Email Addresses Considered “Personal Information” Pursuant to Israeli Privacy Protection Law
The Israeli Privacy Protection Authority (PPA) recently published a pronouncement whereby a collection of email addresses and the names of their owners also constitutes a database.
According to the PPA’s position, an email address has unique characteristics that may reveal details about a person’s personality, marital status, or occupation. Furthermore, an email address is often used for purposes beyond communication, for example as a user name on various websites, which turns the address into “information” and not just an address.
The Privacy Protection Law defines the term “information” very broadly as containing details about a person’s personality, marital status, private matters, state of health, economic situation, vocational training, opinions, and beliefs. Therefore, any database that contains such information, subject to two exceptions, is a database that must be maintained according to the provisions of the Privacy Protection Law and its regulations, including the Privacy Protection (Data Security) Regulations.
The two exceptions to the definition of a “database” are the existence of a collection of data for personal use and not for business purposes, and the existence of a collection that contains only names, addresses, and modes of communication, which, per se, do not generate a characterization that constitutes an infringement of privacy, provided that the owner of the database does not hold another database.
The PPA’s pronouncement addresses the second exception. Up until the publication date of the pronouncement, the question of the classification of an email address as “information” was not unequivocally answered. There were those who believed that an email address merely constitutes a mode of contact, just like a telephone number. Others, however, took a more stringent approach and argued that it constitutes “information,” because the very compilation of the list generates a characterization that constitutes an infringement of privacy. An example would be a psychologist’s list of patients. Even if the list only contains physical addresses and telephone numbers, the fact that this is a list of a psychologist’s patients suffices to generate a characterization that constitutes an infringement of privacy.
Now the PPA is clarifying and announcing in its pronouncement that a collection that includes email addresses alongside the owners’ names constitutes a database, for the following key reasons:
- An email address constitutes “information” – In many instances, it is possible to deduce additional personal details about a person by his or her email address. For example, it is possible to deduce a person’s “vocational training” (in instances in which the email address refers to the person’s title and the organization where he or she works), a person’s “personal matters” (in instances in which the address reflects particular traits from which personal matters may be deduced), and a person’s “marital status” (in instances in which an email address mentions both names of the couple).
- An email address does not constitute “solely a means of communication” – Over the years, the use of email addresses for identification purposes on social networks and for online services has become common. Therefore, an email address may also be used as a “key” that enables identification of a person and access to various items of information about that person that are being held in various databases, even when the sequence of letters comprising the email address does not, per se, contain “information” as defined in the law.
- An email address may generate “a characterization that constitutes an infringement of privacy” – In the vast majority of instances, business owners manage a computerized list of identified email addresses for the purpose of maintaining contact with their customers. A “characterization that constitutes an infringement of privacy” of those customers is generated whenever the customer’s mere appearance in a list “characterizes” that person in a way that infringes on his or her privacy. Furthermore, experience has taught us that a business owner who wants to stay in contact with customers will also possess additional personal details, such as payment details and details of past transactions that reveal information about consumption habits. Therefore, even prior to the publishing of the pronouncement, it was not warranted to exclude such lists from the definition of a “database,” since the criterion for “an exception to the exception” was fulfilled.
The Privacy Protection Authority’s position is, therefore, that the legislative purpose of the Privacy Protection Law is to prevent abuse of information and to protect the rights of the data subjects. The only reasonable interpretation that fulfills this legislative purpose is one that considers an email address as being more than “a mode of communication.” Therefore, a collection of names and email addresses does not fulfill the criteria for exclusion from the definition of a “database,” since at issue is not merely a name and a mode of communication.
Accordingly, if you hold, and not merely for personal use, a list that contains names and email addresses, you are in possession of a database and are subject to the provisions of the law and regulations applying to databases. You are required to register this database according to the conditions prescribed in the law, and you are required to protect the database and the information contained in it in compliance with the Privacy Protection (Data Security) Regulations.