Nowadays it is very common on most e-commerce and news websites to see an icon or a tool allowing users to forward a listing, a special offer or an article to a friend. Usually such functionalities allow the sender to provide his email address and the email address of the recipient (i.e. of the "friend") together with an accompanying message. The recipient will receive a message (stating for instance "Giulio thinks you will like this movie") together with the webpage containing the listing, article or offer. The message is conveyed by the Internet Service Provider but appears to come from his friend.
In most cases, Internet Service Providers (ISPs) are not concerned about the privacy implications deriving from this practice. Their view is that the user is the actual sender of the message and that the ISPs should not be subject to any data protection obligations.
However, on the basis of a deeper review of the matter, the conclusion might be different because:
- the ISPs actually collect and process the email address of the recipient (and any other information provided by the sender), even if they delete the address immediately after the delivery of the message, as the definition of "data processing" covers any processing of personal data. ISPs do so without having provided the recipient with any privacy information notice and without having obtained from him any consent to the delivery of marketing communications, which consequently would entail an unlawful data processing; and
- the message received by the friend seems to come from the sender (i.e. the friend recommending the article, listing or offer), but in fact it comes from the ISP. Such practice would conflict with Section 13.4 of the E-Privacy Directive, which prohibits any practice aimed at disguising or concealing the identity of the sender on whose behalf the communication is made.
Also, the risks are even higher if the ISP does not delete the address and the personal data of the recipient after the delivery of the message, but continues storing such data or (in an even worse scenario) keeps on sending marketing emails to a recipient who has never provided any consent to such data processing.
Unlike some foreign Data Protection Authorities, the Italian DPA unfortunately has never issued any guidelines on the matter, but in my view there are measures that can considerably reduce the risk that such unlawful conduct is challenged by users from a data protection standpoint. Feel free to contact me, Giulio Coraggio, if you want to discuss the above.