|
You are here: Eurofound > EIROnline > 2003 > 07 > New technology and respect for privacy at the workplace My Eurofound: Login or Sign Up   

New technology and respect for privacy at the workplace

The use of new information and communication technologies (ICT) at the workplace has spread rapidly in recent years. This raises numerous issues for employers, employees and their representatives, especially in terms of the relationship between workers' privacy and employers' need to control and monitor the use of ICT. The matter is especially topical in Europe at present, with the European Commission due to propose a Directive on workplace data protection in 2004 or 2005. This comparative study focuses on one specific issue raised by the growth of ICT at work - the relationship between internet/e-mail use at work and respect for workers' privacy. It examines: the European and national legal framework on privacy at work, data protection, and workplace internet/mail use; guidelines and codes of conduct in this area; the views and activities of the social partners; and the extent to which collective bargaining deals with such topics.

Information and communication technologies (ICT) now play a significant role in enterprises, with growing use of computers in all aspects of operations and increasing communication and dissemination of information through the internet, internal intranets and the use of e-mail. For both employers and workers, there are new dangers linked to the development of ICT. Notably:

  • for the enterprise, there is the danger that vital data (eg relating to confidential company activities, financial transactions, personnel management and employees' personal data) may be accessed by unauthorised parties, creating a need to instal devices for protecting and monitoring access to such data. There is also a fear on the part of employers that ICT facilities will be used by staff for personal reasons during working hours, to the detriment of their work, and that the enterprise may be held legally responsible for information transmitted by workers in such circumstances; and
  • as far as workers and their representatives are concerned, the main danger lies in the new capacity that exists for monitoring and surveillance. New technology may allow employees' work and productivity to be monitored, and also aspects of their personal lives, while their use of the internet and e-mail can be subject to monitoring (not least because of the traces any such use leaves). This raises questions of both privacy and the relationship of control at the workplace. These dangers can be even greater, and the surveillance technology even more advanced, in situations where there is a physical distance between the worker and the employer. In the words of a document from a French public consultative body on the issue, the National Commission on Information Technology and Civil Liberties (Commission Nationale de l'Informatique et des Libertés, CNIL): 'Development is constant: first, the supervisor, a person who is easy to spot and has responsibility for monitoring the worker’s physical presence at the workplace and the performance of his or her duties; then electronic supervisors, charged with checking physical presence through access badges. Henceforth, there will be the era of the virtual supervisor, able to do anything without the worker always being fully aware of what is going on and, in certain circumstances, and over and above legitimate monitoring of employees’ safety and productivity, able to draw up the virtual employee’s professional, intellectual and psychological profile' (La cybersurveillance des salariés dans l’entreprise, Hubert Bouchet, CNIL, study and public consultation report, March 2001).

These dangers on either side of the employment relationship have grown sharply over the last few years, given the increased use of ICT at the workplace and at all stages in enterprises' activities. Moreover, new developments such as measures associated with ensuring 'quality' have taken root and have had the effect of setting up systems for tracking the various stages in the provision of goods or services in many companies. This is arguably creating a stronger de facto monitoring of workers' activity through technology.

In this context of the spread of ICT at work and its attendant risks, new problems are arising in the relationships between employers and workers. For example, how far can employers' actions aimed at preventing potential dangers be extended without undermining workers’ fundamental rights? The issue of privacy and the use of new technologies at the workplace is thus becoming increasingly important for employers and trade unions (though to varying extents). For example, at international level, Union Network International (UNI) - the global union federation for white-collar and private sector workers' trade unions - and its affiliates have been campaigning for some years on the issue of the protection of workers 'on-line rights' at work (EU0210205F). At national level, trade unions and employers/employers' organisations in many countries are increasingly issuing or proposing guidance, policies and codes of practice on workplace ICT use (see below under 'Social partner views and initiatives' for more information on these various initiatives). An indication of the significance that these issues are gaining at the workplace is provided by a survey conducted in the UK in 2002 by the solicitors KLegal and Personnel Today magazine. It claimed that UK employers spent more time disciplining staff over internet and e-mail abuse than any other workplace issue. The three most commonly disciplined 'cyber crimes' were excessive personal use of the internet or e-mail, sending pornographic messages and looking at pornographic websites. In a number of cases this has led to dismissal - most commonly in relation to the exchange of pornographic e-mails.

International and European institutions are also paying increasing attention to the relationship between ICT and privacy at work, with a number of recommendations and codes drawn up by bodies such as the Council of Europe and the International Labour Organisation (ILO) - for example, in 1996, the ILO issued a code of practice on the protection of workers' personal data, covering general principles of protection of such data and specific provisions regarding their collection, security, storage, use and communication. There have also been relevant recent cases in the European Court of Human Rights. Turning to the EU, in 1995 it adopted a Directive (95/46/EC) on the protection of individuals with regard to the processing of personal data, which is relevant to the privacy issue in that electronic monitoring in the workplace can be treated as a form of collecting or processing personal data. More specifically, the European Commission has recently consulted the social partners on the protection of workers' personal data and now appears to be planning a draft Directive on the issue. At national level, a few countries have started to adopt or propose workplace-specific data protection/privacy legislation, while all countries have general data protection legislation in place (see below under 'National law and guidelines').

The study

This comparative study - based on the contributions of the European Industrial Relations Observatory (EIRO) national centres in the EU Member States and Norway - examines one specific issue raised by the growth of ICT at work, the relationship between internet/e-mail use at work and respect for workers' privacy. Other issues of relevance to ICT-related workplace privacy, such as monitoring and surveillance techniques in other areas, or the protection of stored personal data or medical records, are not dealt with specifically here (except as part of general discussion of the legal context). However, we start with a general overview of the concept of privacy at work before looking at:

  • brief data on the extent of internet and e-mail use;
  • European law - emanating from both the EU and the Council of Europe - on workplace privacy and data protection, in the form of both conventions/charters and specific legislation (and proposed legislation) or recommendations;
  • national law on general protection of privacy, the protection of personal data and the specific protection of privacy in the workplace context, including any provisions relevant to workers' e-mail/internet use - plus case law in this area and guidance from public authorities;
  • the views of the social partners and initiatives they have taken on privacy and internet/e-mail use; and
  • the extent to which these issues are dealt with in collective bargaining or other forms of joint regulation at any level

The concept of privacy at the workplace

The Council of Europe's Convention for the Protection of Human Rights and Fundamental Freedoms- which has been ratified by all the EU Member States and Norway - states in Article 8 ('Right to respect for private and family life'):

In 1970, the Council of Europe's committee of experts in human rights stated that the right to respect for private life is mainly based on a recognition of the interest that individuals have in being protected from all intrusions into their private lives and any parts of their lives that they legitimately want to keep to themselves. This interest, the committee went on, concerns personal communications and relationships, in addition to all matters touching the individual’s privacy and person, and in particular refers to his or her image, voice and home, and to all goods that relate to his or her personal life.

Case law in the European Court of Human Rights has established that the right to respect for private life extends to 'professional or business activities' and that as well as correspondence it applies to telephone conversations (whether business or private) - a principle which suggest that e-mails and internet use may also be covered ('it is anticipated that the concept will continue to be interpreted so as to keep pace with developments in technology which may bring other methods of communication, such as e-mail, within its sphere of protection'- The right to respect for private and family life. A guide to the implementation of Article 8 of the European Convention on Human Rights, Ursula Kilkelly, Council of Europe, Human rights handbooks No. 1, 2001).

The Charter of Fundamental Rights of the European Union signed at the Nice European Council in December 2000 (EU0012288F) essentially repeats (in Article 7) the first paragraph of Article 8 of the Council of Europe Convention, stating that 'Everyone has the right to respect for his or her private and family life, home and communications.'- to take account of developments in technology, the word 'correspondence' in the Convention has been replaced by 'communications'.

There are difficulties in adapting the concept of respect for private life to the workplace. The right, as noted above, is taken to cover professional or business activities and to employees' communications - arguably including e-mail and internet use - thus implying that employers may not, in principle, interfere in these areas. However, such interference is acceptable in certain circumstances - notably where this is necessary for the reasons set out in Article 8(2) of the Conventions, ie 'in the interests of national security, public safety or the economic well-being of the country, for the prevention of disorder or crime, for the protection of health or morals, or for the protection of the rights and freedoms of others'. This situation raises many questions about the extent to which workers may be monitored and the relationship between their rights and employers' prerogative. For example, to what extent may a worker use ICT equipment for private reasons given that 'a general, absolute ban on any use of the internet for other than professional reasons does not appear realistic in an information/communication society' (in the words of France's CNIL, in La cybersurveillance sur les lieux de travail, a report adopted in February 2002).

However, a number of principles relating to privacy and employer monitoring at the workplace can be drawn from bodies of national legislation that provide guidelines on the definition of this concept (see 'La preuve en droit du travail: protection de la vie privée et nouvelles technologies. Du contremaître à la cybersurveillance', Gilbert Demez, in Questions de droit social, Formation permanente CUP series, No. 56, Edition Formation permanente CUP, 2002):

  • the principle of relevance (or the principle of aims) - the aims for monitoring by the employer is authorised in respect of electronic online communications data must be relevant to the situation of workers;
  • the principle of proportionality- monitoring must, in all cases, be appropriate, relevant and proportionate with regard to the aims that it is pursuing. This is a matter of finding a balance between the interests of the employer and those of the worker;
  • the principle of transparency (or the principle of precaution) - the concrete expression of this principle is to be found in employee information and consultation procedures that must be complied with by the employer when the monitoring system is installed (see below under 'National law and guidelines'). For example In Belgium, national collective agreement No. 81 (see below) provides that information is to be provided at both individual and collective level, while in Germany, the Federal Constitutional Court and Federal Labour Court have ruled that any 'secret' monitoring (ie without the worker’s consent), including of telephone calls, is an intrusion into a worker's private life; and
  • the principle of non-discrimination:- the measures adopted must not lead to discrimination between workers or groups of workers, and must be applicable to all.

Interestingly, some writers in France are now putting forward the broader idea of employees' 'personal life', alongside that of their 'private life'. The definition of 'private life' (based on Article 9 of the French Civil Code and Article 8 of the Council of Europe Convention) focuses mainly on the intimacy of human life - eg the right to a home; the right to respect for, and the inviolability of, correspondence; the right to a sex life and the right to a normal family life. 'Personal life' also embraces other aspects of workers’ lives, and particularly the public places they go to, the associations and parties they belong to, their cultural and sporting activities, their reading matter, and the opinions they express (see 'Les libertés dans l'entreprise', Phillipe Waquet, in Revue de jurisprudence sociale, 2000, and 'NTIC et vie personnelle au travail', Paul-Henri Antonmattéi, in Droit social No 1, January 2002).

