Employer access to employee emails curtailed
On 1 March 2009, new provisions regulating employers’ access to employee emails came into effect in Norway. Under these provisions, employers may access employees’ emails if it is deemed necessary for the daily operations of the company, or if they suspect that the employee is breaching their contractual obligations. The adopted provisions differ somewhat from the proposal that was issued for consultation in the autumn of 2006.
New regulations came into effect on 1 March 2009 regulating Norwegian employers’ access to their employees’ emails. The new provisions are incorporated into Chapter 9 of the existing ‘Administrative provisions on the protection of individuals with regard to the processing of personal data’ (Personopplysningsforskriften).
Calls had been made for changes to the existing regulations for a long time, including from the Data Inspectorate (Datatilsynet) (NO0510102F). Prior to this regulation, management’s right to access and read email correspondence to and from their own employees was regulated by the general provisions under the Act relating to the processing of personal data (Lov om behandling av personopplysninger). The new administrative provision seeks to improve and clarify the legal framework in this respect.
The Ministry of Government Administration and Reform (Fornyings og administrasjonsdepartementet, FAD) originally issued a proposal for new regulations for consultation in the autumn of 2006. The proposal met with significant resistance from employers (NO0702029I), as they argued that it did not take into account the fact that the computer equipment is provided by the employer and is not intended for private use. Furthermore, the 2006 proposal did not give the employers any general permission to access emails as part of the day-to-day running of the company. Access was only allowed if the employee was absent without notice or where a suspicion arose of criminal activities or disloyalty.
Details of new provisions
The recently adopted regulations differ somewhat from the original proposal. Their main provision, however, remains the same: the employer does not have the right to access emails in the employee’s personal inbox, unless they have justified reasons for doing so. The same applies to accessing information from the employee’s personal folders within the company’s internal computer network.
An employer is only permitted to search, open or read emails in the employee’s inbox if:
- it is considered necessary for the day-to-day running of the company;
- can be justified by other legitimate interests of the business;
- it is suspected that the employee’s email activities may be violating the basic duties arising from their employment contract.
Moreover, the employee is entitled, as far as possible, to be notified and given an opportunity to respond before the employer accesses the email information. They should also be allowed to be present when the emails are being accessed and to be represented by a trade union representative. Of course, where access is requested on the basis of suspicion of serious breaches to duties arising from the employment relationship, an early warning may provide the employee with the opportunity to delete data that may prove their guiltiness. To prevent this from occurring, the employer may therefore make a copy of the appropriate areas of the computer network which is to be subject to inspection before the employee is notified.
Reaction of social partners
Although the Norwegian Confederation of Trade Unions (Landsorganisasjonen i Norge, LO) seems to be satisfied with the new regulation, the employee side as a whole is critical of the provisions. On the employer side, the Confederation of Norwegian Enterprise (Næringslivets Hovedorganisasjon, NHO) believes that it is a step in the right direction to grant employers access to employees’ emails under certain circumstances, but argues that the situation has now been turned upside down. In NHO’s opinion, email should be regarded as a work tool belonging to the employer and, as such, the property of the employer. The regulatory framework is, according to NHO, too strict and time-consuming, and it fears that many companies will not have the knowledge or the resources to comply with it. NHO argues that if the employee has a need for a private email, they can easily set up their own external email account on the internet.
Kristin Alsos, Fafo Institute for Applied Social Science