ENN is reporting that an EU court has ruled that monitoring a users usage of company communications resources at work for private purposes is illegal.
The alleged offense took place in Wales, a UK jurisdiction and the ruling body was the European Court of Human Rights. This landmark decision will impact jurisdictions that did not protect employee rights, e.g. Ireland, where our laws are pretty similar to those in the UK.
Anyone who was running pan-European infrastructure should already be aware of differing local legislation. In Germany, you can’t monitor web usage or connect to a user’s PC in any fashion without their permission. In Italy, everything is considered private.
In Ireland, we’ve had two contradicting laws. The employees right to privacy is defined. But so is the corporate requirement to monitor usage to protect company interests. Some industry regulations absolutely require it, e.g. it’s not unusual to see phone recording in place in trading houses to record oral contracts, many organisations record email, etc.
Now we’ve got a ruling from the EU to muddy things up. What’s to be done? I’ve seen one organisation plan an "Internet cafe" on a different network where users could use it for private, unmonitored and unrestricted usage. Is this going to become common practice for every form of electronic communications where there are regulations demanding monitoring that contravenes an employees right to privacy as defined by this ruling? Will all employees end up with two phones on their desks?
It’s all pretty nuts if you ask me. I could be considered pretty liberal but my thinking is that if you are using company resources communications then they should have a right to monitor them so that they don’t get used or prosecuted for illegal activity or negligence. If you want to do something that you don’t want monitored then do it on your own phone or at home.
There is, however, an interesting line in the ruling from the court:
"The applicant in the present case had been given no warning that her calls would be liable to monitoring, therefore she had a reasonable expectation as to the privacy of calls made from her work telephone. The same expectation should apply in relation to the applicant’s e-mail and Internet usage."
Does this mean that if you have informed employees prior to giving them communications resources that they will be monitored then everything is OK? I’ve always been in favour of combining an Internet/email/phone access form (with information about monitoring) with the employee contract. The logic of the above quote would imply that this would protect the employer.
As always … consult the necessary legal experts for the jurisdictions you must cover.
Credit: ENN.