Legislators all around the globe are gradually shifting their focus from analog to digital means of communication. One of the effects: a growing number of laws concerned with regulating the content of corporate emails. If you fail to comply with them, you run the risk of receiving a severe penalty. On the other hand, the requirements are often moderate and may be fulfilled by as little as including a short disclaimer in your messages.
But when exactly is this the case? Contrary to reports floating around on the web, email disclaimers are rarely specifically mentioned in legal acts, regardless if these acts focus on electronic correspondence exclusively, aim to regulate commercial messages in general or put restrictions on communication in certain branches of the economy. Neither are disclaimers a surefire protection against security breaches and lawsuits.
Below I discuss to what extent legal systems in different regions of the world mandate the use of email disclaimers and determine their status.
The Health Insurance Portability and Accountability Act (HIPAA)
Applies to: All US companies transmitting patients’ personal healthcare data.
Requirements: Implementation of appropriate administrative, technical and physical safeguards to guarantee the confidentiality of patients’ personal healthcare data.
Email disclaimers: While HIPAA does not explicitly require healthcare companies to use email disclaimers, they are considered a supplementary measure used to discourage unauthorized use, disclosure or distribution of message contents. They are also a good method of informing patients about the risks related to sending their individual healthcare information via email.
Gramm-Leach-Bliley Act (GLBA)
Applies to: Messages sent by financial institutions in the US.
Requirements: Messages containing recipients’ personal information must be vastly protected – this includes using protected channels, encryption, etc.
Email disclaimers: Since they do not ensure 100% confidentiality, they can only be used in an auxiliary capacity, e.g. to, quote: “Caution customers against transmitting sensitive data, like account numbers, via email or in response to an unsolicited email or pop-up message”.
A broad set of rules governing written tax advice, which, due to the unclear formulation, used to cause a “this email does not constitute tax advice” disclaimer to be added to most messages sent by law firms.
Starting from June 12, 2014, the Circular 230 rule that contributed to overuse of the “safety disclaimer” is no longer in force.
Email disclaimers: Not required.
Full text of revisions to Circular 230: http://www.irs.gov/file_source/pub/irs-utl/TD_9668_6-9-14_Cir%20230_6-9-14_Final_Reg.pdf
Canada’s Anti-Spam Legislation (CASL)
Applies to: All commercial messages sent to recipients in Canada.
Requirements: Aside from a few exceptions, Canadian users must always be given the option to provide express and informed consent before they receive any commercial messages from a company or individual. Messages must also include clear sender’s identification and a readily available opt-out mechanism.
Email disclaimers: Mandatory. To comply with CASL any person or company who sends commercial messages must append them with clear and up-to-date sender’s identification, i.e.:
- name of a person on whose behalf the message is sent (if applies)
- current mailing address
- phone number
- email or web address
- unsubscribe link or information about opt-out phrase (requests must be fulfilled within 10 days)
Applies to: All corporate correspondence.
Requirements: Messages must contain the legal form of the sender’s company, registered office physical address, as well as information where the company is registered and under what number. If the company is being wound up, the fact must be stated.
Email disclaimers: Mandatory.
Examples of implementation of the directive in EU member states:
Under the Companies Act 2006 businesses are required to append electronic messages with the following details:
- company’s registered name
- part of the UK where the company is registered
- company’s registration number
- registered office physical address
- the fact that it is a limited company in the following cases: if the company is exempt from adding the word “limited” to its name; if the company is a community interest company which is not a public company
- amount of paid up share capital (if the company has chosen to display shared capital).
Source and more information: http://www.companieshouse.gov.uk/about/gbhtml/gp1.shtml#ch10
Following the amendment of the Companies Act 1963 to comply with EU Directive 2003/58/EC, companies are required to include in all letters and order forms (paper or any other medium):
- the company’s name and legal form
- the place and number of registration
- registered office physical address
- in case of exemption from using the word “limited”, the fact that it is a limited company
- the fact that the company is being wound up (if applies)
- references to capital must include information on subscribed and paid up capital.
Source and more information: http://www.irishstatutebook.ie/pdf/2007/en.si.2007.0049.pdf
Starting from January 1, 2007, the Gesetz über elektronische Handelsregister und Genossenschaftsregister requires commercial emails to state the following:
- company name in accordance with the Commercial Register
- legal form (for example, K., KG, OHG, GmbH, AG, GmbH & Co.KG, Ltd.)
- place of the establishment with street and address
- registration court and registration number
- all directors or board members
- if present, the Chairman of the Supervisory Board with the family name and a complete first name
- the chairman of the board, if one is designated as such
- information on capital, in cases when it has not been fully paid up; additionally joint venture companies (AG) must additionally specify the amount of share capital and total value of outstanding shares, while limited liability companies (GmbH) must specify the share capital value and, if it has not been paid up yet, the value of outstanding deposits.