Extent of internet and e-mail use

The importance of the issue of internet/e-mail use and its relationship with privacy at the workplace is underlined by the extensive use of this ICT in companies across the EU and Norway. Data from Eurostat indicate that at the end of 2000 (the most recent date for which statistics are available), over half of enterprises had internet access in all countries examined (no information was available for Belgium, France and Ireland) and around two-thirds or more in the great majority of countries - see table 1 below. Finland and Sweden are leaders in the field, with 91% and 90% respectively of all enterprises of all sizes connected to the internet. At the other end of the scale, Greece and Luxembourg have the lowest internet connection rates at the workplace, at 51% for the former and 55% for the latter. By and large, the proportion of enterprises with internet access rises with the size of the enterprise. There are even more pronounced effects related to size in some countries, where the proportion of small enterprises connected to the internet is particularly low in comparison with medium-sized and large enterprises: examples of this include Spain (63% of small enterprises, compared with 89% for medium-sized enterprises and 97% of large enterprises), Italy (63%/86%/94%), Greece (49%/70%/84%) and the UK (59%/79%/90%). By contrast, size-related differences are least visible in Finland (90%/96%/97%) and Sweden (88%/96%/99%).

Table 1. Enterprises with internet access (%), by size, 2000
Country Total Small enterprises (10-49 workers) Medium-sized enterprises (50-249 workers) Large enterprises (250 workers and above)
Austria 76 73 91 91
Denmark 87 85 96 99
Finland 91 90 96 97
Germany 83 77 90 89
Greece 51 49 70 84
Italy 66 63 86 94
Luxembourg 55 52 63 70
Netherlands 79 77 nd nd
Norway 73 71 87 94
Portugal 72 71 86 94
Spain 67 63 89 97
Sweden 90 88 96 99
UK 63 59 79 90

Sectors covered: manufacturing (NACE D); distribution (NACE G); hotels and restaurants (NACE H); transport, storage and communication (NACE I); financial services (NACE J), and business services (NACE K).

Source: Eurostat e-commerce databank (no data available for France, Ireland and Belgium)

In sectoral terms - see table 2 (no data are available for Belgium, France, Ireland and Spain) - the proportion of enterprises with internet access is usually highest in the business services sector, though in Greece and Portugal, the list is headed by transport, storage and communications. By contrast, the hotels and restaurants sector normally has the lowest connection rate, except in Austria and Denmark, where it is transport, storage and communications that are least well equipped. The unequal distribution of enterprises with internet access is most marked in Greece and Portugal - although coverage in transport, storage and communications reaches 72% in Greece and 90% in Portugal, it is only 37% and 31% respectively in the hotels and restaurants sector.

Table 2. Distribution of enterprises with internet access (%) by sector, 2000
Country Manufacturing (NACE D) Distribution (NACE G) Hotels and restaurants (NACE H Transport, storage and communications (NACE I) Business services (NACE K)
Austria 74 76 76 67 84
Denmark 88 91 83 77 92
Finland 90 91 88 94 96
Germany / 82 73 / nd
Greece 46 55 37 72 64
Italy 66 66 51 65 74
Luxembourg 53 48 36 52 73
Netherlands 81 77 70 72 85
Norway 82 64 63 67 88
Portugal 67 79 32 90 77
Sweden nd nd 92 nd
UK 69 59 47 56 75

Source: Eurostat e-commerce databank (no data available for France, Ireland and Belgium)

European law

As with national law (as we will see below under 'National law and guidelines'), European law - emanating from both the EU and Council of Europe - rarely addresses specifically privacy issues related to the use of new technology at the workplace, with this matter being covered by more general provisions relating to the right to respect for privacy and to the protection of personal data.

Conventions and charters

As noted above (under 'The concept of privacy at the workplace'), the Council of Europe's Convention for the Protection of Human Rights and Fundamental Freedoms guarantees a right to respect for private and family life, which has been interpreted as covering professional or business activities and employees' communications (arguably including e-mail and internet use). The Charter of Fundamental Rights of the European Union restates this right (in a slightly updated form) and includes (in Article 8) a right to protection of personal data, stating:

As far back as 1981, the Council of Europe adopted a Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (ratified by all the EU Member States and Norway) which seeks to ensure respect for people's rights and fundamental freedoms, and in particular the right to privacy, with regard to automatic processing of personal data. With the aim of adapting the Convention to the employment context, in 1989, the Council of Europe Committee of Ministers adopted a Recommendation (R(89)2) on the protection of personal data used for employment purposes, with specific reference to automatically processed data. Against a backdrop of growing ICT use in employer/employee relations, this Recommendation seeks to reduce the risks that such methods could present for the rights and fundamental freedoms of workers, notably the right to respect for privacy. It therefore makes recommendations on collecting and processing data in the context, for example, of recruiting, and on the introduction of procedures for monitoring workers’ movements and productivity.

Existing EU legislation

In terms of EU legislation in this area, the main item is the European Parliament and Council Directive (95/46/EC) 'on the protection of individuals with regard to the processing of personal data and on the free movement of such data', whose aim is 'the protection of the rights and freedoms of individuals, notably the right to privacy, with regard to the processing of personal data' in the EU Member States. It also provides that 'Member States shall neither restrict nor prohibit the free flow of personal data between Member States for reasons connected with the protection' provided by the Directive. The Directive - which had to be implemented by the Member States by October 1998 - seeks, among other goals to, 'give substance to and amplify' the 1981 Council of Europe personal data Convention. As far as protection of personal data is concerned, the Directive deals first with the quality of personal data, stating notably that they must be:

  • processed fairly and lawfully;
  • collected for specified, explicit and legitimate purposes and not further processed in a way incompatible with those purposes;
  • adequate, relevant and not excessive in relation to the purposes for which they are collected and/or further processed;
  • accurate and, where necessary, kept up to date; and
  • kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the data were collected or for which they are further processed.

With regard to the criteria for making data processing legitimate, personal data may be processed only if:

  • the data subject (ie the person concerned) has unambiguously given consent; or
  • processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract; or
  • processing is necessary for compliance with a legal obligation to which the 'controller' is subject; or
  • processing is necessary in order to protect the vital interests of the data subject; or
  • processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller or in a third party to whom the data are disclosed; or
  • processing is necessary for the purposes of the legitimate interests pursued by the controller or by the third party or parties to whom the data are disclosed, except where such interests are overridden by fundamental rights and freedoms of the data subject.

The processing of special categories of personal data is banned - this refers to those revealing racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership, and those concerning health or sex life - though with various exemptions. Processing of data relating to offences, criminal convictions or security measures may be carried out only under the control of an official authority. There are also exemptions for the processing of data for journalistic reasons, and for the purposes of artistic and literary expression.

Under the terms of the Directive, the person concerned must be informed about the processing of the data and of the aim of the processing, and must have access to the data collected. He or she may oppose the processing of these data, for legitimate reasons, or may have them corrected if they are inaccurate. The party responsible for processing personal data must ensure that the processing is confidential and secure and must notify the monitoring authority prior to an entirely or partly digitised processing exercise, or a series of processing exercises with the same, or linked, aims.

In 1997, a specific EU Directive (97/66/EC) 'concerning the processing of personal data and the protection of privacy' was adopted for the telecommunications sector, aiming to respond to the introduction of new advanced digital technologies in public telecommunications networks. It was repealed, and replaced (in the light of developments in the markets and technologies for electronic communications services) in July 2002 by Directive (2002/58/EC) 'concerning the processing of personal data and the protection of privacy in the electronic communications sector'. The rationale is that 'new advanced digital technologies are currently being introduced in public communications networks in the Community, which give rise to specific requirements concerning the protection of personal data and privacy of the user.'

EU initiative on workers' personal data

In August 2001, the European Commission launched a first stage of consultation of the social partners on the protection of workers' personal data, seeking their views on the possible orientation of policy in this area. It noted that the two existing EU Directives on processing of personal data contain very few provisions on the processing of data in the employment context and asked the social partners if they believed that these Directives, as implemented in the Member States, adequately addressed the protection of workers' personal data. In particular, the social partners were asked if it was advisable that the EU should takes an initiative in this field focusing notably on: consent (to the processing of an individual's data) in the employment context; access to and processing of medical data in the employment context; drug testing and genetic testing in the employment context; and monitoring and surveillance in the workplace. The social partners were also asked what form they thought a Community action should take (Directive, communication, recommendation, code of practice, guidelines etc) and what the main features of such a measure might be.

The responses indicated to the Commission that there was widespread consensus among the social partners as regards the importance of the question of personal data processing in the employment context, given socio-economic and technological advances over the recent years. However, there were disagreements between employers’ associations and trade unions over the need for any further EU-level action and the direction that this should take. For example, employers’ organisations - the Union of Industrial and Employers' Confederations of Europe (UNICE), the European Association of Craft and Small and Medium-sized Enterprises (UEAPME) and the Confederation of German Industries (Bundesverband der Deutschen Industrie, BDI) - did not see the point of having Community legislation on the subject, because they think that Directive 95/46/EC is appropriate and capable of ensuring that workers’ personal data are protected. All employers' organisations emphasised the merits of flexibility and national diversity, as well as the need to avoid over-regulation and supplementary burdens on employers. UNICE highlighted the need for information and transparency as regards national regulations and favoured enhancing awareness and exchange of information and best practices. UNICE favoured 'non-binding instruments at the national level through the social partners who are better placed to tackle possible problems'. UEAPME also stated that non-binding measures at European level, such as a code of conduct along the lines of that established by the ILO (see above), could be useful.

By contrast, the trade unions - the European Trade Union Confederation (ETUC), the Council of European Professional and Managerial Staff (EUROCADRES) and the European Confederation of Executives and Managerial Staff (CEC) - supported the introduction of an EU Directive on the subject. They believed that the existing Directives on personal data protection are useful but not sufficient with regard to the specificity of the employment context. Furthermore, current national legislation implementing the Directives is not seen as totally satisfactory or as covering all aspects. The unions were in favour of a specific Directive, allowing a certain flexibility according to national specificities.

