While some countries see their email privacy regulations attacked or breached, offshore email services in European countries can generally offer stronger email privacy to both individuals and companies worldwide.
Here we have summarized the relevant regulations in the US and Norway.
Email Privacy Regulations in the US
The extent to which email privacy is respected and email is protected from unauthorized inspection depends greatly on the legislation in the country in question.
In the United States, there is no constitutional guarantee of email privacy or of the privacy of correspondence in general. The secrecy of correspondence is derived from the Fourth Amendment to the United States Constitution and an 1877 U.S. Supreme Court case.
However, like all rights that have been derived through litigation, this is subject to interpretation and is limited by the legal requirement of a “reasonable expectation of privacy”, which may be either subjective (the opinion of the person in question) or objective (as recognized by society).
Email is also protected by the Electronic Communications Privacy Act of 1986 (ECPA), which was enacted to extend government restrictions to include transmissions of electronic data. The ECPA has been criticized because an agency doesn’t need judicial review in order to demand consumer data from service providers.
Furthermore, after 6 months, email messages lose their status as protected communication under the ECPA and become a regular database record. This means that just a subpoena instead of a warrant is required for a government agency to force email providers to produce a copy of a record.
Email Privacy in Norway
Some countries, especially in Europe, have a constitutional guarantee of secrecy of correspondence, wherein email is equated with letters and therefore protected from all types of screening and surveillance. In electronic communication, this principle protects not only the message contents but also the logs of when and from/to whom messages have been sent.
In Norway, freedom of expression and privacy of correspondence are governed by Articles 100 and 102 of the Constitution and the implementation of the European Convention on Human Rights in the Norwegian Human Rights Act, especially Article 8: Right to respect for private and family life.
The Data Protection Authority was established on January 1, 1980 and was among the first agencies in the world to facilitate the protection of individuals from violation of their right to privacy through processing of their personal data.
Central principles of the Norwegian data privacy regulations are:
- Personal data must only be collected by private entities when consent from the user has been obtained.
- Personal data must not be used for purposes inconsistent with the initial purpose of collection except with consent from the user.
- Personal data must not be stored longer than required by the purpose of collection.
- Personal data must be kept confidential unless required by law or court order.
Finally, the coming Data Retention Directive will soon be implemented in Norway but will only regulate electronic infrastructure providers, which Runbox is not.
Runbox and Privacy Regulations
Because the Norwegian Communications Authority does not consider Runbox to be an “electronic infrastructure provider”, Runbox is exempt from the Electronic Communications Act (currently only available in Norwegian). This means that Runbox will not be required to keep logs of traffic data for any specific time period. Electronic infrastructure providers that also provide email services in Norway and the EU will be required to do so when the Data Retention Directive is implemented in Norway.
Runbox is, however, required to adhere to the Personal Data Act and keep our customers’ personal data confidential. Furthermore, Runbox will not disclose personal data without a Norwegian court order.
Runbox has appointed a Data Protection Officer who is authorized by the Norwegian Data Protection Authority to ensure that all user data is processed according to their guidelines.