Employee privacy rights at work
Recent case law has seemingly failed to provide clarity on the dilemma of whether employers have the right to access communications made by employees on workplace equipment – and during work time. Neil Hodge reports on the key cases and what in-house lawyers should know about employee privacy rights.
In 2007, a Romanian sales engineer, Bogdan Mihai Barbulescu, was fired by his employer for sending private messages at work via the Yahoo messaging system. He appealed, but in 2016 a Romanian court upheld that the dismissal was lawful.
However, the following year the European Court of Human Rights (ECHR) ruled he shouldn’t have been sacked and found the original judgment flawed in two key areas. Firstly, because it wasn’t clear whether Barbulescu was properly aware, or had been properly informed, that his computer activity was being monitored by his employer, meaning that his right to privacy was not being respected. Secondly, the company ‘could not reduce private social life in the workplace to zero’, meaning that it was an unreasonable expectation that he – or any other employee – would never use office equipment for private use.
Sensing that the judgment could be controversial, the ECHR issued a document outlining its reasoning and what employers could learn from its decision. It outlined that, despite its ruling, employers could still monitor workers’ computer activity, but any such surveillance measures needed to be ‘accompanied by adequate and sufficient safeguards against abuse’.
The ECHR said employers must consider whether the monitoring is proportionate, justified, intrusive, or targeted (in terms of detecting a particular kind of abuse, such as the exchange of confidential information); whether employees had been notified that such monitoring could take place; and whether the circumstances of such monitoring had been properly explained.
National interpretations
Despite the ECHR’s judgment and its applicability to all European Union Member States, national courts have discretion about how they should interpret the decision in terms of their own legislation. Some EU countries have fierce reputations for championing and fervently defending labour rights. Others don’t. As a result, the Barbulescu judgment is not as definitive as some employers – as well as in-house lawyers – would like to think.
France, for example, has a strict reputation among EU countries for protecting employees’ rights to privacy in the workplace.
In October, France’s Cour de Cassation considered a case where a messaging app – namely, MSN Messenger, installed on a company computer – was used by employees to send messages of a private nature, within the company. The court found that to access these apps, management would need to provide the employee with prior notice.
These apps, it found, enjoy the same privacy rules that private email accounts do. As a result, information that employers have retrieved from such apps cannot be used against employees in disciplinary or dismissal procedures.
The Cour de Cassation looked at the question of legitimate access to an employee’s professional mailbox in a 2011 ruling, too. It found that if a communication is private in nature, it can’t be used against an employee. However, if the mailbox content is related to the employee’s professional activity, it can be used.
French companies are entitled to access their employees’ workplace computers and professional mailboxes. Communications that aren’t marked as ‘private’ can be accessed in an employee’s absence, while messages marked as ‘private’ are protected. This applies even where an internal policy bans employees from using email accounts for personal reasons on company premises, and even when the data is stored on the company’s servers.
EU law, notably the General Data Protection Regulation (GDPR), imposes certain obligations on employers as to where and how employee communications can be monitored. Monitoring may be permitted for the purposes of the employer’s legitimate interests or for compliance with a given legal obligation. Under French law, it’s also necessary to inform employees and their representatives beforehand that their online activity at work might be monitored.
Such cases are a reminder, say lawyers, that employers need to tread carefully when they handle suspected computer/workplace device misuse. They also should never assume that just because they own the equipment, they necessarily own all the data on them, or have a right of access to that information.
Marlene Schreiber, Chair of the IBA Cybersecurity and Surveillance Subcommittee and a lawyer at Härting, says that employers need to be aware that, under the GDPR, all forms of personal data are protected. This applies to email and text messages. ‘Emails – even if exchanged in a professional context – usually contain personal data (such as name, email address, position and so on), so the GDPR applies,’ she says. National legislation may apply, too. However, this doesn’t mean that such communications are automatically barred from management monitoring, she adds.
In Germany, in terms of business emails sent for business purposes, Schreiber says that the processing of personal data will generally be permitted under the GDPR, as well as the German Federal Data Protection Act (the Bundesdatenschutzgesetz, or ‘BDSG’). According to both sets of rules, data processing is lawful for the purposes of the ‘legitimate interests’ pursued by the controller (in this instance, the employer) or by a third party. The exception is where such interests are overridden by the interests or fundamental rights and freedoms of the data subject that require protection of personal data. The BDSG also permits the processing of personal employee data if relevant to the performance of the employment relationship.
‘Unhindered access to business emails is just as important for companies as, for example, access to letter post, and access to employees’ communications plays an essential role when it comes to internal investigations,’ says Schreiber. ‘Thus, insofar as any private use of emails is prohibited and the correspondence is purely business correspondence, the employer has a comprehensive right of inspection under data protection laws.’
When it comes to private emails, says Schreiber, the legal basis for the permissibility of access to emails is the same, but the weighing of interests varies. ‘The interests of employees are to be given far greater weight because of the possible intrusion into their private sphere, with the possible result that the employer cannot or can only be granted limited access to his or her employees’ emails,’ she says.
In practice, it’s not always possible to tell whether an email is private or business-related unless it has been read completely. This uncertainty can lead to serious limitations for the access rights of the employer. ‘If there are both business and private emails on an employee’s computer which fall under legal protections, the prohibition of checking private emails will affect the otherwise permissible checking of business emails,’ says Schreiber.
Employers cannot assume that all communications made during usual working hours on office equipment are work-related messages. ‘The distinction between whether an email or other communication is of a private or business nature [depends] primarily on the content and intention of the sender,’ says Schreiber. ‘If an employee sends private emails during working hours on office equipment – regardless of whether private use is permitted or not – these emails remain private because their content and the intention are private.’
Schreiber explains that if the employer has not made any regulations on the permissibility of private use at all, this can be interpreted as permission from the employee’s point of view and lead to permission for private use in the form of a so-called ‘business practice’. This would be equivalent to explicit permission of private use.
‘However, excessive internet use during working hours for private purposes justifies termination of the employment contract without notice, as the German Federal Labour Court has ruled,’ she adds.
‘Bring your own device’ (BYOD) policies can be problematic from an employer’s perspective, says Schreiber. As the employee owns the device and their private data is stored on it, the employee would be able to defend themselves against the employer’s powers of control under the GDPR. Indeed, unlawful access to personal data by the employer entails the risk of heavy fines and claims for damages. ‘Insofar as the employee’s personal data and his or her private sphere is also affected, there is usually no legal basis for processing private [emails]. The employer can only access the device if the employee has given his or her consent,’ says Schreiber.
The GDPR intended to create EU-wide harmonisation, but differences in labour law and the rights of employees still occur between Member States. For example, in relation to Germany, section 26 paragraph 1 of the BDSG limits the processing of employees’ personal data (with very few exceptions), increasing protection for employees’ privacy rights at work.
As a result, Schreiber says, it’s important for employers to separate employees’ business and private emails. They should also prevent the receiving and sending of private emails on workplace devices if they want to easily monitor and review messages on them.
Lessons for in-house lawyers
If in-house lawyers are to devise policies on the use of computer equipment and issues of personal privacy, in general it’s always advisable to expressly regulate the use of computer equipment in the workspace, says Schreiber. Specifically, employers can use a company policy or an addendum to the employment contract. For example, if an employer really wants ‘to be on the safe side’, such a document should be drafted to clarify that any private use of the employers’ computer equipment, internet and so on is prohibited in its entirety. ‘Such a regulation is of course possible,’ she says, ‘but in my experience, it is rarely wanted by parties, and it isn’t a realistic way due to the fact that work and people’s private lives are not as separated as they used to be.’
One possibility, says Schreiber, is for employers to advise employees to store business and private emails in separate mailboxes. This would enable the employer to only access the mailbox containing business emails. Alternatively, private emails could be marked separately or deleted after certain periods of time. Companies should use plain and clear language, as well as illustrations, in explaining the policies. Employers should distribute policies via email or an intranet, for example, to ensure they’re seen.
Lara Vivas, partner at Cuatrecasas, says that the Spanish Act on Data Protection and Guarantee of Digital Rights (under article 87.1) aims to strengthen workers’ right to privacy in the workplace. It makes it even more difficult to argue that companies should be able to set up policies that absolutely restrict ‘workers’ private social life’ or ‘any expectation of privacy’ when using digital devices in the workplace – as many codes and protocols had previously allowed. The legislation also says that not only must employers respect employees’ privacy rights, but that workers must be informed of them and that workers’ legal representatives – such as works councils – should participate.
However, the same legislation allows employers to access the contents of workers’ digital devices, so long as the employer acts in a manner commensurate and consistent with the written protocol. Fundamental rights must be respected, while compliance with the three principles of constitutionality (need, appropriateness and proportionality in the strictest sense) must be ensured, as Spanish case law has required until now. Additionally, it must be clear that the sole purpose for accessing the contents derived from the use of these devices is to ‘monitor the fulfilment of job responsibilities and statutory obligations, and to ensure the integrity of digital devices.’
To access the private contents of digital devices and to review targeted contents or individuals, Vivas says, there must be at least enough evidence leading to suspicion or indications of a professional breach of duty or a risk to the devices’ integrity. Therefore – especially if private use is allowed – random checks and automated and indiscriminate monitoring (such as using spyware) are not allowed.
Vivas says that there are several important considerations that in-house lawyers should pay attention to when developing guidelines on permitting or restricting office computers/devices from personal use.
Firstly, merely prohibiting the non-professional use of digital devices does not allow the company free and unrestricted access to them. Vivas says that if, in the future, a company wishes to access the digital devices it makes available to its workers, it must first establish a code of conduct clearly specifying – at least – the prohibitions and restrictions on the use of such devices. If applicable, this should also take into account workers’ profiles. The employer should also inform employees of the code’s content, as well as clarify what disciplinary proceedings employees can expect if they violate the policy.
Vivas also says that employers must ensure that, in those countries that have works councils or formal arrangements for increased employee engagement, such as Germany and Spain, their policies comply with the requirements regarding the participation of workers’ representatives. Policies should also look at the role of any applicable collective bargaining agreement. She warns employers that, for purely procedural purposes, they should maintain an accurate chain of custody for the contents of the digital devices, and for any physical components they wish to access, where these contain information the company wishes to use as evidence of an employee’s breach of the policy.
To make it easier for employers to distinguish between company and private emails, Vivas suggests that employees should write the word ‘personal’ in the subject header or prominently at the top of the message contents. These messages can then be excluded from any search or monitoring process. Vivas recommends that employers draw up ‘right to disconnect’ policies in compliance with recent law so that any messages sent out of hours – perhaps between 20:00 and 08:00 – are automatically assumed to be private.
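As an added example (not from the article, and not code from any of the firms quoted in it), here is a small Python triage filter that applies the two conventions Vivas describes here, and the ‘mark private emails separately’ approach Schreiber mentions earlier: a message carrying a ‘personal’ marker in the subject header or at the top of the body, or sent in the 20:00 to 08:00 right-to-disconnect window, is excluded from the set an investigator is allowed to review. The message structure, the helper names and the sample messages are constructed assumptions, not anything the article specifies.

```python
from dataclasses import dataclass
from datetime import datetime, time

# Policy parameters (assumed for this example; the marker word and the
# 20:00-08:00 window are the ones the article mentions).
PRIVATE_MARKER = "personal"
OFF_HOURS_START = time(20, 0)   # 20:00, inclusive
OFF_HOURS_END = time(8, 0)      # 08:00, exclusive


@dataclass
class Message:
    """Minimal, hypothetical representation of one exported message."""
    sender: str
    subject: str
    body: str
    sent_at: datetime


def make_message(sender, subject, body, sent_iso):
    """Build a Message from an ISO-8601 timestamp string (assumed local time)."""
    return Message(sender, subject, body, datetime.fromisoformat(sent_iso))


def is_off_hours(sent_at, start=OFF_HOURS_START, end=OFF_HOURS_END):
    """True if the send time falls in the right-to-disconnect window.

    A window such as 20:00-08:00 crosses midnight (start > end), so it is
    the union of [start, 24:00) and [00:00, end), not a single interval.
    """
    t = sent_at.time()
    if start <= end:
        return start <= t < end
    return t >= start or t < end


def has_private_marker(msg, marker=PRIVATE_MARKER):
    """Marker in the subject header, or opening the first non-blank body line.

    The word merely appearing somewhere in the body text does not count, so a
    business email saying 'my personal view is...' stays in scope.
    """
    if marker in msg.subject.lower():
        return True
    for line in msg.body.splitlines():
        if line.strip():
            return line.strip().lower().startswith(marker)
    return False


def classify(msg):
    """Return ('private', reason) or ('business', None)."""
    if has_private_marker(msg):
        return "private", "marked personal"
    if is_off_hours(msg.sent_at):
        return "private", "sent out of hours"
    return "business", None


def scope_review(messages):
    """Split a mailbox export into an in-scope list and an excluded list.

    Each entry is (message, reason); the reason is recorded so the exclusion
    decision can be explained later (e.g. to a works council or a court).
    """
    in_scope, excluded = [], []
    for m in messages:
        label, reason = classify(m)
        (excluded if label == "private" else in_scope).append((m, reason))
    return in_scope, excluded


def sample_messages():
    """Constructed sample export: two business messages, three private ones."""
    return [
        make_message("a.employee@example.test", "Q2 figures",
                     "Attached are the figures.", "2023-05-10T10:15:00"),
        make_message("a.employee@example.test", "Personal: dentist appointment",
                     "Back by two.", "2023-05-10T11:00:00"),
        make_message("a.employee@example.test", "Re: vendor contract",
                     "PERSONAL - please do not forward", "2023-05-10T14:30:00"),
        make_message("a.employee@example.test", "Re: vendor contract",
                     "Attached. My personal view is that clause 4 is fine.",
                     "2023-05-10T15:00:00"),
        make_message("a.employee@example.test", "Late thought",
                     "Can we talk tomorrow?", "2023-05-10T22:45:00"),
    ]


if __name__ == "__main__":
    in_scope, excluded = scope_review(sample_messages())
    for m, _ in in_scope:
        print(f"IN SCOPE : {m.sent_at:%Y-%m-%d %H:%M}  {m.subject}")
    for m, reason in excluded:
        print(f"EXCLUDED : {m.sent_at:%Y-%m-%d %H:%M}  {m.subject}  ({reason})")
```

Two design choices matter here. Exclusion runs before any content review, so the investigator never reads a message to decide whether it may be read, which is the circularity Schreiber warns about. And the boundary behaviour is explicit: 20:00 exactly is out of hours, 08:00 exactly is in hours, and timestamps are assumed to be in the employee’s local time, which is a point to confirm before applying the rule to a mail-server export in UTC.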
Another important consideration for in-house lawyers is to check that the organisation’s policy regarding the use of office equipment for personal use actually works as the company says. If it does not, then a review is necessary, followed by changes if appropriate.
‘Very often, organisations get into trouble because they draw up strict guidelines and policies that say that all communications will be presumed to be professional, or that any misuse will result in an official reprimand, but then do little to enforce the terms,’ says Vivas. ‘As a result, when the employer does try to discipline someone for using office equipment to send private emails in worktime, the employee can reasonably claim that colleagues also do it but no one else has been disciplined because the policy is not properly enforced.’
It is clear that employers do not have an automatic right to access all the information on workplace devices, even though they may own the machinery. Courts and legislators believe that companies need to expect – and respect – the fact that workers will use office computers, phones and other handheld devices for personal reasons. Draconian policies that forbid personal use outright are unlikely to work and unlikely to pass muster in a courtroom. As a result, employers need to ensure that any policies that govern the use of work computers are reasonable, proportionate, well-communicated and well understood.
A non-EU view – the situation in Japan
The problems regarding employers’ need to monitor and access employees’ emails are not limited to Europe.
Takashi Nakazaki is Vice Chair of the IBA Data Protection Governance and Privacy Subcommittee and special counsel at Anderson Mori & Tomotsune. He says that in Japan, when companies have tried to impose strict policies prohibiting employees from using company equipment to send private messages – even in limited or infrequent circumstances – courts have often found that the policies are too strict, are unreasonable and are unenforceable.
Courts have found that employers have often not communicated these policies to employees as rigorously or as widely as they should, meaning that employees were not aware of them. Where companies have not reviewed, monitored or attempted to enforce them strongly or evenly throughout the organisation, this has given employees the strong (but wrong) impression that the organisation does not care if office computers and phones are used for personal reasons, so long as confidential information is not shared in the process.
To help organisations set up realistic policies, the Japanese Data Protection Authority has issued Q&A guidance. The guidance states that employers must make policies known to employees so they understand them; that employers must make it clear who is responsible for monitoring employees’ compliance with the policy; and that the company itself must comply with its policy (for example, if the policy says that there will be ongoing monitoring of all employees’ communications, this must be duly carried out).
Nakazaki notes instances of Japanese companies trying to penalise employees through disciplinary actions (including firing) for misusing office equipment, or for maligning the company in private social media posts.