Following these responses, in October 2002, the Commission launched a second stage of consultation, this time on the content of an envisaged proposal in this area (EU0211206F) - having concluded that it is advisable that a framework of employment-specific rules on data protection should established at EU level - giving the social partners the opportunity to negotiate an agreement on the issue and thus forestall a proposed Directive. The second-stage consultation was more concrete and detailed, suggesting a new framework of principles and rules on data protection at the workplace (see box below). However, following the responses of the social partners to the second round of consultations, it appears that this opportunity has been rejected, and the Commission is planning a draft Directive in 2004 or 2005 (according to its June 2003 mid-term review of the social policy agenda).

European Commission's suggested framework for workplace data protection

The European Commission's October 2002 second-stage consultation of the social partners suggests a new European framework of principles and rules on data protection at the workplace, on the grounds of:

  • technological advances such as the increased use of e-mail, electronic files and teleworking, which is blurring the boundary between work and private life, and cheaper genetic testing technology;
  • globalisation, in particular the growing trend of outsourcing the human resource function of large businesses. This may create difficulties if data protection laws differ from one jurisdiction to another; and
  • 'post-11 September insecurity' . In the USA, for example, companies may be expected to monitor workers as part of government efforts to increase security.

The proposed framework would cover data about employees, such as personal health records, as well as data created by or used by employees, such as e-mails or internet use. It would deal with the issues of consent, medical data, drug and genetic testing and monitoring and surveillance. On the latter issue - which is of most direct relevance to this study's concerns - the Commission notes that a review of the regulatory situation in the Member States in this area shows that surveillance and monitoring of workers by their employers is regulated through a number of principles and rules contained in various legal acts, including national constitutions, legislation on employment, data protection and telecommunications, the penal code etc. The interaction of the relevant provisions, so far as their application in the employment context is concerned, is often not clear and the situation is, in some cases, quite controversial. This situation becomes even more critical taking into account that the traditional monitoring means, such as telephone-tapping and video surveillance, are increasingly complemented by technologically more advanced and potentially more intrusive means - ie monitoring through the workers' own work tools such as their computer (e-mail, internet etc). It therefore suggests that the following principles should form part of the proposed European framework:

  • workers' representatives should be informed and consulted before the introduction, modification or evaluation of any system likely to be used for monitoring/surveillance of workers;
  • a prior check by a national data protection supervisory authority should be considered;
  • continuous monitoring should be permitted only if necessary for health, safety, security or the protection of property;
  • secret monitoring should be permitted only in conformity with the safeguards laid down by national legislation or if there is reasonable suspicion of criminal activity or other serious wrongdoing;
  • personal data collected in order to ensure the security, control or proper operation of processing systems should not be processed to control the behaviour of individual workers except where the latter is linked to the operation of these systems;
  • personal data collected by electronic monitoring should not be the only factors in evaluating workers' performance and taking decisions in their regard;
  • notwithstanding particular cases, such as automated monitoring for purposes of security and proper operation of the system (eg viruses), routine monitoring of each individual worker's e-mail or internet use should be prohibited. Individual monitoring may be carried out where there is reasonable suspicion of criminal activity or serious wrongdoing or misconduct, provided that there are no other less intrusive means to achieve the desired purpose (eg objective monitoring of traffic data rather than of the content of e-mails, or preventive use of technology);
  • there should be a prohibition in principle on employers opening private e-mail and/or other private files, notably those explicitly indicated as such, irrespective of whether use of the work tools for private purposes was allowed or not by the employer. In particular, private e-mails/files should be treated as private correspondence. Secrecy of correspondence should not be able to be waived with a general consent by the worker, in particular upon conclusion of the contract of employment; and
  • communication to occupational health professionals and representatives of workers should receive particular protection.

Finally, it should be noted that one framework agreement concluded by the European intersectoral social partners has some implications, if limited to one particular group of workers, for workplace privacy. The July 2002 agreement on telework (EU0207204F) provides that employers should respect the privacy of teleworkers, and that if any kind of monitoring system is put in place, it needs to be proportionate to the objective and introduced in accordance with EU Directive (90/270/EEC) on visual display units. The agreement - unlike previous such accords - is being implemented by the national social partners themselves, rather than being given the force of law by an EU Directive. Monitoring of teleworkers has also been covered by two sets of European sectoral guidelines on the issue, agreed in the telecommunications sector (February 2001 -EU0102296F) and the commerce sector (April 2001 - EU0105214F).

National law and guidelines

Table 3 below sets out the main laws in the 16 countries examined with regard to: general protection of privacy (including specific rules on privacy of communications); the protection of personal data; and specific protection of privacy in the workplace context, including the rights of workers' representatives in regulating this area. The general privacy provisions listed do not include direct incorporation of the Convention for the Protection of Human Rights and Fundamental Freedoms, which has occurred in many countries, while the workplace-specific provisions do not include the employment aspects of general data protection legislation.

Table 3. Main national laws regulating privacy and data protection, in general and at the workplace
Country General privacy Personal data protection Workplace specific
Austria Austrian Constitution does not explicitly provide right to privacy. However, Article 8 of the European Convention applies, while Data Protection Act has constitutional status and provides right of secrecy of personal data, particularly regarding respect for private and family life. The 2000 Data Protection Act (Bundesgesetz über den Schutz personenbezogener Daten, Datenschutzgesetz) implements Directive 95/46/EC. The Labour Constitution Act, (Arbeitsverfassungsgesetz, ArbVG) provides (§96) that the installation of any technological facilities at work which are (potentially) likely to monitor employees requires an obligatory works agreement (ie with the works council), if the employees’ 'dignity' is affected (even if the individual employee consents to such monitoring facilities). The works council also has information rights in this area (AT9806193F).
Belgium Belgian Constitution (Article 22) states that 'everyone has the right to have his private and family life respected, except in the cases and under the conditions stipulated by law'. Article 314bis of Penal Code outlaws interception of private communications and telecommunications without the permission of participants. Law of of 21 March 1991 ('Belgacom Law') makes it illegal to look at telecommunications from or to other people. Law of 8 December 1992 covers the protection of privacy in relation to the processing of personal data - amended by law of 11 December 1998 to implement Directive 95/46/EC. National collective agreement No. 38 on recruitment (1983) provides that interference in private life of applicants can be justified only when relevant to employment relationship (a rule generally accepted to apply to whole employment relationship). National collective agreement No. 68 (1998) bans video monitoring at the workplace, except in some circumstances and with information and consultation of workers' representatives (BE9807150N). National collective agreement No. 81 (2002) protects private lives of employees with respect to controls on electronic online communications data (see main text) - includes information rights for works councils.
Denmark Danish Constitution (Article 72) provides for secrecy of of letters and other papers, and in postal, telegraph, and telephone matters. Penal Code's provisions on secrecy of mails (§ 263) make it a a criminal offence to open or otherwise acquire access to content of a letter or another closed message addressed to another person. The Act on Processing of Personal Data (Lov om behandling af personoplysninger, Act No. 429 of 31 May 2000) implements Directive 95/46/EC. The 1982 Act on Video Surveillance applies to the workplace, requiring employer to provide employees with general (but not specific) information about such surveillance. Penal Code's provisions on secrecy of mails apply to e-mail and some workplace situations.
Finland Finnish Constitution (section 8) provides for security of private life and secrecy of communications (with restrictions). The Personal Data Act (523/1999) of 22 April 1999 implements Directive 95/46/EC. The Act on Data Protection in Working Life (477/2001) regulates in detail privacy in working life in terms of ICT (FI0106191F) (see main text). Employee representatives have cooperation rights over the purpose, implementation and methods used in technical employee monitoring and the use of electronic mail and data networks (also stipulated in Act on Cooperation within Undertakings).
France The Civil Code (Article 9) provides a right to privacy. The Criminal Code (Article 226) provides that wilfully impinging upon someone else’s privacy is a criminal offence and specifies penalties incurred for interception of correspondence, including electronic communications. Law of 10 July 1991 governs secrecy of communications sent by telecommunications. Law 78-17 of 6 January 1978 on information technology, files and freedoms (Loi relative à l'informatique, aux fichiers et aux libertés) governs collection and storage of personal computerised data. Law 92-1446 of 31 December 1992 applied general principles of 1978 data protection law to the field of employment. The Labour Code: prohibits restriction of workers' rights and individual and collective freedoms unless this is justified by the nature of the task to be accomplished, or proportionate to the desired objective (employers must therefore justify potential restrictions) (Article L120-2); and provides that employees must be made aware of any monitoring that may focus on them (Articles L121-7 and 121-8).
Germany German Constitution (Articles 1(1) and 2(1)) provides for a general right of privacy. The Federal Data Privacy Protection Act (Bundesdatenschutzgesetz, BDSG) governs processing and use of personal data - originally adopted in 1990 and amended in 2001 to implement Directive 95/46/EC (most federal states have also adopted laws to implement Directive). The 1997 Teleservices Data Protection Act (Teledienstedatenschutzgesetz, TDDSG) specifically governs data protection in relation to the internet and the 1997 Telecommunications Act (Telekommunikationsgesetz, TKG) contains data protection provisions. The 1997 TDDSG and TKG both have workplace implications in terms of restrictions on monitoring where the employer has permitted private use of e-mail and internet. The Works Constitution Act (Betriebsverfassungsgesetz, BetrVG) gives works councils co-determination rights over: rules of conduct where the employer permits the use of company e-mail systems for private purposes; and introduction and use of technical equipment intended to monitor conduct or performance of employees.
Greece Greek Constitution provides for inviolability of personal and family life (Article 9) and privacy of correspondence and any other form of communication (Article 19). Law 2472/1997 governs the protection of individuals with regard to processing of personal data, implementing Directive 95/46/EC. Law 2774/1999 governs protection of personal data in telecommunications sector. Data Protection Authority Directive 115/2001 interprets the norms laid down in laws 2472/97 and 2774/99 on data protection for the purpose of applying them in the area of employment relationships.
Ireland Irish Constitution does not explicitly provide right to privacy, though case law implies its protection. The Data Protection Act 1988 (amended April 2003), implemented Directive 95/46/EC. None, apart from employment provisions of Data Protection Act.
Italy Italian Constitution (Article 15) affirms inviolability of freedom and secrecy of correspondence and of all other forms of communication. Law No. 675 of 31 December 1996 regulates 'data protection for individuals and others with regard to the processing of personal data', implementing Directive 95/46/EC. Supplemented and partially amended by Presidential Decree No. 318/99 on 'minimum security measures for personal data handling' and legislative decree No. 467/2001. Workers' Statute (law No. 300/70) regulates a number of privacy matters, notably (in Article 4) forbidding the use of apparatus (including new technologies) to control workers' activities.
Luxembourg Luxembourg Constitution (Article 28) protects secrecy of correspondence. Law of 2 August 2002 governs protection of people in respect of processing of personal data, implementing Directive 95/46/EC. Law of 6 May 1974 establishing joint works committees in private sector enterprises (with over 150 employees) co-determination rights on the introduction and application of technical equipment designed to monitor employees’ behaviour and performance at their work stations.
Netherlands Dutch Constitution states that all citizens are entitled to respect of their personal privacy (§10) and guarantees privacy of correspondence, telephone and telegraph communication (§13). Civil Code (§7:611) states that employers should behave in a reasonable way. Personal Data Protection Act (Wet bescherming persoonsgegevens) of 6 July 2000 implements Directive 95/46/EC. The Works Councils Act (§27.1), gives works council the right of consent (a kind of veto power) when the employer intends to introduce, change or abolish a rule on: the collection and processing of employees' personal data; or facilities aimed at, or suitable for, the observation or control of employees' presence, behaviour or performance.
Norway Norwegian Constitution does not explicitly provide right to privacy. However, courts have established a fundamental legal principle of 'protection of personal integrity.' The 2000 Act relating to the Processing of Personal Data (Personopplysningsloven) implements Directive 95/46/EC. Act relating to Workers Protection and Working Environment (Arbeidsmiljøloven, AML) implies that monitoring of employees may not be carried out if such activity breaches the provisions of the Act by subjecting employees to health-related hazards (however, the AML obliges employers to control and monitor working life).
Portugal Portuguese Constitution recognises rights to personal identity (Article 26), privacy of correspondence and other means of private communication (Article 34) and data protection (Article 35). Law 67/98 of 26 October 1998 on Personal Data Protection (Lei da protecçao de dados pessoais) implements Directive 95/46/EC. The recently introduced Labour Code (PT0305101N) provides that: employers and workers should respect each others' right to personality and to maintain confidentiality of their private lives, including access to and disclosure of matters such as family, emotional or sexual life, health or political and religious convictions; and files and computer applications used by employers to process personal data of job applicants or employees are subject to the law on personal data protection. Law on Employment Contracts indirectly regulates control and monitoring of contents of workers’ e-mails or internet use (eg by prohibiting employers from preventing workers from exercising their rights).
Spain Spanish Constitution (Article 8) provides right to personal and family privacy. Penal Code (Article 167) forbids interception of communications. Organic Law 15/1999 of 13 December 1999 on the Protection of Information of a Personal Nature implements Directive 95/46/EC. Royal Decree 994/1999 regulates security measures for automated files containing personal information. Workers' Statute (Article 64) establishes right of works councils to issue a prior report on the introduction or revision of systems of organisation and control of work, and to monitor fulfilment of regulations and agreements in this area.
Sweden Sweden's constitutional Instrument of Government (Regeringsformen) provides for privacy of correspondence and confidential communications (Chapter 2 Article 6) and protection from infringement of personal integrity resulting from the registration of information by means of electronic data processing (Chapter 2 Article 3). The 1998 Personal Data Act (Personregisterlagen, PUL) implements Directive 95/46/EC. Act on Co-Determination (Medbestämmandelagen, MBL) provides that important changes in the workplace should be negotiated between employer and local trade unions, and this is taken to include personal integrity matters (such as medical tests), including those related to ICT
UK Human Rights Act (HRA) 1998 (incorporating European Convention) provides right to respect for private and family life, home and correspondence. Regulation of Investigatory Powers Act (RIPA) 2000 outlaws interception of private correspondence without consent of both parties, or specific warrant. Data Protection Act (DPA) 1998 implements Directive 95/46/EC. Computer Misuse Act 1990 deals with violations of personal data through 'hacking'. RIPA has been qualified by Telecommunications (Lawful Business Practice) (Interception of Communications) Regulations 2000, which allows businesses (including government departments and public authorities) to monitor and/or record many communications without consent to: establish facts relevant to the business; ascertain whether an employee has attained the required standard; prevent or detect crime; investigate or detect unauthorised use of the telecommunications system; or ensure the system’s effective operation. Organisations are also allowed to monitor but not record communications without consent in order to determine whether or not communications are business-related and to monitor communications to a confidential support help line.

