A few months ago, we delved into a new decision of the Italian data protection authority (Garante) on this blog, which recommended that employers set retention periods for their employees' email metadata not exceeding 7 days. This guideline created some confusion, leading the Garante to suspend its applicability and open it up for public consultation to gather comments and concerns from employers and experts.

On June 6, 2024, the Garante adopted an updated version of the previous document from February 2024, addressing once again the management and retention of email metadata in the workplace. In this new article we will analyse the relevant aspects of the provision, how it will impact employers and what they need to do to comply with the new guideline.

The Reasons behind the Guidelines

The Garante underscores that long retention periods for email metadata in the workplace allow for potential monitoring of employees' activities. To mitigate this risk, employers will have to shorten the current retention periods for email metadata.

The authority notes that employers often lack control over the retention periods and practices for email metadata, as these are predominantly determined by the providers of email management systems used in the workplace. These systems typically collect and retain metadata automatically and by default for extended periods, leaving employers with limited ability to manage or influence these retention practices.

Defining the Scope – The Definition of Metadata

The previous provision faced significant criticism due to the unclear definition of metadata provided by the authority. The Garante now clarifies that metadata “technically corresponds to the information recorded in logs generated by email management and distribution systems (MTA = Mail Transport Agent) and client stations in the interaction that takes place between the different interacting servers and, if applicable, between these and the clients (the terminal stations that send messages and allow incoming mail to be viewed by accessing electronic mailboxes, defined in technical standards as MUA – Mail User Agent)”.

Consequently, metadata include all the information automatically recorded by email systems, regardless of the user’s intent, such as:

  • Sender and recipient email addresses;
  • IP addresses of the servers or clients involved in routing the message;
  • Timestamps for sending, relaying, or receiving;
  • Message size;
  • Presence and size of attachments;
  • In some cases, even the subject line of the sent or received message.

However, it is important to note that “information contained in the email messages in their ‘body part’ (body of the message) or integrated within them” (the so-called envelope data) is excluded from the definition of metadata. Envelope data are specifically excluded from the metadata definition by the Garante because they are “inseparable from the message of which they are an integral part” and remain “under the exclusive control of the user”. Therefore, they are not subject to the retention periods imposed on metadata.

This clarification resolves previous concerns about how to delete metadata in compliance with the Garante’s guidelines without compromising the availability or integrity of the email content. This is crucial as employers may need to retain email content for various future purposes, such as investigations or legal inquiries.

Retention of Metadata and Accountability

The Garante has extended the metadata retention periods from the previous guidelines, which set a strict maximum of 7 days plus an additional 48 hours. In the new guideline, a maximum yet only indicative limit of 21 days is set for the retention of “metadata/logs necessary to ensure the functioning of the email system infrastructure”. To quote the Garante: “it is considered that [retention] can normally be carried out for a limited period of a few days; as a guideline, such retention should not exceed 21 days.”

Longer retention periods are not excluded, but can be lawfully implemented by the employer in its role as data controller only if:

  • there are specific conditions that necessitate the extension; and
  • the extension is adequately documented to demonstrate the specific technical and organizational requirements of the employer, in line with the principle of accountability.

This implies that the retention period is directly tied to the employer’s ability to justify and document the need for such an extension, under the principle of accountability. As long as the employer can substantiate the extended retention with proper justification in line with GDPR principles, it is permissible.

In contrast to the limited retention described above, the “generalized collection and retention” of such metadata from email logs for an extended period constitutes an indirect remote monitoring of employee activity and can therefore be lawfully implemented only in compliance with the procedural safeguards outlined in Article 4, paragraph 1, of the Workers' Statute, which mandates obtaining agreement from the company's trade union representatives or authorization from the Labor Inspectorate.

Provider selection and management

The employer, as the data controller, must “ensure that functions not compatible with its processing purposes or that conflict with specific sector regulations” are deactivated, especially those conflicting with GDPR obligations.

Conducting a thorough selection and assessment of email management service providers is therefore crucial. The controller is responsible for verifying that the services and settings offered by the provider allow compliance with GDPR and other relevant obligations. Moreover, the controller should be able to modify these settings where necessary, for example, by “appropriately adjusting the data retention periods or requesting the service provider to anonymize the collected metadata in cases where longer retention is not intended”.
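As an added illustration (not part of the Garante provision or of any provider's product), the following script shows what the two levers mentioned above look like when the employer controls the MTA logs itself: entries are deleted once they fall outside the indicative 21-day window, and any entry kept longer on a documented basis is retained only with its identifying fields (addresses, client IP) replaced by keyed pseudonyms. The Postfix-style log format, the sample lines, the key and the reference date are all constructed for the example.

```python
import hmac
import hashlib
import re
from datetime import datetime, timedelta, timezone

RETENTION_DAYS = 21  # indicative ceiling named in the guideline
KEY = b"constructed-demo-key-keep-secret-and-rotate"  # assumption: held by the controller
NOW = datetime(2024, 6, 21, tzinfo=timezone.utc)  # constructed reference date

# Constructed Postfix-style lines; addresses and IPs are documentation values.
SAMPLE_LOGS = [
    "2024-06-20T09:00:00+00:00 mta1 postfix/smtp[4242]: to=<bob@example.com>, "
    "from=<alice@example.com>, client=203.0.113.5, size=2048, status=sent",
    "2024-05-01T09:00:00+00:00 mta1 postfix/smtp[4242]: to=<carol@example.com>, "
    "from=<alice@example.com>, client=203.0.113.9, size=512, status=sent",
    "not a log line",
]

LINE_RE = re.compile(r"^(?P<ts>\S+) \S+ postfix/\w+\[\d+\]: (?P<fields>.*)$")
FIELD_RE = re.compile(r"(\w+)=<?([^,<>]+)>?")
IDENTIFYING = ("from", "to", "client")  # metadata that points at a person or host

def parse_entry(line):
    """Turn one log line into {'ts': datetime, 'from': ..., 'to': ..., ...}, or None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    entry = {"ts": datetime.fromisoformat(m.group("ts"))}
    entry.update(FIELD_RE.findall(m.group("fields")))
    return entry

def pseudonymize(entry, key):
    """Replace identifying fields with keyed HMAC digests. Volume statistics
    (size, status, timing) survive; the link to a named employee does not
    without the key, which the controller keeps out of the log store."""
    out = dict(entry)
    for field in IDENTIFYING:
        if field in out:
            out[field] = hmac.new(key, out[field].encode(), hashlib.sha256).hexdigest()[:16]
    return out

def apply_retention(lines, now, key, retention_days=RETENTION_DAYS, keep_pseudonymized=False):
    """Return (kept, pseudonymized). Entries inside the window are kept as-is;
    older ones are dropped, or, when a documented need justifies longer
    retention (keep_pseudonymized=True), kept only in pseudonymized form."""
    cutoff = now - timedelta(days=retention_days)
    kept, pseud = [], []
    for entry in filter(None, map(parse_entry, lines)):
        if entry["ts"] >= cutoff:
            kept.append(entry)
        elif keep_pseudonymized:
            pseud.append(pseudonymize(entry, key))
    return kept, pseud
```

The pseudonym is deterministic per key, so the same mailbox maps to the same token across retained entries, which keeps aggregate troubleshooting possible while the raw addresses are gone.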

What Should You Do Now?

To navigate this complex scenario, firms must take the necessary steps, including:

  • Ensure that the email management software and services used by employees – especially if they are market products provided in a cloud or as-a-service mode – enable the employer to comply with the data protection rules and with the terms set out in the guidelines, including with regard to the retention period of metadata;
  • Adequately inform employees about the purpose of metadata processing resulting from their email usage;
  • Conduct a specific Data Protection Impact Assessment (DPIA).

Relying on your Data Protection Officer (DPO) or specialized privacy consultants is crucial in such circumstances, particularly for international companies, where guidelines regarding metadata collected in Italy could affect decisions, configurations, and retention policies used in other countries.