In the Unites States, private businesses monitor employees’ use of e-mail for a variety of purposes including ensuring worker productivity, preventing disclosure of confidential or sensitive information and preventing viruses or malicious code. Because companies generally own the equipment, software and systems used by employees in the workplace and have policies prohibiting personal use of its business systems, courts have generally concluded that employees have no expectation of privacy in their communications at work. As a result, monitoring usually can be implemented without much restriction.
But what if your company has operations in Europe?
Unlike the United States, individuals in European Union (EU) countries have an expectation of privacy even while at the workplace and using company owned equipment. This expectation of privacy has roots in the complex EU privacy law landscape, which includes general rights of privacy granted to individuals under national constitutions, specific legislation or case law as well as specific data protection and privacy legislation, such as the EU’s Data Protection Directive.
Additionally, some EU countries have adopted codes of conduct, workplace privacy principles or other guidance intended to address the obligations or best practices regarding disclosure and use of workers’ personal information and their workplace privacy, which, depending on the country, might be used to determine privacy violations by courts or enforcement agencies.
Despite the myriad of authorities in the EU and varying interpretations of law and enforcement by individual countries, the first step in analyzing any proposed e-mail monitoring is answering the following questions:
- Is there a legitimate business purpose for the monitoring?
- Does the planned monitoring or retrieval go no further than is necessary to meet the legitimate business purpose for monitoring?
- Have you selected the least intrusive method to accomplish such monitoring?
If you can answer “Yes” to the foregoing questions, there are still other areas to consider based on the location of your employees:
- Determine the role of unions, work councils or similar organizations in the countries you operate. For example, in Italy, employers cannot monitor e-mail content or Internet usage unless the employer has reached an agreement with the local union or has authorization from the local labor office.
- Determine the country’s view on private or personal e-mails. For example, a recent French case ruled that an employer may monitor and note that an employee is using a computer system for personal reasons (and may take disciplinary action for such use); however, an employer cannot review the contents of a personal e-mail.
- Have you adequately disclosed the type and extent of monitoring to your employees. For example, the United Kingdom Information Commission has advised employers to give employees notice of permitted uses of company e-mail, the type and extent of any monitoring and the penalties for breaching company policy.
Because interpretations of law, enforcement and penalties vary greatly across EU countries, it is critical to have legal counsel examine the particularities and sometimes peculiarities of a specific country before monitoring employee e-mails.
Monitoring and retrieving e-mails can be an important and legitimate tool for protecting and growing your business. By understanding and considering the unique privacy law framework in the EU and taking the proper steps, it can continue to be an important part of your business in the EU.