It’s just another manic Monday.
You are sitting at your desk, making your way through a nearly-exploding inbox and wondering why people send so many emails – and why they send them over the weekend – when a message catches your attention. A colleague is asking for a client’s phone number.
You could write the phone number on a post-it and bring it to her, but what’s the point of constantly battling your inbox if you can’t use emails to make life easier?
You hit ‘reply,’ write the phone number and the client’s name in the body of the email, and press ‘send.’
The week hasn’t even started, and you might just have violated the GDPR (the famous – and somewhat infamous – EU Regulation protecting personal data).
Your inbox is full of personal data.
You might think we’re talking to the wrong person, as you don’t process “personal data.”
After all, only data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, sexual orientation, and health conditions amount to personal data, right?
This misconception is persistent and, in a way, understandable: different legal systems offer different definitions of the same concept, and it’s hard for non-professionals to keep up (spoiler: it’s hard for professionals, too).
But believing that only these categories of data fall under the GDPR’s scope is misleading, as the Regulation offers a much broader definition.
According to article 4, «‘personal data’ means any information relating to an identified or identifiable natural person […]».
Your client’s name and surname? It’s personal data.
Your employee’s telephone number? It’s personal data.
The invoice you’ve sent through email? It’s full of personal data.
Hey, even the very email address of the recipient might be personal data! (Addresses like email@example.com most definitely qualify as personal data – even if when they technically are “business emails.”)
So you don’t need to be a doctor or a judge to process personal data (the notion of “processing” set forth by article 4 is equally broad, as it refers to ‘any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means’).
In fact, it’s borderline impossible to exist in this world and NOT process some sort of personal data.
And if you (or your organization) process personal data, you qualify as a data controller under the GDPR – and have to comply with it.
But what’s the issue with emails?
You might be thinking something along the lines of “Cool, so my inbox is full of personal data. But I didn’t steal it. If I have email addresses, bank account numbers, documents, doctor’s letters, telephone numbers, and even my employee’s family certificate, it’s because the owner gave them to me. So what’s the deal if I use my email to forward or store these documents when I need to?”.
Well, the problem is that sending personal data through email means sharing it with third parties.
When you send an email, the information travels from server to server until it reaches its destination – pretty much like a letter would if you were using the “regular” mail systems.
But letters are sealed in an envelope: emails are not, and their content is visible to anyone who handles them. As many in the tech world like to say, emails are like postcards: all the “postmen” can read their content.
Granted, in the case of emails, the “postman” is a computer, not a natural person: but that doesn’t change much as far as the GDPR is concerned. When you send an email containing personal data, you involve a third party in processing information that had been entrusted to you.
Where is the personal data going?
There’s another thing few email users realize: emails might travel around the world before reaching their destination – even if the sender and the recipient are sitting side by side.
As we’ve mentioned before, emails travel from server to server. Servers are located in several countries, so when you send an email through a webmail service, there is no guarantee the info attached to it will remain within the borders of the EU.
Why is this relevant?
Because having a personal data-filled email travel through a non-EEA-based server qualifies as ‘transfer of personal data through third countries’ under Chapter V of the GDPR.
According to the Regulation, the transfer of personal data to third countries is only allowed when it meets a series of strict requirements. In particular, the destination country must offer a level of data protection equivalent to the one enjoyed in the EU.
To simplify the process – and relieve data controllers of a burden – the European Commission can adopt a so-called ‘adequacy decision’ (see article 45). Once an adequacy decision is in force between the Union and a third country, transfer to the third country is admitted. This is the good news.
The bad news is that as of November 2021, there is no adequacy decision in force between the EU and the state where a lot of servers are located, namely, the United States of America. In summer 2020, the European Court of Justice (ECJ) caused quite a stir by declaring the EU-USA Privacy Shield invalid. Despite ongoing negotiations, a new agreement has yet to be signed.
Data controllers can still rely on other legal bases (enumerated by article 46) to transfer data to the US: but the process has grown increasingly complicated – and riskier for both the user and the data controller.
