Indiscriminate and unrestricted retention of employee data (especially their emails) is a common yet dangerous violation of the GDPR that undermines workers' rights from multiple perspectives. But how far can GDPR compliance go without excessively hindering business needs and interests?

This is the question behind one of the most recent (and discussed) decisions of the Italian data protection authority, also known as the Garante per la protezione dei dati personali. With a decision on December 21, 2023 (doc. web n. 9978728), the authority abruptly changed the rules regarding the retention of metadata from employee emails, through new guidelines on "Email management computer programs and services in the work context." From now on, they can only be retained for a maximum of seven days from their collection!

Digression: Metadata can be defined as the "data about the data", like a label or a tag that helps you understand and manage the data it describes. In the case of employees' email accounts, examples of metadata include date, time, sender, recipient, subject, and email size.

Who does the Garante’s decision apply to?

The document is addressed to all employers (data controllers), both public and private, who use email management programs provided also in cloud mode (e.g., Google Workspace or Office 365).

Why do we care about metadata?

From a practical and business standpoint, this information plays a crucial role in many aspects. Analysing metadata, including email metadata, can:

  • Assist in system prevention and security (identifying potential security threats such as phishing attempts);
  • Optimize workflow;
  • Satisfy a legal obligation, which in some sectors and countries requires companies to retain metadata for a certain period.

Reasons for the new retention period

Following an extensive investigation, the Garante identified numerous situations where these tools are set to retain metadata related to the use of email accounts "by default, preventively, and generically".

Therefore, the authority calls for a limitation on the retention period of metadata, which can be legitimately processed to ensure the functioning of the e-mail system infrastructure only for a time deemed "appropriate to the objective of detecting and mitigating any security incidents." This period is now set at seven days plus an additional 48 hours.

Employers now have to:

  • Verify that their email management programs (especially if they are cloud-as-a-service solutions) comply with the new retention deadline of a maximum of seven days (plus an additional 48 hours for proven needs);
  • If not, modify (if allowed by the product used) the basic settings accordingly.

The ultimate aim of this new requirement is to raise awareness of the unlawful and excessive data retention practices prevalent in common programs and solutions, compelling employers to choose service providers that enable compliance with data protection requirements.

While the recent decision by the Garante may appear to mark a significant shift in stance regarding the processing and retention of metadata, it is not without precedent. Notably, a previous decision (doc. web n. 9833530) against the Lazio Region (December 1, 2022) addressed the risks associated with excessive metadata retention, particularly in terms of its potential misuse for employee monitoring purposes.

In this earlier ruling, the Garante unequivocally stated that the previous practice of storing metadata from employee emails for 180 days was outdated, favoring instead a new retention period of seven days. The 180-day storage period resulted in a systematic accumulation of metadata associated with employee emails, coupled with the technical capability to extract, analyze, and scrutinize it. This change aimed to prevent employers from extrapolating information on employee activities from the extensive metadata collected. Such practices allowed employers to glean significant insights into employee behaviors without directly accessing their inboxes, a practice deemed problematic from both data protection and labor law perspectives.

What if I want to retain metadata for more than seven days?

The Garante considers prolonged retention of this data to pose a clear risk of systematic monitoring of employees' activities.

For this reason, the retention of metadata for a longer period is deemed legitimate only if carried out:

  • For the pursuit of "proven organizational or productive needs" and for "purposes of IT security and protection of the employer's assets, including information technology assets";
  • In compliance with the guarantees provided by Article 4 of the Workers' Statute (i.e., the same guarantees provided for the adoption of tools that may entail the risk of monitoring and control of workers). According to Italian law, therefore, retention longer than seven days must be either agreed with the unions or authorized by national and local works councils.

Furthermore, it is advisable to:

  • Update the Records of Processing Activities (ROPA);
  • Conduct a specific Data Protection Impact Assessment (DPIA);
  • Conduct a specific Legitimate Interest Assessment (LIA) if the legal basis for prolonged retention is identified in the legitimate interest of the data controller (Article 6, paragraph 1 lit. f of the GDPR);
  • Inform employees adequately.

Impacts on companies

It's evident that the Garante's decision was aimed primarily at limiting the practices of the "Big" cloud service providers, to curb the widespread practice of unrestricted data retention.

However, the implications extend beyond this, impacting Italian companies and international organizations with operations in Italy. The dilemma is clear: how can businesses align with regulatory requirements and follow authorities' directives without jeopardizing their own interests and operations?

To navigate this challenge, firms must take necessary steps. This includes reassessing their organizational and technical frameworks concerning data retention. Moreover, a thorough review of service providers is imperative to ensure compliance with this new obligation.

If service providers do not permit the retention of metadata for a maximum of seven days, followed by deletion from the systems, companies may need to consider switching to alternative email management solutions.

What to do to avoid being caught unprepared

Relying on your Data Protection Officer (DPO) or specialized privacy consultants is crucial in such circumstances, particularly when decisions regarding metadata collected in Italy could impact decisions, configurations, and retention policies utilized in various countries, in the context of international companies.

Update 05.03.2024

The Italian Data Protection Authority temporarily suspended the decision and called for a Public Consultation. Given the numerous requests for clarification received in the past weeks concerning the Guidelines, in particular with regard to the retention time of metadata generated or collected within the framework of e-mail systems, the Garante decided to suspend the validity of the Guidelines for 30 days, during which a Public Consultation is called to collect useful insights and opinions on the outstanding matters from experts (see press release dated 27.02.2024).

The Guidelines left many questions open as to their correct interpretation and implementation by employers. We will wait for the Authority's review of the Guidelines after the conclusion of the Public Consultation to inform you of the most relevant developments.