Monitoring of Employee Computer & E-mail Usage – Some Major Differences Between Germany and the United States
The German Practice Alert
November 18, 2013
In recent years, German employers have had to cope with an increasing number of data privacy rules in Germany which try to resolve a perceived conflict between legitimate business interests of the employer and privacy rights of the employee.
Under German law, if an employer permits Internet use only for business purposes, the employee’s constitutional right to “informational self-determination” is protected by the German Federal Data Protection Act (Bundesdatenschutzgesetz). Under that law, data collection, processing, and use is generally only admissible if the statute specifically allows it or if the employee has given his or her prior consent. For example, the employer has the right to monitor randomly the employee’s Internet use to ensure compliance with the prohibition of Internet usage for private purposes. However, permanent and automatic monitoring is not allowed and would be considered an infringement of the employee’s privacy rights. If Internet usage and emails are recorded for the purpose of data protection or backups for business purposes, such data can be used for such purposes only. An exploitation of these data for the control of the conduct and performance of the employee is not allowed. With respect to e-mails, the employer has the right to monitor only business related e-mails, not private e-mails.
If the employer specifically allows Internet use for private purposes, the German Telecommunications Act (Telekommunikationsgesetz) is also applicable. In this instance, the employer is considered a provider of telecommunications services and has to respect the employee’s right to secrecy of telecommunications. Infringements of that right are punishable. Therefore, generally, monitoring of allowed or tolerated private Internet use is prohibited. However, the employer may make the private use of the Internet conditioned upon random (but not permanent) monitoring. This approach is legitimate to the extent the employees are informed about this condition in advance In addition to the statutory data protection provisions, German corporations also often sign agreements with the company’s works council (Betriebsrat) relating to data protection.
German employers with operations in the United States will find the U.S. legal landscape regarding employee data protection significantly more employer friendly:
Employee e-mail and computer usage monitoring is a fairly common and accepted practice in the United States and U.S. employees generally have very limited privacy rights in data accessed or created through corporate-owned hardware or software. Generally, employee computer use monitoring is legally acceptable from both a privacy and criminal perspective. While the more prudent and defensible practice is to notify the employee of such monitoring in advance (and advise of the absence of privacy rights in data created or transmitted on corporate systems), U.S. courts do not require this and it is (with few exceptions) not statutorily required. U.S. law generally allows private sector employers to legally monitor their employees’ use of any computer systems provided and owned by the company, both with or without notice. However, U.S. law is being interpreted (and sometimes modified) continuously, so it is important to stay informed about state and federal legislation and court decisions for any changes. In the absence of statutory regulations regarding monitoring of e-mails, the main source of guidance regarding the employees’ privacy rights are the employer’s employee manuals and policies concerning employee monitoring, privacy rights and data access/ownership. Usually, such manuals, policies (and also employment agreements) provide that all data created, received and sent by employees using company systems, whether for business or personal use, belongs to the employer and is subject to monitoring and that employees should not have any expectation of privacy. Only if these policies are poorly worded, ineffectively disseminated or not effectively enforced, can employees (potentially) invoke a reasonable expectation of privacy claim.
Overall, German employers doing business in the United States should consider and account for the significantly different view of U.S. employee privacy rights and understand the extent to which U.S. laws and courts permit monitoring of employee computer usage and limitations on employee privacy.