In its judgment of 5 September 2017, the European Court of Human Rights found that a reasonable balance between the employee’s right to respect for private life and correspondence (including the e-mail correspondence), as laid down in Article 8 of the European Convention of Human Rights on the one hand, and the employer’s right to take measures in order to ensure the smooth running of the company’s IT operations on the other.
The European Court of Human Rights has set up the criteria as to the issues to be taken into account in relation to the assessment of whether measures of monitoring the employee’s correspondence and other messages are reasonable in relation to the purpose pursued. Furthermore, the employee must be protected against “arbitrariness”. Even though a wide margin of discretion applies, free and unlimited discretion does not apply. The national authorities must ensure that the employer’s implementation of measures on monitoring correspondence and other messages, regardless of the extent and duration of such measures, are subject to sufficient safety measures that prevent misuse.
In this case, in which the European Court of Human Rights ruled, the employee had been using Yahoo Messenger for private purposes in relation with a correspondence with his fiancée and his brother during working hours. The Messenger account was originally established in order for the employee to use it for business purposes. The employee was not informed in advance that the account was logged and monitored by the employer. On this basis, the employer terminated the employment, which the employee subsequently challenged. Based on a review of the case, the European Court of Human Rights concluded that the employee was not given sufficient protection of his private life, and that, therefore, Article 8 of the European Convention of Human Rights was violated.
Pursuant to Danish case-law, normally, an employer’s logging of employees’ web page visits may take place in case there is a suspicion of misuse, provided it is in accordance with the rules of the Danish Data Protection Act in relation to fair data processing practice. This is also the case, when the EU General Data Protection Regulation comes into effect – and the Danish data protection law enters into force – in 2018. However, there is a number of conditions that must be fulfilled. The registration and the review hereof must be necessary in order for the employer to be able to pursue his established interests, and the consideration for the employee must not surpass said interests. The established interests of the employer may be technical and safety considerations, e.g. to avoid a virus entering the systems and to avoid breakdowns. Furthermore, the employees must be clearly and unambiguously informed about the logging. If the employer performs back-ups of e-mails and maybe reviews an employee’s e-mails, this is only legal if the employer is able to pursue his established interests, and that the consideration for the employee does not surpass said interests. The established rights may e.g. be considerations for operations, safety, re-establishment and documentation and the consideration for the control of the employee’s use. It is also required that the employees must be clearly and unambiguously informed about the back-up and the review of the employee’s e-mails, if any.
Private e-mails are covered by the secrecy of the mails of Section 263 of the penal code, in which “opening a letter” is a criminal offence. By the review of the employee’s e-mails, the employer must thus not read the employee’s private e-mails. On the other hand, there is no objection to the fact that the employer decides that no private e-mails must be sent through the company’s e-mail system.
Thus, this may be a reason to re-check the company’s IT and e-mail policies, in order to ensure that they meet the above-mentioned demands, and that they can also meet future demands applicable after the implementation of the EU General Data Protection Regulation and the Danish Data Protection Act. The EU General Data Protection Regulation will be effective as of 25 May 2018, and the Danish Data Protection Act is currently in its second consultation exercise and must be expected to be passed – maybe even before Christmas – so that it will be effective at the same time as the regulation.
Thanks to the following contributors to the website: Steen Evald (photograph), Stine Heilmann (photograph), Count Pictures (video), Kunde & Co. A/S (design), WeCode A/S (coding)