TOTAL: {[ getCartTotalCost() | currencyFilter ]} Update cart for total shopping_basket Checkout

Europe Data Protection Digest | Notes from the IAPP Europe Managing Director, 9 March 2018 Related reading: Notes from the IAPP Europe Managing Director, 16 April 2021



Greetings from Brussels!

An interesting article on employee privacy rights appeared in the Belgian newspaper L’Echo (in French) this week that is worth a wider mention. In a judgment of 22 Feb., the European Court of Human Rights ruled and validated the presumption of "professional purpose" for files stored by employees on professional computers and devices made available by employers. In the case where files are not explicitly labeled "private," they are supposed to be professional in nature and accessible by employers.

The actual case brought before the ECHR concerned a "Mr. L," who had been working for the French railways SNCF administration. In short, having been suspended in 2007 and reinstated in March 2008, he found that his professional computer had been seized by his employer. Summoned by his hierarchy, it was found that among other irregular uses of official documents, a substantial number of files containing illicit images and films were uncovered: He was subsequently dismissed in July 2008. Mr. L appealed to the industrial tribunal of Amiens, which upheld the dismissal decision as justified. Furthermore, the Amiens Court of Appeal essentially upheld the judgment, as well. Seeing these decisions as a violation of his right to respect for private life, as protected by Article 8 of the European Convention on Human Rights, Mr. L appealed to the ECHR.

It's true there was an interference in Mr. L's right to respect for his private life, in that the SNCF, a public authority and employer here, did not deny that the applicant's files were opened on his professional work computer, without the latter being informed or present. But, as provisioned under French law, an employer may have access to employee files, unless they are explicitly identified as "personal." In that case, the employer may proceed to open the said "personal" files only in the presence of the employee concerned, or after they have been duly called or notified.

However, in this case, the intervention was deemed to have had sufficient legal basis where the law provides for specified conditions under which such a control measure is permitted. The purpose of the interference was to guarantee the protection of the "right of others" — in this case, the rights of the employer, who may legitimately wish to ensure that employee use of computer equipment made available is in accordance with employee contractual obligations and applicable organizational codes and regulations.

The Court of Appeal relied on the finding that the photographs and videos in dispute were contained in a folder on the hard drive with the default naming "D: / data," which was used by SNCF employees to store their professional documents and which, on the applicant's computer, had been altered to the naming "D: / personal data." The court then considered that an employee could not use the hard disk location, supposed to record professional data, for private use, and that the generic term "personal data" could reasonably relate to professional files handled personally by the employee and therefore did not explicitly bring into question his privacy rights. The Court of Appeal accepted SNCF's argument that the user should have clearly and explicitly identified files containing private information as such.

The ECHR, therefore, ruled that the domestic courts had duly examined the applicant's plea alleging breach of his right to respect for private life and did not exceed the "margin of appreciation" available to them. It was concluded that there was no violation of Article 8 of the Convention.

The judgment of the ECHR will have little impact in countries that, like France, have a long history of reasonable, flexible and proportionate employee controls. On the other hand, it will probably have more impact in countries with a stricter regime in what concerns employer and employee relations. In Belgium, for example, questions concerning employee controls and access to employee data is currently governed by collective labor agreements (and employee conventions) that were made compulsory by Royal Decree in 2002. The system is relatively administrative and protective of employee rights to data privacy.

One can imagine that the ECHR judgment may very well have a bearing where stricter prescription is in play.


If you want to comment on this post, you need to login.