
Premise
On 6 February, the Guarantor for the protection of personal data (” Guarantor ” or ” Authority “) published a policy document (“Guideline Document”) in which it established that the metadata of employee e-mail communications can be kept by employers (public and private), at the latest, for 7 days, extendable by a further 48 hours in case of proven needs.
The Guidance Document gave rise to numerous requests for clarification, in response to which the Guarantor decided, on 27 February, to launch a public consultation and to suspend the effectiveness of the Guidance Document.
The consultation then opened on 16 March with the publication of the notice in the Official Journal ( general series, no. 64 ) and will end on 15 April.
With this brief focus, we will retrace the stages that led to the publication of this Guidance Document, providing some food for thought also in light of the jurisprudential guidelines on the subject of logs as well as in light of the latest provisions of the Guarantor on metadata.
How to participate in the consultation
To participate in the consultation, it is possible to send observations and proposals by post (addressed to the headquarters in Piazza Venezia n. 11 – 00187 Rome) or by e-mail or certified e-mail (to the e-mail address [email protected] or of certified email [email protected]) indicating in the subject «Consultation on the retention period of the metadata generated and collected automatically by the email transmission and sorting protocols».
The Guarantor has already specified that the contributions received will not bind him in any way.
The Metadata Guidance Document
The Guideline Document was adopted following numerous investigations conducted with regard to the processing of personal data carried out in the work context, the outcome of which emerged that IT programs and services for email management, marketed by suppliers in cloud mode , can collect, by default, in a preventive and generalized way, the metadata relating to the use of the email accounts used by employees (for example, day, time, sender, recipient, subject and size of the email), keeping the same for an extended period of time.
In these scenarios, the employer sometimes finds it impossible to change the basic settings of the computer program to disable the systematic collection of such data or reduce the retention period of the same.
The Authority, in the Guideline Document, first of all recalled that:
- the content of the e-mail messages – as well as the external data of the communications and the attached files – concern forms of correspondence supported by guarantees of secrecy also protected constitutionally ;
- it is necessary for the employer to always verify the existence of a suitable prerequisite of lawfulness before carrying out processing of workers’ personal data through such programs and services, avoiding collecting information that is not relevant for the purposes of evaluating the worker’s professional aptitude or in any case relating to his private sphere;
- in compliance with the principles set out above, the collection activity must have as its object only the so-called metadata necessary to ensure the functioning of the electronic mail system infrastructures, and the same must be kept for a time which cannot normally be longer than a few hours or a few days, in any case no longer than 7 days, extendable, in the presence of proven and documented needs that justify the extension, by a further 48 hours . Otherwise, the generalized collection and storage of such metadata, for a more extended period of time, as it can lead to indirect remote control of workers’ activities, requires the implementation of the guarantees provided for by the art. 4, paragraph 1, of ln 300/1970 (union agreement or authorization from the Labor Inspectorate), in addition to compliance with other obligations, including informing employees correctly and transparently, assessing the need for an assessment of impact on the protection of personal data.
With this provision, the Privacy Guarantor therefore addressed public and private employers, inviting them to carry out a survey of the electronic mail management IT programs and services used by employees. An implicit invitation seems to also be read towards the suppliers of these systems, where the practice of these suppliers of not making it possible to disable the systematic collection of such data or reduce the retention period is recalled.
But what is meant by metadata?
While in the Guideline Document the Guarantor does not provide a clear definition of metadata, limiting itself to an exemplary list (” for example, day, time, sender, recipient, subject and size of the email “), in the subsequent provision launching the consultation provides some more elements to clarify what constitutes metadata.
Here, in fact, the Guarantor referred to the metadata generated and collected automatically by the e-mail transmission and sorting protocols and relating to the operations of sending, receiving and sorting of e-mail messages . The metadata thus understood may include the e-mail addresses of the sender and recipient, the IP addresses of the servers or computers involved in the routing of the message, the times of sending, retransmission and reception, the size of the message, the presence and the size of any attachments, in some cases also the subject of the message sent or received.
The position of the Guarantor on metadata: the precedents
Already on other occasions, respectively in 2016 and 2022, the Guarantor had addressed the issue of metadata connected to the use of email.
In the first case ( provision no. 303 of 13 July 2016 ), it emerged that a University was collecting and storing (initially for 5 years, then during the investigation the owner had declared that he wanted to reduce the timeframe to 1 year) the log files relating to internet traffic and information relating to email use and network connections.
The second case ( provision no. 409 of 1 December 2022 ) always involved a public administration (more specifically, a Region), which collected and stored for 180 days the metadata relating to times, recipients, subject of communications and weight of attachments. In this case, it was the union that complained about monitoring of the email of the staff working at the regional lawyer’s offices. During the investigation, the Region had represented that it had never indicated to the provider (who took care of the information system) how long to keep the metadata. It was therefore arbitrarily the provider himself (as data controller) who replaced the Region (data controller) in defining this timing.
