The Italian privacy authority changed its approach on the retention of metadata of employees’ emails, but the new position might not be a full solution, since companies still have to perform substantial activities to comply.
The panic that arose after the Italian data protection authority, the Garante, issued guidelines requiring the deletion of employees’ email metadata within just 7 days was replaced by huge relief after the publication of the updated version of the guidelines.
The Garante had launched a consultation on its initial guidelines, which had led to considerable complaints. DLA Piper joined the consultation to protect the interests of its clients, who did not want to be exposed.
You can read DLA Piper’s contribution to the consultation HERE, but what really matters is that the guidelines have now been updated, and below are a few thoughts on the topic.
What do the new privacy guidelines of Garante on metadata provide?
This version of the guidelines scales back the scope of the first version, introducing a distinction between:
1. the logs generated by the mail management and sorting servers (the so-called Mail Transport Agent, MTA) and workstations during the interaction between different servers, and between those servers and the terminals that send messages; and
2. the information contained or embedded in the “body-part” of e-mails (handled by the so-called Mail User Agent, MUA), which forms the envelope, i.e., the set of structured technical headers that document message routing, provenance and other technical parameters.
The Italian data protection authority clarifies that the guidance in its guidelines refers only to the metadata mentioned in point 1) above, while the data mentioned in point 2) are inseparable from the email of which they are a part and remain in the exclusive control of the user, who in any case shall set the relevant data retention term.
That said, the Garante confirms that the retention of the metadata of point 1) should be limited to a few days. The term is, however, extended from 7 to 21 days, and it is specified that this is a recommended term.
The generalized retention of metadata for a longer period of time can only take place with the prior agreement of the trade union representatives or the prior authorization of the Territorial Labor Inspectorate, without prejudice to the need to ensure compliance with the principle of storage limitation.
What shall companies do now?
The issue is whether, in a potential dispute, courts will consider employees’ emails to be sufficient evidence without the relevant server log files. Indeed, employees might challenge the authenticity of emails if they are not accompanied by the relevant logs.
As a consequence, in light of the updated version of the Guidance Document, companies should:
- Verify that the e-mail management programs they use enable them to comply with the requirements of the Garante’s Guidelines;
- If they intend to retain metadata for more than 21 days, enter into an agreement with trade union representatives or, failing that, obtain authorization from the Territorial Labor Inspectorate;
- Update the privacy information notice for staff and the processing register, specifically indicating the retention period applicable to email metadata;
- Conduct a data protection impact assessment (DPIA) and legitimate interest assessment (LIA); and
- Update the data retention policy and the record of data processing.
What is your view on the new guidelines? Contact us if you want to discuss the topic. Also, you may find the following article to be interesting: “Transparency Decree: New privacy obligations towards employees in Italy”.