Murray S. Kucherawy wrote: > Martin Rex <mrex@xxxxxxx> wrote: >> >> Article 2 "Definitions" of this EU directive (page 7 of above PDF) >> >> The following definitions shall also apply: >> (a) "user" means any natural person using a publicly available >> electronic communications service, for private or business >> purposes, without necessarily having subscribed to this >> service; > > > I would claim that > such an employer's email servers do not comprise "a publicly available > electronic communications service", so I don't think employees using a > protected domain are "users" under this definition. An employee only has to meet the "a natural person" criteria to fall under the under the "user" defintion of the EU directive. The term "publicly available electronic communications service" in the directive sounds vague and appears to provide wiggle room for national legislators. But even if some EU member states would try to "exploit" this, chances are that the European Court of Justice (ECJ), who is the authority on the interpretation of EU directives and has a duty to make laws of EU member state converge, may not allow loopholes and argue based on the stated pupose of the directive and the necessity of the protection. Exceptions are limited to those listed in Article 15 and must be narrowly defined within statue law. In german national law (TKG) the wording is better and clearer. There, it covers any "electronic communication service" that is connected to public communication services, i.e. when it allows sending to or receiving from public communication service. > > And even if that doesn't wash, an employment contract (here, at least) > typically grants the Article 5 consent that makes this point moot, > and is not typically a "Click OK and forget" situation. The Article 5 consent wasn't about "american style consent", which is why I quoted it under the definitions: >> >> (f) "consent" by a user or subscriber corresponds to the data >> subject's consent in Directive 95/46/EC; > > I imagine email service providers could secure the same sort of consent > through a privacy policy, though "I had no idea" might be a more successful > counter-argument there because nobody really reads those. Your expression "secure consent" gives a hint where your misunderstanding might come from. For many centuries, lots of contries had the notion that a certificate of marriage would "secure consent" to sex between the couple, and marital/spousal rape wasn't called rape and tolerated. Over the last two or three decades a number of countries cleaned up this part of their medieval heritage and started to protect "the fundamental right to sexual self-determination" in their legislation. In Germany, we fixed the laws in a similar fashion about the fundamental right to informational self-determination, and this concept was adopted by the EU data protection directive 95/46/EC, which is refered to in the definition of "consent" quoted above. "Terms of use" or contract clauses that try to "secure consent", rather than making consent a seperate, purely voluntary opt-in, will regularly be illegal and legally void in EU member states. They definitely are legally void in Germany (that is even spelled out in the German TKG). -Martin