The Italian Data Protection Authority - Decision of February 22, 2024
Mauro Raffaghelli
Employment lawyer - Partner - Head of the Labour and Data Protection Department in Milan, LAWAL Studio Legale Tributario Associato
Many citizens, when reading the Data Protection Authority's Decisions, either do not understand or pretend not to understand. To the first category, belong those people who, in good faith, simply do not understand (among these people, I could also be counted, should I be mistaken - I do not exclude this hypothesis a priori). To the second category, belong those people who pretend not to understand, because they are moved by interests conflicting with the freedom of other citizens (the data subjects).
Actually, as I wrote a few days ago, I believe there is an incontrovertible truth: the Freedom Protection Authority does its job well, and it is quite paradoxical that one can criticize the body that is supposed to guarantee freedom precisely when it takes measures to protect freedom. In any case, criticism made in good faith is welcome, because fortunately our Constitution also guarantees freedom of thought, expression and criticism.
What has happened in recent months?
The Data Protection Authority, as part of its inspection activities concerning the processing of personal data in the workplace, has noticed a risk: computer programs and services for e-mail management, marketed by providers in cloud mode, may collect by default, in a preventive and generalized manner, metadata relating to the use of the e-mail accounts assigned to employees (e.g., day, time, sender, recipient, subject and size of the e-mail), and store them for an extended period of time. At times this happens without the employer being able to change the program's basic settings so as to disable the systematic collection of such data or to reduce its retention period.
The risk is very serious.
To this day, no one has denied the existence of such a risk. In short, no one has said or written that the Data Protection Authority was wrong and that it is not true that the confidentiality of messages subject to correspondence and the freedom and dignity of people (yes, workers are "people") are in danger.
In order to avoid the aforementioned risk (the existence of which is not questioned by anyone, not even by the Data Protection Authority's "critics"), with the Decision of December 21, 2023 (Guideline Document "Computer programs and services for e-mail management in the work context and metadata processing") the Data Protection Authority has drawn, for the protection of all employees (i.e., all "people" who work), a line between the collection and storage of metadata that is, so to speak, "tolerable, with safeguards" and that which is "tolerable, with strong safeguards". The two cases are regulated differently within the structure of the current Article 4, Law 300/1970. The collection and storage of only those metadata necessary to ensure the functioning of the e-mail infrastructure falls within the scope of paragraph 2, Art. 4, Law 300/1970, provided it lasts for a time that, following technical evaluations and in compliance with the principle of accountability, cannot normally exceed a few hours or a few days (in any case not more than seven days, extendable by a further 48 hours in the presence of proven and documented needs that justify the extension). On the other hand, the generalized collection and retention of such metadata for a longer period falls within the scope of paragraph 1, Article 4, Law 300/1970, with the consequent need to go through the procedural guarantees provided therein (union agreement or public authorization), even where it is justified by the need for computer security and for protecting the integrity of the employer's assets, including information assets. This is because such collection and storage may amount to indirect remote monitoring of workers' activities.
The Data Protection Authority, in adopting the aforementioned Decision, has been consistent with the principles developed over the past 20 years in first- and second-level (national and international) sources. No one has ever questioned these principles (how could one legitimately have done so?) and, even today, no one criticizes the precedents and sources in which they are contained.
So, in summary, no one doubts that the Data Protection Authority has correctly verified the existence of a very serious danger to the rights of employees (the people who work) and no one denies the legitimacy of the legal bases (privacy-side) that led to the adoption of the December 21, 2023 Decision.
What, then, is the main criticism that seems to be made against the Data Protection Authority? Some believe that it adopted its Decision in violation of Article 4 of Law 300/1970 (as amended by Legislative Decree No. 151 of September 14, 2015). Such an interpretation, in my opinion, has no solid technical-legal basis and is completely wrong. Moreover, the Data Protection Authority does not seem to have said anything new (or so shocking) compared to what it has written in the Decisions adopted in recent years (post-2015).
It should be noted that since the adoption of the December 21, 2023 Decision, the Data Protection Authority has received a flood of requests for clarification regarding the retention times of metadata generated or collected within e-mail systems.
Well, what did the Data Protection Authority do? It simply continued to do (well) its job and, by Decision of February 22, 2024, ordered the opening of a public consultation (lasting 30 days from the publication of the notice of the consultation in the Official Journal of the Italian Republic). Its purpose is to gather comments and proposals on two points: first, whether the retention period for metadata generated and collected automatically by the e-mail transmission and routing protocols, and relating to the sending, receiving and routing of messages, is appropriate to the purposes pursued by public and private employers (such metadata may include the e-mail addresses of sender and recipient, the IP addresses of the servers or computers involved in routing the message, the times of sending, retransmission and reception, the size of the message, the presence and size of any attachments and, in some cases, even the subject of the message sent or received); and second, more generally, which forms and methods of using such metadata would require retaining them beyond the period assumed in the aforementioned December 21, 2023 policy document.
Thus, the subject of the consultation is solely and exclusively the appropriateness of the retention period (no more than seven days, extendable by a further 48 hours in the presence of proven and documented needs justifying the extension), which is the criterion deciding whether paragraph 1 or paragraph 2 of Article 4 of Law 300/1970 applies.
The scheme, therefore, will not change: paragraph 1 or paragraph 2 depending on the retention time, which is the only thing open to "discussion".
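To make the line drawn above concrete for whoever operates the mail infrastructure, here is an added example (not part of the original article, nor of any Authority document): it extracts the metadata categories the Decision lists (timestamps, sender, recipient, relay hosts and IP addresses, message size, subject) from a few constructed mail-server log lines, enforces the seven-day window with the optional, documented 48-hour extension, and reports which paragraph of Article 4 a configured retention period would fall under. The log format, field names and function names are assumptions made for the illustration.

```python
"""Added example: e-mail metadata retention check (illustrative only).

Assumptions: a Postfix-like log format invented for this example, and the
7-day / +48-hour thresholds taken from the Decision of December 21, 2023.
"""
import re
from datetime import datetime, timedelta, timezone

# Constructed sample log lines (not real traffic): one line per delivery.
SAMPLE_LOG = """\
2024-03-01T08:15:02+00:00 relay=mx1.example.org[203.0.113.10] from=<alice@example.org> to=<bob@example.com> size=18432 subject=Q1 report
2024-03-05T17:40:11+00:00 relay=mx1.example.org[203.0.113.10] from=<carol@example.org> to=<alice@example.org> size=2048 subject=Lunch
2024-03-09T09:00:00+00:00 relay=mx2.example.org[203.0.113.11] from=<bob@example.com> to=<alice@example.org> size=512 subject=Re: Q1 report
"""

# Hypothetical line layout: ISO timestamp, relay host[ip], envelope sender,
# envelope recipient, size in bytes and an optional subject field.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) relay=(?P<host>[^\[]+)\[(?P<ip>[^\]]+)\] "
    r"from=<(?P<sender>[^>]*)> to=<(?P<recipient>[^>]*)> size=(?P<size>\d+)"
    r"(?: subject=(?P<subject>.*))?$"
)

BASE_RETENTION = timedelta(days=7)   # "in any case not more than seven days"
EXTENSION = timedelta(hours=48)      # only with proven and documented needs


def parse_log(text):
    """Return one dict per parseable line, holding the metadata categories
    named in the Decision (time, sender, recipient, relay IP, size, subject)."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unrelated log line: ignore
        rec = m.groupdict()
        rec["ts"] = datetime.fromisoformat(rec["ts"])
        rec["size"] = int(rec["size"])
        records.append(rec)
    return records


def retention_limit(extension_justified=False):
    """Seven days, plus 48 hours only when the extension is documented."""
    return BASE_RETENTION + (EXTENSION if extension_justified else timedelta(0))


def purge(records, now, extension_justified=False):
    """Split records into (kept, purged) against the limit as of `now`."""
    limit = retention_limit(extension_justified)
    kept = [r for r in records if now - r["ts"] <= limit]
    purged = [r for r in records if now - r["ts"] > limit]
    return kept, purged


def article4_paragraph(configured_retention, extension_justified=False):
    """Which paragraph of Art. 4, Law 300/1970 a configured retention falls
    under: 2 within the window, 1 beyond it (union agreement or authorization)."""
    return 2 if configured_retention <= retention_limit(extension_justified) else 1


if __name__ == "__main__":
    now = datetime(2024, 3, 10, tzinfo=timezone.utc)  # evaluation instant
    records = parse_log(SAMPLE_LOG)
    kept, purged = purge(records, now)
    print(f"kept {len(kept)}, purged {len(purged)} without extension")
    kept, purged = purge(records, now, extension_justified=True)
    print(f"kept {len(kept)}, purged {len(purged)} with documented extension")
    print("30-day retention falls under paragraph", article4_paragraph(timedelta(days=30)))
```

Run against the sample, the March 1 entry (about 8 days and 16 hours old on March 10) is purged under the plain seven-day window but survives when a documented 48-hour extension is in force, while a 30-day retention setting is reported as a paragraph 1 case. The point of the exercise is that the threshold is a property of the retention configuration, not of how the metadata are later used: a mail administrator can verify compliance by inspecting that single setting.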
The entry into force of the policy document "Computer programs and services for e-mail management in the work context and metadata processing" (Decision of December 21, 2023) was accordingly postponed:
- to the end of the aforementioned public consultation, at the outcome of which the Data Protection Authority reserved the right to adopt further determinations;
- or, if no further determinations are made, to the 60th day following the expiration of the deadline for submitting contributions to that consultation.
We cannot complain. Once again, the Data Protection Authority did (well) its job.
I have always considered the Data Protection matter a nightmare that afflicts businesses and costs a lot of money, while skipping the BIG FAT CATS, but this memo is very helpful in being compliant, reducing the risk and minimizing costs.