The law basically does not support an employer's right to read electronic mail

 47 U.S.C. § 230, a Provision of the Communications Decency Act

Tucked inside the Communications Decency Act (CDA) of 1996 is one of the most valuable tools for protecting freedom of expression and innovation on the Internet: Section 230.

This comes somewhat as a surprise, since the original purpose of the legislation was to restrict free speech on the Internet. The Internet community as a whole objected strongly to the Communications Decency Act, and with EFF's help, the anti-free speech provisions were struck down by the Supreme Court. But thankfully, CDA 230 remains and in the years since has far outshone the rest of the law.

Section 230 says that "No provider or user of an interactive computer service shall be treated as the publisher or speaker of any information provided by another information content provider" (47 U.S.C. § 230(c)(1)). In other words, online intermediaries that host or republish speech are protected against a range of laws that might otherwise be used to hold them legally responsible for what others say and do. The protected intermediaries include not only regular Internet Service Providers (ISPs), but also a range of "interactive computer service providers," including basically any online service that publishes third-party content. Though there are important exceptions for certain criminal and intellectual property-based claims, CDA 230 creates a broad protection that has allowed innovation and free speech online to flourish.

This legal and policy framework has allowed for YouTube and Vimeo users to upload their own videos, Amazon and Yelp to offer countless user reviews, craigslist to host classified ads, and Facebook and Twitter to offer social networking to hundreds of millions of Internet users. Given the sheer size of user-generated websites (for example, Facebook alone has more than 1 billion users, and YouTube users upload 100 hours of video every minute), it would be infeasible for online intermediaries to prevent objectionable content from cropping up on their site. Rather than face potential liability for their users' actions, most would likely not host any user content at all or would need to protect themselves by being actively engaged in censoring what we say, what we see, and what we do online. In short, CDA 230 is perhaps the most influential law to protect the kind of innovation that has allowed the Internet to thrive since 1996.



CDA 230 also offers its legal shield to bloggers who act as intermediaries by hosting comments on their blogs. Under the law, bloggers are not liable for comments left by readers, the work of guest bloggers, tips sent via email, or information received through RSS feeds. This legal protection can still hold even if a blogger is aware of the objectionable content or makes editorial judgments.

The legal protections provided by CDA 230 are unique to U.S. law; European nations, Canada, Japan, and the vast majority of other countries do not have similar statutes on the books. While these countries have high levels of Internet access, most prominent online services are based in the United States. This is in part because CDA 230 makes the U.S. a safe haven for websites that want to provide a platform for controversial or political speech and a legal environment favorable to free expression.

EFF works to ensure strong legal protections for Internet intermediaries and endeavors to fight threats that would weaken such protections for intermediaries and users. We realize that a combination of technology policy and law protecting intermediaries ultimately helps uphold freedom of speech online.

NOTE: This summary of CDA 230 isn't a substitute for, nor does it constitute, legal advice. Only an attorney who knows the details of your particular situation can provide the kind of advice you need if you're being threatened with a lawsuit. The goal of these pages is to give you a basic roadmap to the legal issues surrounding the interactive computer services covered by CDA 230.

The GDPR requires organizations to protect personal data in all its forms. It also changes the rules of consent and strengthens people’s privacy rights. In this article, we’ll explain how to ensure GDPR email compliance.

Email users send over 122 work-related emails per day on average, and that number is expected to rise. While we may not think of email as subject to the European Union’s General Data Protection Regulation (GDPR), your mailbox in fact contains a trove of personal data. From names and email addresses to attachments and conversations about people, all could be covered by the GDPR’s strict new requirements on data protection.

Any organization (companies, charities, even micro-enterprises) that handles the personal information of people in the EU is subject to the GDPR, regardless of the person's citizenship. That includes organizations not in the EU but that offer goods or services to people there, or monitor their behavior. The requirements basically boil down to two things: secure people's data, and make it easy for people to exercise control over their data. (Our "What is the GDPR?" article provides an overview.) Those who don't follow the rules can get hit with a fine of up to €20 million or 4 percent of global annual turnover, whichever is higher, plus compensation for damages.

While most of the focus regarding GDPR email requirements has centered around email marketing and spam, there are other aspects, such as email encryption and email safety, that are equally important for GDPR compliance. Below we’ll explain what the GDPR actually says and what it means for email.

Keep in mind that nothing you read here is a good substitute for legal advice. We recommend consulting with an attorney to understand how the GDPR applies to your specific situation.

GDPR encryption and security

What the GDPR says:

If you collect, store, or use the data of people in the EU, then the GDPR applies to you. And that means you may have an obligation to change the way your organization operates in some fundamental ways.

The GDPR requires "data protection by design and by default" (Article 25), meaning organizations must always consider the data protection implications of any new or existing products or services. Article 5 of the GDPR lists the principles of data protection you must adhere to, including "integrity and confidentiality" (Article 5(1)(f)), which calls for appropriate technical and organizational measures to secure data. Article 32 then requires security measures appropriate to the risk, and names pseudonymisation and encryption of personal data as examples of technical measures that minimize the potential damage in the event of a data breach.

What it means for email:

When it comes to email, encryption is the most feasible option. As little as five years ago, that would not have been true. But email encryption technology has developed rapidly, and several companies now offer end-to-end encrypted email service. Cloud-based, secure email is now a convenient and practical option. (Disclosure: GDPR.eu is run by Proton Mail, the world’s largest encrypted email service, and funded in part by the European Union’s Horizon 2020 Framework Programme.)

Encryption is not mandated outright: Article 32 requires measures "appropriate to the risk," so it is up to every organization to assess that risk, choose its data security practices accordingly, and be able to document the rationale if a regulator asks.

