In certain circumstances an employer is entitled to analyse the browsing history of the work computer used by the employee without a need for the employee’s consent. This was made clear in a recent ruling of the Regional Labour Court (Landesarbeitsgericht – LAG) of Berlin-Brandenburg (judgment of January, 14 2016 – 5 Sa 657/15).
Facts of the Case
The employer had provided the employee with a work computer. The employee was allowed to use the Internet in a private capacity only in exceptional cases and during break times.
After evidence emerged of a substantial private use of the Internet by the employee, the employer checked the browsing history of the work computer without the employee’s consent. He discovered that the employee had exceeded his permissible private use of the Internet by a total of about five days within a period of 30 working days.
The employer went ahead and terminated the employment with immediate effect for good cause. The employee brought an action for wrongful dismissal and argued that checking his browser history without his consent had been inadmissible and that any evidence in this regard was therefore excluded.
The Regional Labour Court dismissed the action brought by the employee for wrongful dismissal. The Court found that severely exceeding the limits of permissible private use of the Internet constituted such a grave infringement of the obligations under the employment relationship that a dismissal with immediate effect was justified. According to the findings of the court, none of the web pages were accessed due to work-related matters.
The insights gained by analyzing the browser history without the employee’s consent were admissible. The Court held that the Federal Data Protection Act (Bundesdatenschutzgesetz – BDSG) permits the storage and analysis of historical browsing data of an Internet browser for the purpose of monitoring abusive practices.
Notwithstanding the above, the Court held that in any event the evidence was not excluded if the employer had no other way of proving the extent of the abuse of the workplace Internet. The Court held that this was the case here.
The Regional Labour Court allowed an appeal on points of law to the Federal Labor Court(Bundesarbeitsgericht – BAG). Possibly there will be a supreme court decision in the near future that shed light on this issue. The decisions made to date by various Regional Labor Courts present a mixed picture; this is in part due to the fact that the question of whether the monitoring of employee data is permissible must always be decided on the basis of an individual weighing of interests.
Two issues have already been resolved in practice:
First, the employer is free to choose whether he allows private use of the Internet. The employee does not have a right to private use of the Internet on workplace computers (ECHR, judgment of January 12, 2016 – 61496/08).
Second, the unauthorized private use of the Internet in the workplace can be a reason for a termination of employment with immediate effect (e.g. BAG, judgment of April 19, 2012 – 2 AZR 186/11).
In practice, however, there is often great uncertainty regarding the question of how a breach of the prohibition on private use or private use in excess of the permitted limits can be proved.
Data protection supervisory authorities take the view that, by allowing private use, the employer becomes a service provider within the meaning of the German Telecommunications Act (Telekommunikationsgesetz – TKG). As a result, the principle of secrecy of telecommunications (section 88 TKG) must be observed and the strict provisions of the Telecommunications Act apply. The employer is allowed access to data that is subject to the principle of secrecy of telecommunications only with the consent of the employee. This applies, for instance, to data that shows the web pages accessed by the employee.
By contrast, most courts do not qualify the employee as a service provider and hold that “only” the provisions of the Federal Data Protection Act are to be observed; in the context of an employment relationship, section 32 BDSG in particular (LAG Lower Saxony, judgment of May 31, 2010 – 12 Sa 875/09; LAG Berlin-Brandenburg, judgment of February 16, 2011 – 4 Sa 2132/10). In this case, the employer may perform spot tests of the log data in order to determine whether the permissible limits are being respected (see BAG, decision of July 9, 2013 – 1 ABR 2/13 (A)). If there are specific reasons to suspect abuse – as in this case – the employer may perform personalized checks of the browser history without requiring the employee’s consent.
As long as the highest court have not clarified the issue of whether the employer needs to abide by the Telecommunications Act or the Federal Data Protection Act, employers should assume that they qualify as service providers and observe the strict requirements of the Telecommunications Act in order to avoid committing any offence. Regardless of the above, employers are well advised to introduce specific rules regarding the private use of workplace computers, the Internet and company email addresses and to put in place appropriate monitoring rights. For businesses with a works council it must be borne in mind that such rules are subject to mandatory co-determination rights under section 87(1) no. 6 German Works Constitution Act (Betriebsverfassungsgesetz – BetrVG).