Monitor with Caution
A recent European court decision has tightened the rules for employers on monitoring employees' emails. Legal experts say the impact on multinationals is likely minimal.
By Tom Starner
With a recent court decision affecting employers across the European Union, legal experts say now is a good time for HR leaders to review and, if necessary, revise their policies on monitoring workers' email and other digital forms of communication.
The ruling reinforces the idea that HR needs to work closely with the IT department to ensure everyone is on the same page, or it could be costly from a legal perspective, say experts about the recent decision by the Grand Chamber of the European Court of Human Rights to roll back a more lenient standard for employers on email monitoring.
In short, the Sept. 6 decision says employers must give advance warning to employees if their work email accounts are being monitored.
With trends such as employer-paid mobile devices and bring your own device to work in play, email and other communications privacy issues are rising as workers use those devices and company email addresses for personal communications. Employers, of course, believe they have a right to monitor computer (and email) use as a way to protect valuable company data, including in many cases customer and employee personally identifiable information.
Philip Gordon, co-chair of the privacy and background checks practice at Littler Mendelson in Denver, says the decision highlights two key HR challenges. First, to protect the organization, HR should -- in collaboration with IT and the legal departments -- take a "programmatic" approach to the implementation of any new workplace monitoring technology.
"HR, however, often is not informed when new monitoring technologies are implemented," he says. Gordon cites the example of many IT departments implementing, without notifying HR, new firewall technology that decrypts encrypted Internet traffic and reads the content.
Another example, he says, could be a company's security department installing video surveillance cameras -- which sometimes include audio-recording capability -- without informing HR.
"These technologies raise significant privacy risks for employers, especially in the European Union after the new General Data Protection Regulation goes into effect on May 25, 2018," he says. "All corporate departments should know to involve HR before implementing any new workplace monitoring technology, especially in the EU and in the many other countries with EU-like data protection laws."
Gordon adds that it may not be obvious to many HR professionals what they should do once they learn that a new monitoring technology will be implemented.
"The decision of the European Court of Human Rights actually is very helpful in this regard," he says, explaining that the ECHR established a list of specific steps that employers should take before implementing any new monitoring technology.
Those steps include:
* Configure the monitoring technology to collect only the minimum information necessary to achieve a legitimate business purpose.
* Determine whether a less intrusive means of monitoring could accomplish the same objective.
* Identify the circumstances where use of the monitoring technology is justified.
* Provide employees with advance, detailed notice of the information that the monitoring technology will capture, when that information will be captured, and from which means of communication.
* Minimize access to the fruits of the monitoring.
* Use the fruits of the monitoring only for legitimate business purposes and proportionately with the severity of the policy violations that the monitoring reveals.
Annabel Gillham, of counsel in Morrison & Foerster's London office, says monitoring and review of electronic communications at work is often conducted under time-critical circumstances -- for example, where wrongdoing is suspected and there is financial risk to the business.
"One of the key challenges for HR professionals is helping the business to mobilize quickly whilst staying on the right side of European privacy laws," she says.
To get ahead of the curve, Gillham recommends that HR:
* Ensure that the nature and extent of monitoring is made clear to employees in company policies, explaining any circumstances where message content might be monitored and why.
* Introduce a protocol for monitoring employee communications (whether systematic or occasional monitoring).
* Prepare impact assessment forms, so that the business is clear on the purpose of the monitoring and uses the least intrusive means of achieving it.
"The key message from HR managers to global business leaders should be that employees in the EU have an expectation of privacy in the workplace," she says. "And we need to demonstrate that employees should not be surprised that their communications were monitored in any given scenario."
New York City-based Beth Zoller, legal editor and an attorney with XpertHR, says that while it is true that a U.S. employer generally has great latitude in monitoring employees, it must be for acceptable purposes and within the confines of federal, state and local laws.
"While an employer may have a right to monitor employee activity and conduct including employee email and social media activity, the HR challenge in all of this is that it must be carefully weighed against employee privacy rights and conducted in a lawful manner," Zoller says.
Could a law similar to the one in Europe happen in the U.S.?
Gordon says the nation already has legislation that demands some of the steps required by the European Court of Human Rights' decision. For example, the Federal Wiretap Act prohibits real-time interception of electronic communications -- the type of monitoring at issue in the ECHR case -- without the consent of at least one party to the communication. Also, a minority of states require the consent of all parties to the communication.
"Federal courts narrowly construe the consent exception to the Federal Wiretap Act," he says. In order to establish a defense to a claim, employers need to do more than tell employees that they have no "reasonable expectation of privacy" in their e-mail or Internet communications.
Instead, employers must obtain employees' consent to the monitoring by providing them with prior and robust notice of the real-time monitoring and ideally obtaining their written consent, he says.
It's also unlawful under the Federal Wiretap Act to use or "disclose the fruits" of an unlawful interception, Gordon adds. "For that reason, it's in the employer's interest to use real-time monitoring technology only when it truly is necessary for a legitimate business objective and no less intrusive alternative is available," he says.
Gordon suggests that when real-time monitoring is necessary, employers can lower risk by minimizing the information collected and by implementing safeguards to prevent unnecessary disclosure of that information.
Christine Lyon, a partner in Morrison & Foerster's Palo Alto, Calif., office, says U.S. courts consider whether employees have a reasonable expectation of privacy in these circumstances. As a result, domestic employers also need to exercise care in their monitoring of employees' electronic communications, to ensure they are complying with applicable laws.
"Employers also would be well-advised to give employees notice of this monitoring, to reduce their potential expectation of privacy," she says.
But Lyon doesn't expect the U.S. to adopt the EU approach of giving employees a fundamental expectation of privacy in the workplace, explaining that the U.S. approach focuses on whether it is reasonable for an employee to expect privacy in a particular situation.
"The U.S. laws and regulations in this area are tailored to specific practices that are viewed as particularly intrusive," she says. And that reflects the U.S. approach of seeking to protect individuals against harm, without providing broad-based privacy rights that may negatively impact businesses and innovation.
"U.S. employers should not fear, as the European decision really does not change much for them," says Zoller. "It's a 'best practice' for an employer operating in the U.S. or in Europe to proceed cautiously when it comes to monitoring employee email and online activity."