Denmark’s Data Protection Authority Datatilsynet  has published an article emphasizing the importance of providing encrypted means for communicating personal information:

  • Authorities and companies must, as data controllers, ensure — on the basis of an assessment of the risk to citizens’ rights — that they establish appropriate security measures. This means, among other things, that authorities and companies are responsible for establishing secure transmission solutions that address the identified risks to citizens — not only when they send information to citizens, but also when they collect information from citizens for the processing of a case or service.
  •  An authority or company is not responsible for the method of transmission if the citizen sends information of a confidential or sensitive nature unsolicited via an unencrypted connection, or if the citizen — despite an invitation to send the information encrypted — still uses an insecure method of transmission.

Details in this article from Datatilsynet.