Monitoring employee computers and emails is only legal if certain procedures are followed. While E.U. courts limit how businesses can monitor their employees, the application of such regulations remains under the control of each member state. What criteria have been selected to control cyber surveillance and why?
Interview: We speak with Nathalie Devillier, a professor of law at Grenoble Ecole de Management.
Why is employee cyber surveillance allowed?
According to the laws that regulate the workplace, employers have the right to implement electronic monitoring. As we evolve in a world where e-reputations and cyberattacks are essential factors for business, employers must have this capacity.
However, the courts require companies to inform employees of any surveillance and the company's works council must also be consulted. In addition, employees must be informed of these measures via the company rules and regulations, an ethics charter or a guide for best practices before surveillance is implemented. Finally, if an employer decides to implement electronic monitoring, the company must declare the initiative to the CNIL and document all collected information.
What criteria must employers follow if they wish to monitor private electronic activity by employees?
The E.U. courts have set boundaries for such surveillance. States are required to ensure that any surveillance measures are reasonable and accompanied by procedural protective measures. Employers must first clearly inform the employee of any surveillance measures before implementing them.
The E.U. courts distinguish between the flow and content of communications. The more a surveillance method is invasive, the more it must be justified. The E.U. courts encourage employers to favor methods that are less invasive than direct access to content.
Companies must also explain the consequences for employees as well as how the collected data is used. The courts guarantee the protection of an employee's electronic communications if they have not previously been informed of surveillance measures. This forbids companies from accessing content without an employee's knowledge.
Cyber surveillance measures must be proportional to the goals of the employer… Could you explain this concept in greater detail?
According to the courts, consequences such as firing an employee for misconduct could be considered a disproportionate result if the employee was not informed of surveillance measures in advance. In France, all emails written from work locations during work hours are assumed to be professional emails. The same goes for professional mobiles, folders created on a computer or data stored on a USB key.
If the concept of loyalty is respected, an employer can check the content of messages written by an employee in order to ensure there are no secret encryptions or that he or she is not playing games online or using Facebook. In terms of workplace regulations, laws concerning cyber surveillance are first oriented towards protecting the security of the employer.
What about the example of sending an email from work using a "personal" label?
By definition, this is a personal communication and in theory the employee is protected. But according to the E.U. courts, the employer can anticipate the right to open such personal emails by using the company rules and regulations. The need to control an employee's activity in such a case must once again be balanced in terms of the goals and means used for monitoring.
The analysis of social network usage by employees is rather vague...
In this particular case, there are contradictory legal guidelines. In the framework of using social networks for personal reasons (with family and friends for example), workplace laws and regulations are faced with a difficulty if someone expresses an opinion about their company in private. There's some discord between the protection of freedom of speech and the defamation of one's company.
The courts have published three diverging opinions on these situations and therefore judges are left to themselves to decide the nature of a comment. That means being able to decide if a post is private or public. And if it is considered public, whether it is defamatory. There is still work to be done to clarify this issue.
A general regulation for the protection of personal data
On May 25th, 2018, a general regulation will be implemented to protect personal data. The fruit of 10 years of negotiations on the topic of cyber surveillance at work and the right to access data, this regulation confirms that member states can follow their own national legislative measures. However, companies must also comply with European regulations.
Therefore, any employee data that is collected must be tied to professional activities. Some important points in European regulations: a company must inform employees of what data will be collected; a company must inform employees that they have the right to oppose these measures if they have valid reasons; a company must ensure the protection of personal data when designing these methods, including in particular a delegate in charge of data protection who will work with the IT department. For sensitive information, companies must carry out an impact study. They must also clarify who is responsible if digital equipment is stolen or lost (a 72-hour deadline exists to report such loss of equipment) or if there is a cyberattack.
Companies must also protect an individual's health-related data, such as information that might be collected during a meeting with the workplace doctor. This is to ensure such data will not be sold to companies in sectors such as health insurance.