Lawfully Filtering Outbound Spam in the European Union

A Review of European and German Data Protection Legislation as it Applies to MailChannels Outbound Filtering and Transparent Filtering Solutions.

Introduction

Web hosting providers in Europe often hesitate to install spam filtering solutions for fear of violating data protection and data security laws in the European Union (EU). To clarify how providers can remain compliant with the law while providing the security their customers require, MailChannels retained the business law firm Büsing, Muffelmann & Theye (BMT) to analyze the requirements of the German Data Protection Act and the European Data Protection Directive as these statutes apply to MailChannels’ outbound spam filtering solutions. BMT’s analysis finds that outbound spam filtering as practiced by MailChannels generally meets the requirements of the German Data Protection Act and the European Data Protection Directive. This whitepaper outlines BMT’s findings and explains how MailChannels fits into the changing world of data protection legislation.

Legal

MailChannels retained the law firm Büsing, Muffelmann & Theye (BMT) to analyze the privacy implications of using MailChannels Outbound Filtering and MailChannels Transparent Filtering to filter outbound spam and identify compromised accounts. BMT’s legal opinion (available on request to qualified providers), which we summarize here, provides some guidance to help European web hosting providers understand how they can be in compliance with current data protection laws.

Data protection legislation in the EU

In the European Union, data protection is regulated both at the EU level and by each of the 28 Member States. In order to ensure compliance, a data controller (i.e. a hosting company) must sift through a vast amount of legal documentation to understand where the respective laws overlap and how they affect its corporate obligations as a whole. BMT focused its legal analysis of outbound spam filtering on the European Data Protection Directive and the German Data Protection Act because:

  • The German Data Protection Act is regarded as one of the strictest data protection acts in Europe. Therefore, compliance with the high standards of the German Data Protection Act will in most cases be a good indication for compliance with the data protection acts of other Member States, especially if the recognized standards in another Member State are lower.
  • With the new General Data Protection Regulation expected to come into force in 2018, the EU will have binding legislation that is directly applicable in all Member States. It will replace the existing European Data Protection Directive which is only binding as to the result to be achieved, but leaves the choice of form and methods to the national authorities of each Member State. Yet, even though there are significant differences between the “old” directive and the “new” regulation, it appears highly likely that the conclusions of BMT regarding the required legal permission for data processing will be generally supported by the upcoming General Data Protection Regulation.

Who is the Responsible Data Controller?

The European Data Protection Directive and the German Data Protection Act apply to MailChannels’ solutions wherever the processing affects personal data of European data subjects. Both legislative acts take a rather broad view of the term “personal data”; such a wide regulatory filter means that even IP addresses, under certain circumstances, fall into that category. In the context of European and German data protection law, however, there is a distinction between the “data controller” and the “data processor”. Here, “controller” means any person or body that collects, processes, or uses personal data on its own behalf, or commissions others to do so. For regulatory compliance, the concept of a “data controller” is what distinguishes MailChannels’ on-premise and cloud solutions:

  • MailChannels Transparent Filtering. Web hosts integrate MailChannels Transparent Filtering software on site, which means personal data is not processed on any servers outside the corporate network. This makes the respective web host – the customer, not MailChannels – responsible for legal compliance as far as data protection is concerned. As “data controller”, the web host must specifically adhere to the basic European data protection principles outlined below.
  • MailChannels Outbound Filtering. The software is hosted by MailChannels in the cloud and provided as a service to web hosts. It automatically intercepts email traffic, filters out spam, and delivers legitimate email from MailChannels IP addresses. In this case, MailChannels may be regarded as the responsible “data controller”, unless a data processing agreement has been concluded with the respective customer. Where such an agreement exists, the customer remains the “data controller” and MailChannels merely acts on behalf of the customer as a “data processor”. Where no data processing agreement has been concluded, each customer must ensure that any transmission of data to MailChannels Outbound Filtering and any processing by MailChannels complies with data protection laws.

MailChannels Data Centers in the European Union

MailChannels offers qualified European web hosting providers the option of processing their cloud email traffic within a European data center, thereby ensuring all personal data remains solely within the EU. As no data is transferred to destinations in a so-called ‘third country’ outside the EU and the European Economic Area, the special requirements for international data transfers are not applicable. Contact us to learn more.

Basic Data Protection Principles

Any data processing by a data controller subject to European data protection laws must comply with the basic data protection principles underlying the respective legislation. In general, these principles allow companies to collect, process, and use their customers’ personal data only if:

  1. the data subject has consented; or
  2. it is explicitly permitted by a legal provision (legal justification).

Without the consent of the data subject (i.e. a clear contractual provision), the use of MailChannels solutions requires legal justification. To that extent, it is likely that the use of MailChannels solutions would be legitimized by section 28 of the German Data Protection Act and article 7(b) of the European Data Protection Directive and would therefore be permissible under the current data protection regime. In particular, under the German Data Protection Act there appears to be a “justified interest” in client communications not being interfered with or tampered with by spam or emails that contain viruses. Likewise, personal data processed for this purpose appears to qualify as “necessary” to safeguard client email communications from spam or nefarious emails. Furthermore, the Article 29 Working Party – a working group consisting of European data protection officers – has stated in its opinion on privacy issues related to the provision of email screening services (WP 118, adopted on 21 February 2006) that screening of emails for the purposes of filtering spam could be legitimized “on the basis that filtering for spam is necessary for the email provider to be able to perform properly the service contract to which the data subject, i.e. recipient is a party.”

Please note, however, that legal findings will always depend on the specific circumstances of the individual customer. As this whitepaper only provides initial guidance to customers acting as responsible “data controllers” under European data protection laws, we strongly suggest seeking legal advice in case of any further questions.
