Miriam H. Wugmeister
While there is no doubt that employee monitoring is becoming standard practice, companies need to ensure that it complies with legal requirements and does not unduly affect the employment relationship. This feature outlines the law governing employee monitoring in various jurisdictions in Europe, the US and Asia-Pacific and provides some practical guidance on achieving compliance.
Monitoring employees is standard practice in many workplaces although the reasons for monitoring can vary greatly. Some companies monitor to protect employees, for example where they work in hazardous environments, and it is essential to ensure that safe working practices are being followed. Others may be under legal or regulatory obligations to monitor, for example in the financial services sector. Most companies, however, primarily monitor to check their employees' performance. Monitoring may also be specifically targeted, for example to detect misconduct or to ensure compliance with specific company policies and procedures.
Although the advantages to the company may be obvious, the adverse impact of monitoring employees is perhaps less apparent. A company may view employee monitoring as essential to the effective and efficient running of its business. However, if employees are permitted to use telephones, e-mail and the internet for personal use, it may be difficult for the company to draw a distinction between work and private information and activity, and limit monitoring to the former. Although employees may expect and accept the monitoring of their work, the monitoring of their private information and activity is likely to be much less welcome.
A company's failure to consider the adverse impact of monitoring on employees can interfere with, or ultimately destroy, working relationships; it can also amount to a criminal offence. For instance, in May 2005 the former CEO and five other executives of Sonera, the Finnish telecoms company (now TeliaSonera), were given fines or suspended sentences of between six and ten months by a Finnish court for illegally keeping logs of e-mails and telephone numbers dialled by employees, in an effort to identify who had leaked information about management disputes to the mass media.
Even where companies can justify monitoring employees' activities, it may still be advisable for them to strike a balance between the legitimate need to run their businesses in the best way they see fit and respect for their employees' private information and activities.
The regulation of employee monitoring varies greatly between jurisdictions, raising complex issues for multinational companies. With this in mind, this feature:
Europe
In Europe, the general right to privacy is derived from the European Convention on Human Rights (Convention), which governs Council of Europe member states, and the Data Protection Directive (95/46/EC) (Directive), applying to EU member states (see box, The European legal framework). There are differences, however, in the way that EU member states such as France, Germany, Sweden and the UK have implemented the provisions of the Directive.
France
E-mail monitoring is subject to stringent rules under:
There is a legal distinction between work-related and personal e-mails. Work-related correspondence is not subject to the secrecy of correspondence principle (Supreme Court judgment, 16 January 1992, unreported). Incoming and outgoing personal e-mails are subject to this principle and the right of privacy, even if a company policy prohibits the use of e-mail for private purposes (Supreme Court judgment no 4164, 2 October 2001 in case 99/42942, Nikon France v Mr O). This means that there is no issue of "expectation of privacy": the right to privacy of correspondence in personal e-mails is absolute. However, network administrators can access personal information such as web logs and personal e-mails for technical purposes (that is, to safeguard the proper functioning of the network) (Mr M, Mr H and Mrs F v Public Prosecutor (Paris Court of Appeal), 17 December 2001, case no 00/07565).
To distinguish work-related from personal e-mails, the company must exercise judgment by reading the subject line of an e-mail (Toulouse Court of Appeal judgment, 6 February 2003 in case no 02/02519, unreported). Similarly, e-mails sent from non-personal addresses (for instance sales@companyABC.com) cannot automatically be considered work-related, and companies should exercise their judgment by first reading the subject line and then, if necessary, the body of the e-mail (Bordeaux Court of Appeal judgment, 1 July 2003 in Cegelec v Mrs L, case no 01/01847).
However, a recent Supreme Court judgment appears to redress the balance somewhat between employee privacy and employers' interests. Its judgment of 17 May 2005 in Mr K v Cathnet-Science (case no J 03/40017, judgment no 1089) suggests that a company may search an employee's computer provided the employee is present or "properly convoked", or if there is a "risk" of a "particular event" taking place if the search is not carried out immediately.
