A new Opinion by the EU Working Party 29 calls into question the use of many common filtering and tracking technologies. Many businesses use spam and anti-virus filtering tools, scan suspicious e-mail content, or track the receipt of e-mails to optimize marketing strategies. On February 21, 2006, representatives of the European Union[1] data protection authorities adopted an opinion paper that may severely limit the use of such techniques by "internet service providers" and "email service providers."[2] Those providers may be interpreted to encompass not only "true" ISPs, but also employers who wish to use virus and spam filters and police e-mail content, or even universities that want to monitor content when facilitating the use of electronic communications for students.

In the paper, the Working Party 29 (WP29)[3] stresses that all on-line communications are subject to confidentiality protection, whether sent from the workplace or from the user’s home, whether for private or business purposes. Any access to e-mail content, any scanning, tracking, screening, intercepting, opening, and/or reading of communications, as well as delaying or impeding the sending or receiving of mails, may run afoul of Article 8 of the European Convention for the Protection of Human Rights and Fundamental Freedoms (ECHR). Also, any personal information found in these communications may only be collected where there is a legal authorization to do so, and the users are adequately informed about the use of such techniques.

The opinion differentiates between four filtering and tracking techniques:

Anti-Virus Filtering

In the paper, the WP29 states that virus filtering is generally legitimate, as service providers are obligated to take appropriate technical and organizational measures to safeguard the security of their services. In fact, providers may even be required to employ such techniques to comply with security obligations in their service contract with subscribers. However, the WP29 stated that the following conditions must be met for virus filtering to be legitimate:

  • the content of e-mails (and the attached annexes) should be kept secret and not disclosed to anyone but the addressee;
  • any content scanning should be done automatically, and content data may not be used for any purpose other than virus filtering;
  • if a virus is found, the software must offer sufficient guarantees regarding confidentiality; and
  • the users must be informed about the use of anti-virus protection, e.g., in the service providers’ terms of use.

Spam Filtering

As with virus scans, spam filtering is generally considered legitimate by EU authorities. In the paper, the WP29 states that providers are required to use spam filters to ensure the security and efficiency of the communication services. Without spam filters the systems would be very slow and unreliable. However, for spam filters not to run afoul of privacy considerations, data protection obligations, and freedom of speech, the WP29 "strongly recommends" the following:

  • users should have the right (i) to opt-out of spam filtering of their e-mails (allowing easy opting back into the scanning of e-mails), (ii) to check e-mails deemed as spam in order to ascertain whether the supposedly unwanted mail may be "wanted," and (iii) to decide what "kind" of spam should be filtered out;
  • users should be clearly and unambiguously informed about the provider’s spam-filtering policy, e.g., in its terms of use.

The WP29 also "encourages" the development of less intrusive filtering tools to fight spam.

Screening of "Suspicious" E-mail Content

Service providers frequently reserve the right to screen and/or remove predetermined content, e.g., in order to detect and/or block unlawful or unwanted material. Such screening is not generally legitimate, as it is arguably not required in order to protect the security of e-mail services. In the WP29’s view, providers may not censor e-mail communications; to do so would endanger freedom of speech, expression, and information.

Therefore, for such filtering techniques to be lawful there must be an explicit obligation to intercept content for national security, defense, and law enforcement purposes under an E.U. Member State law. Member State laws differ greatly on this point.

Alternatively, service providers may offer content screening as an added value service with the explicit informed consent of the user. It is unclear from the opinion whether the user’s consent may be obtained via his/her agreement to the provider’s terms of use. Providers who want to offer content screening for other purposes, as an added value, are therefore well advised to inform users about these techniques and to obtain their consent via privacy notices separate from their general terms of use.

Tracking of E-mail Opening Via Pixel Tags or Web Beacons

Without specifically mentioning pixel tags or web beacons, the opinion also addresses any "tools which can be used to track whether an e-mail has been read, when it was read, how many times it has been read or opened, if it has been transferred to others, to which e-mail server including its location and/or which type of web navigator and operating system the recipient of the e-mail uses." "Did they read it" is cited as an example.

According to the WP29, the recording and transmittal of personal data (including IP addresses, browsing information, etc.) via these techniques is "contradictory to the data protection principles requiring loyalty and transparency" and is prohibited without the explicit unambiguous consent of the recipient of the e-mail. Users must have the ability to accept or refuse the retrieval of such tracking information. Also, according to the opinion paper, information needs to be given to the recipients including full details on the data controller, and the purposes for which the data are used.

Unfortunately, the opinion paper is silent on the practical difficulties of serving notice and obtaining prior consent of e-mail recipients without first recording certain information on the recipients. As pixel tags or web beacons were initially developed to collect browsing data and record the opening of e-mails, the opinion may well put into question the legal use of existing tracking methods.

Overall

While the paper is helpful in clarifying the general legality of anti-virus and spam filtering, it imposes burdensome information and other obligations for e-mail filtering.

Footnotes:

1. The 25 Member States of the European Union (EU) currently are: Austria, Belgium, Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Poland, Portugal, Slovakia, Slovenia, Spain, Sweden, the Netherlands, and the United Kingdom.

2. Working Party 29 Opinion 2/2006 on privacy issues related to the provision of e-mail screening services, WP 118, available at http://europa.eu.int/comm/justice_home/fsj/privacy/docs/wpdocs/2006/wp118_en.pdf.

3. The Working Party was established by Article 29 of Directive 95/46/EC on the protection of individuals with regard to the processing of personal data, and on the free movement of such data, Official Journal L 281, 31 (hereinafter "Directive"). It is composed of representatives of national data protection authorities and the data protection unit at the European Commission acts as its secretariat.

Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Morrison & Foerster LLP. All rights reserved