Employers may be violating privacy laws when accessing employees’ e-mail

In October 2005, the Norwegian Data Inspectorate filed two formal complaints against companies for allegedly breaching the Act relating to the processing of personal data. In both cases, the main charges relate to management’s right to access and read e-mail correspondence to and from their own employees.

During October 2005, the Norwegian Data Inspectorate (Datatilsynet) filed two formal complaints against companies for allegedly breaching the Act relating to the processing of personal data (Lov om behandling av personopplysninger). In both cases, the main charges relate to management’s right to access and read e-mail correspondence to and from their own employees. This issue is, according to the Data Inspectorate, becoming an increasing problem in Norwegian working life. A recent study carried out by the Institute of Transport Economics (Transportøkonomisk institutt, TØI), on the other hand, suggests that the general attitude of the Norwegian population is that the right to privacy is well protected in Norway, including in working life.

Background

The Data Inspectorate, which is an independent administrative body or watchdog, is receiving an increasing number of inquiries and complaints about the monitoring and control of e-mail correspondence by employers. It is a problem that is expected to increase in the future, unless something is done to clarify the legal framework (TN0307101S). At the heart of the matter lies the problem of finding the right balance between safeguarding the right of employees to privacy at the workplace, while at the same time protecting the employers’ prerogatives in relation to the day-to-day running of a company. The Data Inspectorate is vested with the responsibility of enforcing the Act relating to the processing of personal data. The purpose of this Act is to protect people from violation of their right to privacy (at work as well as in other social spheres). The Inspectorate is also vested with the authority to develop administrative provisions to supplement and strengthen the Act's provisions.

The e-mail issue has been on the agenda on previous occasions, most recently in connection with the work carried out by a committee considering a reform of work environment legislation (NO0403102F). However, the cases brought by the Data Inspectorate represent the first time that steps have been taken to have the matter tried legally. The Data Inspectorate has long called for changes in this area, and has undertaken to develop new administrative rules to support the existing Act. Thus, the filing of charges with the police and the introduction of new administrative procedures should be seen as an attempt to improve and clarify the legal framework in this area.

Two complaints on privacy breaches filed

In October 2005, the Data Inspectorate filed complaints against two companies suspected of breaching the Act relating to the processing of personal data. Both cases concern the employer’s right to access to employees e-mails correspondence. The first charge was filed against the Norwegian Society for Sea Rescue (Redningsselskapet, NSSR), following complaints made by employees and their trade unions about the alleged mishandling of both the private e-mail correspondence of individual employees as well as correspondence between shop stewards in the company. In one case, the content of these e-mails was used as evidence in an ongoing disciplinary dispute within the company.

In the second case, involving the state-run wine and spirits retailer, Vinmonopolet, the employer gained access to employees’ e-mails (and their content) in connection with an internal investigation of possible corruption among its employees.

The Data Inspectorate states in both cases that: the companies have indiscriminately accessed employees e-mails without giving due consideration to whether or not correspondence is private or company-related; they have not developed sufficient internal procedures for the handling of private information; and the employees (and shop stewards) concerned have not been properly informed of the activity. In the case of Vinmonopolet, however, it is emphasised that while the employer indeed had a vested interest in gaining access to e-mails, the way in which it was carried out was disproportionate to the objective of doing so. In its response to the complaint, NSSR claims that the monitoring of e-mails has been necessary because of disloyal behaviour, and has been carried out in accordance with the legal framework. Vinmonopolet have yet to respond to the charges. It is now up to the police to investigate the matter further.

Survey of attitudes towards privacy issues

Despite the concerns raised by the independent Data Inspectorate watchdog, the attitude towards these issues in the population at large seem to be relatively relaxed. In a recent survey carried out in September 2005 by the Institute of Transport Economics, commissioned by the Data Inspectorate and Ministry of Modernisation (Moderniseringsdepartementet), a large majority of respondents feel that their personal privacy (and information containing personal information) is well protected in Norway, also in relation to their professional life. A large majority (84%) state their confidence in the employer’s ability to handle private or personal information in a responsible manner. People are in fact willing to go relatively far to allow their employer or management access to personal or private information. More than 70% of respondents state that they make allowance for their employer gaining access to information about to whom they send and receive e-mails. Similarly, a majority (70%) are also favourably inclined towards accepting employer access to information about their website visits. The only area in which some reluctance is detectable is allowing the employer insight into the content of e-mails. Almost 60% of the respondents find it difficult to allow the employer such a right. No distinction is drawn in the survey between the private and company-related e-mail correspondence. Broken down by age and income, it appears that it is the youngest (those aged between 15 and 29) and lowest paid employees that are most opposed to allowing their employer access to information about their e-mail correspondence. On the issue of allowing the employer access to the content of e-mails, however, these differences are less clear.

Commentary

The complaints made by the Data Inspectorate are significant in that they are seen to be a first step in the direction of drawing up a clearer line between the right of employees to privacy and employers’ prerogatives in relation to the use of e-mail at work. This may be seen as an a issue of principle, and it will not come as a surprise if at least one of the cases is taken further in the judicial system. Legal precedents in this area are still weak. The issue has been touched upon in a previous Supreme Court ruling, dating from 2002. In this case it was established only that employers have a right to access company related e-mail correspondence, which may be used as evidence in court, but it was emphasised in this ruling that a distinction had to be made between private and company-related e-mails. The Court ruling did not, however, go on to define a line between private and company-related correspondence.

The lack of clarity in this area of privacy law is the reason why these two cases have emerged. In its report following inspections in the two companies, the Data Inspectorate emphasises the fact that both companies have sought external legal support and advice in the process of gaining access to the e-mails, and as such one may argue that both companies have acted in good faith.

The issue has been on the agenda for some time, and it seems that it is increasingly becoming a problem in working life. The Norwegian Confederation of Trade Unions (Landsorganisasjonen i Norge, LO) receives regular inquiries and complaints from their members about possible illegal practices by employers in this area. To meet this challenge, the Confederation of Norwegian Business and Industry (Næringslivets Hovedorganisasjon, NHO) has developed guidelines on the handling of personal information, including e-mail correspondence, for its member companies.

The Data Inspectorate is presently developing new administrative provisions in this area, which is one of the reasons why further legal efforts have not been taken to strengthen the legal framework. (Håvard Lismoen, FAFO Institute for Applied Social Science)