In addition, according to the Data Protection Authority (Commission nationale de l'informatique et des libertés (CNIL)), some forms of automatic monitoring are permitted (such as network management software and filter software that controls file size), provided they comply with the three requirements of the Labour Code (Report on cyber surveillance in the workplace, February 2002 (updated in December 2003 and March 2004), see http://www.cnil.fr). In particular, a company should specify the storage period of e-mails on the company's servers.
The CNIL recommends that monitoring policies address the use of the internet. Technical measures such as filter software (to prevent viruses from harming the network and to preclude access to pornographic websites) are allowed, but individual monitoring of web logs should be registered with the CNIL and web logs should be deleted within six months.
Where breaches of the Data Protection Act have taken place, a company or person (including company directors) can be fined or imprisoned. In addition, documents gathered by illegal monitoring cannot be admitted as evidence in legal proceedings concerning the dismissal or discipline of employees.
Germany
The monitoring of employees' internet use is governed by employment law, collective agreements, data protection legislation, constitutional and human rights law, and telecommunications law. The result is complex, and whether internet use can be monitored depends on a number of individual circumstances.
As the constitutional and human rights law overlays all other regulation, the general view is that blanket monitoring infringes an employee's rights and, because they cannot be waived, collective or individual agreements to monitor internet use are unlikely to be valid.
The Telecommunications Act 2004 (Telekommunikationsgesetz) specifically provides for the privacy of electronic communications. It is largely thought that, by expressly or impliedly permitting private use of the internet by employees, a company becomes a provider of telecommunications services to them. The privacy right under the Telecommunications Act can be waived, within the limits of constitutional boundaries, but a company that has tolerated private internet use at work without an express written policy may find itself in a difficult position, because it would already be bound by the Telecommunications Act, and a change of policy might be met with resistance from the workforce or the works council.
Where a company has expressly forbidden private use of the internet at work, data protection law, employment law and the constitutional principles combine to form a set of complicated rules. In essence, where there is no express internet monitoring agreement, individually with the employee or collectively with the works council, monitoring is only allowed to the extent that it is based on a concrete suspicion against an individual employee for breaching the internet policy, or it is necessary to assess the employee's performance due to the nature of his job. Any monitoring must be kept to the necessary minimum and must be announced in advance. If a works council exists, it must expressly consent to each individual monitoring measure.
Because of the limited rights of companies to monitor, express agreements with employees or works councils are advisable. However, there is a risk that agreements will be void on the basis that they were obtained under duress, especially if they are wide-ranging and presented as a condition of employment. An express detailed agreement with the works council on a policy for the use of technology and its enforcement is usually the best way forward.
Sweden
Since the adoption of the Data Protection Law 1998 (Personuppgiftslagen 1998:204), the Data Protection Authority (DPA) has received a substantial number of requests on how the law applies to the monitoring of employees. In 2002 it carried out a series of business, authority and organisation inspections to assess the overall application of the law and identify areas of difficulty. Its report was published in 2003 (Behandling av personuppgifter för kontroll av anställda - Datainspektionens Rapport 2003:3). As there is little case law on employee monitoring, DPA guidance is very important.
According to the 2003 report, employees were often informed that monitoring might take place, but they were not told of the reasons for it. In some instances the reasons for monitoring were found to be insufficient, with companies citing, for example, "particular circumstances", "suspicion of irregularities" and, in the absence of an IT use policy, "a superior's request after suspicions of abuse of IT equipment", "to investigate unethical use of IT equipment" or "working hours are not well spent". The report concluded that organisations need a proper legal basis for monitoring. These include:
Whichever legal basis a company uses, all monitoring must conform with "good practice on the labour market" (although this is not defined).
IT equipment provided by the company remains its property, although it is generally recognised that most companies allow employees to use it for limited personal use. Allowing personal use necessitates clear and precise information, such as a technology use policy setting out how the equipment can be used and when, and why monitoring will take place.
