Introduction
The Italian Data Protection Authority (Garante per la protezione dei dati personali (DPA)) has issued an update to its guidelines on handling email metadata in the workplace (Guidelines). While the new guidance offers some clarifications and reflects a slightly softened stance by the DPA, uncertainties remain regarding how employers should manage employee emails.
Background
Following the publication of the Guidelines, numerous requests for clarification led the DPA to launch a public consultation on metadata retention periods and delay the Guidelines’ implementation until its conclusion. The DPA published a revised version of the Guidelines, dated 6 June 2024, incorporating feedback from the public consultation.
Key highlights
- Metadata vs content: A crucial clarification is that the Guidelines apply exclusively to email metadata, not the content of email messages. Metadata includes log data, such as the date, time, sender, recipient, subject and size of emails, which are automatically recorded by email systems. The DPA emphasised that these should not be confused with the content of the emails which remains under the exclusive control of the employee and does not fall within the scope of the Guidelines.
- Extended retention period: the DPA has revised its stance on retention periods. Initially, the Guidelines limited the retention of email metadata for purely operational purposes to seven days. This period has now been extended to 21 days, with longer retention periods permissible only if necessitated by specific, justified conditions based on the employer’s technical and organisational needs. Exceeding this threshold requires either a union agreement or an authorisation from the Labour Office, in accordance with Italian employment law.
- Reiterated positions: The DPA reiterated that email metadata could potentially reveal information about employees’ personal lives and opinions. Therefore, according to the DPA, prolonged and systematic retention of metadata could violate Italian legislation that prohibits employers from investigating matters unrelated to employees’ professional suitability. The DPA also reinforced the necessity of conducting a data protection impact assessment when collecting employees’ email metadata, considering the vulnerability of employees in the workplace and the risk of indirect monitoring by employers.
Conclusions
While the distinctions between email metadata and content provide some clarity, practical challenges remain in the storage and management of employee emails. Despite the extended retention periods for metadata, there are still questions about the permissible duration and scope of email retention.
It is reasonable to anticipate that the DPA will apply a similar rationale in relation to employees’ email content, which is arguably more sensitive than metadata alone. Employers should, therefore, exercise caution when storing employees’ email messages and ensure their retention policies comply with the stringent approach of the DPA.
These restrictions present significant challenges for internal investigations and audits. While employers have a legitimate interest in maintaining operational integrity and security, limitations on email storage may in practice hinder their ability to conduct thorough investigations and audits, which often rely on reviewing email communications. Effectively navigating these challenges will require a nuanced approach that safeguards both employee privacy and organisational accountability.
