Issues οf Ε-mail monitoring at the workplace

(Published on BusinessNews.gr)

ISSUES CONCERNING THE MONITORING OF ELECTRONIC COMMUNICATIONS (E-mails) AT THE WORK PLACE

This article examines the issue of electronic communications’ monitoring at the workplace, namely the monitoring of employees’ company e-mail by the employer.

In this context, it is noted that the employer’s managerial right and the protection of the legitimate interests of himself and his business often conflict with the rights of workers to protect their privacy and personal data. In particular, it is accepted that workers have a legitimate expectation of some degree of protection of privacy at the workplace, where they develop a significant part of their relationships with other people. This right, however, has to be balanced with other rights and interests of the employer, in particular his right to operate his business effectively and the right to be protected from the damage that workers’ actions may cause. These rights and interests are a legitimate basis which may justify appropriate measures to limit the right of employees to privacy, subject to strict conditions. In particular:

A. RIGHT IN PRIVATE LIFE – PROCESSING OF PERSONAL DATA

I.   It follows from Article 9 (1) of the Greek Constitution and Article 8 of the European Convention on Human Rights (ECHR) that the protection of privacy includes the private and family life of the individual. As opposed to social life, private life means all the relationships and activities that the individual wants to keep away from publicity, either solely for himself or for a close cycle of people, which he himself each time determines. Thus, besides erotic life, health and family life of the individual, being at the core of the right to be protected, within the concept of private life falls a wider cycle of his or her affairs, which may also be associated with working life. The European Court of Human Rights has held that phone calls and e-mail from the workplace may be considered as particular aspects of the worker’s privacy and protected by Article 8 of the ECHR.

II.   Furthermore, according to Article 9A of the Constitution “Everyone has the right to protection against the collection, processing and use, in particular by electronic means, of his or her personal data as defined by law. The protection of personal data is ensured by an independent authority, set up and functioning, as defined by law”. As personal data are considered not only those referring to private life but also those intended for externalization in the public sphere, while protection concerns not only the processing of such data by state bodies but also by individuals. The individual is entitled to check and determine the way information concerning him/her is collected and processed, with the guarantee and assistance of an independent authority entrusted with this very responsibility, the Data Protection Authority.

The General Data Protection Regulation (GDPR) – Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 with effect from 25 May 2018 – concerns the creation of a single legislative framework for the processing of personal data in the Member States of the European Union and shall replace the previous Directive 95/46/EC which was incorporated into the Greek Legislation with Law 2472/1997. The rights of employees, as data subjects, are extended under the GDPR, presenting greater obligations on employers and HR teams.

Under the current legislation, personal data in order to be lawfully processed, must:

(a) Be collected fairly and lawfully for specified, explicit and legitimate purposes and be processed fairly and lawfully for these purposes.

(b) Be relevant, appropriate and not more than is required at all times for the purposes of the processing.

(c) Be accurate and, if necessary, be notified.

(d) Be kept in a form which permits the identification of their subjects and only for the period required for the purposes of collecting and processing them.

III.   Moreover, personal data may be processed only when the data subject has given his/her consent. But this fundamental rule is not absolute. By way of exception, personal data may be processed without the consent of the person concerned where that is “strictly necessary to satisfy the legitimate interest pursued by the controller … and provided that this clearly outperforms the rights and interests of the persons to whom the data relate and their fundamental freedoms are not prejudiced”. Thus, the protection of personal data does not extend to the complete prohibition of their processing but to the establishment of terms and conditions under which their processing is permissible, in order to achieve a fair balance between the protection of that right and the satisfaction of other constitutional rights such as the right to legal protection (Article 20 (1) of the Constitution) and the freedom to conduct a business (Articles 5 and 106 (2) of the Constitution). Such a legitimate interest is the exercise of the economic freedom of the employer and the exercise of a right before a Court; in particular the case where the information requested is necessary for the recognition, exercise or defense of a right. A typical example is the presentation of personal data by the employer before a court and administrative or independent authorities in defense of his or her rights. In particular, as the Data Protection Authority has repeatedly held, the use of personal data collected without the prior consent of the person concerned is legitimate if “the intended purpose of defending rights cannot be attained by other milder means”[1].

In addition, the Supreme Court accepts that, as opposed to personal and private life, the execution of an employee’s duties may be subject to controls, which would be unacceptable outside of work. Thus, as it has been decided, it is legitimate to record a cashier during work, because the work they provide is subject to the employer’s control and such recording does not relate to the sphere of the personal and private life of the employees[2].

With the recent decision no. 1/2017, the Supreme Court at its Plenary Session held that it is lawful for employers to use data recorded on the company’s computers’ hard disc, which were made available to its employees and executives, after the latter resigned and took up work in a competitive business with parallel acts of unfair competition. In particular, the Supreme Court ruled that, although closely linked to the commercial and general business of the employer, the correspondence of workers on the job, when serving their personal interests, is “personal” and therefore falls within the concept of “privacy” and personal data. However, the collection and processing of these personal data by the employer, in order for the latter to protect his rights and interests (Article 5 (1) of the Constitution), the safeguarding of his commercial loyalty and the protection of free competition, was considered as perfectly fair.

IV.    It can be concluded from the above that the collection and processing of personal data of workers is permitted in principle for purposes directly related to the employment relationship and the organization of work. The finding of “compatibility” between the information collected and the employment relationship cannot be done on an abstract basis, but by weighting the interests of the employees and the rights of the employers, taking into account issues such as the type of work for which the collection and processing of personal data, or whether the collection and processing is done upon recruitment or during the working relationship. Personal data must be relevant, appropriate and not more than necessary at any time in view of the purposes of processing. The collection and processing must take place in such a way that the employer intervenes as little as possible in the worker’s personal life, with milder means for achieving the purpose for which the information is collected.