Email retention under GDPR

What the GDPR says:

Data erasure is a large part of the GDPR. It is one of the six data protection principles ("storage limitation"): Article 5(1)(e) states that personal data can be stored for "no longer than is necessary for the purposes for which the personal data are processed." Data erasure is also one of the personal rights protected by the GDPR in Article 17, the famous "right to be forgotten": "The data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay." There are some exceptions to this latter requirement, such as the public interest or legal obligations to retain records. But generally speaking, you have an obligation to erase personal data you no longer need.

What it means for email:

Many of us never delete emails. There are plenty of good reasons: We may need to refer to them someday as a record of our activities or even for possible litigation. But the more data you keep, the greater your liability if there’s a data breach. Moreover, the erasure of unneeded personal data is now required under European law. Because of the GDPR, you should periodically review your organization’s email retention policy with the goal of reducing the amount of data your employees store in their mailboxes. The regulation requires you to be able to show that you have a policy in place that balances your legitimate business interests against your data protection obligations under the GDPR.

From a technical standpoint, email data erasure can be quite simple and often it can be automated. Proton Mail and some other email services have an expiring email option that allows you to set messages for deletion after a designated length of time. Whatever email retention strategy your organization decides, it’s going to require some getting used to but will significantly lower your GDPR exposure.

Email marketing and spam

What the GDPR says:

Among the other data protection principles in Article 5 are “lawfulness, fairness, and transparency.” This means you can only use people’s data if it’s allowed under one of six legal justifications, it must be fair to the data subject, and it must be based on transparent and unambiguous communication with the data subject. (The “data subject,” by the way, is the identifiable person the data is about.)

There are six “lawful bases” for you to “process” (collect, store, use, etc.) people’s data. These are listed in Article 6. The first is consent, which must be obtained unambiguously and after a full explanation of what you plan to do with the data. Specifically:

    • Consent must be "freely given, specific, informed and unambiguous."
    • Requests for consent must be "clearly distinguishable from the other matters" and presented in "clear and plain language."
    • Data subjects can withdraw previously given consent whenever they want, and you have to honor their decision. You can't simply change the legal basis of the processing to one of the other justifications.
    • Children under 16 can only give consent with permission from a parent or guardian; member states may lower this age, but not below 13 (Article 8).
    • You need to keep documentary evidence of consent.

The sixth legal basis is to have a “legitimate interest” to process the person’s data. Although the term is vague and could apply to a broad range of situations, you may have a hard time relying on this basis because the “fundamental rights and freedoms of the data subject” can often override your legitimate interest. Moreover, it remains to be seen how regulators and the courts will interpret this basis. You probably don’t want to be a test case.

The other four lawful bases are less common, but it’s a good idea to review Article 6 to make sure they don’t apply to you. The bottom line is that you should be very careful about using someone’s data unless you’re sure the person wants it used that way.

However, the ePrivacy Directive (2002/58/EC), specifically Article 13, presents organizations with another way to use a person's data for marketing purposes, often called the "soft opt-in," which rests on an existing customer relationship rather than on fresh consent. In the context of a sale of a good or service, an organization "may use these electronic contact details for direct marketing of its own similar products or services provided that customers clearly and distinctly are given the opportunity to object, free of charge and in an easy manner," according to Article 13(2). Essentially this means that an organization can lawfully send you marketing emails about products similar to the one it sold you, as long as it told you at the point of collection that you can opt out at any time and every communication carries an unsubscribe option.

What this means for email:

After the GDPR passed, some people said it would be “the end of email marketing” or “the end of spam.” But it will be neither. Spam has always been outlawed or against the terms of use of most email providers. Those who send unsolicited or malicious mass emails will probably continue to send them. Did your spam folder dry up after May 25, 2018, when the GDPR took effect?

As for email marketing, the GDPR does not ban email marketing by any means. The GDPR did not set out to be anti-business, just pro-consumer. A good marketing email should ideally provide value to the recipient and be something they want to receive anyway. What the GDPR does is clarify the terms of consent, requiring organizations to obtain an affirmative opt-in before sending communications (or to rely on the ePrivacy soft opt-in for existing customers). And you must also make it easy for people to change their mind and opt out. A marketing email is most likely to fall foul of the rules if it offers no way to unsubscribe, is sent to someone who never signed up for it, or advertises products unrelated to those the recipient already bought from you.

Organizational email security

What the GDPR says:

There's one more email aspect of the GDPR, and that's email security. Article 5(1)(f) says personal data must be processed in a manner that ensures appropriate security, "including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures."

What this means for email:

Email encryption is a technical measure. Organizational measures have to do with internal policies, management, and training. One widely cited industry estimate is that around 91 percent of cyber attacks begin with a phishing email, in which attackers attempt to gain access to an account or device using deception or malware. Links and attachments from unknown senders should not be clicked or opened. Once an attacker gains access to one account or device, it's often easy to move on to others, meaning a mistake by one employee could compromise vast amounts of data. If you cannot show regulators that you have implemented the proper technical and organizational measures, then you could be on the hook for large EU fines and compensation to data subjects.

To avoid liability, it's important to educate your team about email safety. Basic steps like requiring two-factor authentication (ideally a phishing-resistant method such as a hardware security key rather than SMS codes, which can themselves be phished) can go a long way toward protecting data and complying with the GDPR.

Liability is a legal concept that gives individuals the right to recover the damages done to them by other individuals, organizations, or systems. The major ethical issues related to IT are privacy, accuracy, property (including intellectual property), and access to information.

What approach highlights the interlocking relationships that underlie all societies?

The common good approach highlights the interlocking relationships that underlie all societies. This approach argues that respect and compassion for all others is the basis for ethical actions. It emphasizes the common conditions that are important to the welfare of everyone.