In an ideal situation, the employment relationship should last for a significant time, so it should be as easy to manage and smooth-running as possible. On this basis, when an employer is recruiting, the personality of the applicant and his or her behavior in a social setting are as important as their qualifications.
Care must be taken to ensure the applicant fits into the existing team and is unlikely to harm the public image of the employer. An employer does not want to discover after signing the contract that a newly recruited employee distributes extremist ideas to an inf inite number of people via the internet, or spends his or her free time partying and drinking, with the inevitable consequences on work performance.
These characteristics are rarely revealed at a job interview. Employers are therefore reliant on other sources to gather important information about their applicants. Social media provide a perfect opportunity to learn more about applicants, because individuals tend not to withhold sensitive information from their network. They upload private photos, comment on their friends and connections, post personal opinions, circulate information, etc. From online sources, certain inferences about the applicant’s character could be drawn easily. This leads to the decisive question of whether or not these social media “background checks” are lawful in Germany.
The Law as It Stands
Currently, there is no specific legal basis for social media background checks in Germany. The general provision of Section 28 Paragraph 1 of the Federal Data Protection Act (BDSG) states the collection of personal data is only lawful if “the data is generally accessible or the controller would be allowed to publish them, unless the data subject has a clear and overriding legitimate interest in ruling out the possibility of processing or use”.
When Section 28 Paragraph 1 is applied to online background checks, personal data that could be revealed by entering the subject’s name into a search engine (e.g., Google) without any further registration by the employer or approval by the applicant, may be taken into account legitimately by the employer. This also applies to social media, regardless of its character, which tends to be either work-related (e.g., LinkedIn) or leisure-related (e.g., Facebook).
The legal situation is more problematic if the information contained in social media is only accessible to members (in which case employers would have to register in order to access it) or certain parties authorised by the potential employee (such as Facebook friends or LinkedIn contacts). Owing to the lack of case law, the legal situation in this scenario is vague.
Some commentators say the line should be drawn in relation to the character of the social media: work-related or leisure-related. These commentators argue that only workrelated media should be reviewed and all leisure-related media should remain private.
Others argue the line should be drawn at the point where the applicant has made his or her online information private. On this basis, an employer could legitimately review all public information. A background check would, however, be unlawful if the employer accessed the restricted, private profile by obtaining access by fraudulent means, e.g., by purporting to be someone else and establishing an online “friendship”. In an attempt to clarify the law, this issue was incorporated into a second draft of the proposed German Federal Data Protection Law for Employees that was submitted by the German Federal Cabinet in August 2010. The original version of the draft contained an express—and restrictive— statement regarding social media background checks. According to the first draft, background checks would only be lawful if conducted in work-orientated social media; leisure-related media would have been off limits.
In the course of the law-making procedure, however, this provision was withdrawn by the Federal Ministry of the Interior and replaced by another, more abstract and less restrictive, provision that refers not only to background checks but also to the personal data of employees in general. According to this provision, social media background checks would be lawful insofar as the social media is open to the public. This means that the sole limitation for background checks would be if the applicant has restricted access to his or her profile to friends, and if he or she did not grant friendship to the employer. This revised provision expands the legitimacy of background checks in favour of the employer, but until it is enshrined in law (and that date is currently unknown), the employer should still exercise caution in accessing potential employees’ leisure-related social media.
Consequences of a Breach of Privacy Law
Until the situation is fully clarified, either by the coming into effect of the Data Protection Law for Employees or through test cases that establish case law, employers need to consider two issues relating to liability. The first is the infringement of pre-contractual obligations, and the second is the infringement of the constitutionally protected, general “right to personality”. Both infringements could result in damage claims.
According to German law, obligations between the contractual parties could arise even before the contract is concluded. The negotiating parties are obliged to act in a manner that ensures the legally protected rights of the other party, in particular their physical identity and property rights and right to personality, are not infringed.
Though such claims could not result in a demand for employment, they could result in compensation for the damage suffered, either a material (financial) loss or nonmaterial damage (injury award).
Material damages can be awarded if the applicant can demonstrate and prove that a financial loss occurred as a result of an unlawful background check, i.e., the applicant claims that he or she would have been employed if the employer had not conducted the background check. This is usually quite difficult for the employee to prove; in most cases, the applicants do not even know that a social media background check has been conducted. Employers should therefore be careful not to refer to a social media background check when explaining to a candidate that they have not been selected. The same applies in relation to an injury award but, even if the applicant could demonstrate and prove an unlawful background check, the encroachment on the applicant’s right of personality would have to be severe in order to justify an award. This is unlikely to be the situation in ordinary cases.
In order to be as safe as possible, however, an employer should restrict social media background checks to search engine enquiries and only access work-related and leisure-related personal profiles that are fully public. If an employer goes further, it runs the risk of facing injury and financial damages claims. Even if these are rejected by the courts, the time and expense of dealing with them, and the potential damage to its reputation, are unacceptable risks.