In an environment where we are ever more dependent upon the Internet and email for communication, the existence of a destructive email virus or the proliferation of Spam can bring businesses to their knees and cause misery to users. Subscribers to email and Internet services are increasingly dependent upon providers for the use of appropriate filtering mechanisms. In addition, tools exist for tracking email usage on a mass scale. In this context a burden falls upon providers of Internet and email filtering services to ensure that their software gives rise to minimal interference with the communication process and the privacy of users. This area has been the subject of recent review at the level of the European Commission.
On 21 February 2006 representatives of the European Advisory Authorities for data protection and privacy, Working Party 29, adopted an opinion on privacy issues related to the provision of email screening services.1 The Working Party's opinion does not have the force of law for the European Member states. It is an interpretation of the principles contained in existing directives. Nonetheless, the Working Party's opinion would be considered to be influential when a regulator is assessing compliance with that domestic legislation.
Shortly thereafter, the European Commission published a May 2006 Communication (2006) 251 regarding a strategy for a Secure Information Society - 'Dialogue, partnership and empowerment' ('the Secure Information Society Communication'). The Communication sets out a strategy that coordinates the regulatory framework for electronic communications, of which data protection is a part, with specific network and information security measures and steps to minimise cybercrime. The measures set out in the Secure Information Society Communication are connected with the work of the recently formed European Network and Information Security Agency (ENISA), which contributes to the development of a culture of network and information security across the European Union. The Commission also noted the connection with other initiatives in the cyber security realm including the Internet Governance Forum, a new forum for a multi-stakeholder dialogue on Internet governance established by the United Nations.
This note outlines issues raised in these two documents. Taken together, they underline the importance of ensuring that processes are established for maintaining security across the Internet consistently with European Directives on data security.
All U.S. businesses operating in or conducting business with Europe should be cognisant of the European approach and framework for data privacy.
Data Privacy In Europe
Both the U.S. and European Union aim to enhance the protection of messages forwarded to citizens in relation to their privacy and personal information. At a global level protection of privacy is enshrined in Article 12 of the Universal Declaration of Rights: 'no one shall be subjected to arbitrary interference with his privacy, family, home or correspondence, nor to attacks upon his honour and reputation. Everyone has the right to protection of the law against such interference or attacks.'
In the European Union this principle is mirrored in Article 8 of the European Convention on Human Rights that provides that an individual has a right to respect for his or her private and family life, home and correspondence. Furthermore, Article 10 of the Convention enshrines the right to freedom of information which carries with it as a corollary the right to receive and impart information. This framework is supported by a number of Directives and associated guidance.
The aim of the Directives is to ensure a high level of protection of personal information and remove potential obstacles to trans-border information flows across the European Union to encourage the development of an internal market and 'information society.' All European Member States2have introduced legislation which is broadly consistent with the main data protection principles.
Relevance For U.S. Businesses
European Data Protection authorities are able to take enforcement action against organisations that do not comply with the relevant domestic legislation.3For example, in 2000 the UK Information Commissioner issued an enforcement notice ordering the website www.b4usearch.com to stop using personal information from electoral registers published before 2002 after finding the site in breach of the Data Protection Act.
Internet service providers and email service providers should also note that other European data protection authorities, such as the French Commission Nationale de l'Informatique et des Liberts (CNIL), have used the requirement that organisations processing personal data are registered with the relevant domestic authority to enforce data protection principles. Registration was recently denied to one organisation on the basis that CNIL considered that the whistleblower hotline that had been put in place in order to comply with Sarbanes-Oxley Act 2002 was not consistent with European Data Protection principles.
U.S. businesses should also be concerned to ensure that they act in accordance with European data protection obligations so that controllers of personal data in Europe are able to assess the organisation as adequate for the purposes of transfer of personal data to the U.S.
Working Party 29 Opinion On Email Screening Services
Working Party 29 is an independent advisory body on data protection and privacy set up under Article 29 of the European Commission Directive 95/46/EC, the foundation of European data protection principles. The Working Party is tasked with:
a) providing expert opinion on data protection to the commission;
b) applying primary uniform data protection principles;
c) advancing any community measures affecting the individual rights in relation to personal data and privacy;
d) making communications on data protection matters.
The opinion on email screening services considers the practice of screening emails for the purpose of detecting and removing viruses, filtering Spam and removing emails containing predetermined content. The opinion also considers the propriety of software that enables organisations to optimise their marketing strategies by tracking the receipt and response to emails.
The Working Party analysed these processes by reference to the principles of data protection laid down in existing European Commission documents.
The Working Party referred expressly to Directive 2002/58/EC of the European Parliament and the Council concerning the processing of personal data and the protection of privacy in the electronic communications sector (the e-Privacy Directive). This Directive provides, at Article 5, that member states shall prohibit the listening, taping, storage or other kinds of interception or surveillance of communications. A further directive of relevance is the Electronic Commerce Directive.4Article 15 of this Directive provides that Internet and email services should not be the subject of general monitoring of member states.
The Working Party emphasised that all on line communications are the subject of general confidentiality protections and that unauthorised access to emails and their content or impeding the communication of emails could contravene the principles of data protection set out in the above documents.