In 2002, a draft law on personal integrity in the work place was circulated for comment (SOU 2002:18 Personlig integritet i arbetslivet (LIA)) but was considered too complicated and difficult to apply in practice. No steps have been taken to adopt this legislation and it may be that the government is waiting for new EC legislation.
UK (England and Wales)
The Information Commissioner, the UK data protection authority, has issued the Employment Practices Data Protection Code (Code) to assist companies in complying with the Data Protection Act 1998, which implements the Directive in the UK.
Part III of the Code covers monitoring at work. It recommends that all companies undertake an "impact assessment" before carrying out any monitoring. This involves identifying whether monitoring is necessary and, if so, what form it should take to achieve the best balance between employees' rights to privacy and the company's needs for carrying out its business. The assessment should address:
If monitoring is considered necessary, the company should assess whether it is a proportionate response to the relevant business need. If disproportionate, the company should not carry out the monitoring.
If the general assessment identifies and justifies the need for monitoring and the type of appropriate monitoring, the company should then carry out a further impact assessment specific to the type of monitoring contemplated (such as telephone, e-mail and internet access, CCTV and in-vehicle monitoring).
The Code also advises on different types of monitoring. For example, when monitoring electronic communications, companies should establish a policy on their use and communicate it to employees. The policy should set out clearly:
A company that carries out full impact assessments need not obtain the consent of its employees to monitor unless it obtains sensitive personal data as a result of monitoring.
Although the Code is not legally binding, failure to comply with it, such as not carrying out an impact assessment, is likely to be cited in any enforcement notice for non-compliance with the Data Protection Act issued by the Information Commissioner. A company that fails to comply with an enforcement notice is guilty of a criminal offence and may be fined. However, the courts are unlikely to prevent use of the data obtained, for example as evidence in an action relating to an employee's dismissal.
US
US law generally allows monitoring of employees provided they have no reasonable expectation of privacy. As a result, if companies have given employees clear notice that they will monitor public areas and technology resources, employees generally will have no reasonable expectation of privacy and a company can monitor.
Under federal law, a company's monitoring of e-mails is governed primarily by the Electronic Communications Privacy Act of 1986 (18 USC §§ 2510 et seq.) (ECPA). What a company can monitor turns on whether the employees' messages are intercepted during transmission or are retrieved from storage on the company's server (ECPA).
Interceptions of online communications (that is, monitoring messages as they are transmitted) are subject to the ECPA's most stringent restrictions and are permitted only in limited circumstances. For employers' purposes, the exceptions most likely to apply are:
Employee communications stored on a company's server can be read by it regardless of whether either of the above exceptions applies (ECPA). The company is therefore relatively free to monitor stored e-mails as long as the expectation of privacy has been removed (Fraser v Nationwide Mutual Insurance Company, 352 F.3d 107 (3rd Cir 2003)).
Similarly, if a company provides, in its technology use policy, that it reserves the right to, and will in fact, monitor employees' internet use, there are few legal impediments to that monitoring.
Asia-Pacific
The law on employee monitoring varies significantly between different Asia-Pacific jurisdictions. Several have adopted a model similar to the US, where giving notice to the employee is a necessary and sufficient requirement for the company to monitor. Others, such as Hong Kong and Japan, have adopted far-reaching guidelines supplementing the legislative framework and imposing strict requirements on data collected from employees. South Korea's approach is more similar to that taken in Europe.
Australia
Although it is not always clear, employee monitoring is permitted by the "employee records exemption", which was introduced to the federal Privacy Act 1988 when it became applicable to the private sector in 2001. The exemption applies to data collection practices that are directly related to a current or former employment relationship and employment records (section 7B(3), Privacy Act). ("Employee records" is defined in section 6(1) of the Privacy Act.) However, there are also privacy laws at state level that protect private sector employee records (for example, the Health Records Act 2002 Victoria).
