In March 2016, the Turku Court of Appeal issued a judgment (16/111796) in which it found that two employer representatives had breached the Act on the Protection of Privacy in Working Life. The employer representatives had redirected the emails of a resigned employee into their own email accounts without the appropriate consent of the employee and without following the required procedure under the Act.
In the case at hand, the employee had given notice of termination of employment, after which the employer had released him from his duties. The employee gave his consent to his private emails being redirected to him from his professional email account during a fixed period lasting just over a week. No agreement was made with respect to his professional emails or what would happen to the employee's email account after the end of this period. The employee's email account was left open and all the emails were redirected to the managing director and sales director. It was given that the employer's representatives had accessed and read the emails intended for the employee even six months after the employee had stopped working at the company.
The employer's representatives argued that they had the employee's implied consent to read and redirect his professional emails as well as his personal emails. They further argued that the company's IT Policy supported the employer's right to redirect the employee's emails during the employee's absence.
The court stated that the employee's express consent is needed under the Act. As no such consent had been given, the company would have had to follow a certain procedure under the Act in order for its representatives to access and read the employee's emails. The court also stated that the company's IT Policy did not contain or imply the employee's consent. The court further noted that the mere receipt of the IT Policy did not qualify as the consent of the employee.
The court imposed ten day-fines on the managing director. The court found that the sales director had acted under the instructions of the managing director, and that, under the circumstances, the sales director's breach could be deemed minor, and therefore decided not to impose any penalty on him.
As the case shows, an employer's right to access an employee's professional emails is very limited in Finland. The ruling emphasizes the importance of obtaining the express consent of the employee if the employer wishes to access the employee's email account. If no consent is given or it cannot be obtained, certain requirements need to be met and a certain procedure needs to be followed before it is permitted to access the employee's emails.
Comments from a Swedish perspective:
This case shows the discrepancies between Sweden and Finland as regards data protection and privacy issues in the workplace. The Swedish legislation on the protection of privacy is piecemeal and relevant rules are partly contained in various acts, such as the Personal Data Act (Sw: Personuppgiftslag), and have partly developed in case law. A case such as the one considered by the Turku Court of Appeal could in Sweden be determined based on the Swedish Criminal Code, as a "breach of postal or telecommunications confidentiality" or "data infringement". This is, however, extremely far-fetched, as criminal liability requires that the employer was not entitled to access the emails. From a Swedish perspective, it is clear that an employer is permitted to access professional emails that are sent via a professional email account. Some doubt may exist as regards private emails sent via a professional email account, but, in the absence of any legislation, it is safe to assume that such access is permitted as long as the employer has made the employees aware of the fact that the employer also accesses private emails sent via a professional email address.