Furthermore, for the permissible monitoring of company e-mail for employees, the employer must comply with certain principles. Particularly:

(a) Principle of necessity: The employer must check whether any form of monitoring is absolutely necessary before undertaking any such activity. The monitoring of the employee’s e-mail will only be necessary in exceptional circumstances, such as for example to ensure confirmation or proof of certain actions on the employee’s part or to maintain system security against viruses.

(b) Principle of transparency: The employer must be clear about his activities and must have informed employees about the monitoring, the purpose of the monitoring, the extent of it, etc. Consequently, secret e-mail monitoring as a rule is not allowed. In addition, the employer is required to provide full information to employees about its policy regarding the monitoring of their e-mails.

(c) Principle of legality: Any data processing operation may only be carried out if it has a legitimate purpose. A legitimate purpose may be the need for an employer to protect his business from major threats, such as preventing the disclosure of confidential information to a competitor.

(d) Principle of proportionality: Monitoring should be limited, if possible, to traffic data relating to the participants and the time of a message and not to cover the content of the messages, if this is sufficient to cover the employer’s concerns. If access to the content of a message is absolutely necessary, consideration should be given to the privacy of individuals outside the company who receive the messages and who have not given their consent to the monitoring.

To this end, the European Court of Human Rights (Grand Chamber) in case Bărbulescu v. Romania (application No. 61496/08) concluded that, in order to assess whether a particular measure is proportionate to the objective pursued, the authorities of the Member States should determine (a) whether the employee has been notified of the possibility that the employer might take measures to monitor correspondence and of the implementation of such measures; (b) the extent of the monitoring and the degree of intrusion into the employee’s privacy; (c) whether the employer has provided legitimate reasons to justify such monitoring; (d) whether it would have been possible to establish a monitoring system based on less intrusive methods and measures than directly accessing the content of the employee’s communications; (e) the consequences of the monitoring for the employee and the use made by the employer of the results of the monitoring operation; and (f) whether the employee has been provided with adequate safeguards, to ensure that the employer cannot access the content of the communications unless the employee has been notified in advance of that eventuality.

B. CONFIDENTIALITY OF COMMUNICATIONS

The monitoring of e-mail raises further issues regarding the violation of communications secrecy (Art. 19 Constitution, Art. 370 Penal Code). Secrecy protection concerns not only text messages (letters) but also any form of private, i.e. non-public, communication, such as telegrams, phone calls, faxes, e-mails, which are the modern form of letters. This concerns communications from home and from workplace as well. Article 19 (1) of the Constitution protects only “intimate communication rather than communication in public”. Although it is described as “absolute”, secrecy may be removed under the conditions laid down by the same constitutional provision. Lifting of confidentiality can only take place for reasons of national security and for the detection of particularly serious crimes. However, it is accepted by legal theory that the consent of the victim excludes the constitutive elements of the crime of violation of communications confidentiality under Art. 370 PC.

As recently decided by the Plenary Session of the Supreme Court, e-mails, which, as mentioned above, are covered by the confidentiality of correspondence, are protected by par. 1 of Article 19 of the Constitution only at the communication stage. On completion, e-mails retained by the sender or their recipient in printed form or on his/her computer without the use of a password, do not fall within the scope of Article 19 (1) of the Constitution, but within the provisions of Articles 9 and 9A of the Constitution.

Furthermore, it could be argued that communications with professional content cannot be considered as secret, since the information being trafficked is not of a personal nature and is made using the company’s communication systems. Consequently, there is no secrecy of communications (or at least it does not cover professional communications), since the communication made by employees is not covered by secrecy requirements and does not concern their private life.

Therefore, provided that the employer has developed a policy for using electronic communications through the company’s IT and communications systems and has notified employees that the company e-mail account should be used only for business and not for personal purposes, employees cannot expect their privacy to be respected as regards this particular e-mail account.

C. CONCLUSIONS

• It appears that monitoring of employees’ corporate email is in principle permissible, subject to the conditions and principles mentioned above. However, each case is different and should be considered on a case-by-case basis.
• It would be desirable for a business to (a) develop a Policy for e-mail communications, detailing the extent to which the company’s communications facilities can be used for personal / private communications and the confidentiality obligations to be respected by employees and obtaining their written consent; (b) add a disclaimer at the end of the e-mails mentioning the possible recording of the messages, to ensure that third parties who may communicate with employees are aware of the existence of a monitoring system.
• In consultation with an IT technician, the available technical solutions for e-mail tracking should be considered and a monitoring system should be selected to ensure the control of employees’ e-mail in a way that violates as little as possible their privacy. In other words, a technical solution which ensures control and at the same time intervenes as little as possible in the private sphere and personal data of the employees should be chosen. E.g. it may not be necessary to collect the content of the e-mail, but only the external data of the communication (sender-recipient, date, time), while access to the content may be possible only in specific cases.
• The monitoring of the personal (not corporate) e-mail of employees, with a password-breaker, impinges on the principles of proportionality and legality and violates the right to privacy, since communication through the personal account is purely private, unrelated to professional activities, while messages may also include sensitive personal data, the processing of which is subject to even more stringent conditions.
• Finally, a business should keep secure any personal data obtained through monitoring and permanently delete it when it is no longer necessary. This includes limiting the staff who have access to the data, creating access gradings in company records, so that not all employees can have access to all files, and providing appropriate data protection training to employees.

[1] Data Protection Authority, 8/2005, 9/2005 and 57/2009

[2] Supreme Court 874/2004 NOMOS