Is an employer allowed to access an employee’s email account when the employee is on sick leave? To what extent is control permissible when an employee is suspected of illegal activities, e.g., of leaking trade secrets? In Germany, these questions are at the crossroads of data privacy and telecommunications law with their respective administrative and even criminal sanctions. The proper rules and best practice examples have been recapped in a guideline (the “Guideline”) issued in January 2016 by the Conference of Data Protection Authorities of the Federation and of the States in Germany (“DPA Conference”).
Private use excluded, employers may dispense with employee consent
To the extent that private email and Internet use is banned or restricted by the employer, only data privacy law applies. Thus, concerns relating to the Telecommunications Act, employment law, or the Telemedia Act are not applicable if all private use is prohibited. Internet protocol data may be accessed without prior consent, e.g., in order to verify compliance with the restrictions on private use or to protect the network. However, access even to IP addresses should take into account the proportionality principle. According to the Guideline, the employer should, as a first step, evaluate Internet protocol data on an anonymous basis, followed by individual spot tests where necessary.
With regard to emails, the employer is not required to obtain the employee’s consent and may review the content of professional emails relevant to a specific business transaction or as pre‑defined by other specific categories. A constant review of all professional emails is not permissible. Consequently, for employees on leave, out-of-office messages are the method of choice to inform recipients that the individual may not respond (rather than having someone else check the emails). Alternatively, it is permissible to completely reroute emails if the demands of the workplace require such a solution. Full surveillance of an employee’s online activity is generally prohibited, unless there is a reasonable basis for believing that the employee’s use of the IT services violates the law and the proposed measures are proportional.
Private use of workplace IT triggers telecommunication secrecy consent requirement
Employers should carefully consider whether they wish to permit private use of their workplace IT systems or whether such use should be limited or banned altogether. To the extent that private use is permitted, the DPAs view employers as telecommunication service providers who are bound by the stringent rules of telecommunication secrecy. The chance that the employee’s inbox contains private emails (when private use is allowed) will prevent the employer from accessing the professional account altogether, unless such access is permitted by the employee on a case-by-case basis. Accordingly, to the extent that employees are entitled to use the Internet for private purposes, the employer is prohibited from reviewing the employee’s Internet usage (i.e., who accessed which website at what time and for how long). In contrast, where private use by employees is prohibited, the employer may review such Internet usage without prior consent of the employee.
While a number of lower courts disagree with the DPAs’ view, the question has not yet been decided by a German Federal Court, and employers should follow the DPAs’ interpretation. In practice, sanctions are limited to fines; however, in theory, improper access to private email or to an employee’s private use of the Internet could result in criminal liability.
Permission for private use may be construed where employers fail to sanction private use
The DPA Conference points out that failure to lay down the rules of use will often amount to permission for private use. The same is true for a ban of private use that is not effectively monitored and sanctioned. If an employer tolerates private use for a significant period of time, this conduct may give rise to an (unwritten) company practice, binding the employer for the future. As a consequence, the DPA Conference prompts employers to lay out the rules of workplace use of the IT services in writing, either in the employment contract, a corporate guideline, or, where a works council is established, in a works agreement. The employer may subject permission to specific conditions, e.g., limitations in time, rules of conduct, and general rules limiting the employer’s access to employee emails or Internet data.
Consent is valid only where it is genuinely free
The Guideline does not elaborate on the conditions of consent by the employee. On the European level, the Working Party 29 (WP 29) recognizes consent in the employment context to the extent that it is genuinely free (see Opinion 15/2011 on the definition of consent, dated July 13, 2011, p. 13). Notably, the WP 29 considers consent invalid where it is a condition of employment, such as consent required in the employment contract. Where it is provided in an ongoing employment relationship, consent is valid unless “it is not possible for the worker to refuse.” This conforms to a decision by the Federal Labor Court of December 11, 2014 (docket no. 8 AZR 1010/13, juris). In this decision, the Court held that employee consent provided in an ongoing employment relationship is valid unless concrete evidence indicates pressure or coercion or otherwise a lack of choice.
New Guideline dispenses with requirement of consent by third‑party communication partners
For access to an employee’s email account, the DPAs have, in the past, also required the third‑party’s consent, i.e., the consent of the sender of an email to the employee. Interestingly, the DPA Conference has now confirmed in its Guideline that employers may dispense with consent of the third‑party sender or recipient, which is naturally hard to obtain in practice. When access to emails is required by the course of business, the DPA Conference states that the employer can rely solely on the employee’s consent.