It is not uncommon for employers to want to inspect company emails sent by their employees, current or former. This wish may come up if, for instance, a suspicion exists that an employee committed fraud, stole know-how, or was involved in a breach of competition law. Another reason to want to inspect email is its potential relevance in substantiating or, in fact, defending legal claims.
The employer’s right to monitor company email is not without limits. It is a legal presumption that employees are entitled to some degree of privacy even in a professional working environment. In this blog, the author will set out when employer monitoring of company emails is justified.
What are the facts of the matter?
On 28 December 2021, the ‘s-Hertogenbosch Court of Appeal ruled on the lawfulness of an employer's inspection of company emails sent by an employee. The employer, incidentally, goes by the very apt name of Access World.
The matter arose before the GDPR took effect, so the legal framework on which the Court of Appeal based its ruling was the predecessor of the GDPR, the Personal Data Protection Act [Wet bescherming persoonsgegevens - Wbp for short] and Article 8 of the European Convention on Human Rights (ECHR). Nonetheless, the GDPR has not given rise to an material change in the possibilities - or impossibilities - of employers to monitor employees’ email, which makes the ruling relevant for GDPR purposes as well.
As it was, Access World decided to read the appellant's company email because it wanted to acquaint itself with progress in a number of dossiers in order to complete them. The appellant had previously given consent to Access World to monitor her company email. The employer read the email on 8 and/or 9 June as the appellant had been released from the obligation to perform work with effect from 8 June 2017 and would not return to Access World.
The parties are in agreement on the following:
- The email messages in question are - in any event protected by Article 8 ECHR, which protects the right to private life, even in the situation where the communications were sent from the employer's place of work
- Essentially, an employer is only allowed to monitor an employee's email if the employee has (or could have) been made aware that his/her email is subject to monitoring by the employer (from staff rules, for example, or from a clause in the employment contract), if there is a legitimate business justification, and the proportionality principle has been satisfied
- There may be circumstances where monitoring an employee's email content may be deemed admissible, even if that employee has not (or could not have) been aware that his/her email may be subject to monitoring
In the case before us, the Staff Handbook included the following passage: “All users of the internet and email facilities are expected to act with integrity and professionalism. The employer may monitor the content of internet and email use if there is a suspicion that their use violates the rules set out in the IT Policy Code of Conduct”.
It follows that awareness of the possibility of email monitoring did exist. However, the only possible ground for monitoring would be a suspicion that the appellant had acted in violation of the IT Policy Code of Conduct. No such suspicion had arisen in this case, though.
Therefore, the Court of Appeal held that there was no legitimate justification for the employer to access the email.
Consent as a ground for monitoring
In ground 6.5.3 for the ruling, the Court of Appeal wondered why Access World had not simply asked the appellant whether it could read the company email on the grounds advanced. If the answer had been positive, that would have constituted a legitimate ground for monitoring. After all, the appellant had previously, in 2016, given consent to the employer to read her email.
In the Netherlands, it is generally presumed that an employee's consent does not constitute a legitimate ground under the GDPR for reading email, as being in a relationship of dependence to the employer, the employee is unlikely to give consent freely. As a consequence, such consent tends to be ruled to be invalid. Seen in that light, the Court of Appeal's suggestion is somewhat remarkable. It may have been inspired by the fact that the employee had already left the employer's service. After all, the parties had apparently signed a settlement agreement at the time the email was read. In that situation, the employee can be presumed not to be in a relationship of dependence any longer and therefore in a position to give or refuse to give consent freely.
The previous instance of consent, although given while in service, may have been a valid instance of consent. It transpires from the ruling, after all, that the appellant had insisted on it. The circumstances are not clear, but if the employee did give consent on her own initiative, it is conceivable that her consent must therefore be deemed to have been given freely and - consequently - valid.
Still, even if consent can theoretically be given freely, it would be a tough choice as a ground for justification. After all, what to do if consent is refused? All that considered, the most obvious ground for reading email would be the legitimate business interest and the most obvious course of action would be to notify the employee in advance (unless, in specific circumstances, this would meet with major objections). Prior notification could prompt an objection as meant in Article 21 GDPR. However, it follows from Article 21(1) GDPR that if the grounds for reading the email are sufficiently compelling, they override the employee's objection and the employer has a legitimate ground for reading the email.
Generally, to avoid monitoring from being ruled unlawful, it is wise to do one's homework and perform a Data Protection Impact Assessment (DPIA) in advance.
Processing medical data
The appellant also argued that Access World had invaded her privacy because she had sent an email to the registration system stating: “Dear HR people et al., I have taken up a brief medical leave in order to see my doctor. Kind regards, [appellant].”
According to the appellant, the monitoring constitutes a violation of the prohibition against processing of special personal data laid down in Article 16 Wbp, as this email constitutes medical data, depriving Access World of any legitimate ground to process her data.
The Court of Appeal ruled that the mere announcement of taking up leave to visit a doctor without providing further explanation is not covered by the prohibition of Article 16 Wbp. Although the definition of 'medical data’ does tend to be highly elastic and the registration of a doctor's visit could very well be covered by it, the Court of Appeal can be forgiven for not wanting to open this can of worms. After all, it is difficult to see in what way the appellant was prejudiced or harmed by the registration of this data.
Making reference to the judgment of the Amsterdam District Court of 12 May 2014 (ECLI:RBAMS:2014:2751), the appellant claimed an amount of EUR 5,000 by way of compensation. In said judgment, an amount of EUR 7,500 was awarded as compensation for the unlawful monitoring of an employee's correspondence. A major difference, however, was that in the earlier case law the data concerned private email and text messages, in addition to which the data thus unlawfully gained were used to substantiate a decision to dismiss.
Although the Court of Appeal held the monitoring to be unlawful, it did not perceive any ground to award compensation. No evidence had been presented that the employee had been afflicted in her person, nor did the Court of Appeal hold it likely that such affliction had occurred. All circumstances of this pre-GDPR case taken into consideration, an understandable ruling.