France’s highest court (“Cour de cassation”) ruled 26 June 2012 in Monsieur X v. YBC Helpevia that a company’s internal rules may limit an employer’s access to employee emails.

French case-law has traditionally held that employees have a right to privacy at their workplace and that an employer cannot search an employee’s personal files stored on a work computer without breaching the employee’s right to privacy (Nikon France v. Onof).

As a result, case-law allows a French employer to search an employee’s professional messages, but prohibits any access to his/her personal files and messages that are specifically identified and marked “personal”.

The current decision has, however, narrowed the employer’s ability to search an employee’s professional files if the internal rules of the company place restrictions on the search.

In the current case, an employee was suspected of hacking into the email account of his employer in order to access data about potential future salary increase proposals. To confirm the suspicion, the employee’s emails were opened by the company on his professional computer whilst he was absent. However, the company’s internal rules stated that the employer would refrain generally from accessing the employee’s computer in such circumstances. The “Cour de cassation” confirmed the Rouen Court of Appeal decision and ordered the company to compensate the employee for unjust dismissal.

This decision established that if there is a general prohibition of the employer reading employees’ emails in their absence in the internal rules of a company, no distinction between personal and professional communications will be made – none of the communications may be read.

As a consequence, by failing to make the distinction between personal and professional messages in its internal rules, the company restricted its ability to access the employee’s professional emails by stating that such access could only be in the physical presence of the employee.

French companies looking to monitor their employees’ communications should therefore make sure that they do not unintentionally restrict themselves more than the law requires. This is also a reminder for employers that they need to draft their internal policies very carefully.

Employee protection remains a very sensitive issue in France. On another topic, the French CNIL published 23 October 2012 its decision to withdraw previous authorization it had granted to employers to monitor employee access to their workplace, as well as their work schedule by biometrical means.

The CNIL therefore decided to suspend for five years the application of its 2006 AU-007 “Unique Authorization” because of the fact that French labour organizations prefer non-biometric managing tools in order to strengthen the workers’ rights and to preserve the trust relationship between employer and employees.