The Guarantor, in both provisions, followed the same logical path, believing that the extensive collection and prolonged storage of email metadata, considered constitutionally protected forms of correspondence, are not justified as necessary for the normal performance of employed work .
For the Authority, a retention period of 7 days for this metadata was deemed appropriate in order to ensure the correct functioning and regular use of the email system.
A broader conservation, essentially, in the opinion of the Guarantor, since it can lead to an indirect remote control of the workers’ activity , entails for employers the need to adopt the guarantee procedures provided for by the Workers’ Statute, such as the signing of the union agreement or request for authorization from the Labor Inspectorate.
In the first provision of 2016, the Guarantor simply prohibited the University from using the data collected up to that point; in the second, however, that of 2022, in addition to prohibiting the processing of metadata relating to the use of email (kept for more than 7 days from their collection) it also inflicted a fine of Euro 100,000.
Interesting is the in-depth analysis carried out by the Guarantor in the first provision mentioned, where it examines in detail which services, software or applications may be included among the tools used by the worker to perform the work performance (which therefore would not require the activation of the guarantee procedures envisaged by the Workers’ Statute). Among these, not only the e-mail and web browsing service, but also the systems and measures that allow their physiological and safe functioning in order to guarantee a high level of security of the company network made available are an integral part of these tools. of the worker, including ” logging systems for the correct operation of the email service, with conservation of only external data, contained in the so-called “envelope” of the message, for a short duration not exceeding seven days ; anti-virus filtering systems that detect security anomalies in workstations or on servers for the provision of network services; systems for automatically inhibiting the consultation of online content inconsistent with institutional competences, without recording access attempts”.
The case law on log files
Within this analysis, it is also worth recalling an interesting ordinance, with which the Court of Naples (Labour Section) ruled on the subject of conservation of log files and on the characteristics of origin, reliability and immutability that these log files must have (order of 04/29/2014).
The case arose from the dismissal of an employee who, using a company computer, had illegally accessed the e-mail of his colleagues. The entire architecture of the dismissal was based on the extraction of logs from the systems that would allow the company to demonstrate illegitimate access by the employee. The ordinance is particularly interesting because, although it does not deal with log retention times, it focuses on the methods of storing them, expressly recalling the provisions of the Privacy Guarantor’s provision on system administrators of 27 November 2008 . In this provision, the Guarantor provides that the recordings (access log) – actually referring to the activity carried out by system administrators – must have characteristics of completeness, inalterability and possibility of verifying their integrity adequate to achieve the purpose of verification why they are required ”.
From the technical report of the CTU appointed by the Judge it emerged that, at the time of the facts, copies of the log files had been made to avoid their loss, given that the system overwrote them at the end of the fixed retention period . It emerged, however, that the copy had been made through an “openable” text file that could be easily modified using an editing program (e.g. Notepad). The logs, therefore, could have been altered and, therefore, not being editable, they lost their reliability.
In the Judge’s opinion, the company should have adopted specific policies for the preservation of digital evidence through the production of digitally signed and time-stamped logs, in order to establish the exact identity with the original data. A conclusion that goes well with the numerous recommendations provided by the Guarantor to adopt clear and transparent policies on the saving and conservation of relevant company data (as well as on the methods of controls and purposes of use of the data collected).
Having acknowledged that the copies of the log files were legally unreliable, the employer who had not fulfilled the burden of proving the worker’s conduct was then ordered to reinstate the worker, declaring his dismissal ineffective.
Conclusions
While waiting to read the Guarantor’s decisions following the outcome of the consultation, some reflections, also in light of the above, are appropriate.
First of all, the choice of a tool such as consultation certainly leads one to think that the Guarantor intended, despite the non-binding nature of the contributions received, to open up towards the involvement of all the actors affected by this process.
As anticipated, the consultation concerns only the metadata retention period.
From the analysis carried out, it emerges that the definition of “metadata” and therefore the scope of the Guideline Document could be further clarified: it is therefore desirable that in the decisions following the consultation (as already done with the provision launching it ) the Guarantor provides an even more precise perimeter of the scope of application of the Guideline Document and the related provisions.
And we will also have to refer to the decisions to better understand the reasons behind the Guarantor’s choice to establish a fixed deadline, perhaps a little in contrast with the principle of accountability which leaves autonomy to the data controller, after carrying out an assessment on its systems , to define, among others, the retention periods of personal data with respect to each processing purpose pursued, naturally taking into consideration the security measures to be adopted, as well as the nature, scope, context and purposes of the treatment, as well as risks of varying probability and severity for the rights and freedoms of natural persons.