Email Privacy Law: Expectations and Reality
We have said time and again that, for all its convenience, email is not private by nature. But as a user, it’s good to know that there are still privacy laws that can protect your data while you’re using email services.
Of course, every country has its own set of data privacy laws that apply to its citizens, so in this article we’re going to take a look at the data security and privacy laws of the United States and the European Union in particular. Hopefully, after reading this, you’ll have a better picture on which to build your expectation of privacy on the Internet when it comes to electronic communications.
Privacy by Design vs Privacy by Default
Before we go into the privacy laws pertaining to electronic communications, it’s important to understand two principles that govern most of these laws:
Privacy by design and privacy by default.
Under Privacy by Design, an action that a company undertakes to process personal information in any way must be completed with data protection and privacy in mind from start to finish (at every step).
On the other hand, Privacy by Default is a principle which states that if the user provides their personal data to enable the optimal use of a product or service, that data can only be kept for as long as it is necessary to provide that product or service.
For example, when you sign in to a social media account, you allow the service provider to share your name and email address, but not your location. If they also share the location, that’s a violation of the privacy by default principle.
Secure Email Laws and Regulations in the United States
How do data privacy laws in the US and EU differ?
Quite a lot in fact.
The biggest difference here is that the United States doesn’t have a single, federal-level data security and privacy law, whereas the European Union does.
Instead, US citizens need to rely on several sector-specific privacy laws, including:
The US Privacy Act of 1974
The US Privacy Act of 1974 sets the rules and practices that dictate how government agencies can gather, maintain, use and finally publish personal information that they keep in their records.
Under the Act, the agencies are prohibited from disclosing any record about an individual from their systems without that person’s written consent.
Among other things, the US Privacy Act establishes:
- The right of citizens to access and copy any data about them that a government agency is holding;
- The right of US citizens to correct any errors in their personal information;
- That data can only be accessed on a “need to know” basis;
- That government agencies can only share data between themselves under certain conditions;
- Finally, that when collecting data, government agencies are to collect only “relevant and necessary” data.
Health Insurance Portability and Accountability Act (HIPAA)
HIPAA was introduced in 1996 by the US Department of Health and Human Services and is a set of standards put in place to enhance the security, confidentiality, integrity and availability of electronic protected health information (ePHI), both in transit and at rest.
ePHI includes any data that can identify a patient:
- Name;
- Birthdate;
- Address;
- Phone number;
- Email address;
- IP address;
- Social Security Number (SSN) or another identifying number;
- Any physical information, including a photo, fingerprint, etc.
We have already talked about HIPAA; check out the article explaining why it’s important that your emails comply with HIPAA.
Two reasons in particular make HIPAA important:
- It ensures that healthcare service providers and business associates of HIPAA-covered entities put in place the necessary safeguards to protect patients’ personally identifiable health information;
- It also enables patients to obtain records of their health information so they can check them for errors and correct them.
Children’s Online Privacy Protection Act (COPPA)
COPPA, which first saw light in 2000, prohibits online companies from collecting or asking for personally identifiable information (PII) from children under 12 without their parents’ consent.
In 2012, the Federal Trade Commission (FTC) further modified and strengthened COPPA to better take on the then-emerging new technologies, particularly the rise of social media and the increased use of smartphones and other mobile devices.
These amendments, among other things:
- Expanded the list of personal information that cannot be collected without the parents’ consent;
- Broadened COPPA so that it covered IP addresses and mobile IDs among other online identifiers;
- Widened the coverage to third parties that also collect data, so they too must comply with COPPA;
- Enhanced the data security protections to ensure online service providers take the necessary steps to release children’s sensitive information only to companies that are capable of keeping it secure and confidential;
- Required covered operators to adopt reasonable procedures for data retention and deletion;
- Established the FTC’s oversight of self-regulatory safe harbor programs.
Gramm-Leach-Bliley Act (GLBA)
The GLBA is a banking and financial law that also includes some data security and privacy requirements.
In particular, the GLBA protects non-public personal information (NPI). The FTC defines NPI as:
“Any personally identifiable financial information that a financial institution collects about an individual in connection with providing a financial product or service, unless that information is otherwise publicly available.”
What’s important to remember about the GLBA, however, is that its consumer privacy protection is limited, especially when it comes to affiliated third parties. In that case, a consumer has little to no legal privacy control that would allow them to restrict the sharing of their NPI.
Email Privacy Act
Finally, the most important email data privacy law in the US is the Email Privacy Act, which was introduced as an update to the Electronic Communications Privacy Act of 1986 and serves to stop electronic and remote communication service providers from intentionally disclosing the contents of private email.
In addition, under the Email Privacy Act (EPA) the government is obligated to get a warrant if it needs to disclose the contents of a private email.
European Union GDPR and Private Email
While the US doesn’t have a single law that covers data privacy on a federal level, the European Union does in the form of the General Data Protection Regulation (GDPR).
The GDPR was officially introduced in 2018 and deals with protecting personal data and privacy in the EU and the European Economic Area, as well as the transfer of private data outside these two areas.
So how does the GDPR apply to email?
The GDPR mostly focuses on email marketing (including by small businesses) and spam, but that doesn’t mean it completely ignores email encryption and email privacy; its provisions extend to both. Small businesses in particular have to balance engaging marketing communication with protecting their recipients’ privacy.
Instead, when it comes to encryption and security, it’s important to remember the principles of “Privacy by design” and “Privacy by default”. In particular, email encryption and anonymous email are both listed in the regulation as recommended measures companies should take to reduce the risk of a data breach.
As for spam and other unsolicited email, the initial hope was that the GDPR would “end spam”. Obviously, it didn’t do that, but it does a good job of protecting consumers from receiving unsolicited email by forcing companies to obtain an opt-in from users before sending them emails, and by defining user consent more precisely.
Specifically, Article 6 lists six “lawful bases” for an organization to process users’ data. In particular, consent:
- Must be “freely given, specific, informed and unambiguous”;
- Must be requested in a way that is “clearly distinguishable from other matters” and presented in “clear and plain language”;
- Can be withdrawn at any time;
- Children under 13 can only give consent with parent approval;
- Finally, consent must be documented.
Why an Encrypted Email Service is More Important than any Law
As you can see, there is quite a lot to cover when it comes to data privacy regulation, and email privacy laws in particular, in both the US and the EU. In a lot of ways, this is still somewhat uncharted territory, and many of these regulations contain loopholes that third parties can exploit to obtain your private data and even read your emails.
This is why your expectation of privacy can’t be too high if such laws are the only thing protecting it.
The best way to protect your online privacy and security is to use an end-to-end encrypted email service with strong security features.
One such email service that strives to protect your privacy, because that’s a right worth fighting for, is CTemplar. We believe that personal information should not be profited from in any way, and if you’re on the same page as we are, sign up for your CTemplar email account today.
Is email protected by privacy laws?
Personal email should be private and users can reasonably expect that their private emails have not been opened, read or otherwise altered by a third party, unless there is a suspicion of criminal activity on their part.
Is it legal to forward an email without permission?
Yes, it is completely legal to forward an email someone else has sent you. However, you should still obtain permission from the sender in most cases.