Sending emails? Careful with that ‘cc,’ warns privacy body
MANILA, Philippines — The National Privacy Commission (NPC) has asked the public to take extra caution in sending emails to multiple recipients, saying the improper use of the “cc” or carbon copy function could invade or compromise other people’s privacy.
One of the risks to data privacy cited by the NPC is the display of the email addresses of all recipients to every recipient.
“This may result in unintentional disclosure of personal information, which may lead to spam, phishing attempts, or targeted attacks,” said the NPC.
Also, the inappropriate use of “cc” may give unauthorized persons access to personal and sensitive personal information and confidential or restricted information that may be contained in the email body or its attachments.
Adding “cc” could result in a breach of confidentiality, data sharing, and other applicable nondisclosure agreements, said the NPC.
“Mishandling personal information by using the ‘cc’ function, under certain circumstances, may be unnecessary or not proportional for the purpose which can be regarded as a violation of the general data privacy principles in the (Data Privacy Act),” the NPC added.
Unintended exposure
The government’s data privacy watchdog said it had observed many cases involving the erroneous use of the email feature that allows users to send messages to multiple recipients.
The NPC added that it had seen a rise in number since 2021 but did not elaborate on the figures it had recorded.
“Such errors have led to unintended data exposure, potentially compromising the privacy and security of the data subjects involved,” it said in a statement.
As an alternative, the NPC encouraged users of this email feature to check if the “bcc” (blind carbon copy) function is a more appropriate mode of delivery for emails.
“The ‘bcc’ function conceals the recipient email addresses from each other, providing an added layer of protection that reduces the risk of accidental data exposure,” said the NPC.
It also advised senders to double-check their email recipients and verify whether all those included in the “cc” function are necessary.
It also recommended using “bcc” when making announcements or mass emails to ensure that the email addresses of each recipient are hidden from one another.
The NPC also said that email users should be mindful of personal and sensitive information shared in email messages and their attachments, citing that it was better to apply other safeguards such as encryption, password protection, and secure file-sharing platforms.
Further, the commission urged employers to train and coach employees to adopt best practices regarding email correspondence.
As a final reminder, the NPC told users that failure to implement sufficient data protection measures could be punishable under the Data Privacy Act and issuances from the commission.
The punishable acts include the unauthorized processing of personal and sensitive personal information and giving access to these due to negligence.
Unauthorized access carries a penalty of imprisonment ranging from one year to three years and a fine of not less than P500,000 but not more than P2 million.
Meanwhile, providing access due to negligence can lead to prison time ranging from three years to six years and a fine of not less than P500,000 but not more than P4 million.
