Applicable Rules to Employer Monitoring and Use by Employees of IT Tools (Email and Internet)
In France, the employer's right to monitor the use by employees of company IT tools is subject to certain limits:
- the surveillance system must be brought to the employee's knowledge and requires prior consultation of the works council as well as the filing of a notification with the French data protection commission (CNIL) in the event of collection of personal data;
- the employer's monitoring must be reasonable and based on legitimate business needs (e.g., productivity, safety, protection against intrusion, viruses, promotion of the company);
- the restriction of employees’ rights and freedoms must be proportionate to the requirements of the professional activity;
- monitoring must be proportionate to its objective and must be conducted in a nondiscriminatory manner. Note that a reasonable private use of internet and the email system by employees is generally tolerated, whereas a general prohibition would most likely be viewed as inappropriate and disproportionate.
French employers who wish to monitor emails and internet use usually issue and implement a specific separate policy, which may be but is not required to be inserted in its internal company regulations. In either case, they must follow the rules provided for implementation or modification of internal regulations.
It is important to follow such rules as otherwise the employer will not be able to use the files and/or emails as evidence of faults which may have been committed by the employee and thus to take disciplinary measures (e.g., dismissal).
Specific Rules for Access to “Personal” Emails or Files
Under French law, messages received or sent that are considered as “personal” may not generally be monitored by the employer, so as not to infringe the French rights of privacy and secrecy of correspondence even if the employer prohibits the personal use of the work IT systems.
If the employee has identified the files as “personal”, then the employer may not open them outside the employee’s presence or with prior notification (except in the event of a specific risk or event for the company).
What is Deemed a “Personal” Email or File?
This general principle regarding emails and files identified as “personal” has since been regularly interpreted and tempered by the French Supreme Court.
Files and emails which are not expressly or clearly entitled or identified “personal” are deemed professional and may be accessed by the employer (provided the monitoring rules have been complied with) outside the employee’s presence. In one case confirmed by the Supreme Court, a file designated by the employee’s initials or first name was deemed insufficient to be considered “personal”.
The French Supreme Court has also ruled that a file named “my documents” was insufficient to prove that the file was “personal” (Cass. Soc., May 10, 2012, n°11-13.884).
Generally, the employee may not transform a file or email which is professional by nature into a “personal” file or email. In the same way, the employee may not characterize a document as “personal” if its presence in the work place is unauthorized (for example, pornographic pictures). Recently, in another case, the French Supreme Court considered that renaming a hard drive “D:/Personal Data” did not render “personal” all of the data contained therein (Cass. Soc., July 4, 2012, n°11-12.502). In this particular case, the hard drive contained numerous pornographic files and false affidavits.
What Should Employers Do?
Employers should always attempt to strictly define what is deemed “personal” in their email and internet policies or internal regulations so to limit legal uncertainty, bearing in mind that the employer may always access a file or email entitled “personal” in the presence of the employee, if he has been invited or if there exists a specific risk for the company (e.g., if the employer suspects competition violations).
In fact, employers need to make sure that their policies and regulations are well drafted in general. In this regard, the French Supreme Court recently held that the employer’s access to professional emails could be limited by internal regulations (Cass. Soc., June 26, 2012, n°11-15.310). In this particular case, the employee was able to invalidate his dismissal and obtain damages since the internal regulations prevented the employer from checking employee emails in their absence and did not make any distinction between the type of emails concerned (professional or personal). Employees therefore had to be present even if the employer opened a professional email.