An employee’s entitlement to privacy and data protection in the workplace is one of the most frequently discussed topics in employment law. Many employers allow, or at least tolerate, private internet use in the workplace to a reasonable extent. If the employer instead opts to prohibit all personal use of internet in the workplace, an employee’s failure to respect this prohibition can provide sufficient grounds for termination for cause, as the Federal Labour Court has repeatedly stated.
It is, however, still controversial what measures the employer may use to detect prohibited private internet use. In its recent decision of 14 January 2016 (docket no. 5 Sa 657/15) the Higher Labour Court (Landesarbeitsgericht, LAG) Berlin-Brandenburg decided that the employer may analyse the history of the employee’s internet browser without his/her specific consent in order to establish the facts of a potential termination for cause.
The facts of the case
The employer had provided the employee with a business PC for fulfillment of his professional duties and prohibited private internet use except for exceptional circumstances outside working hours. Having received indications of regular private internet use to a considerable extent the employer decided to investigate the browsing history of the employee’s business PC without obtaining prior consent. The employer then went on to terminate the employee’s contract without notice for good cause on account of private internet use on five days in a period of thirty days.
Termination for cause; no inadmissibility of evidence
The Court considered the termination for cause effective. It held that the seriousness of the infringement against the employer’s policy to forbid private internet use was sufficient to justify a termination for cause with immediate effect. The court found no reason that the browser history analysis obtained by the employer without the prior specific consent of the employee was inadmissible as evidence in this instance.
No consent required to prevent abuse
Although the employee had not consented to the control of his personal data, the Court held that such consent was not required as the German Federal Data Protection Act (Bundesdatenschutzgesetz, BDSG) allowed for the collection and processing of personal data in order to prevent and investigate any alleged misuse of the kind in question in this case. Also, the employer’s actions were in line with the principles of necessity and proportionality as the employer did not have other means to prove the scope of the prohibited internet use.
In general however, the application of the Federal Data Protection Act to cases such as this one remains controversial in Germany. While the courts of lower instance seem to favor the position adopted in this case, the data protection authorities argue that, at least when private use of internet and e-mail is permitted, the employer becomes a service provider of telecommunications to its employees in the sense of telecommunication law and is therefore bound by much stricter rules in protecting the confidentiality of telecommunications.
The decision of the Higher Labour Court (Landesarbeitsgericht, LAG) Berlin-Brandenburg is in line with a recent case before the European Court of Human Rights (ECHR) where the court found no breach of human rights by email monitoring (see detailed discussion of the case here). In that case a clear rule against personal internet use implemented in the company’s policies provided the grounds for the ECHR to find that a fair balance had been struck between the employee’s right to respect for his private life and correspondence and the employer’s interests to verify that employees are completing their professional tasks during working hours.
However, despite these recent developments, employers must still exercise significant caution when monitoring employee emails and internet use. An employer who imposes disciplinary sanctions as a consequence of such employee misconduct must have comprehensive and bespoke IT and internet policies in place, clearly set out the rights and obligations of employees and how monitoring is conducted and how data is processed and used. These policies can be, for example, implemented in work agreements, but must be effectively communicated to employees and should be accompanied by appropriate training and consistently enforced.