Notes: European Convention = Convention for the Protection of Human Rights and Fundamental Freedoms; Directive 95/46/EC = 1995 European Parliament and Council Directive on the protection of individuals with regard to the processing of personal data and on the free movement of such data.

Source: EIRO.

As indicated by table 3, the EU Member States and Norway have several kinds of legislation relating to the protection of privacy in general, or in the context of work or new technology. These include provisions in constitutions or legal codes, legislation and, in the case of Belgium, collective agreements with the force of law. Of the countries under examination, only Belgium and, to a lesser extent, Denmark and Germany, have provisions that specifically deal with employee e-mail and the internet use and its monitoring.

General provisions

Many national constitutions contain a general right to protection of privacy/private life - as in Belgium, Finland, Germany, Greece, the Netherlands and Spain - while such a right, though not explicit, is implied in other cases - such as Austria, Ireland and Norway. Such a general privacy right may also stem from the Civil Code, as in France, or specific legislation, such as the UK's Human Rights Act (while the ratification of the European Convention for the Protection of Human Rights and Fundamental Freedoms by all countries concerned also implies the application of its privacy provisions). The Italian parliament is currently debating a 'consolidated text' on privacy, aimed at combining all current rules on privacy into a single document, and harmonising them in order to obtain a systematic body of legislation. Many constitutions also guarantee some form of secrecy of communications (sometimes alongside a general privacy right) - such as Denmark, Finland, Greece, Italy, Luxembourg, the Netherlands, Portugal and Sweden. Penal or Criminal Codes forbid interception (without consent or authorisation on specific grounds) of communications and sometimes specifically telecommunications in countries such as Belgium, Denmark, France and Spain, while specific legislation covers these issues in cases such as Belgium, France and the UK. Though some of these basic provisions may be assumed to cover internet/e-mail use, this is rarely explicit, though Denmark is an exception (see below). Sweden is unusual in that there is a specific constitutional right to privacy protection related to electronic data processing.

All countries have data protection legislation. This is either in direct implementation of the EU Directive (95/46/EC) on the issue or pre-existing legislation which has been amended in the light of the Directive (as in Belgium and Germany) - only France does not appear specifically to have transposed the Directive (with draft legislation to this effect currently before the National Assembly). As seen above (under 'Existing EU legislation'), the Directive and its implementing legislation have implications for the employment relationship. However, it is rare for countries to have introduced specific legislation applying data protection rules to the employment context - this has occurred most notably in Finland (see box below) as well as in France, Greece (in the form of a Data Protection Authority directive) and, to some extent, Portugal. EU Directive 97/66/EC, which deals specifically with the telecommunications sector (see above), has been transposed in some countries, including Belgium, Germany, Greece and the UK, again with some employment implications. Germany is unusual in having legislation which governs data protection specifically in the context of the internet.

Finnish Act on Data Protection in Working Life

The Act on Data Protection in Working Life (477/2001) came into force in Finland on 1 October 2001 (FI0106191F). It applies to all employment relationships (including apprenticeship contracts) and to both employees and job applicants. It provides that an employer may process only personal data that directly relates to an employee’s employment relationship. Outdated or unnecessary data must not be kept by employers. Companies must draw up a description of the personal data files they hold, making this available to any interested party, and must also notify the Data Protection Ombudsman (see below) of automated data processing by sending it a description of the files held. There is an employer’s obligation to notify employees about these issues and employees have a right to check personal data concerning them (subject to restrictions related to state security, defence, general order and safety, and the prevention or investigation of crime). The Act covers international transfers of personal data, requiring a Finnish company that transfers employees' personal data outside the EU/EEA to notify the Data Protection Ombudsman.

Beyond the employment-related provisions of general or specific data protection legislation, at least some aspects of privacy at the workplace are governed by employment (or other) law in most countries (with some exceptions, such as Ireland) - though this is rarely comprehensive. On a general level, the French Labour Code prohibits restrictions of workers' rights and freedoms except where justified and proportionate, while a Belgian national collective agreement (such agreements are given the force of law and are thus included here) provides that interference in the private lives of job applicants (and, by extension, employees) can be justified only when relevant to the employment relationship. The Italian Workers' Statute regulates a number of privacy matters, while Portugal's new Labour Code provides for privacy in areas related to workers' personal lives. The specific issue of monitoring and video surveillance at the workplace is made subject to various conditions by legislation in countries such as Belgium (a national collective agreement), Denmark and France.

In some cases, works councils or other workplace employee representatives have a number of powers over the introduction and/or use of equipment for monitoring employees' performance, work etc. Agreement or co-determination is required in Austria (where employees' 'dignity' is affected), Germany, Luxembourg and the Netherlands, while information and consultation is required in Belgium (see below), Finland and Spain. Similar rights relating to the more general issue of introducing new technology may also apply to monitoring equipment in countries such as France. The co-determination rights of local unions in Sweden are taken to include matters related to personal integrity.

Internet and e-mail use

While some of the general and workplace-specific privacy and data protection law outlined above may have implications for employees' e-mail and internet use, there is very little specific legislation on this issue across the countries considered. The most notable exception is a Belgian national collective agreement (with the force of law) on the issue, outlined in the box below.

Belgian national agreement on protection of employees' on-line privacy

On 26 April 2002, employer and employee representatives on the National Labour Council (Conseil National du Travail/Nationaal Arbeidsraad, CNT/NAR) signed national collective agreement No. 81 on the protection of workers' privacy with respect to controls on electronic on-line communications data (BE0209302F). The agreement was declared mandatory under the terms of a Royal Decree of 20 September 1998.

The agreement adapts general provisions concerning the protection of privacy with a view to making them applicable to the working environment, and is valid only for the private sector. The agreement does not relate to the rules for accessing and/or using electronic on-line communications equipment in the company, as these rules are the prerogative of the employer - it thus leaves any applicable company rules and practices on information and consultation in this field intact. Instead, the agreement governs workers' right to privacy when electronic communications data are collected for the purposes of monitoring.