According to the Privacy Commissioner, monitoring techniques that are not proportionate to the risk addressed cannot be "directly related" to the employment relationship and are not covered by the exemption. However, the exact scope of the exemption is unclear. For example, in a recent case in an organisation involving the disclosure by a manager of personal information about an employee's HIV/AIDS status to co-workers, the Privacy Commissioner decided that, although the company's (and the co-workers') interest was unlikely to outweigh the infringement of privacy suffered by the person in question, the disclosure was found to fall within the exemption.
Reflecting the concerns of some of Australia's trading partners about the level of protection provided for employee records data transferred into the country, the business community believes that greater privacy protection is necessary. In addition, in April 2004, the Privacy Commissioner advocated the repeal of the employee records exemption, mainly on the grounds that it would ensure (see http://www.privacy.gov.au/publications/empsub.pdf):
Concerns about the level of privacy protection have prompted a review of the employee records exemption by the Attorney General and the Department of Employment. However, a recent government report suggests that the current review of the Privacy Act will not assess whether the exemption is still well-founded (Getting in on the Act: The Review of the Private Sector Provisions of the Privacy Act 1988, 18 May 2005, see http://www.privacy.gov.au/act/review/review2005.htm).
As a result, for the moment, companies must continue to try to understand the scope of the exemption. In response to demand for guidance on privacy best practice, the Privacy Commissioner has recommended that private sector businesses use the Guidelines on Workplace E-mail, Web Browsing and Privacy (March 2000), although these were intended for public sector use (see http://www.privacy.gov.au/internet/email/index_print.html).
Hong Kong
The Personal Data (Privacy) Ordinance 1997 (Ordinance) applies to employee monitoring and allows the Privacy Commissioner for Personal Data to adopt guidelines. In December 2004, the Privacy Commissioner adopted guidelines on employee monitoring of e-mail, internet and telephone use and CCTV monitoring. As these guidelines set out the Commissioner's opinion on the application and enforcement of the Ordinance, they should be treated as binding.
Broadly speaking, the guidelines require the employer's legitimate business interests to be balanced against employees' personal data privacy rights. To do this, a company should:
This is similar to the UK's impact assessment (see above, UK).
The guidelines state that a risk should be sufficiently realistic, but the examples provided indicate that the risk threshold is low. For example, time spent on web-browsing by employees may be monitored to prevent company resources from being substantially used for private purposes that may adversely affect productivity, and the contents of e-mails sent using company communications equipment may be monitored to ensure the integrity and security of confidential business information. The risk assessment is meant to ensure that the reasons for monitoring are well founded and that the monitoring is related to, and aligned with, the company's business needs.
Once a monitoring purpose is established, companies should assess the likely adverse impact that it may have on employees' privacy. For example, when monitoring e-mails, the concern is whether the message is work-related or purely private. Monitoring e-mails that are clearly unrelated to work will likely be characterised as intrusive. As a result, the identified risk must be proportionately great (for example, there must be a reasonable suspicion of seriously improper conduct).
As a general rule, employee monitoring should be conducted openly on the basis of a clear and easily accessible employee monitoring policy or technology use policy. Where there is no policy, covert monitoring can only take place if special circumstances justify its highly intrusive nature. There is a twofold test for this:
In any event, covert monitoring must be limited in scope (to target only those areas in which an unlawful activity is likely to take place) and duration.
There are potentially serious consequences if the Ordinance requirements are not met. A company may be exposed to:
Japan
As in Hong Kong (see above), the Japanese government has published guidelines with several provisions relating to monitoring (see our translation and commentary here). These supplement the Law on the Protection of Personal Information 2005, which does not directly relate to employee monitoring. The guidelines provide that an employer should:
Privacy rights will be infringed if the purpose, method and manner of monitoring, when balanced against the harm incurred by the person being monitored, exceeds the range that social convention would deem to be appropriate (Tokyo District Court (wa) 12081 of 2000).
New Zealand
As in the US, notification is a necessary and sufficient requirement for monitoring (Privacy Act 1993). If employees have been notified and the expectation of privacy has been removed, a company can monitor them.
