European Data Protection Watch Dog Outlaws E-Mail Content Screening

On 21 February 2006, the Article 29 Data Protection Working Party (“the Working Party”), issued an opinion on email content screening, virus scanning and spam filtering.

Email Screening

The Working Party takes the view that:

• content screening to trace unlawful material, or material that is unwanted to e-mail recipients, even if conducted without human intervention, is not a necessary technical and organizational requirement to safeguard security of e-mail services, and requires the prior consent of the users of the communications service, or a specific legal basis (e.g. screening for public security purposes); and

• the use of e-mail services that allow the sender of e-mails to covertly track operations conducted by the e-mail recipient, such as tracking of opening, reading, or forwarding of e-mails, is not lawful.

From a privacy perspective, the Working Party is concerned that “e-mail service providers may become censors of private e-mail communications, by for example blocking communications whose content may be completely lawful, raising fundamental questions of freedom of speech, expression and information.”

The Opinion affects a broad range of services provided by internet or e-mail service providers, including content scanning for purposes of direct marketing, but it is unclear how the it will affect local and international corporations that use automated screening tools to scan employee e-mail traffic to ensure compliance with ethical policies and US security breach legislation.

Virus Scanning

The Working Party takes the view that virus scanning is a legitimate practice under the service providers' obligations to take appropriate technical and organization measures to safeguard the security of their services.

Spam Filtering

Spam filtering is generally also considered lawful, but the Working Party stipulates the following recommendations that enhance individuals' choice with respect to such filtering:

• provide subscribers with an opportunity (i) to opt-out of e-mail scanning for spam prevention purposes; (ii) to check e-mails deemed to constitute spam to ascertain whether they should be effectively considered spam; and (iii) to determine the types of unwanted e-mails that should be filtered out;

• develop filtering tools allowing end users their installment or configuration in the terminal equipment or in third party servers or in the provider's e-mail server, enhancing users' control of the e-mails they want to receive; and

• provide adequate notice of e-mail screening for anti-spam purposes to subscribers. ESPs should also ensure the confidentiality of filtered e-mails which may not be used for other purposes.