
Crafting a Global Policy for Monitoring Employee Internet Use

February 11, 2013

Contacts
Michael Whitener
Lead Counsel, Technology & Communications | m.whitener@clearspire.com | +1 202 595 9376

The great divide between the U.S. and EU approaches to regulating data privacy can seem to pose a daunting hurdle to global corporations. U.S. companies in particular struggle to achieve compliance with the EU Data Protection Directive, which is based on the premise that privacy is a fundamental human right and therefore personal data can only be collected and used as the law explicitly allows. Enlightened companies on both sides of the Atlantic, however, are increasingly recognizing that complying with EU privacy requirements is not just about avoiding legal liability, but an opportunity to embrace best global compliance practices and brand themselves as responsible stewards of personal data, whether of employees, customers, partners or vendors.

A good example of regulatory compliance dovetailing with smart business practices is the monitoring, and perhaps blocking, of employee internet use. This Advisory will (1) examine the laws governing such monitoring by employers in the U.S. and the EU, and (2) provide guidelines for a monitoring policy that should pass muster not only in the EU, but in the increasing number of jurisdictions adopting EU-style data protection laws.

Legal Requirements for Employee Internet Monitoring

The good news for global employers is that both the U.S. and the EU generally recognize a company's right to monitor employee internet activities conducted on company equipment and networks. The EU, however, has set far more stringent standards for judging the legitimacy of such monitoring.

United States

U.S. law gives employers virtually free rein to monitor employee internet use in the workplace. The Electronic Communications Privacy Act of 1986, which extends privacy protection to electronic communications, contains an exception for monitoring that occurs in the normal course of business. The Computer Fraud and Abuse Act does not apply to an employer monitoring its own computers and networks.
No federal law, and only two state laws (Connecticut and Delaware), require that employers provide any notice of electronic monitoring of employees. U.S. courts have recognized that employees have a reasonable expectation of privacy, but that expectation must be balanced against an employer's legitimate business purposes for conducting employee monitoring. Employers have consistently prevailed in lawsuits by employees claiming that monitoring violated their privacy rights where the employer provided notice, however cursory, that monitoring might be conducted.

Europe

EU law extends the privacy protections guaranteed by the EU Data Protection Directive to the workplace. Consequently, employer rights to monitor are considerably more circumscribed than in the United States. Nevertheless, the EU recognizes that employers may have a legitimate need to monitor and restrict employee internet access for purposes of efficiently running a business, protecting corporate assets and guarding against liability. As in the U.S., employer interests are balanced against employee privacy rights, but with the balance tilted in the employee's favor.

While each EU nation has added its own twists to implementation of the Directive, and a few have issued specific guidance regarding the monitoring of employee internet use, the best touchstone for an EU-compliant monitoring policy is guidance from the EU's Article 29 Working Party. The Working Party was established under the Directive to provide expert advice on data protection and to help ensure uniform application of data protection measures across Europe. The Working Party has declared that monitoring of employee internet usage is permissible if employees are provided notice, the monitoring/blocking is reasonable, legitimate business purposes are served, and any personal data collected is kept secure. The Working Party has also offered specific guidance regarding what the employer's internet monitoring policy should address, including:

o Workers need to be informed about the systems implemented both to prevent access to certain sites and to detect misuse.

Two additional considerations when conducting internet monitoring in the EU:

1. Any personal information collected will be subject to the full requirements of the EU Data Protection Directive. These requirements include implementing appropriate technical and organizational measures to protect personal information against loss or unauthorized disclosure or access. In addition, any cross-border transfer of that personal information must satisfy the adequacy requirements of the Directive.

2. If the employer is subject to Works Councils in any of its EU locations, the Works Councils may be required to be notified and consulted regarding any employee monitoring or surveillance.

Clearspire LawCo., PLLC | 1747 Pennsylvania Avenue, NW, Suite 200 | Washington, DC 20006 | +1 202 549 1200 office

An All-Purpose Employee Internet Monitoring Policy

Given the differing legal standards for employee internet monitoring between the U.S. and the EU, how does an employer formulate a global compliance policy? It is not as challenging as it might first appear. The employer must simply raise the bar in terms of the level of notice and disclosure provided to employees. Such notice and disclosure, via a clear, well-defined and well-communicated corporate monitoring policy, will not only be legally compliant, but makes eminently good business sense.

Surveys reveal the unsurprising fact that employees do not like having their workplace internet use monitored. But any employee resentment can be greatly mitigated if the employer states in plain terms (1) what the business imperatives are for conducting monitoring and (2) that monitoring will go no further than is necessary to protect the company's business interests, i.e., no snooping for the sake of snooping. This approach is far preferable from an employee relations perspective to the typical U.S. policy stating starkly, in Big Brotherish tones, that the employer has the right to monitor and the employee should have no expectation of privacy.

An employee internet monitoring policy that would satisfy both U.S. and EU requirements, and would likely be acceptable globally, would include the following elements:

Notice of monitoring. Clear and explicit notice via a corporate policy distributed to all employees that employee internet usage may be monitored and what that monitoring entails. For instance, if employee access to certain websites will be blocked, and access to certain other websites will be allowed but will be recorded, the policy should say so. The policy should also describe exactly what personal information will be collected and how it will be handled.

Purposes of monitoring. Employees have a right to know why monitoring is being conducted, and are likely to react more favorably and with greater compliance if they understand the business imperatives behind the monitoring. Typically, the purposes of internet monitoring will include:

o To avoid harm to corporate IT systems from malware, scam websites and other security threats
o To protect company confidential information
o To maintain the security of employee personal data
o To minimize legal liability (in some jurisdictions, employers may be held liable for unlawful web activities of employees)
o To foster a friendly and non-offensive work environment

Under EU guidance, the employer must be able to demonstrate that the monitoring is proportionate to the legitimate business concerns being addressed in order to justify the intrusion into employee privacy.

Means of monitoring. Employees should be informed as to how monitoring will be conducted. For instance, if web scanning software will be used to provide surveillance of workplace internet activity, the policy should describe the software and how it operates. As an example, if a web filtering product such as one from Sophos is employed, the policy should explain that the product will (1) scan web content sent to the employee's browser to check for viruses, spyware, phishing and other malicious content, (2) validate that websites to which the employee seeks access conform to the corporate acceptable use policy, and (3) block access to certain malicious or high-risk websites and allow access to certain other questionable websites only after a warning and notice that the access will be logged. Disclosure of the monitoring means will also help allay any employee concern that monitoring will not be conducted in a fair and even-handed manner.
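What the three-tier behavior described above (block / warn-then-log / allow) and the matching minimal log record look like in code, as an added example written for this page; it is not code from the Advisory or from Sophos or any other filtering vendor. The host-to-category table, the policy mapping, the host names and the pseudonymization key are constructed assumptions, and the real category feed, proxy integration and key custody would come from the deployment.

```python
"""Three-tier web filtering decision with data-minimising audit records.

Added example, not part of the Advisory and not vendor code. The category
table, the acceptable-use mapping and the key below are constructed.
"""
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlsplit

# Constructed category feed (a real deployment uses the vendor's list).
CATEGORY_OF_HOST = {
    "malware.example": "malware",
    "phish.example": "phishing",
    "gambling.example": "gambling",
    "social.example": "social-media",
    "docs.example": "business",
}

# Constructed mapping from the written acceptable use policy to a tier.
BLOCK, WARN_AND_LOG, ALLOW = "block", "warn-and-log", "allow"
POLICY = {
    "malware": BLOCK,
    "phishing": BLOCK,
    "gambling": BLOCK,
    "social-media": WARN_AND_LOG,
    "business": ALLOW,
}
DEFAULT_TIER = WARN_AND_LOG  # uncategorised hosts are warned about, not silently blocked


@dataclass(frozen=True)
class Decision:
    action: str                 # "block", "warn" or "allow"
    category: str
    log_record: Optional[dict]  # None when nothing is recorded


def categorise(url: str) -> str:
    """Look the host and each of its parent domains up in the category table."""
    host = (urlsplit(url).hostname or "").lower()
    labels = host.split(".")
    for i in range(len(labels)):
        category = CATEGORY_OF_HOST.get(".".join(labels[i:]))
        if category:
            return category
    return "uncategorised"


def pseudonymise(user_id: str, key: bytes) -> str:
    """Keyed hash of the employee identifier. The log alone does not name the
    employee; re-identification needs the key, which the policy can assign to
    a named role (assumption here: HR, not the proxy administrators)."""
    return hmac.new(key, user_id.encode(), hashlib.sha256).hexdigest()[:16]


def decide(url: str, user_id: str, key: bytes, acknowledged_warning: bool = False) -> Decision:
    """Apply the tier for the URL's category and build the minimal log record.

    Only the host name is recorded, never the path or query string, which may
    carry the employee's own personal data (search terms, form fields).
    """
    category = categorise(url)
    tier = POLICY.get(category, DEFAULT_TIER)
    host = (urlsplit(url).hostname or "").lower()

    if tier == BLOCK:
        # Blocked malicious or high-risk site: recorded, because the security
        # team needs to know which hosts employees were lured to.
        return Decision("block", category, {
            "user": pseudonymise(user_id, key), "host": host,
            "category": category, "action": "blocked"})
    if tier == WARN_AND_LOG:
        if not acknowledged_warning:
            # Warning page first; nothing is recorded until the employee
            # chooses to proceed after the notice that access is logged.
            return Decision("warn", category, None)
        return Decision("allow", category, {
            "user": pseudonymise(user_id, key), "host": host,
            "category": category, "action": "allowed-after-warning"})
    # Ordinary business browsing: allowed and not logged (data minimisation).
    return Decision("allow", category, None)


if __name__ == "__main__":
    key = b"constructed-demo-key"  # assumption: a real key lives in a secret store
    for url in ("https://docs.example/report",
                "https://www.social.example/feed",
                "https://phish.example/login?user=alice"):
        print(url, decide(url, "alice", key, acknowledged_warning=True))
```

The design choices are the ones a policy of this kind has to disclose: allowed business traffic leaves no record, warned-and-allowed traffic is recorded only after the employee proceeds past the notice, and every record holds a keyed pseudonym and the host name rather than the employee's name and the full URL. That is a concrete form of the "appropriate technical and organizational measures" and "no further than necessary" points above.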

Although not strictly required under either U.S. or EU law, a best practice is to have all employees sign an acknowledgment that they have received, reviewed and understand the internet monitoring policy. Such a signed acknowledgment will minimize the possibility that an employee will later claim ignorance that he or she would be subject to monitoring. It will also help satisfy the adequate notice requirement under EU law. An employee internet monitoring policy containing these elements will go well beyond the minimal (if any) disclosure of internet monitoring typical among U.S. employers. But it is likely to pay dividends in terms of a more understanding, supportive and cooperative workforce. As the global trend is clearly toward more stringent privacy protection in the workplace, employers can recognize the silver lining and seize the opportunity to upgrade their corporate privacy compliance policies.

Disclaimer notice: This publication is for information only and does not constitute legal advice. It is not intended to create, and receipt of it does not constitute, a lawyer-client relationship. So that we can send you this email and other marketing material we believe may interest you, we keep your email address and other information supplied by you on a database. The database is accessible by all Clearspire offices. To stop receiving email communications from us please email info@clearspire.com.

