Does the GDPR differentiate between different methods of encryption?
The GDPR refers to encryption in several provisions; however, it does not specify which algorithm (e.g., AES 256-bit) or application (e.g., at-rest, in-transit, or end-to-end) to use. While it does not explicitly address encryption methods, the way encryption keys are stored is an important factor in deciding whether re-identification of encrypted data is possible with reasonable efforts. With in-transit and at-rest encryption, the cloud provider has access to the encryption keys, while with end-to-end encryption, the keys are stored on the user side only. Because of this, in the event of a data breach, re-identification of end-to-end encrypted data with reasonable efforts is infeasible. End-to-end encryption with client-side key management therefore represents stronger protection for personal data.