"If the emails were indeed being read without the author's explicit and clear consent, this would likely be unlawful under GDPR"
Well, let's just leave this worry hanging here.
"Again, if no consent were obtained, it would contravene Google's own developer agreement, which requires explicit opt-in consent when a user's 'non-public content is obtained through the APIs'."
And let's double down on it instead of investigating the answer.
"In a statement published on its website, Return Path founder Matt Blumberg said his firm had co-operated with the reporter but expressed dismay that the report was 'extremely and somewhat carelessly selective'."
Can someone confirm if this user-facing API permission request is in fact the selectively omitted thing?
Apparently it's in the source article. Evil applications can get at your data, if you explicitly allow them to...?