


Corporate e-mail and metadata: tough stance from the Italian DPA


published on 19 February 2024 | reading time approx. 4 minutes


With decision No. 642 dated December 21st, 2023 the Italian Data Protection Authority (“Garante per la Protezione dei Dati Personali”) provided guidance on the use of e-mail management programs and services in the workplace and on the processing of associated “metadata”, highlighting the risks associated with such processing and providing useful indications to public and private employers to ensure compliance with applicable data protection legislation.

Within its supervisory activity the Authority found an increasingly widespread use of computer programmes and services for e-mail management, offered by cloud providers or “as-a-service”, capable of automatically collecting (sometimes in a generalised and preventive way) metadata relating to the use of employees' e-mail accounts (e.g. the date, time, sender, addressee, subject and size of the e-mail), often without allowing employers either to disable the systematic collection of such data or to customise the relevant retention period, e.g. by setting a shorter one.

In the eyes of the Italian Data Protection Authority, this practice might conflict not only with the principles of privacy by design and by default, transparency, storage limitation and accountability laid down in the GDPR, but also with national regulations safeguarding employees, both in relation to remote monitoring (art. 4 of Law No. 300 of May 20th, 1970) and the prohibition for employers to acquire and in any case process information not relevant for the assessment of the workers’ professional attitude or pertaining to their private life (art. 8 of Law No. 300/1970 and art. 10 of Legislative Decree No. 276 of September 10th, 2003).

The Garante, therefore, peremptorily establishes that the collection and retention of the metadata necessary to ensure the operation of the e-mail system infrastructure should not exceed seven days, a period which might be extended by a further 48 hours only in the presence of proven and documented needs.

The retention of such data for a longer period (e.g. for cybersecurity purposes and to ensure the integrity of corporate assets, including the IT infrastructure) is not tout court forbidden: in this case, however, employers are required to rely on the authorization process provided under art. 4(1) of Law No. 300/1970, as such processing may in fact involve an indirect remote control of workers.

The Authority has therefore urged providers of e-mail management services and applications to design and develop such tools in such a way as to avoid the generalized and indefinite collection of metadata associated with e-mails, allowing customers to tailor the default configuration by setting their preferred storage period.

The impact of the decision is quite significant: the collection and subsequent processing of information automatically produced by computer systems, such as log data or metadata, undoubtedly represents a crucial (as well as irreplaceable) element in ensuring the security of the technological infrastructure implemented by the employer and, consequently, the operational continuity and integrity of the corporate assets.

As we can assume that very few stakeholders will be willing to weaken their information security policies by complying with the retention period prescribed by the DPA, it will become imperative to put in place all the requirements provided for under current legislation, in order to avoid the risk of sanctions and decisions by the Authority. In particular, employers should consider:
  • determining a reasonable retention period, in compliance with the principle of storage limitation, ensuring the effective deletion of data from the systems after its expiry;
  • carrying out a data protection impact assessment pursuant to art. 35 of the GDPR, as well as a so-called balancing test, should the processing be based on legitimate interest;
  • initiating the authorization process provided under art. 4(1) of Law No. 300/1970, by approaching trade unions or the competent office of the Labour Inspectorate;
  • adequately informing their employees and associates about the processing carried out in relation to company e-mails, including the related metadata.

DATA PROTECTION BITES

Author: Nicola Sandon, Avvocato, Senior Associate, Rödl & Partner Italy (+39 049 8046 911)