The Working Party concluded that virus scanning for the purpose of checking files for the existence of software viruses was generally acceptable. The process forms part of the obligation to take appropriate technical and organisational measures to safeguard the security of data processing services. The Working Party emphasised, however that certain principles should be at the forefront of such filtering processes. The Working Party referred to the need to:
a) ensure that content of emails or any annexes remains confidential;
b) ensure that content scanning is automatic with contents not reviewed for any other purpose;
c) provide sufficient guarantees regarding confidentiality, in the event that a virus is located in the software;
d) make full disclosure to users regarding the use of anti-virus protection.
Screening of Emails for Spam
The Working Party recognised that the proliferation of Spam would cause unnecessary commercial and personal concern to users of email services.Spam can make email services slow and inefficient. Article 4 of the e-Privacy Directive requires email providers to take appropriate technical and organisational measures to safeguard security and includes a need to ensure a base level of performance for these services. The Working Party noted that the proliferation of Spam could have the effect of blocking Internet traffic, thereby harming the reliability and security of the email services. Filtering Spam may have the effect of removing other messages that were not in fact Spam due to the criteria for filtering. On balance, the Working Party felt that the process of screening for Spam was acceptable but they recommended strongly that:
a) users of the services should be entitled to opt out and opt back in to the filtering services with ease;
b) users should be permitted to check emails considered to be Spam, to determine whether they are in fact unwanted mail and establish criteria for the filtering process;
c) users should be clearly and unambiguously informed about the Spam filtering policy being applied.
Screening of Suspicious Content from Emails
It is commonly the case that email and Internet service providers will reserve the right to screen and/or remove predetermined content. The Committee expressed the view that even if the purpose of such screening was to remove alleged unlawful material, it was not a security measure that was required to protect the email services and was in effect censorship of email communications. Accordingly, it was in breach of principles in the European Directive.
For such filtering services to be lawful, there would need to be an obligation contained in legislation of member states to intercept content for national security and law enforcement purposes.Or, service providers could offer content screening to users. In that case, they should require explicit informed consent from the individuals receiving the services. Eversheds LLP recommends that service providers review privacy notices to users to ensure that they are compliant with these recommendations.
Email Tracking Services
The Working Party also considered the use of tools to track whether emails have been read, when they are read and how many times they have been read or opened. The Working Party was referring to the use of pixel tabs or web beacons and specifically named the service ' Didtheyreadit?,' a service offered by Rampell Software LLC. This product invisibly tracks emails without alerting the recipient and advises the sender when the email was opened, how long it remained opened and where, geographically, it was received.
The Working Party criticised the use of such services on the basis that they allowed for the interference of communications without consent from the recipient of the email. The Working Party described such services as being 'contradictory to the data protection principles requiring loyalty and transparency.' Information should be given to the recipients of such services including full details of the data controller and the purposes for which the data was being used.
While the principle is an important one, we consider that this would be a very difficult standard to meet in practice as it would require the service of notice and obtaining of prior consent of email recipients in the absence of recording information about those recipients.
Internet Security Initiatives
The Secure Information Society Communication outlines a range of activities involving the European Commission, government bodies and private sector stakeholders throughout 2006.A report on progress will be provided to the Council and Parliament in 2007. In particular, the Communication invites private sector stakeholders to:
take steps to define the role and responsibilities of software producers and Internet service providers with regard to appropriate levels of information security for software producers;
encourage 'diversity, openness, interoperability, useability and competition as key drivers for information security,' together with prompting the development of security enhancing products;
establish baseline guidance on information security policies, practises and procedures for network operators and service providers;
support information security training;
develop security certification schemes, in particular with respect to privacy protection, that are affordable; and
cultivate, in conjunction with the insurance industry,appropriate risk management tools and methods to manage information security.
Other measures include a scheduled review of the regulation of electronic communications due within 2006. This review will be expanded to include consideration of network and information security. The review will examine technical and organisational measures to be taken by service providers, requirements to notify security breaches and specific remedies and penalties concerning breaches of obligations.
A multi-stakeholder approach to information security issues and active participation from the private sector is suggested. Providers should note that the importance of information security is squarely on the agenda in Europe, and it will be important to use the platform outlined by the Commission as an opportunity to develop workable, consistent, approaches that are in line with European information protection principles as a means of promoting the interests of providers and systems of self-regulation.
Where email and Internet service providers operate in Europe, they need to ensure that they prioritise the need to limit processing and interception of emails as far as possible (in their design principles). Where users are based in Europe, organisations providing email screening services should be aware of the acts of the service providers and provide clear information about their activities.
Eversheds LLP has an acknowledged strength in helping clients based outside Europe who need to address the question of compliance on an international scale. This experience has given us an understanding not just of the law, but also of the way in which it is applied by regulators. We have a substantial team of lawyers who specialise in Data Protection law located across its network of 28 offices across the UK, Europe and Asia. Eversheds lawyers have advised a large number of clients, from a wide variety of economic sectors, on the application of data protection and protection law to their businesses. These include clients in chemicals production, healthcare, technology, media, manufacturing, financial services, biosciences and the public sector.
1 Opinion 2/2006 00451/06/ENWP118
2 The 25 Member States of the European Union (EU) currently are: Austria, Belgium, Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Poland, Portugal, Slovakia, Slovenia, Spain, Sweden, the Netherlands, and the United Kingdom.
3 The criteria for the direct application of domestic legislation to a service provider would be whether they had equipment in the relevant jurisdiction.
4 Directive 2000/31/EC of the European Parliament and of the Council of 8 June 2000 on certain legal aspects of information and society services in particular electronic commerce in the Internet market.