The agreement covers all on-line technologies such as the internet, e-mail and WAP, but has been drafted sufficiently widely that it will also cover future developments. In principle, monitoring of such electronic communications data should not impinge on a worker’s private life but, if it does, this must be kept to an absolute minimum. Only data that are necessary for monitoring may be collected. The monitoring may cover:

  • with regard to internet site controls, the collection of data on the duration of the connection per workstation, but not individual data on the sites visited; and
  • with regard to the use of e-mail, the collection of data on the number of messages sent per workstation and the volume of them, but not identification of the employee who sent them.

The employer may carry out monitoring of electronic online communications data as long as it is pursuing the following objectives:

  • the prevention of illegal or defamatory acts, acts that are contrary to good ethics or which can damage the dignity of another person;
  • the protection of the economic, commercial and financial interests of the company;
  • the security and good operation of the company's ICT network systems; and
  • the faithful observance of the principles and rules applicable in the company for the use of on-line technologies - in such cases, the employer is obliged to inform the worker of any anomaly, and to seek to avoid it happening again.

The employer must clearly and expressly define the objectives of the control exercised. Moreover, the content of data may be controlled only if the employee and other parties concerned (eg the recipient of the message) have consented to it. Before putting a monitoring system in place, the employer must also notify both the works council and the workforce.

'Individualisation' of electronic on-line communications data, as referred to in the agreement, means an action whose purpose is to process electronic on-line communications data collected during controls by the employer, in order to attribute them to an identified or identifiable person. In principle, the employer will first perform a general control without being able to determine what wrongdoing can be attributed to what employee. Only in the second instance can the employee responsible be sought.

The agreement should be interpreted in the light of existing constitutional and statutory principles, stating: 'It is very important here to respect the constitutional and statutory principles of protecting privacy and the secrecy of telecommunications, but it is important to allow for adjustments that are nonetheless strict as far as introduction in the workplace is concerned.' However, there are those who query the agreement’s legality on the ground that some of its contents are at variance with legal provisions that are hierarchically superior. For example (as pointed out by Gilbert Demez, cited above), authorisation of employer monitoring of the content of e-mails may run counter to Article 314bis of the Penal Code, which bans the interception of communications and private telecommunications without the permission of the participants (see table 3 above).

When adopting this agreement, the social partners nevertheless expressed a wish that a regulation on the matter should be adopted. The employers, in particular, said that they were happy with the balance between respect for privacy and the right to monitor workers; in fact, they thought that the previous rules gave respect for privacy too much importance.

Other privacy provisions which deal specifically with employees' internet and e-mail use are rare, though they include the following:

  • The Danish Penal Code's provisions on secrecy of mails (§263) make it a criminal offence to open or otherwise acquire access to the content of a letter or other closed message that is addressed to person other than oneself. Private e-mails are covered by this provision, though e-mails sent to employees in their capacity as a representative of the employing organisation are not considered to be private. Under these provisions of the Penal Code, along with the Act on Processing of Personal Data, whether or not an employer has the right to read the content of e-mails or register e-mail addresses depends on whether it has a justifiable reason for doing so which does not exceed the employee's legitimate interests. Information about employees' incoming or outgoing e-mails or about what webpages they have visited is considered to be personal information, and any monitoring can be performed only with the consent of the person concerned. In 2000, the Data Protection Agency (see below) stated that considerations relating to computer-system security and control of employees' observation of company policy are legitimate reasons to implement monitoring measures - however, the employer must inform the employee about the surveillance. Unlike private companies, public authorities are obliged to inform the Data Protection Agency about any logging, back-up or reading of employees’ e-mails.
  • Germany's Telecommunications Act (TKG) and Teleservices Data Protection Act (TDDSG) apply where the employer has permitted private e-mail and internet use by employees. In such cases, employers' control of employees' private use of such electronic media is subject to more restrictions than is the case for professional use. Where the TKG applies, the collection and use of data is permitted for accounting purposes, to remedy service disruptions or to ensure an orderly communication process. Generally, any check on content is not permitted, unless there is specific suspicion of a serious criminal offence. Analysis of private e-mail/internet connections must be restricted to the minimum needed for recording costs. If private employee use is permitted without any reimbursement of costs, then the connection data may not be analysed, with the exception of anonymous data needed to check the working of the equipment. Where private internet use is permitted, a provider-user relationship is created between the employer and the employees for the purposes of the TDDSG, because the employer provides access to a range of information to the employee. If the employee is not obliged to reimburse the cost of use, then the employer does not have any right of control without the consent of the employee. Furthermore, if the employer permits the use of the company’s e-mail systems for private purposes, the Works Constitution Act (BetrVG) provides that the relevant rules of conduct must be agreed with the works council and set down in a works agreement.

Despite a lack of specific legislation, the general legal framework and principles are interpreted as having implications for employees' internet and e-mail use in some countries. For example, in Norway it is held that, in terms of the employer's right to read an employee's e-mail or private computerised documents, a distinction is drawn between private and enterprise-related e-mails and documents. The employer may not read an employee's private e-mail (or other documents), unless the employee has given /her consent. Enterprise related e-mails may, however, may be read by the employer, because in this cases the legitimate interest of the employer overrides the interest of the employee. The employer nevertheless has a duty to inform employees about such measures.

Given the general absence of specific legislation on employees' privacy at the workplace, the introduction of such provisions has been discussed or proposed in a number of countries, sometimes with direct relevance to internet/e-mail use:

  • in Finland, a working party (including social partner representatives) established by the Ministry of Labour at the behest of parliament has recently examined certain specific issues not covered by the 2001 Act on Data Protection in Working Life (see above), mostly those raised by the rapid development of ICT. It issued its report in June 2003 (FI0307203F), proposing new legislation defining and limiting employers’ rights to use drug tests and video surveillance and to read employees' e-mails;
  • in Germany, an Employee Data Protection Act (Arbeitnehmerdatenschutzgesetz) has been discussed for some years, and the coalition agreement of the current 'red-Green' government provides for the introduction of such a law. Moreover, several changes to existing laws (eg the TKG) are currently being debated;
  • in Norway, a public committee currently reviewing labour law (NO0210103F) is examining, among other issues, regulations on monitoring and surveillance in working life, and thus protection of employees' privacy. In this area, the committee's brief is to examine the need to establish legal guidelines concerning when and how such monitoring and surveillance may be employed and, if necessary, to propose specific legal rules. The committee's report is due in December 2003; and
  • in Sweden, in March 2002, a government-appointed commissioner (supported by trade unions) submitted a proposal for a new law on the protection of personal integrity in working life (Lagen om integritet i arbetslivet, LIA) (SE0203104F). Under the proposal, the protection of the personal integrity of employees, job applicants and former employees would be strengthened in two main areas - the use of information technology, and medical examinations and drug tests. For example, there would be a general ban on employers reading employees' personal e-mail.. The proposal has been heavily criticised on the grounds that it is overly complicated, and its future is currently uncertain.

Case law

The lack of specific legislation on employees' e-mail/internet use and workplace privacy makes case law important in some countries. Significant rulings on the issue - or on related themes, such as telephone monitoring and video surveillance, which may have implications for e-mail/internet use - are reported at various levels of the judicial apparatus from countries such as Austria, Denmark, France, Germany, Italy, the Netherlands, Norway, Spain, Sweden and the UK. Many of these rulings refer, of course, to very specific individual cases, while judgments from the same country may appear contradictory. However, a few themes seem common across a number of countries. Notably, cases in Denmark, Germany, the Netherlands and the UK have established the necessity for employers to have issued a clear policy or instructions on internet/e-mail use before it is legitimate for them to dismiss or discipline employees on grounds of misuse (though one Dutch court has ruled that an employer had no obligation to give an employee prior notice that private use of internet was not allowed). The courts in some countries - such as Germany, the Netherlands, Spain and the UK - understandably take a very dim view of employees using e-mail or the internet for purposes of crime, harassment (especially sexual) or distributing obscene, pornographic or offensive material. Other specific rulings of interest include the following:

  • a 2002 Supreme Court (Oberster Gerichtshof) ruling in Austria established that employer monitoring of employee telephone use (and thus, by extension, internet and e-mail use) affected employees' 'dignity' (see table 3 above) and thus required consultation of the works council;
  • in 2001, the French Cour de cassation (the country's ultimate appeals court) ruled that an employer cannot read personal messages sent or received by employees using a computer placed at their disposal for work purposes, without violating the fundamental liberty constituted by the right to keep correspondence secret, even when the employer has previously banned non work-related use of the computer;
  • in Italy in 2002, the Court of Milan rejected a complaint by a worker who alleged that her employer had breached the law on privacy by reading her office e-mail (on discovering e-mail entirely unrelated to the worker’s job, the employer dismissed the worker for breach of contract). The Court rejected the complaint on the grounds that the e-mail addresses allocated to employees are normal work instruments, and that the proprietorship of e-mail pertains solely to the employer; and
  • in the Netherlands (which has seen a particularly large amount of case law in this area), in 1998, the Utrecht court ruled that the constitutional right to confidentiality of the mail also applies to e-mail, even if the employee has used the e-mail employer's connection.

Guidance

Given the general paucity of specific legislation on privacy at the workplace and employees' e-mail/internet use, guidelines and opinions issued by public bodies in this area are significant in some countries. These are often the 'supervisory authority' which Member States are required to nominate by the 1995 EU data protection Directive (Article 28). Under the Directive, such supervisory bodies - which must be completely independent - should monitor the application of the provisions adopted by the Member State in question pursuant to the Directive. They must:

  • be consulted when drawing up administrative measures or regulations relating to the protection of individuals' rights and freedoms with regard to the processing of personal data;
  • have investigative powers, such as powers of access to data being processed and powers to collect the information necessary for the performance of their supervisory duties;
  • have effective powers of intervention, such as those of delivering opinions before processing operations are carried out, ordering the blocking, erasure or destruction of data, imposing a temporary or definitive ban on processing, warning or admonishing the controller, or referring the matter to national parliaments or other political institutions;
  • have the power to engage in legal proceedings where national provisions adopted pursuant to the Directive have been violated, or to bring these violations to the attention of the judicial authorities; and
  • hear claims lodged by any person, or by an association representing that person, concerning the protection of their rights and freedoms in regard to the processing of personal data.

The supervisory bodies which play this role in the EU Member States and Norway, some of which existed before the Directive came into force, are set out in table 4 below.