Can the data controller still control the data?
There is even a more pressing issue concerning emails and personal data: sovereignty.
Most people think of emails as no-hassle, cost-free letters:
- You send them.
- The post-service delivers them.
- The recipient gets them.
- Job done.
Unfortunately, that’s not how things work. When you use a webmail service, the information you’ve sent is stored in the company’s servers. You can access it anytime, provided you have an internet connection; you can even download a copy of it on your computer, but the physical email is located elsewhere (we know “physical email” it’s kind of a contradiction. But bear with us). It is no longer entirely yours to dispose of.
And this is a problem. It’s a problem for the user, whose personal data is now “owned” by the email service provider. And it’s a problem for the data controller, who no longer fully controls the information – making GDPR compliance more difficult.
Let’s pretend that Company A keeps a list of their most loyal clients’ physical addresses so that they can send out a little appreciation gift every year. The clients freely gave their addresses, so Company A has a legal basis (consent) to process them. Still, the clients can always exercise their rights to access or erasure (there are other rights, too: but let’s keep things simple).
One fair day, a client wakes up and decides he no longer wants to receive appreciation gifts. He’d rather keep his address private. So he phones Company A and tells them he wants his personal data deleted.
Under article 17, Company A is bound to honor the user’s request. But what if they’ve used an email service to circulate the list of addresses between employees? What if they’ve sent it to a third party (for example, the delivery service)?
Company A can remove its client’s address from its list and delete the emails it has sent containing the information. But that doesn’t amount to “erasing the personal data.”
Company A has forfeited its right to access the information, yet the information itself remains untouched in the recipient’s computer and – critically – in the provider’s servers.
To truly honor their client’s request and fully comply with the GDPR, Company A needs to have the user’s address removed from the email servers; but they have no power to do so. The data controller has lost control over the data.
To be clear: this loss of control is a problem in and of itself, regardless of how the email provider behaves.
We hear a lot of people saying that using emails to process personal data is OK because “Google doesn’t read them,” but that’s beside the point. Even if Google (or any other provider) doesn’t do anything with the data, even if they never access the information, the data controller now has to rely on the company’s goodwill to ensure GDPR compliance.
(By the way: Google bots do scan emails. How do you think they detect spam?)
Email providers as data processors
By this point, you might think that we are being too dramatic. Surely the GDPR doesn’t straight out prevent the data controller from relying on third parties, right? The data controller can’t possibly be expected to cut herself out from the modern world!
Indeed, the Regulation explicitly allows data controllers to have third parties (the so-called ‘data processors’) carry out the processing on their behalf.
But here is the trick: data processors have to comply with a series of requirements set forth by article 28.
In particular, the controller is required to only partner with processors offering a level of data protection equivalent to the one devised by the GDPR. The Regulation also requires the parties (controller and processor) to sign a binding agreement detailing the subject matter and duration of the processing, the nature, and purpose of the processing, the type of personal data and categories of data subjects, and the obligations and rights of the controller.
If these conditions aren’t met, the processing is not GDPR-compliant.
So, if you want to use emails to process personal data, make sure your service provider offers a data processing agreement (most companies do – and if they don’t, beware). Once you find the agreement, read it thoroughly. We know they’re not always easy to understand, but you have to be sure your emails will be handled in a safe, GDPR-compliant way,
Compare several agreements before committing to an email provider – and choose those that make privacy a priority.
Data regulations can be a beast. They force you to rethink and update processes you’ve always used, and they can seem to impose unnecessary burdens on companies, organizations, and individuals.
But there is a reason why they exist. Data sovereignty is not to be taken lightly. At the very least, users should be informed of what exactly happens with their personal data before they allow processing.
As individuals, we should collectively make an effort to understand what’s behind the technology we use every day to make informed decisions.
And as data controllers, we have the right to partner with email providers that care about privacy and offer us the instruments required to comply with the GDPR.
To have more information about our GDPR-compliant software, visit zextras.com/carbonio