As a result, the public key acts as a pseudonym and is treated as personal data, since under the GDPR (Article 4(5)) pseudonymised information is personal data.


Does your company have all of the mandated safeguards in place to ensure the safety of personal information collected on your website or app? Aphaia can help. Aphaia also provides both GDPR and Data Protection Act 2018 consultancy services, including data protection impact assessments, and Data Protection Officer outsourcing. We can help your company get on track towards full compliance. Contact us today.