Table 4. National supervisory bodies on data protection
Country Body
Austria Data Protection Commission (Datenschutzkommission) (part of the Federal Chancellor's Office)
Belgium Commission for the Protection of Privacy (Commission de la protection de la vie privée/Commissie voor de bescherming van de persoonlijke levenssfeer)
Denmark Data Protection Agency (Datatilsynet)
Finland Office of the Data Protection Ombudsman (Tietosuojaviranomaiset)
France National Commission on Information Technology and Civil Liberties (Commission Nationale de l'Informatique et des Libertés, CNIL)
Germany Federal Data Protection Commissioner (Bundesbeauftragte für den Datenschutz)
Greece Data Protection Authority
Ireland Data Protection Commissioner
Italy Regulatory Authority for the Protection of Personal Data (Garante per la protezione dei dati personali)
Luxembourg National Data Protection Commission (Commission Nationale pour la Protection des Données)
Netherlands Data Protection Authority (College Bescherming Persoonsgegevens, CBP)
Norway Data Inspectorate (Datatilsynet)
Portugal National Data Protection Commission (Comissão Nacional de Protecção dos Dados, CNPD)
Spain Data Protection Agency (Agencia de Protección de Datos)
Sweden Data Inspection Board (Datainspektionen)
UK Office of the Information Commissioner

With regard to workplace privacy and ICT, as noted above, the Greek Data Protection Authority has issued a specific directive seeking to apply data protection legislation to the area of employment relationships, covering: the collection, processing and use of workers’ personal data; the transmission and protection of such data; and the protection of workers from the use of control and monitoring systems. The Irish Data Protection Commissioner has recommended that the protection of privacy in the workplace is best served through a policy statement or code of practice from the employer, 'where a balance is struck between employees’ expectations and employers' rights'. Similarly, the Norwegian Data Inspectorate has recommended that employers and employees should jointly establish procedures for monitoring of e-mails at work. In September 2000, the Danish Data Protection Agency issued a statement on legitimate reasons for monitoring of employees' e-mail/internet use by employers (see above). The Italian Regulatory Authority has specified certain cases in which it is not necessary to obtain the prior consent of the person concerned before handling personal data. This exception concerns certain public and private activities (and their employees and users), such as telematic-based communication and information services, interactive marketing (via the internet), services for commercial information and the delivery of publicity material. For each of these sectors, which are less strictly regulated than others, the Authority has drawn up codes of good practice with a view to self-regulation. France's CNIL has issued various consultation documents and reports on issue of relevance to workplace privacy and new technologies.

A number of supervisory bodies have issued detailed codes of practice on employees' e-mail/internet use. In June 2003, the UK Information Commissioner published the third part of an Employment Practices Data Protection Code, covering Monitoring at work, including employees' internet and e-mail use. The Code (which does not impose new legal obligations) aims to strike the correct balance between the legitimate expectations of employees and the interests of employers. Briefly, it provides that where employers have to monitor how staff are using computers at work, the monitoring must be open and transparent and with the knowledge of the employee. There are few circumstances in which covert monitoring is justified. Employees are entitled to expect that their personal lives remain private and they have a degree of privacy in the work environment. The Code seeks to clarify the application of the law and protect employees from unfair or excessive information-gathering in the workplace. The Portuguese National Data Protection Commission has issued detailed guidance on privacy at the workplace in relation to ICT. This includes a number of general principles, such as that: employers should inform their employees of the conditions under which the latter may make personal use of the company’s ICT, the degree of tolerance and the consequences of misuse or improper use; the data to be processed and the means used should be adjusted to the company’s organisation and production, and should be compatible with workers’ rights and duties laid down in labour legislation; and employers should favour generic control methods and avoid individual reference to personal data. The issue of internet and e-mail use is also dealt with in some detail, as set out in the box below.

Portuguese National Data Protection Commission guidance on employees' internet and e-mail use
  • It is illogical and counterproductive for employers to forbid absolutely the use of e-mail and internet access for any purpose other than work. It is desirable for employers to allow their employees to use the resources placed at their disposal with moderation and within reason.
  • Employers should establish clear, precise rules on personal use of e-mail and the internet. These rules should be based on the principles of appropriateness, proportionality, joint cooperation and mutual trust.
  • These rules should be submitted to workers and their representatives for their consideration. They should be publicised and provide clear information on the degree of tolerance, the type of control exercised and the consequences of disobeying the rules;
  • Employers do not have the right to open e-mails addressed to workers.
  • Employers are allowed to process data only if they take into account the legitimate interests of the person concerned and the rights, freedoms and privileges of the owner of the data.
  • Employers should choose non-intrusive control methods that comply with pre-defined principles and of which the workers are aware.
  • Employers should not monitor workers’ e-mails constantly and systematically, but only occasionally, and in areas that pose a greater 'risk' for the company.
  • E-mails may be monitored to guarantee the safety and performance of the system.
  • With the workers’ knowledge, employers may adopt the necessary procedures to 'filter' certain files attached to e-mails which, in view of the nature of the worker’s job, clearly indicate that e-mails are not work-related (eg exe, mp3 and image files).
  • If an employer finds that there has been disproportionate use of e-mail or the internet, the worker should be given a warning and should then be monitored, if possible by alternative, less intrusive methods.
  • Access to e-mails should be the employer’s last resort, and they should preferably be accessed in the presence of the worker in question and of a representative of the works committee. Access should be limited to the recipient’s address, the subject and the date and time sent.
  • There should be a degree of tolerance in relation to personal internet access, especially if it is out of working hours.
  • General statistics may be enough for the employer to ascertain the degree of use of the internet in the workplace, and the extent to which access by employees compromises work or productivity.
  • In order to examine the impact on cost or productivity, a worker may be monitored by counting average time online, rather than the sites visited. If there is found to be excessive, disproportionate internet use, the worker should be warned. It may be necessary to check the number of hours online (beginning and end) to prove that personal access has taken place outside working hours.

Guidelines may also be issued by official bodies other than the supervisory authorities for data protection. For example, Denmark's IT Security Council (IT-Sikkerhedsrådet- an agency within the Ministry of Science, Technology and Innovation) has published a guide on private use of the internet and e-mail at work by employees, setting out some of the considerations for companies in drawing up a policy in this area. The Council stresses the importance of company guidelines on the issue, in view of the lack of specific legislation. Though company management has the right to decide the content of an e-mail and internet policy, the Council stresses that a good policy is one that is supported by the whole organisation. In the Luxembourg public sector, the relevant Minister has issued a 'charter of good practice' for users of ICT facilities belonging to the state, which has applied since 1 January 2003 to all state employees irrespective of their status (ie civil servants, white- and blue-collar workers and trainees). It aims to set out the instructions and restrictions that all users must respect and implement, together with basic rules of courtesy and respect for others. For example:

  • users must not use ICT facilities belonging to the state to load, store, publish, disseminate or distribute data, documents, images or videos that are violent, pornographic, paedophile, racist, Nazi or contrary to the accepted standards of good behaviour, or which are likely to undermine respect for people and their dignity and the protection of minors;
  • users are forbidden to use ICT facilities belonging to the state for the purposes of harassment, threats or abuse, or generally for the purpose of violating rights;
  • e-mail users may not send messages containing personal opinions that are 'alien to their professional activity', or which might damage the state; and
  • users have access to the internet to enable them to visit websites in the performance of their duties. When using the web, their identities and the websites visited may be logged by the state. For purposes associated with statistics, quality of service and security, the state reserves the right to monitor internet traffic and carry out regular checks and audits.

Social partner views and initiatives

The issue of employee e-mail/internet use and privacy is clearly of some concern to employers and trade unions in many countries considered - though the level of interest varies and the topic does not appear to figure highly on their agendas in Greece, Luxembourg and Portugal.

At the level of individual employers, there seems to be an increasing tendency to draw up and apply policies on employees' use of company e-mail and internet facilities (in some cases based on agreement with workplace employee/union representatives - see below), as in countries such as Austria, Denmark, France, Germany, Ireland, Norway and the UK. The need for such policies stressed by some court cases (see above) may increase the pressure to draw them up. In general, employers' organisations - eg in Belgium, Ireland and the Netherlands - tend to stress issues such as the need and the prerogative of employers to monitor employees' activity in this area, on grounds such as: the possible damaging consequences of misuse for the company; the fact that employees are meant to be working during their working hours; and the fact that the equipment and facilities concerned are the employers' property. Employers' organisations in some countries - such as Norway, Spain (where employers are keen to promote regulation by agreement) and the UK - are concerned about the lack of clarity in the legal situation. The UK's Confederation of British Industry (CBI) has criticised the Information Commissioner 's new code on monitoring at work (see above), intended to clarify the situation, as 'confusing' and insufficiently addressing business concerns. By contrast, Austrian employers are reported as in many cases appreciating the freedom provided by a current vagueness of regulation, while German and Swedish employers' bodies are generally happy with the current legislation and opposed to changes in this area. The situation in Italy is different - Confindustria, the main employers' confederation, maintains that current regulations are excessively protective of workers’ right to privacy, and that this is detrimental to entrepreneurship and business development. The obligations imposed by law have increased costs for companies and reduced their competitiveness with respect to those in other countries. The procedures should be streamlined, and adjustments made so that interests are more evenly balanced.

In a number of countries, employers' organisations have drawn up codes of conduct or guidelines related to privacy and e-mail/internet use at work. For example:

  • in February 2003, the Movement of French Businesses (Mouvement des entreprises de France, MEDEF), circulated guidelines to its members, setting out the powers and responsibilities of employers in this area, dealing with both individual employment relations and the position of employee representatives and unions;
  • the Irish Business and Employers Confederation (IBEC) has advised members companies which have electronic communications to 'put a thumb tack policy in place setting down procedures for the use of e-mail and the internet. These should define who can have access to the internet, the extent that it can be used and under what circumstances it can be used. It should also outline the action that will be taken in the event of breaches in company procedure';
  • in 2001, Italy's Confindustria drew up guidelines on the use of information technologies in the workplace;
  • the Confederation of Netherlands Industry and Employers (Vereniging Nederlandse Ondernemers-Nederlands Christelijk Werkgeversverbond, VNO-NCW) - the largest Dutch employers’ organisation - has published a model code for workplace e-mail and internet use; and
  • the Confederation of Norwegian Business and Industry (Næringslivets Hovedorganisasjon, NHO) has developed guidelines for member companies on how to deal with privacy at the workplace.

Trade unions in many countries are concerned that the current relationship between employees' privacy rights and employer monitoring rights is unbalanced, with the latter unfairly privileged. Trade unions are calling for clearer rules in this area and restrictions on employer monitoring in countries such as Austria (where EU legislation is seen by unions as the main hope of action in this area), Denmark, France, Germany, Ireland, Norway, Spain, Sweden and the UK.

