The standard approach to quantum risk in privacy programs is to treat it as a future compliance question — something to address once quantum computers arrive. That framing is wrong, and the legal argument for why it's wrong is specific enough that privacy counsel and compliance officers should be working through it now.
The Three-Part Argument
Part 1: GDPR Article 32 requires state-of-the-art security today
Article 32 of the GDPR requires controllers and processors to implement "appropriate technical and organizational measures to ensure a level of security appropriate to the risk," taking into account "the state of the art." The regulation does not define "state of the art" — it is intentionally technology-neutral and forward-looking. What constitutes state-of-the-art security is not fixed at the time a system was built. It is assessed against what is available and known at the time of the assessment.
This is not a new interpretation. The EDPB has consistently held that Article 32 requires ongoing evaluation of security measures against current threats and available countermeasures. The standard evolves as the threat environment evolves and as protective measures become available.
Article 32 does not ask whether your encryption was state-of-the-art when you deployed it. It asks whether your security measures are appropriate to the risk today. Those are different questions.
Part 2: NIST published post-quantum standards in August 2024
In August 2024, NIST finalized FIPS 203 (ML-KEM, replacing RSA and ECDH in key exchange), FIPS 204 (ML-DSA, replacing RSA and ECDSA in digital signatures), and FIPS 205 (SLH-DSA, hash-based backup signature algorithm). These are not draft standards or experimental proposals. They are final, published, federally standardized post-quantum cryptographic algorithms.
The publication of these standards is the event that changes the Article 32 analysis. Before August 2024, there were no finalized replacements for RSA and ECC. "State of the art" in public-key cryptography was, essentially, RSA-2048 or ECC with appropriate key lengths. That argument is no longer available. Post-quantum alternatives now exist as published federal standards. The question of whether RSA-2048 constitutes "state of the art" is now a live legal question, not a theoretical one.
Part 3: Harvest Now, Decrypt Later is an active operation
The third element of the argument is the threat that makes Parts 1 and 2 urgent rather than theoretical. The Harvest Now, Decrypt Later (HNDL) attack model describes a collection operation that does not require a quantum computer today. It requires only that adversaries collect encrypted data now and store it for future decryption when quantum processing becomes available.
NSA's 2022 CNSA 2.0 advisory stated plainly that adversaries are "currently harvesting encrypted data with the expectation that they will eventually be able to decrypt it with a quantum computer." That language is present tense and deliberate. CISA, NSA, and NIST's 2023 joint advisory on quantum readiness identifies HNDL as the reason organizations should begin migration immediately, independent of projections about when quantum computers will exist.
The harvest is happening now. The quantum computer needed to decrypt it does not exist yet. The data being collected today will still exist when it does. For data with long retention requirements — healthcare records, financial data, biometric data, legal communications — the window between "data transmitted" and "data vulnerable to decryption" is measured in years, not decades.
Why Data Retention Schedules Define the Exposure
HNDL risk is not uniform across all data. It is calibrated by the length of time data remains sensitive. The organizations most directly exposed are those with long data retention obligations whose data has high value to adversaries.
Consider what this means practically. A healthcare organization transmitting patient records under RSA-2048 encryption in 2024 faces a specific timeline: that data will remain a regulated record subject to HIPAA requirements for years. The same data is, under the HNDL model, currently being archived by sophisticated adversaries for future decryption. If a cryptographically relevant quantum computer becomes available in 2030, 2032, or 2035, the data transmitted in 2024 is potentially decryptable at that point — and it will still be within its retention horizon.
This is not a speculative argument. It is an arithmetic one. The retention obligation creates a window. The HNDL collection creates the exposure within that window. The question Article 32 asks is whether the organization took appropriate measures — including state-of-the-art encryption — to protect that data.
The data categories most directly in scope:
- Protected health information with clinical record retention requirements of 6–10+ years
- Financial records subject to multi-year regulatory retention (SEC Rule 17a-4: 3–6 years)
- Biometric data, which retains its sensitivity indefinitely once compromised
- Legal and attorney-client communications
- Intellectual property and trade secrets with long commercial value
- Controlled Unclassified Information (CUI) under CMMC obligations
What "State of the Art" Means in 2026
This is where the argument becomes a specific compliance question rather than a general concern. NIST published post-quantum standards in August 2024. Australia's ASD mandates a completed PQC transition plan by end of 2026. NSA's CNSA 2.0 sets software and firmware adoption targets beginning 2025. The Banque de France and the Monetary Authority of Singapore completed a joint PQC experiment in November 2024.
Given this regulatory and standards landscape, the defensibility of a position that RSA-2048 satisfies "state of the art" under Article 32 — for long-lived sensitive personal data — is declining. It was arguably defensible before the NIST standards were finalized. It is less defensible in 2026, with published standards, documented collection operations, and active regulatory guidance from multiple jurisdictions. It will be progressively less defensible as the 2030 NIST deprecation deadline approaches.
This does not mean organizations are in violation of Article 32 today for using RSA-2048. It means the legal argument for continued use without a documented migration plan and timeline is weakening, and the argument will face increasing scrutiny in DPIAs, regulatory inquiries, and — in the event of a breach involving long-retained data — enforcement proceedings.
Supervisory authorities have not issued enforcement guidance specifically connecting HNDL to Article 32 obligations as of this publication. That is not evidence the argument doesn't exist. It is evidence that enforcement tends to follow incidents, and the incidents will come when quantum decryption becomes available.
The DPIA Gap
Most DPIAs completed in 2024 and 2025 did not address quantum risk. The EDPB's DPIA guidelines (WP248 rev.01) require assessment of risks to the rights and freedoms of data subjects — including risks from future security vulnerabilities that are foreseeable at the time of the DPIA. HNDL is a foreseeable risk. The ASD, NSA, and CISA have all characterized it as an active and documented threat.
A DPIA for a system that processes sensitive personal data with long retention requirements — completed in 2026, with NIST post-quantum standards published, HNDL documented as an active threat, and multiple national authorities issuing migration guidance — that does not address quantum risk is arguably incomplete under the standard the EDPB has established for what "foreseeable" risks must be assessed.
The gap is not necessarily a violation. It is a documented absence that creates exposure in the event of a future regulatory inquiry. Privacy teams should be extending DPIA templates to include a quantum risk assessment section for systems handling long-lived sensitive personal data.
What to Do Now
The practical implication is not that organizations must complete PQC migration immediately to satisfy Article 32. It is that the following documentation should exist, and for most organizations it does not:
- A documented assessment of which data categories with long retention horizons are protected by quantum-vulnerable encryption
- A documented PQC migration plan with timelines, aligned to NIST IR 8547 milestones
- DPIA updates for systems processing long-lived sensitive personal data that address quantum risk as a foreseeable threat
- Legal review of whether current encryption constitutes "state of the art" under Article 32 for the organization's specific data categories and retention obligations
The Immediate Action
Take one data category — the most sensitive one with the longest retention horizon. Healthcare records. Biometric data. Legal communications. Map how it's transmitted, under what encryption, and what its retention obligation is. Then ask legal counsel whether that encryption satisfies "state of the art" under Article 32 in light of the published NIST standards and documented HNDL collection activity. The answer to that question, and the documentation it generates, is where the analysis needs to start.
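The retention arithmetic from the section above and the "map one data category" exercise, as an added Python example (not from the article): each flow's public-key algorithm is classified against the FIPS 203/204/205 replacements, and a record is flagged as HNDL-exposed when its retention horizon outlasts an assumed year for a cryptographically relevant quantum computer (CRQC). The CRQC year, the sample inventory and the 50-year stand-in for "indefinite" retention are assumptions, not figures from the article.

```python
from dataclasses import dataclass

# Classification: the RSA/ECC family that FIPS 203/204/205 replace versus the PQ algorithms.
QUANTUM_VULNERABLE = {"RSA-2048", "RSA-3072", "RSA-4096", "ECDH", "ECDSA", "X25519", "Ed25519"}
POST_QUANTUM = {"ML-KEM", "ML-DSA", "SLH-DSA"}


@dataclass
class DataFlow:
    category: str          # e.g. "PHI clinical records"
    transmitted_year: int  # year the data crossed the wire (when it could be harvested)
    retention_years: int   # regulatory retention obligation, in years
    key_exchange: str      # public-key algorithm protecting it in transit


def retention_end(flow: DataFlow) -> int:
    """Last year the record is still a regulated, sensitive record."""
    return flow.transmitted_year + flow.retention_years


def assess(flow: DataFlow, crqc_year: int) -> dict:
    """Exposure verdict for one flow; exposed_years = years it stays sensitive past the CRQC date."""
    if flow.key_exchange in POST_QUANTUM:
        status, window = "pq-protected", 0
    elif flow.key_exchange in QUANTUM_VULNERABLE:
        window = max(0, retention_end(flow) - crqc_year)
        status = "hndl-exposed" if window > 0 else "retention-expires-first"
    else:
        status, window = "unclassified", 0  # symmetric-only or unknown: review by hand
    return {"category": flow.category, "status": status,
            "exposed_years": window, "retention_end": retention_end(flow)}


def rank_exposure(flows: list, crqc_year: int) -> list:
    """Worst category first, which is the one the article says to start with."""
    return sorted((assess(f, crqc_year) for f in flows),
                  key=lambda r: r["exposed_years"], reverse=True)


# Constructed sample inventory; 2024 mirrors the article's hypothetical transmission year.
SAMPLE_FLOWS = [
    DataFlow("PHI clinical records", 2024, 10, "RSA-2048"),
    DataFlow("SEC 17a-4 broker records", 2024, 6, "ECDH"),
    DataFlow("Biometric templates", 2024, 50, "RSA-2048"),  # "indefinite" modelled as 50 years
    DataFlow("Internal telemetry", 2024, 1, "ECDH"),
    DataFlow("Migrated HR portal", 2026, 10, "ML-KEM"),
]

if __name__ == "__main__":
    for row in rank_exposure(SAMPLE_FLOWS, crqc_year=2032):  # 2032: assumed, not a forecast
        print(row)
```

Re-run with a different `crqc_year` to see how sensitive the ranking is to the arrival assumption; the categories that stay exposed under every plausible year are the ones to put in front of counsel first.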
This article reflects the state of regulatory guidance and technical standards as of May 2026. It does not constitute legal advice. Organizations should work with qualified legal counsel to assess their specific obligations under GDPR Article 32 and applicable data protection frameworks.
References:
- GDPR Article 32, Regulation (EU) 2016/679
- NIST FIPS 203, 204, 205 (August 2024)
- NSA CNSA 2.0 Advisory (2022)
- CISA/NSA/NIST Joint Advisory on Quantum Readiness (2023)
- ASD Planning for Post-Quantum Cryptography (September 2025)
- EDPB DPIA Guidelines WP248 rev.01
- Banque de France / MAS PQC Experiment (November 2024)