For traders who do not have a firm registered in the commercial register, § 15 b of the Trade Regulation applies, requiring that on all business letters that are addressed to a specific recipient, they provide their surname with at least one complete first name. The requirement does not apply to messages exchanged within existing business relationships, for which standard forms with separate disclosure rules are used.
Source and more information: http://www.internetrecht-rostock.de/email-pflichtangaben.htm
Article R 123-237 of the French Commercial Code, amended by decree of May 9, 2007, extends the category of correspondence onto external corporate emails, which henceforth have to include:
- the company’s unique registration number (SIREN number)
- Register of Commerce (RCS) in which company is registered
- registered office physical address
- information regarding insolvency proceedings (if applies)
- in case the company belongs to a corporate entity with registered office overseas, emails must include all of the above, as well as the overseas company’s name and legal form
- the fact that the company is run by a lease manager (locataire-gérant) or an authorized management agent (gérant-mandataire) (if applies).
European Union Directive 95/46/EC – The Data Protection Directive
Applies to: All messages containing personal data of EU citizens (including ones exchanged within a work environment).
Requirements: EU citizens’ personal information can only be collected and processed if the concerned party gives consent after having been informed in detail about the procedure. Collecting organizations must ensure that the information is not destroyed, altered, lost, as well as disclosed, stored or access without authorization.
Email disclaimers: According to a report by law firm Cooper, Counsel Covington & Burling the aim of the directive is to ensure that organizations’ outgoing e-mails contain information about any monitoring policies they may have in place (see page 14 of the report). Section IV of the directive states that the subject of data collection must be provided with the following information:
- the identity of the [data] controller and (if applies) their representative
- purpose of the processing for which the data is collected
- additional information, e.g.: recipients or categories of recipients of the data; if providing the data is obligatory or voluntary; a channel for inquiries and complaints.
Examples of implementation of the directive in local EU member states’ law include UK’s Data Protection Act, Germany’s Federal Data Protection Act (Bundesdatenschutzgesetz) and Netherlands’ Personal Data Protection Act (Wet bescherming persoonsgegevens).
Note: Monitoring of employees’ correspondence by the employer can also be considered to fall into the category of personal data processing.
EU directive FAQ: https://gdpr.eu/faq/
Employee email monitoring and workplace privacy in the European perspective (see page 2): http://www.law-review.mk/pdf/08/Evisa%20Kambellari.pdf
Chapter 2 of Directive 95/46/EC: http://www.dataprotection.ie/docs/EU-Directive-95-46-EC-Chapter-2/93.htm
A common practice among both corporate and private users is to append emails with confidentiality disclaimers, waivers of legal responsibility, etc. The main point to stress here is that the status of these types of notices varies from country to country. Where one legislature may imbue them with indisputable legal substantiality, another can view them as unenforceable.
The United Kingdom is an example of the former. Its existing law dictates that, if a message is expressly or implicitly confidential, a recipient cannot disclose its contents or use it for a purpose unintended by the sender (source: http://www.weblaw.co.uk/articles/legal-position-of-email-disclaimers/). It is evident that in this case stamping your email with an immediately visible confidentiality disclaimer makes all the difference. A person choosing to reveal the contents of such an email automatically comes into conflict with the law and is subject to penalty.
This is less clear cut in the USA, where each case may go either way based on the ruling of the jury. It can, however, be argued that confidentiality disclaimers generally hold up in American courts, as do to a large extent notifications of sender’s lack of contractual authority (source: http://www.rhlaw.com/blog/legal-effect-of-boilerplate-email-disclaimers/).
Two examples from one country may be little, but I think we can use them as proof that let’s call them “voluntary”, disclaimers should not be too hastily dismissed as void of any legal weight. In fact, based on the linked above article, they’ve been shown to get people out of trouble more than once.
To conclude, as you noticed, my article does not cover the entire scope of international email disclaimer legislation. Countries I failed to mention may enforce their own unique or very similar laws. Judging by the current trend of increasing Internet regulation and the budding (one can hope) recognition of end-user rights to privacy and transparency, I would guess the latter is or will soon be true.
As to voluntary disclaimers, if you’re still on the fence about attaching a standard one to your business emails, remember that regardless how the matter is treated by the legislation in force in your country or state, it can always be used as a supplementary measure informing recipients of potential legal ramifications of the correspondence, encouraging or discouraging certain behavior, or helping reduce damage caused by unexpected events. And the worst case scenario is that it will go unnoticed.
NOTE: Information in this article does not constitute legal advice or legal opinions. You should not act or rely on it without first seeking the advice of an attorney.
CodeTwo Exchange Rules: Automatic legal email disclaimers directly under latest reply/forward.
CodeTwo Exchange Rules Pro: Full legal email compliance including legal disclaimers, email archiving, email content inspection and control, management of attachments, and more.