Reflecting their concerns over privacy and employee internet/e-mail use, trade unions have undertaken a number of initiatives in this field. The fact that these issues particularly affect groups such as technical, professional or managerial staff, or specific sectors (such as ICT and telecommunications) is sometimes reflected in the activity of trade unions representing these employees. Initiatives include:

  • setting up working groups or committees to examine the issue - as with the Confederation of Salaried Employees and Civil Servants in Denmark (Funktionærernes og Tjenestemændenes Fællesråd, FTF) and the Norwegian Confederation of Trade Unions (Landsorganisasjonen i Norge, LO) - or launching campaigns - as with the UK/Irish Amicus-MSF technical workers' union;
  • drawing up proposals for new legislation in this field, as with France's General Confederation of Labour (Confédération générale du travail, CGT) and the Confederal Union of Managerial Staff (Union confédérale des cadres) affiliated to the French Democratic Confederation of Labour (Confédération française démocratique du travail, CFDT);
  • promoting the regulation of this topic through agreements - eg at company level in the case of Germany's United Services Union (Vereinte Dienstleistungsgewerkschaft, ver.di) or at national instersectoral level in the case of France's General Confederation of Labour-Force Ouvrière (Confédération générale du travail-Force Ouvrière, CGT-FO); and
  • related to the previous point, issuing and promoting model company agreements or codes of practice on e-mail/internet use. For example, the UK/Irish Amicus-MSF has drawn up a 'model e-facilities agreement ' and draft code of practice for the protection of privacy at work, while the Dutch Trade Union Federation (Federatie Nederlandse Vakbeweging, FNV) has created a model privacy code as a tool for works councils (along with codes of conducts on privacy-related issues such as sickness monitoring and medical testing) and its affiliated Allied Unions (FNV Bondgenoten) has produced a protocol on internet and e-mail use.
UNI code of practice on on-line rights at work

Trade unions have also focused on the issue of workplace privacy and internet/e-mail use at international level. Notably, UNI, which brings together white-collar and private service sector workers' trade unions from around the world (including unions in the ICT sector), has been active in campaigning in the area of employees’ 'on-line rights' since at least 1998. In November 2000, it hosted a conference in Brussels, in collaboration with Flemish Royal Academy of Belgium of the Arts and Sciences, on the legal and practical issues raised by the use of electronic media at work. At the conference, union participants called for an end to the surveillance of workers’ e-mail, and for a right for workers to contact their trade union from their work station. Based on the contributions made at the conference on the issue, and on the experience of companies and unions that have already implemented 'electronic facilities' agreements, UNI drew up a code of practice on on-line rights at work, designed to 'establish an internationally recognised yardstick of what constitutes good practice'.

The code is in four parts:

  1. Trade union communication. Works councils and/or trade unions and their representatives should have the right to access and use enterprise electronic facilities for works council/trade union purposes, both internally and externally. This includes the right to send relevant information to all employees. Employees should have the right to use enterprise electronic facilities to communicate with their trade unions and/or works council and their representatives. This part of the code seeks to extends to electronic means of communication the provisions on workers’ representatives' facilities contained in the 1971 ILO Convention No. 135 and Recommendation No. 143. It notes further that the nature of communication has changed, with employee representatives in different branches of a multinational company now needing to be able to cooperate and coordinate work across international borders. Moreover, an increasing number of employees are working from home, from remote telecentres or on the move.
  2. Non-business communication. Employees should be permitted to use enterprise electronic facilities for non-business purposes, both internally and externally, provided that this is not detrimental to their work responsibilities.
  3. Monitoring and surveillance of communication. The employer should be obliged to undertake not to subject employees’ use of the enterprise's electronic facilities to clandestine surveillance and monitoring. Communication should be subject to surveillance and monitoring only if: this is permitted by collective agreement; the employer is legally obliged to do so; or the employer has reasonable reason to believe that an employee has committed a criminal offence or serious disciplinary offence. Access to surveillance and monitoring records relating to individual employees should take place only in the presence of a trade union representative or a representative selected by the employee. UNI states that these provisions take into account the various international and European law and guidelines on the issue of workplace privacy (see above).
  4. Conditions for use of electronic facilities. Employees’ rights to use enterprises' electronic facilities should be subject to a number of conditions, as follows: communication must be lawful and not include defamatory or libellous statements; enterprises' electronic facilities shall not be used as a means of sexually harassing other members of staff or spreading offensive comments based on an individual’s gender, age, sexuality, race, disability or appearance, or knowingly to visit websites promoting pornography, racism or intolerance; and the employer can require a disclaimer when employees are communicating internally and externally, making clear that the views expressed are those of the author alone and not those of the enterprise.

Only in Belgium (and to some extent Denmark and Norway - see below) does it appear that the views of the social partners on the need for, and content of, regulation in this area have coincided sufficiently for a major joint initiative - the 2002 national agreement on protection of employees' on-line privacy (see above). The issue also does not seem to divide the social partners in Finland, where recent legislation has regulated matters in a detailed way.

Collective bargaining

In most countries considered, there is generally little reference in collective bargaining to the issue of protecting privacy at the workplace, either in general or in relation to the use of e-mail and the internet. This is especially true of bargaining at multi-employer level, and where joint regulation of this matter exists, it generally occurs at company level, either through agreements or through the exercise of the co-determination rights of works councils or other workplace employee representatives.

Despite the general lack of multi-employer bargaining on privacy and e-mail/internet use, there are exceptions. At national intersectoral level, the most notable and specific example is Belgium where, as seen above, a 2002 national collective agreement (No. 81) governs the protection of employees' private lives with respect to controls on electronic online communications data (while earlier agreements covered matters such as workplace video monitoring). On more general privacy/monitoring issues, in Norway, the central 'basic agreement' between the Norwegian Confederation of Trade Unions (Landsorganisasjonen i Norge, LO) and the Confederation of Norwegian Business and Industry (Næringslivets Hovedorganisasjon, NHO) contains a supplementary agreement on monitoring activity in enterprises (there are similar rules in other basic agreements between social partner confederations). The supplementary agreement stipulates a wide range of conditions under which monitoring and control measures may be implemented by the employer, emphasising the principles of objectivity and proportionality. Furthermore, measures should not discriminate between employees or groups of employees, and thus must be applicable to all. The introduction of such measures should be discussed - though negotiations are not required - with trade union representatives as early as possible prior to implementation. Employees should also receive notice of the proposed measures before they are implemented (on the objective of monitoring, its consequences etc). Union representatives should also be consulted with regard to the handling and registration of the information acquired through such monitoring. The agreement also refers to the Act relating to the processing of personal data. If the provisions of the agreement are ignored prior to the implementation of measures, the measures may be deemed unlawful by the Labour Court. It is assumed that the agreement does not apply in cases where there are suspicions of criminal acts such as fraud or theft.

Similarly, in April 2001 the Confederation of Danish Trade Unions (Landsorganisationen i Danmark, LO) and Danish Employers’ Confederation (Dansk Arbejdsgiverforening, DA) agreed a supplement to their 'basic agreement', which concerns the new control initiatives at the workplace. It states that any new control arrangements or mechanisms at the workplace must be announced at least two weeks prior to their introduction. Finally, and very generally, in Greece the National General Collective Agreement refers to protection of personal integrity stating that: 'the contracting employer organisations underscore to their members the obligations for enterprises arising from the legislative framework as regards the protection of the individual relative to matters of a personal nature, aimed at protecting workers’ personal integrity'.

Provisions on privacy and e-mail/internet use in sectoral collective agreements are very rare, with the most relevant example being a framework agreement concerning private e-mail use at the workplace signed by the service sector section of the Union of Commercial and Clerical Employees in Denmark (Handels- og Kontorfunktionærernes Forbund, HK) and the Danish Commerce and Service (Dansk Handel & Service, DHS) employers' association. The aim is to provide a model which can be used by companies to establish a policy on employees’ use of e-mail. Thus is the only known Danish agreement on this topic at present, but it may be developed or copied in other sectors. Elsewhere, only in Italy and the Netherlands are any sectoral agreements reported, and these refer to more general privacy matters. In the Netherlands, the agreement for public transport has an annex containing a model privacy code, while several collective agreements state that employers, when they register sickness absence, should take measures to safeguard employees' privacy. In Italy, some sectoral agreements (notably for chemicals, metalworking, banking/insurance and commerce) make explicit reference to the data protection legislation, and in particular to the protection of 'sensitive' personal information (especially about workers’ state of health). It is thought likely that privacy issues will be widely addressed in the next round of sectoral bargaining.

It is at company/workplace level that joint regulation of employees' privacy and in some cases internet/e-mail use is most common. In some countries - such as Austria, Belgium, Germany, the Netherlands, Norway, Spain and Sweden - bargaining or consultation on at least some aspects of the issue is promoted by legislation (or central agreements) giving works councils or other workplace representatives powers in this area (see table 3 above). At least some company/workplace-level bargaining of relevance is reported from the countries mentioned, as well as from all other countries apart from Finland, Greece, Italy, Luxembourg, Portugal and the UK (where there are some agreements on more traditional privacy issues such as searching individuals or their lockers, and evidence of more informal company-level regulation of ICT-related privacy matters). However, the extent to which such joint regulation is widespread is often hard to assess. Agreements with works councils or local union representatives are reported from a number of countries, but it is not known how many of them there are. For example:

  • in Austria, according to the Union of Salaried Employees (Gewerkschaft der Privatangestellten, GPA), there is a range of works agreements dealing with relevant privacy issues in all sectors. These agreements vary significantly in the quality of their content, depending on the power and goals of the works councils concerned;
  • in Belgium, 'codes of conduct' regarding the use of new communication technologies and the employer's right of control have been agreed by works councils, within the framework set by the 2002 national collective agreement on the issue;
  • in Denmark, agreements on employees' private use of the internet and e-mail have been negotiated at company level by union representatives and cooperation committees;
  • in Ireland, there are reportedly a number of local-level collective agreements on relevant issues;
  • in Norway, the supplementary agreement on workplace monitoring between LO and NHO provides for company-level agreements on the implementation of control and monitoring measures (if agreement is not reached, disputes may be referred to the social partner confederations), but there is no information on the extent of such agreements; and
  • in Sweden, based on the co-determination legislation (see table 3 above), company policies, guidelines and recommendations concerning internet and e-mail use are often decided in cooperation with local unions.

