Let us all see what you are doing.
Whilst not all employers in the U.S.A. monitor their employees’ communications and activities, the majority do so, namely to evaluate their professional performance, to protect trade secrets, to prevent information security breaches or to avoid or reduce their liability in lawsuits.
So, incoming and outgoing email correspondence, telephone calls, websites visited and documents saved on the computer may be only some of the data accessed in this context.
This surveillance of employees’ electronic communications and activities over employer-provided facilities is generally deemed unlawful under European Union law. Member States’ legal systems usually include constitutional laws, telecommunications laws, labour laws and criminal laws which are intended to be dissuasive.
Currently, there is no specific EU legislation regarding the privacy and protection of workers’ personal data at work.
Nevertheless, Article 31(1) of the Charter of Fundamental Rights of the European Union, whose application is mandatory whenever Member States apply EU law, states: “Every worker has the right to working conditions which respect his or her (…) dignity”.
In parallel, there are two EU Directives which can be applicable in these professional contexts. Although they do not specifically deal with any aspect of employment relationships nor address employee monitoring, they establish some privacy principles which are applicable to surveillance in the workplace. These provisions are then furthered by Member States through their national legislation.
Firstly, we have the 95/46/EC Directive which relates to the protection of individuals with regard to the processing of personal data. Under this framework, data subjects are provided control over the collection, transmission, and use of their personal information. In fact, this instrument foresees that data subjects have the right to be notified of the collection of personal information.
In this context, employers have to ensure that their surveillance is legitimate and restricted and must be transparent regarding any surveillance conducted. Any monitoring of the employees’ communications and activities, namely regarding the use of e-mail, the internet or phones, without the employees’ knowledge or consent, is unlawful.
Secondly, the 2002/58/EC Directive relates to the processing of personal data and the protection of privacy in the electronic communications sector. The interception of communications over private networks, including e-mails, instant messengers, and phone calls, and generally private communications, is not covered, as the instrument only refers to publicly available electronic communications services in public communication networks.
The European Convention for the Protection of Human Rights and Fundamental Freedoms (hereafter ‘ECHR’), in its article 8, reads as follows: “Everyone has the right to respect for his private and family life, his home, and his correspondence”.
Whilst the right to privacy at work has not yet been considered by the Court of Justice of the European Union, the European Court of Human Rights (hereafter ‘ECtHR’) has already ruled that the right to privacy is not restricted to the household and extends to the workplace environment.
In fact, in Köpke v Germany, the Court stated as follows: “(…) that the concept of private life…may include activities of a professional or business nature and may be concerned in measures effected outside a person’s home or private premises(…)”.
In the Niemietz v. Germany case, the ECtHR included business relations, e-mails, and any other form of electronic communication in the concept of ‘private life and correspondence’, no distinction being made between private or professional correspondence.
In Halford v. UK Gov., the ECtHR held that the employer’s surveillance of the employee’s calls at work unjustifiably interfered with the employee’s right to privacy and correspondence. Communications via e-mail, fax, wireless, and any technological means are covered by the concept of correspondence.
Moreover, in the ruling Copland v United Kingdom, the ECtHR concluded that the fact that the calls or the e-mail usage occur in the office and, at least in theory, are business related, was irrelevant. Business correspondence and telephone calls may contain personal information, which is protected by human rights and by data protection law.
It also found that, even if the telephone monitoring was limited to “the date and length of telephone conversations” and “the numbers dialled,” and did not involve the content of the communications, it still violates article 8 of the ECHR.
The Court also stated that article 8 is infringed where the monitoring is not previously communicated to the employees, as they consequently have a “reasonable expectation” that they will not be monitored.
However, a worker’s right to privacy at work is not absolute.
In Benediktsdóttir v. Iceland, the ECtHR concluded that the right to privacy and to correspondence has to be balanced with the other rights, namely those of the employer.
In this context, although not legally binding, the Article 29 Working Party (hereafter WP29) opinions provide important guidance. In fact, national data protection authorities take them into account when applying and enforcing national laws.
The WP29 issued an opinion on the processing of personal data in the employment context in 2001, concluding that “[t]here should no longer be any doubt that data protection requirements apply to the monitoring and surveillance of workers whether in terms of email use, internet access, video cameras or location data.” Therefore, monitoring must be proportionate, not excessive for the intended purposes, and carried out in the least intrusive way possible. Furthermore, it stated that, under the Data Protection Directive, employers may process data concerning their employees only with “unambiguous consent” or if the processing is “necessary.”
In 2002, the WP29 issued a Working Document on the surveillance of electronic communications in the workplace, in which it argued that the employee’s right to privacy should be balanced with the legitimate rights and interests of the employer, such as a specific and important business need, efficiency, or the right to protect the employer from harm caused by employees’ actions. Therefore, the monitoring activities should be necessary, proportionate and transparent.
In the WP29’s viewpoint, any monitoring of electronic communications should be exceptional, namely when necessary to obtain proof of certain actions of the worker; detect unlawful activity; detect viruses; or guarantee the security of the employer’s systems. Therefore, concealed or intrusive monitoring is generally unlawful.
In 2005, in its annual report, the WP29 affirmed that “[i]t is not disputed that an e-mail address assigned by a company to its employees constitutes personal data if it enables an individual to be identified.”
The WP29 stressed, in another Opinion, in 2006, that all online communications in the workplace are subject to confidentiality protection, including those sent from workplace equipment for private as well as professional purposes. It suggested seven principles to ensure proper monitoring: necessity regarding a specified purpose; a specified, explicit and legitimate purpose; prior notice to employees about the monitoring; the monitoring should be aimed at safeguarding the employer’s legitimate interests; personal data processed in connection with any monitoring must be adequate, relevant, and not excessive with regard to the purpose for which they are processed; data must be accurate and not retained for longer than necessary; and appropriate technical and organisational measures shall be implemented regarding security.
The requirements at stake may vary according to the monitoring technologies used, as some will require stricter standards according to the extent of interference with private life. For instance, in Uzun v. Germany, the ECtHR concluded that monitoring via GPS is not as intrusive as telephone tapping.
Considering that the data collected by the employer may constitute sensitive data, it can only be processed in the cases foreseen in Article 7 of the Directive 95/46. In this context, considering the disparity in the contractual positions at stake, the employee’s consent may not be deemed to legitimize the processing.
In this context, it is quite advisable for private employers established in the EU to set up clear and acknowledged internal policies or guidelines regarding the use of Internet and electronic equipment in the workplace, for instance as part of the work contract.
This legal and jurisdictional context highlights the challenge that companies and other organizations face when doing business in the European Union, especially those which also operate under U.S.A. law.