An employee's e-mails can be monitored without providing notice to the employee if obvious monitoring would prejudice the purpose of monitoring. The Privacy Act allows the covert collection of information in circumstances involving potentially unlawful behaviour as it recognises that advising an employee of e-mail monitoring in relation to an investigation would probably affect the employee's future behaviour.
South Korea
Notice of monitoring alone, even if the company has a legitimate reason to monitor, is insufficient. An employee must also give his express consent (Communications Secrecy Protection Act of 1993, Act on the Promotion of Information, Communications Network Utilization and Information Protection of 2001 and Articles 17 and 18, Constitution 1948). Monitoring e-mails without employee consent will most likely infringe the law.
Failure to do this can result in criminal penalties including imprisonment and/or fines.
Taiwan
Taiwan has a similar approach to monitoring as New Zealand (see above, New Zealand). Although there is a constitutional right to privacy (Article 12, Constitution 1946) and detailed data privacy legislation has been in place since 1995, the clearest statement of employee privacy law is found in recent district court case law from 2003 adopting the reasonable expectation test. Under this test, a company can only monitor employees' e-mails if they do not have a reasonable expectation of privacy in their work e-mails (for example, where employees have been provided with a clear e-mail monitoring policy).
The European Legal Framework
The legislative framework in Europe encompasses:
The Convention introduces a general, but qualified, right to respect for private and family life and for correspondence (Article 8). This also applies in the workplace (Halford v United Kingdom (1997) 24 EHRR 523). Companies intending to monitor their employees in any of the 46 Council of Europe jurisdictions that have adopted the Convention (including EU member states) must do so in a way that is consistent with the Convention, as implemented by those jurisdictions' local legislation. There are some broad exceptions to this right, which may, in many cases, allow a company to monitor employees in the workplace (Article 8(2), Convention).
The Directive aims to protect the fundamental rights and freedoms of natural persons, and in particular their right to privacy with respect to personal data. It regulates the processing of personal data, defined as "any information relating to an identified or identifiable natural person (data subject)" (Article 2(a)). A data subject is a person "who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity" (Article 2(a)).
Processing of personal data is defined as "any operation or set of operations which is performed on personal data, whether or not by automatic means, such as collection, recording, organisation, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction" (Article 2(b)). Where the processing is not done by automatic means, the Directive only applies where the personal data forms, or is intended to form, part of a filing system (defined in Article 2(c)).
Application of the Directive is not confined to certain types of personal data or sectors of activity. It regulates the processing of all personal data by both companies and any natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
Requirements for monitoring. Processing of personal data can only be carried out if one of the following applies (Article 7):
There has been much discussion about the validity of consent. The Working Party created by Article 29 of the Directive, which is composed of representatives of the national data protection authorities of member states, believes that the extent to which consent can be used in the employment relationship is limited. Reliance on consent should, according to the Working Party, be confined to cases where the employee has a genuine free choice and is subsequently able to withdraw the consent without detriment.
Proposed developments. Companies wishing to monitor their employees may have to comply with further regulation if the European Commission proposes a directive specifically on workplace data protection later this year. This would be based on technological advances (such as the increased use of e-mail, electronic files and tele-working, which is blurring the boundary between work and private life) and globalisation (in particular, the growing trend of outsourcing the human resource function of large businesses). The proposed framework would cover data about employees, such as personal health records, and data created or used by employees, such as e-mails or the internet. It would deal with the issues of consent, medical data, drug and genetic testing, and monitoring and surveillance.
Ensuring Compliance: Some Practical Tips
As well as complying with any notice requirements, remember that many jurisdictions require a legal basis for monitoring, such as employee consent, or conducting a balance of interests test where the company's interest in monitoring outweighs the employee's right to privacy. Verify whether there are any applicable exceptions for employee monitoring.
©1996-2019 Morrison & Foerster LLP. All rights reserved.