More specific information is available from only a few countries. In France, company policies on internet/e-mail use ('information charters') have in some cases been agreed with employee representative bodies (such as works councils). An example is the the Renault group’s July 2001 'charter on the correct use of data technology, electronic and digital resources', which was endorsed by the company and group works councils. The charter sets out the rules governing the use of the group’s various collectively accessible ICT resources. Company-level bargaining involving trade unions has been more active in other aspects of the use of new technologies, especially in terms of access for union officials and members to corporate information and communication resources. The conclusion of such agreements has increased rapidly in 2002 and 2003 - usually in larger companies such as VediorBis, EADS, Orange, BNF and COGEMA- following precedents set previously, for example by an agreement signed at Alstom in 2001, which included provisions on trade union access to the company's internal communication networks (FR0109105F).

In Spain, there is some limited company-level bargaining on employee internet and e-mail use, mainly in the finance and telecommunications sectors, with examples including an agreement at Ericsson. As in France, electronic facilities for trade unions have been an issue for company agreements. Notably, in May 2002 a significant agreement was reached at Barclays Bank SA between management and the Trade Union Confederation of Workers’ Commissions (Comisiones Obreras, CC.OO). It enables CC.OO's national banking section to inform and communicate with employees, giving it an e-mail account with a direct channel to employees' personal accounts. The union is responsible for the content and proper use of its messages (which are subject to volume restrictions) and has committed itself to decreasing progressively its other means of information, such as notice boards and information sheets. Employees may use their e-mail account to communicate with the union, and the company has agreed to respect the confidentiality of communications.

Commentary

Against the backdrop of increasing use of new technology, and particularly of e-mail and the internet, in the employment context, the frontier between private life and work life is becoming increasingly blurred. The use of new technology at the workplace must therefore be examined as part of a broader context incorporating respect for privacy and the protection of personal data in a work setting.

At EU level, the issue is high on the agenda from both a legislative and an industrial relations point of view. The European Commission is now planning to propose a specific Directive establishing a regulatory framework governing the issue of the protection of workers’ personal data, building on general data protection legislation. The European social partners were invited to negotiate on this issue during the preparatory phase of this initiative, but apparently without success. At international level, the ILO has drawn up a code of practice on the protection of workers' personal data, while a global trade union body, UNI, has issued a code of practice on on-line rights at work.

Examination of the various national situations as regards this issue in the EU Member States and Norway allows us to draw some conclusions. As far as the use of new technology at the workplace is concerned, it is important to distinguish: on the one hand, the issue of the use of these new facilities by workers, and the opportunity for these workers to use them for private reasons; and, on the other hand, the issue of the monitoring and surveillance of workers by the employer. Both of these questions are governed both by 'a priori' measures - ie by the regulatory framework (which varies from country to country in the restrictions it imposes) - and 'a posteriori'- ie through the courts.

First of all, a priori, the principle of the use by workers of the internet and e-mail for private purposes is not regulated at national level, either by legislation or by collective agreements - in other words, there are no regulations permitting or preventing workers using the internet or e-mail at work. Usually, it is at the discretion of individual employers to permit or forbid the use of this technology at the workplace for private reasons. The idea that employees should be entitled to at least reasonable personal use of their employers' internet and e-mail facilities is raised only in a few guidelines from national regulatory bodies such as Portugal's National Data Protection Commission, or in trade union codes of practice or model agreements at international (notably the UNI code) and national level, or in individual company policies - or more rarely company agreements.

Where employees are permitted, explicitly or implicitly, to use workplace internet and e-mail facilities for private reasons, then a modus operandi for such use may be laid down in codes of practice and policies, drawn up by regulatory authorities (eg in Portugal), employers' organisations (eg in France, Italy and the Netherlands) or individual employers (eg in Austria, Denmark, France, Germany, Ireland, Luxembourg, Norway and the UK), or proposed by trade unions (eg in Ireland and the Netherlands) - and, less commonly, laid down in company agreements.

Measures that a priori regulate the monitoring and surveillance of workers' use of new technology are primarily based on a body of law in each country, made up of: general (often constitutional) provisions relating to respect for privacy and the secrecy of correspondence; personal data protection provisions; and, less extensively, workplace-specific privacy provisions. While general privacy and secrecy provisions may often be assumed to cover internet/e-mail use, this is rarely explicit. With regard to personal data protection, most national measures implement the EU Directive (95/46/EC) on the issue and thus have implications for the employment relationship. However, specific legislation applying data protection rules to the employment context is rare, with the main example being Finland (plus France, Greece and, to some extent, Portugal). Beyond data protection, some general protection of workers' privacy is provided by law in countries such as France, Belgium (a national collective agreement), Italy and Portugal. The specific issue of video surveillance and monitoring at the workplace is regulated by legislation in countries such as Belgium (national collective agreement), Denmark and France. In some cases, works councils or other workplace employee representatives have powers over the introduction and/or use of monitoring equipment. Agreement or co-determination is required in Austria, Germany, Luxembourg, the Netherlands and Sweden while information and/or consultation is required in Belgium, Denmark, Finland, Norway and Spain. Specific legislation on the monitoring of employees' e-mail and internet use exists only in Belgian (national collective agreement) and, to a lesser extent, Denmark and Germany. New legislation in this area is under debate in countries such as Finland, Germany, Norway and Sweden.

Outside the field of legislation, employer surveillance and monitoring of employees' e-mail and internet use has been the subject of guidance or codes from regulatory authorities in countries such as Denmark, Greece, Portugal and the UK. It is also dealt with in codes of practice and policies drawn up by various employers' organisations or individual employers or proposed by trade unions (eg the UNI code). This is also an issue regulated by the little multi-employer bargaining which relates to employee e-mail and internet use (eg in Belgium, Denmark and Norway) and in company agreements on the matter.

Turning from the 'a priori' regulatory framework, to the 'a posteriori' role of the courts, the key question dealt with in case law is the link between the employer’s right to monitor and respect for workers’ privacy. In practice, the courts are often called on to rule on both whether or not the dismissal (or disciplining) of a worker for 'improper' private use of e-mail or the internet is justified, and whether or not an employer’s intrusion into the worker’s private life is justified. In some countries, such as Spain, these issues appear to be becoming increasingly 'judicialised', and in some countries, case law has become an essential source of law for the regulation of disputes associated with the use of new technology at the workplace.

Examination of the internet/e-mail use cases that have reached the courts in the various countries under examination indicates that rulings sometimes go the way of the employers and sometimes the way of the workers - this varies from country to country, but also within a given country. However, some of the criteria used in assessing the cases appear to be recurrent. The first criterion is whether or not the employer concerned has a written policy on the private use of e-mails and the internet at the workplace - if not, the decision will probably be in favour of a worker complaining of unfair dismissal, on the grounds that the employer had no stated policy on the issue, or the policy was not clear enough. However, whether the use of new technology for private reasons is permitted or not, some situations will usually result in the worker’s dismissal being regarded as fair - for example: if e-mails or webpages visited are pornographic, discriminatory, obscene or violent; if the use of e-mails or the internet for private purposes is done improperly, or leads to a serious loss of working time; or if the messages sent are tantamount to an attack on other people, or constitute harassment. In such a posteriori situations, the role of the trade unions will consist of supporting and defending workers involved in court cases.

Individual employers in many countries (eg Austria, Denmark, France, Germany, Ireland, Norway and the UK) seem increasingly aware of some of the issues raised by employee internet/e-mail use, and a number of employers draw up and apply policies in this area (though the extent of this practice is not known). However, at the level of employers’ associations and trade unions, interest in these matters appears to vary considerably, and few see them as a major priority. Among national instersectoral employers' organisations, there has been some activity in drawing up codes of conduct or guidelines for their member companies, as in France, Ireland, Italy, the Netherlands and Norway. One factor which seems to focus the attention of employers' organisations on workplace privacy and internet/e-mail use issues is the prospect of legislation in this area, as currently discussed in Germany, Norway and Sweden, or of regulatory guidance, as recently in the UK, with employers keen to protect their prerogatives.

Trade unions, while generally promoting workers' privacy rights, rarely give the topic the highest priority, but like employers' organisations may be spurred into action by the prospect of legislation. Unions representing technical, professional or managerial staff, or sectors such as ICT and telecommunications, may tend to take a greater interest in workplace internet/e-mail use issues - an example being UNI and its affiliates - for example, launching campaigns and promoting codes of practice or model agreements.

The issue of protecting privacy at the workplace, either in general or in relation to the use of e-mail and the internet, is rarely addressed in collective bargaining (especially above the individual enterprise level). At intersectoral level, Belgium has a notable agreement on workers' privacy related to electronic online communications data (plus other privacy-related central agreements), while some more general privacy provisions can be found in central agreements in Norway, Denmark and (to a lesser extent) Greece. At sectoral level, there is one specific agreement on workers' e-mail use in the Danish service sector, plus a handful of less specific privacy provisions in some Dutch or Italian agreements. It is at company/workplace level that joint regulation of employees' privacy and in some cases internet/e-mail use is most common, either through agreements or through the exercise of co-determination rights by works councils or other workplace employee representatives. Some such bargaining is reported from countries such as Austria, Belgium, Denmark, France, Germany, Ireland, the Netherlands, Norway, Spain and Sweden, though the extent to which such joint regulation is widespread is hard to assess.

To sum up, the various roles taken by trade unions and employers’ associations in relation to workers' privacy and internet/e-mail use are principally as follows:

  • in some countries, union representatives (along with works councils etc) are informed, consulted or entitled to negotiate over the installation or use of measures for monitoring workers;
  • the social partners rarely conclude collective agreements on this issue, though this is slightly more common between enterprise/workplace-level union representatives (along with works councils etc) and management;
  • in a number of countries, trade unions and employers’ associations are invited to comment on draft legislation or guidance on relevant issues, and they sometimes formulate proposals and recommendations;
  • in some cases, employers’ associations or trade unions have drawn up codes of practice or similar documents relating to the use of new technology at the workplace and/or the monitoring by the employer of workers, which may be important where the regulatory framework is unclear; and
  • trade unions give members assistance in court cases arising from alleged 'improper' workplace use of e-mail and the internet for private reasons.

(Catherine Delbar, Marinette Mormont and Marie Schots, Institut des Sciences du Travail)

Page last updated: 12 August, 2003
About this document
  • ID: TN0307101S
  • Author: Catherine Delbar, Marinette Mormont and Marie Schots
  • Country: EU Countries
  • Language: EN
  • Publication date: 12-08-2003