Re: The application is a problem (given EU data protection obligations)
Unless I am mistaken, the EU data protection regulations do not oblige companies to use encryption; they only advise it.
The principle "Security:" does not define "how" data should be kept safe and secure. This is vague and open to abuse.
The 7 EU data protection regulation principles:
• Notice: subjects whose data is being collected should be given notice of such collection.
• Purpose: data collected should be used only for stated purpose(s) and for no other purposes.
• Consent: personal data should not be disclosed or shared with third parties without consent from its subject(s).
• Security: once collected, personal data should be kept safe and secure from potential abuse, theft, or loss.
• Disclosure: subjects whose personal data is being collected should be informed as to the party or parties collecting such data.
• Access: subjects should be granted access to their personal data and allowed to correct any inaccuracies.
• Accountability: subjects should be able to hold personal data collectors accountable for adhering to all seven of these principles.
Rogue admins can have full access to email systems, and unless the emails are encrypted you have to consider your data as being "public".
....