While some countries see their email privacy regulations attacked or breached, offshore email services in European countries can generally offer stronger email privacy to both individuals and companies worldwide.
To give you an overview of how your privacy is better protected in Europe, we have summarized the relevant regulations in the US and Norway, which is part of the European Economic Area (EEA) and therefore subject to European Union (EU) regulations.
The extent to which email privacy is respected and email is protected from unauthorized inspection depends greatly on the legislation in the country in question.
In the United States, there is no constitutional guarantee of email privacy or of correspondence in general. The secrecy of correspondence is derived from the Fourth Amendment to the United States Constitution and an 1877 U.S. Supreme Court case.
However, like all rights that have been derived through litigation, this is subject to interpretation and is limited by the legal requirement of a “reasonable expectation of privacy”, which may be either subjective (the opinion of the person in question) or objective (as recognized by society).
Email is also protected by the Electronic Communications Privacy Act of 1986 (ECPA), which was enacted to extend government restrictions to include transmissions of electronic data. The ECPA has been criticized because an agency doesn’t need judicial review in order to demand consumer data from service providers.
Furthermore, after 6 months, email messages lose their status as protected communication under the ECPA and become a regular database record. This means that just a subpoena instead of a warrant is required for a government agency to force email providers to produce a copy of a record.
Some countries, especially in Europe, have a constitutional guarantee of secrecy of correspondence, wherein email is equated with letters and therefore protected from all types of screening and surveillance. In electronic communication, this principle protects not only the message contents but also the logs of when and from/to whom messages have been sent.
In the European Union, the General Data Protection Regulation (GDPR) is an important and groundbreaking regulation on data protection and privacy for all individuals within the European Economic Area (EEA).
The GDPR defines how data may be collected and processed, and gives control over personal data back to the persons themselves. The regulations require that businesses and organizations integrate this human right into their business practices through policies, procedures, and technologies that safeguard the users’ privacy.
Specifically, the GDPR declares that individuals have:
- The right to transparency about how data is processed.
- The right to access and information about collected data.
- The right to rectify stored data.
- The right to erase data (“right to be forgotten”).
- The right to restriction of processing.
- The right to data portability.
In Norway, freedom of expression and privacy of correspondence are governed by Articles 100 and 102 of the Constitution and by the implementation of the European Convention on Human Rights in the Norwegian Human Rights Act, especially Article 8: Right to respect for private and family life.
The Norwegian Personal Data Act implements the EU’s General Data Protection Regulation (GDPR), which substantially strengthens the rights to privacy of individuals in the EEA.
The Norwegian Data Protection Authority was established on January 1, 1980, and was among the first agencies in the world to facilitate the protection of individuals from violation of their right to privacy through processing of their personal data.
Central principles of the Norwegian data privacy regulations are:
- Personal data must only be collected by private entities when consent from the user has been obtained.
- Personal data must not be used for purposes inconsistent with the initial purpose of collection except with consent from the user.
- Personal data must not be stored longer than required by the purpose of collection.
- Personal data must be kept confidential unless required by law.
Runbox is located in Norway, which is part of the EEA, and therefore adheres to the EU’s General Data Protection Regulation (GDPR). The Norwegian Personal Data Act implements the GDPR in Norway and regulates how personal data may be collected, stored, and processed.
Additionally, Runbox has appointed a Data Protection Officer who is authorized by the Norwegian Data Protection Authority to ensure that all user data is processed according to their guidelines.
Because Runbox is not considered by the Norwegian Communications Authority to be an “electronic infrastructure provider”, Runbox is exempt from the Electronic Communications Act (currently only available in Norwegian).