What action can an employer take when faced with pornography at work? Under French law, employers must tolerate employees' reasonable personal use of IT systems. However, there are certain limits to this, and recent cases have clarified the position towards the use of IT systems in the workplace for personal purposes.
The extent to which an employer can take action against employees who act in an inappropriate manner, particularly in relation to pornographic websites or files, depends on the employee's actions and whether the employer has policies in place. In certain cases, it has been held that employers were justified in dismissing their employees on grounds of serious misconduct, whereas in other instances the courts have upheld the values of privacy over those of morality.
Internet access during working hours, using a company computer, is considered to be for professional purposes and an employer can thus monitor employees' access to websites using the server website history data to which it has access.(1) Unlike accessing certain other data, there is no requirement to inform the employee in advance before consulting website history data.(2)
The fact that employees can save websites to their favourites list does not enable them to claim that these are used for personal purposes (as would be the case for specific files marked 'personal') in order to avoid such monitoring.(3)
A recent decision clearly demonstrates a situation justifying an employee's dismissal for serious misconduct. On September 21 2011(4) the Supreme Court upheld an employer's decision to dismiss an employee due to his consultation of pornographic websites during his working hours. In this case, the employee also attempted to hide the traces of such activity by downloading software to clean his hard drive.(5)
With respect to the consultation of websites, case law makes no specific distinction according to whether the employer has a specific policy. A single, isolated consultation of a website unrelated to the employee's professional activity is unlikely to be sufficient to justify dismissal for misconduct. However, multiple connections to such websites in the same day, as well as use of software intended to cover the employee's tracks, amount to a sufficient breach of the general obligations of loyalty and integrity to constitute serious misconduct, irrespective of whether such obligations are expressly stated in the employment contract or another policy.
When it comes to work email use, an employer has limited options for accessing emails and using them against an employee.
As a general rule, any emails that are not expressly identified as 'personal' are considered to be of a professional nature, and the employer can therefore freely access them without the employee being present.(6) However, in a recent case(7) the Supreme Court limited this possibility, holding that:
"while the employer may always monitor and open files that have not been expressly identified as 'personal' by the employee, these files cannot be used to discipline the employee if they are related to the employee's private life."
Indeed, the Supreme Court reiterated that "employees have the right to privacy in relation to their personal life".
Unlike in relation to the consultation of websites, it seems necessary for employers to implement an IT policy in order to take disciplinary action. This was demonstrated by a Supreme Court decision in December 2010,(8) in a case where an employee used his work email address to receive and save 480 pornographic files in direct violation of the employer's IT policy. The court held that his dismissal was justified, whereas another dismissal on similar grounds was held to be unfair due to the absence of such an IT policy.(9)
Where no policy has been implemented, it would seem possible to discipline an employee only where the employee has taken specific action to the detriment of his or her work.
The Supreme Court(10) held that an employee who had spent a significant amount of time collecting and storing pornographic files on his work computer was rightfully dismissed for serious misconduct. However, this decision was based on the fact that he had misused company time rather than working, and was thus not directly linked to the immoral or inappropriate nature of the files in question. This reasoning was also followed in a 2009 case.(11)
The Supreme Court followed the above precedent in its July 5 decision, where the employee had received photos of an erotic nature by email from another employee with whom he had a relationship. Such emails were not expressly marked as personal, even though the employee kept them in his inbox, to which his secretary had access and which she was required to use as part of her role. The employee claimed that the emails were not in his inbox as a result of any action on his part, as he had not displayed them, forwarded them or even saved them on his hard drive, and that he would have deleted them when he cleaned out his inbox, as he did every two months.
Employers can define limits on the use of IT equipment and the Internet, for instance:
- by physically preventing access to certain sites (through filters); or
- by establishing internal regulations or an IT policy prohibiting:
  - access to 'adult' websites (ie, dating, chat, pornographic websites);
  - the storage or downloading of sexually explicit photographs or videos; and
  - the creation of pornographic or otherwise inappropriate websites.
Such limits can also be applied more generally in order to cover other forms of prohibited online activity, in particular downloads due to the risk of viruses.
Applying filters requires no specific process in relation to employees or their representatives. Nevertheless, in order to implement an IT policy, a specific process must be complied with, as is the case with internal regulations. Further, such policies must be in French in order to be binding on employees.
The implementation of an IT policy is possible only where justified and proportional. Employees' right to privacy must be respected, and the employee representatives (ie, the works council) must be informed and consulted. It is also necessary to inform employees and notify the data protection agency, as required pursuant to data protection regulations.
Lastly, in the event that an employer takes action against an employee in relation to the inappropriate use of IT equipment, it is important to bear in mind the statute of limitations applied to disciplinary action, whereby the procedure must be commenced within two months of the employer becoming aware of the facts,(12) and a specific procedure must then be followed.
This article was first published by the International Law Office, a premium online legal update service for major companies and law firms worldwide.