By Lothar Determann and Lars Brauer
When it comes to protecting intellectual property, ensuring productivity, and identifying bad behavior, the tools available to employers are many and powerful. But their use poses legal risks and challenges. In this article, Lothar Determann and Lars Brauer shed light on the legal environment surrounding employee monitoring.
This is the first article in a Privacy Advisor series on workplace and employee privacy. In future months we’ll explore the privacy-related concerns surrounding background checks, employee surveillance, safekeeping HR data, and more.
State-of-the-art network security tools can monitor many aspects of an individual’s computer use. Such tools not only record the addresses of Web sites visited or the e-mail addresses of senders and recipients; they also permit review of the actual content of the data sent and received, i.e., the Web sites visited as the user saw them, the form data the user submitted to those Web sites, and the full text of e-mails and chat sessions between the user and third parties. Employers of all sizes are increasingly using these tools to monitor employees’ IT use. As these tools gain in popularity, companies—particularly multinationals—should be aware of the legal restrictions that apply to their deployment in many jurisdictions.
Providers of network security solutions make no secret of the intrusiveness of their products. One manufacturer of network security tools lists “continuous and complete real time surveilling” and “superior drill down forensic analysis, down to packet level” as its product’s key benefits. Another advertises its offering as a system that “protects against inadvertent or intentional data leakage by allowing companies to proactively protect sensitive information from leaving the network and enforce correct business processes.”
Many businesses find these monitoring technologies helpful in detecting and preventing the theft of company intellectual property, excessive personal computer use, and illegal or inappropriate employee behavior; or in responding to discovery requests. Companies may also use these technologies to comply with statutory, regulatory, or industry requirements. Examples include obligations relating to the treatment of accounting or audit-related complaints under the Sarbanes-Oxley Act, mandates for the prevention of harassment in the workplace under Title VII of the Civil Rights Act, and stock exchange rules requiring retention of correspondence with the public.
At the same time, the use of these technologies poses a number of legal risks and challenges. Under both domestic and international laws, using monitoring tools to their fullest extent can be illegal or, at a minimum, require affirmative steps to become legal. In the United States, monitoring tools may violate traditional wiretapping laws that were originally enacted to prohibit third parties from listening in on private phone conversations but are broad enough to cover interception of e-mail, instant messaging, and web traffic. Internationally, employee monitoring will often run afoul of the broad omnibus data protection laws in effect in many countries, including the entire European Community (EC), unless the monitoring is made subject to strict limitations.
Restrictions on monitoring of Web and e-mail traffic
The federal Electronic Communications Privacy Act (ECPA) prohibits the “interception of electronic communications.” Most of the activities an employee engages in while connected to a network (e.g., web traffic, e-mail, and instant messenger sessions) qualify as electronic communications for these purposes. Interception means acquiring the contents of such a communication during transmission, and “contents,” in turn, is defined to include “any information concerning the substance, purport, or meaning of that communication.” This means that the ECPA does not prohibit the mere collection of information about the activities an employee engages in online (e.g., the time spent online or the volume of data transferred). Rather, it protects the secrecy of the actual data transmitted to and from an employee’s workstation (e.g., the actual appearance of Web sites visited, form data submitted, subject lines and bodies of e-mails sent and received, and transcripts of chat sessions).
There is generally no liability for interception under the ECPA as long as “one of the parties to the communication has given prior consent to such interception….” Thus, with valid consent from the employees involved, the recording of web traffic data, e-mails, and IM sessions will generally not violate the ECPA, even if the communication is with an outside party unaware of the recording. Some states expressly require notice to employees before monitoring mechanisms can be deployed in the workplace. For companies with employees located in one of those states, it will generally make sense to combine this mandatory notice with the request for consent.
The practices of most companies today reflect the ECPA’s consent exception. These companies take advantage of the consent defense by including information about their monitoring activities in employee handbooks, separate IT-use policies, or on-screen banners that appear upon every system logon, and by requiring employees to acknowledge this information by way of a signature or mouse click. Under U.S. federal law, these kinds of measures should generally be sufficient to avoid liability for monitoring an employee’s activities. While most HR and IT professionals have at least a vague idea that the situation may not be as easy in other countries, many do not know that their company’s monitoring activities may be a cause for concern even domestically. That is true, for instance, if the company, the employees in question, or both are located in California or certain other states.
All-party consent requirements
California’s anti-wiretapping statute is similar to the ECPA in that it prohibits anyone from attempting to read or learn the contents or meaning of electronic communications. However, while the consent of one party suffices as a defense under the federal statute, interception is illegal under the California provision unless all parties to the communication have consented. Other states, including Florida and Illinois, have similar all-party consent statutes in place.
In all-party consent states, relying on employee consent alone to justify the recording of web, e-mail, and IM traffic will not completely shield an employer from liability. An employer will generally be able to justify the monitoring of purely intra-company communications in this manner, given that all parties involved will be the employer’s own employees or independent contractors who have acknowledged in writing or electronically that their activities may be monitored. Accordingly, cases dealing with monitoring of employee communications have generally been decided in favor of the employer, even in all-party consent states.
Employee consent alone, however, does not preclude liability for communications with outside parties. Employers might face civil or even criminal liability if such third parties were to complain or sue. Situations in which third parties are likely to find out that their communications were recorded arise, for instance, when the employer wants or has to use the findings of monitoring initiatives to bring suits against the employee or the third party, or to respond to government investigations. In a time of growing awareness of data privacy issues among the general public, and at the same time heightened investigative activity, it seems likely that the privacy law dimension of private party monitoring activities will become a more prevalent theme of suits, complaints, and defenses.
Companies can avoid liability by obtaining consent from all parties to a communication. Call center operators, for example, commonly state at the beginning of a call that the call is monitored. Some operators specifically ask whether the caller agrees with monitoring; others rely on implied consent by callers who continue with the call after receiving the notice regarding monitoring. Similar notices could be displayed in instant messenger and web chat communications.
But it is more difficult to inform third-party Web sites or e-mail and text message recipients of monitoring practices, let alone ask for upfront consent (as the first message presumably is subject to the monitoring).
Theoretically, a company could, as a matter of policy, try to broadcast its monitoring practices to all customers, suppliers, service providers, and other business partners, perhaps even friends and family members of employees who may engage in electronic communication with company employees. In such notices, the company could inform recipients that their communications are subject to monitoring and recording. With respect to suppliers, companies may be able to impose duties on the suppliers to obtain express consent from the individuals. With respect to customers, many companies may shy away from asking for upfront express consent in the early phases of a relationship, but in quite a few instances, companies may be able to rely on implied consent after posting transparent statements about monitoring policies on their Web sites. Also, with respect to monitoring employee access to third-party Web sites and e-mail correspondence, companies can take additional steps and assert additional arguments to establish implied consent by the outside party:
Implied consent: Web sites
“Interception” for purposes of the wiretapping provisions of the ECPA and other wiretapping laws requires acquisition of content during transmission. Therefore, an employer who merely finds out what Web sites an employee viewed and then visits those Web sites after the fact, as they then appear, does not “intercept.” However, the modern network monitoring tools we are analyzing here record the communication between the user and the Web site (including the request to load each page of the site, the transmission of data by the site to the employer’s computer, and any submission of form data by the employee to the site) as it passes through the network. Under those circumstances, the ECPA and similar wiretapping laws generally apply, and employers may therefore not use such tools to monitor their employees’ web communications without consent or another justification.
In the case of publicly accessible Web sites with which employees are communicating on the job, the Web site operator—the other party to such communications whose consent would be required—should be aware that monitoring practices are commonplace in many companies. A Web site operator will generally be unlikely to object to employers being able to view its site after it has been visited by an employee, particularly when any member of the public can view the site anyway. Yet many publicly accessible Web sites thrive on, or at least benefit from, access by employees during work hours, so their operators have an interest in employers not monitoring employee access to their sites.
Implied consent: e-mails
Monitoring of employee e-mails presents additional issues. As with Web site communications, wiretapping laws typically encompass technological tools that monitor or record the content of e-mails as they are transmitted through the network. And again, even assuming employees have validly consented to having their use of both company and personal e-mail on work computers monitored, consent has to be on all sides. Therefore, the senders and recipients of e-mails received or sent by employees must also have consented to the employer’s monitoring activities for the employer to escape liability.
Implied consent can arguably be assumed where outside parties contact employees at their work e-mail address or via a dialog box on a company web page. One might argue that in doing so, these individuals should expect to be communicating with the company as an organization, rather than with the particular individual they are contacting, and should therefore have no expectation of privacy as to how their communication is passed on within the company. However, such an argument is vulnerable to attack based on the fact that wiretapping statutes typically do not require that the intercepted communication be confidential in nature. Thus, a lowered (or even a missing) expectation of privacy in the communication alone does not serve as a substitute for the required consent. Accordingly, although it could be argued that a lowered expectation of privacy also applies to individuals calling a company’s call center, implied consent is not generally assumed with respect to such callers without an announcement that calls are monitored.
Employers can reduce the expectation of privacy by outsiders by placing a notice at the bottom of all outbound e-mails sent from corporate e-mail accounts. In doing so, the employer gains an argument that, at least when the third party contacts its employee again after receiving an e-mail with this disclaimer, the third party is on notice of, and impliedly consents to, the employer’s monitoring activities. Similar notices could be included on the company Web site and made accessible from any page on which visitors can submit information to the company.
In scenarios other than the one where third parties contact a company employee at his or her work e-mail address, establishing consent on the part of the third party will be more difficult. For example, monitoring tools configured to record all information transmitted via a company network will generally also capture personal e-mails sent or received by an employee at his or her personal e-mail address, if read via webmail from a work computer. Friends, family members, and other third parties who send or receive such e-mails will often be unaware that the employer has access to these e-mails. Therefore, employers will find it difficult to argue that these parties have consented to being monitored. Employers can attempt to reduce their risk of exposure somewhat by requiring employees to notify their regular e-mail contacts that even e-mails sent to their personal accounts are subject to monitoring if read at work. It seems unlikely that all employees would actually adhere to such a policy, but from a purely legal perspective, employers could benefit from implementing strict outbound e-mail notice requirements, because such notices will help reduce expectations of privacy. Also, the mere existence of a notice requirement on the employee may help employers dissuade employees and third parties, whose loyalties are with employees in particular disputes, from raising the privacy concern in such disputes (because it was arguably the employee’s fault that the third party did not know about the monitoring). Of course, companies also need to carefully consider the impact that such notices will have on their employee and customer relationships and consider whether less actual monitoring is the better option overall (monitoring with less notice, on the other hand, is typically not an acceptable option, as we discuss in this article).
In a global context, legal issues relating to employee monitoring arise not only under laws that resemble wiretapping statutes in the United States, but also under omnibus data protection laws in place all across Europe and in other parts of the world. For instance, national laws passed by the various EU member states broadly prohibit a host of actions with respect to personal data (i.e., data relating to an identified or identifiable individual) absent consent or another means of justification. The prohibited actions include collection, processing, recording, storage, retrieval, and disclosure by transmission, all of which are essential parts of the functionality of many modern-day network security tools.
While required to implement the level of personal data protection provided for in the EU Data Protection Directive, the legislatures of EU member states are free to impose additional mandates, as are the administrative agencies in charge of enforcement. Many have done so. For instance, in Germany and Italy, only individualized, written consent will justify any level of employee monitoring; merely displaying an information banner upon login and then relying on implied consent would not be acceptable. Even if an employer has observed all formal requirements in obtaining consent, the validity of such consent may still be challenged (and has been challenged successfully) on the ground that, in the employer-employee relationship, it cannot be considered freely given. One way to address this problem would be to give employees in problematic countries the ability to temporarily switch off all monitoring tools, e.g., in order to engage in personal communications without being recorded. Excessive use of this capability could be addressed on a case-by-case basis.
An employer who has managed to obtain valid consent from all of its employees may still be far from compliant with local data protection laws.
A number of EU member states—including Germany, Italy, the Netherlands, Spain, and the United Kingdom—strictly prohibit ongoing monitoring of employee communications and permit electronic monitoring only in very limited circumstances (e.g., where an employer already has concrete suspicions of wrongdoing against particular employees) and subject to significant restrictions with respect to the duration, mode, and subjects of the monitoring activities. Several jurisdictions worldwide—including France, the Netherlands, and Israel—require filings with data protection or labor authorities, while others—France, Germany, Italy, the Netherlands, and China—require employers to consult or at least notify trade unions or other employee representative bodies before subjecting their employees to surveillance measures.
Lessons for multinational employers
Because many multinational companies have centralized IT systems that process data flows from office locations in multiple countries, deploying network monitoring tools in one country can have implications under the laws of a number of jurisdictions at once. Choosing a state or country with no or few legal restrictions on employee monitoring as the physical location of their IT systems will not shield such companies from exposure in jurisdictions with more stringent requirements. Regardless of where the equipment in question is located, a complaint by an employee in a country with a high level of data protection can trigger investigations and suits by data protection authorities, trade unions, consumer watchdogs, and similar organizations, and can also lead to criminal complaints. Employers found in non-compliance may face steep penalties, damages awards, and possibly even prison time, along with plenty of bad press, as some recent examples show.
Recently, the CEO of Deutsche Bahn AG resigned for questionable data processing practices that included automated comparisons of the addresses and bank account information of 175,000 employees with those of Deutsche Bahn suppliers, performed in an effort to uncover instances of fraud, nepotism, and bribery. Prosecutors are currently considering whether further investigations against the management of Deutsche Bahn are warranted. In September 2008, German authorities ordered discount retailer Lidl to pay fines totaling around 1.5 million Euros for a variety of alleged data protection violations against its employees, including monitoring employees and customers through the use of in-store hidden cameras to counter a theft wave. Earlier last year, Deutsche Telekom was the center of attention when the company admitted to having collected and reviewed telephone call data of its directors and executives in order to investigate management irregularities. Deutsche Telekom reacted by creating a management board position dedicated to data privacy and security matters. The fact that even companies based in Europe, with its long-time emphasis on data protection, struggle with privacy compliance shows that it is imperative for U.S. companies with operations abroad to obtain legal advice on the implications of their contemplated monitoring activities under the laws of all jurisdictions in which affected employees are located.
Most multinational companies cannot refrain from the use of monitoring technology altogether. They need to engage in some monitoring to satisfy their legal obligations to protect assets and company data (including trade secrets and personal data), provide a harassment-free workplace, and ensure compliance with statutory, regulatory, or industry requirements. But, multinational companies should consider that some of the applicable requirements may only be applicable in particular countries (such as the United States), where the relevant technologies also raise privacy concerns to a lesser degree. In other countries, the privacy concerns weigh heavier, and companies are not required or expected to engage in monitoring to the same extent. In addition, the use of monitoring technology across borders may trigger specific compliance obligations in certain countries. For instance, in the case of deployment of such tools on the systems of an international company with European subsidiaries or branch offices, there may be a need to implement standard contractual clauses or alternative means of justification for the transfer of personal data between the European subsidiary and the non-European parent.
Companies can avoid many legal conflicts and can maximize the extent of visibility into their employees’ IT use within the limits of the law by selecting, deploying, and configuring monitoring technologies and implementing related policies on a country-by-country basis. To what extent this is feasible will depend in part on the way in which the company network is set up. Suppliers of monitoring technologies, on the other hand, can support this effort by designing the relevant tools in a manner that enables such differentiation. In light of international legal trends in the regulation of employee monitoring, it is likely that providers of customizable solutions allowing employers to monitor to the greatest extent permissible in each jurisdiction will have a competitive edge over suppliers of (would-be) one-size-fits-all solutions.
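What the country-by-country differentiation described above looks like inside a monitoring pipeline is easiest to see in code. The following is an added example, not code from the article or from any vendor product: a retention filter that sits between the capture tool and storage and decides, per captured communication, whether to keep nothing, only traffic data (addresses, timestamps, byte counts, which are not “contents” in the ECPA sense), or the full content. It combines the points made earlier in the article: the one-party versus all-party consent distinction, the stronger written-consent requirement in some EU countries, the content ceiling in jurisdictions that forbid ongoing monitoring, and the employee-operated switch-off. All names (CaptureLevel, Policy, Event, decide_level, filter_event), the internal domain, the sample captures and, above all, the POLICIES table are assumptions constructed for illustration; the table is a deliberately simplified encoding of the article’s discussion, not a statement of the law in any jurisdiction.

```python
"""Jurisdiction-aware retention filter for a network monitoring pipeline (added example)."""
from dataclasses import dataclass
from enum import Enum


class CaptureLevel(Enum):
    NONE = 0       # keep nothing about this communication
    METADATA = 1   # addresses, timestamps, byte counts: not "contents" under the ECPA
    CONTENT = 2    # subject lines, bodies, form data, page content


@dataclass(frozen=True)
class Policy:
    max_level: CaptureLevel          # ceiling the jurisdiction permits at all
    all_party_consent: bool          # the outside party must also be on notice
    written_consent_required: bool   # a logon banner plus click-through is not enough
    metadata_without_consent: bool   # may traffic data be kept with no consent at all


# ASSUMED, deliberately simplified encoding of the article's discussion; adjust per legal advice.
POLICIES = {
    "US-federal": Policy(CaptureLevel.CONTENT, False, False, True),
    "US-CA":      Policy(CaptureLevel.CONTENT, True, False, True),
    "DE":         Policy(CaptureLevel.METADATA, True, True, False),
}

INTERNAL_DOMAINS = {"example-corp.test"}   # constructed; intra-company traffic is "all parties consented"


@dataclass
class Event:
    jurisdiction: str
    employee: str
    counterparty: str                     # e-mail address or host name of the other side
    metadata: dict
    content: dict
    employee_consent: str                 # "none", "banner" or "written"
    counterparty_notified: bool = False   # other side saw a monitoring notice or disclaimer
    monitoring_paused: bool = False       # employee used the opt-out switch


def is_internal(addr: str) -> bool:
    """True when the address or host belongs to one of the company's own domains."""
    return addr.rsplit("@", 1)[-1].lower() in INTERNAL_DOMAINS


def decide_level(ev: Event) -> CaptureLevel:
    """Pick the highest capture level the policy for ev.jurisdiction allows for this event."""
    pol = POLICIES[ev.jurisdiction]
    if ev.monitoring_paused:                       # switch-off for personal use: record nothing
        return CaptureLevel.NONE
    consent_valid = ev.employee_consent == "written" or (
        ev.employee_consent == "banner" and not pol.written_consent_required)
    if not consent_valid:
        return CaptureLevel.METADATA if pol.metadata_without_consent else CaptureLevel.NONE
    level = pol.max_level
    if level is CaptureLevel.CONTENT and pol.all_party_consent:
        if not (is_internal(ev.counterparty) or ev.counterparty_notified):
            level = CaptureLevel.METADATA           # other side never consented: drop the contents
    return level


def filter_event(ev: Event) -> dict:
    """Return only the fields the decided level allows to be written to storage."""
    level = decide_level(ev)
    out = {"level": level.name}
    if level.value >= CaptureLevel.METADATA.value:
        out["metadata"] = dict(ev.metadata)
    if level is CaptureLevel.CONTENT:
        out["content"] = dict(ev.content)
    return out


# Constructed sample captures (no real people, hosts or messages).
SAMPLES = [
    Event("US-federal", "alice@example-corp.test", "vendor@supplier.example",
          {"ts": "2009-03-02T10:15:00Z", "bytes": 4821}, {"subject": "Q2 pricing", "body": "..."}, "banner"),
    Event("US-CA", "bob@example-corp.test", "friend@webmail.example",
          {"ts": "2009-03-02T12:40:00Z", "bytes": 911}, {"subject": "dinner?", "body": "..."}, "banner"),
    Event("US-CA", "bob@example-corp.test", "carol@example-corp.test",
          {"ts": "2009-03-02T13:05:00Z", "bytes": 2200}, {"subject": "roadmap", "body": "..."}, "banner"),
    Event("DE", "dieter@example-corp.test", "carol@example-corp.test",
          {"ts": "2009-03-02T14:00:00Z", "bytes": 640}, {"subject": "Termin", "body": "..."}, "banner"),
    Event("DE", "dieter@example-corp.test", "carol@example-corp.test",
          {"ts": "2009-03-02T14:10:00Z", "bytes": 700}, {"subject": "Termin", "body": "..."}, "written"),
    Event("US-federal", "alice@example-corp.test", "vendor@supplier.example",
          {"ts": "2009-03-02T15:30:00Z", "bytes": 300}, {"subject": "private", "body": "..."}, "written",
          monitoring_paused=True),
]

if __name__ == "__main__":
    for ev in SAMPLES:
        print(f"{ev.jurisdiction:10} {ev.counterparty:28} -> {filter_event(ev)['level']}")
```

Two design points follow from the article. First, the decision is made before anything is written, so an all-party consent state or a metadata-only country never accumulates content that would later have to be purged; a tool that captures everything and relies on access controls at review time does not satisfy the statutes described above, which are triggered by the acquisition itself. Second, the switch-off short-circuits everything else, and a deployment would log only the fact and duration of the pause (not the traffic) so that excessive use can be handled case by case, as the text suggests.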
Lothar Determann is a partner in the technology practice group of Baker & McKenzie LLP, San Francisco/Palo Alto office (www.bakernet.com) and teaches Computer and Internet law at the University of California Berkeley School of Law (Boalt Hall), University of San Francisco School of Law, and Freie Universität Berlin (www.lothar.determann.name). Lars F. Brauer is an associate in the same practice group.