As the popularity of social media and information sharing grows, so too does the importance of that shared data to employers. Information sent by employees—whether it is sent from e-mail accounts or through social networking services—can be invaluable for tracking inefficiency, investigating wrongdoing or even screening potential employees.
Unsurprisingly, the extent to which employers can legally monitor their employees’ electronically shared data depends in large part upon where the employees are located. In a recent webcast, McDermott Will & Emery’s international team of data privacy and security lawyers discussed how the privacy regimes of their respective countries apply to this evolving area of law.
In China, it is uncertain if there is any precedent for an employer requesting an employee’s social media login details; there are certainly no specific laws or regulations covering this. Although there is a general belief that employers have a duty to protect the personal information of their employees, it is unclear if the Chinese Government will regulate employer conduct in this area. It is, however, reasonably common for Chinese employers to monitor their employees’ e-mail communications. Again, there are no specific laws or regulations against doing so, but best practice dictates that employers draw a distinction between communications sent from company equipment and those sent from employees’ personal devices, and that employers provide notice to employees in advance before reviewing e-mails.
In France, employers cannot request the logins to social media accounts. As in other countries, however, there are no restrictions on employer access to employee profiles and postings that are open to the public. Although France protects freedom of speech, employees may nevertheless be terminated for abusing that freedom in social media.
French law has a developed regulatory framework for employers that wish to examine the content of employee e-mail communications. For instance, before accessing e-mail, the employer must consult the proper government agencies. Once the proper paperwork has been filed, an employer can generally access the electronic files and communications of an employee, although files identified as “private” can only be accessed if the employee is present.
In Germany, an employer may not request login credentials for the social media accounts of employees or potential employees as this is considered an unjustified encroachment on the constitutional right of self-determination. Where the social media account is used by the employee solely for business purposes, however, the account could be classified as belonging to the employer so the employer, is permitted to access its login information and content. Although pending legislation may expand the rights of employers to investigate the content of employees’ leisure social media accounts, it is likely this will be limited to what is accessible publicly.
With respect to employer monitoring of employee e-mail, German law generally requires drawing a distinction between situations where private use of company equipment is permitted and where it is not. Where such use is permitted, an employer may not survey the content of personal e-mail without the express consent of the employee. Where such use is not permitted, however, current legislation suggests there are no such restrictions.
For further detail on e-mail monitoring and social media access in Germany, please see pages 10 and 12.
Italy does not have well-developed guidelines on employer monitoring of employees’ social media accounts. In the absence of specific regulation, Italy’s general principles concerning the protection of personal data apply. In this context, the content of social media accounts may be deemed particularly sensitive because they contain the personal data of not only employees, but also of third parties.
With respect to employer monitoring of employee e-mail communications, however, there is an abundance of case law. Existing agreements between employers and trade unions have a significant impact on what employers are permitted to monitor. In practice, employers are encouraged to make available separate accounts and workstations to facilitate employees’ private communications so there can be no dispute regarding what constitutes professional communication.
The United Kingdom has taken a more categorical approach to employer requests for social media login credentials, the legitimacy of which depends on whether the account is personal or professional in nature. For instance, if the account is personal, an employer may request access, but cannot require it. If the account is purely professional in nature and has been set up by, and belongs to, the employer, then the employer can demand access.
When the account in question has both a personal and a professional component (as is the case for many professional networking services), a more nuanced approach is required. The employer may seek to assert some form of intellectual property rights over the data held in such accounts, but the employee may, for example, claim that the privacy settings used have rendered the material no longer confidential. Resolution of such debates will depend upon an array of factors, such as any existing employment contract or social media policies that may be in place. In difficult cases, a balance must be struck between the legitimate interests of the employer and those of the employee.
In the case of e-mail monitoring, the potentially adverse effect on employees must be justified by the employer. Before making the decision to monitor these communications, employers should consider alternatives and understand the obligations that follow from a decision to monitor. In some cases, i.e., the interception of electronic communications in the course of transmission, employers are required to obtain the freely given consent of the affected employees.
In the United States, some employers have attracted a great deal of media attention for requiring login credentials from current or prospective employees’ social media accounts. These requests are often founded upon legitimate business needs, e.g., information gathered from social media accounts can be used to test the veracity of claims made by interviewees.
The public response to these practices has, however, generally been negative, and state governments have responded accordingly. The states of California, Illinois and Maryland have passed laws expressly prohibiting employers from requesting or requiring login credentials, and 14 states considered related legislation in 2012. The federal government has considered similar laws, but for now appears content to let the states take the lead.
Employer monitoring of employee e-mail is a more settled area of law in the United States. It has become common practice for employers to include within employee training materials and compliance policies clear notice that e-mail communications sent and received from company e-mail addresses may be monitored. In all but a few instances—for example, where an employer has failed to provide adequate notice to its employees—an employee does not have a legitimate expectation of privacy in company e-mail communications.