27/04/2011 The American Society of International L…

European Court of Human Rights Expands Privacy Protections: Copland v.
United Kingdom

ASIL Insights, Volume 11, Issue 21
August 6, 2007

By Fred H. Cate

Copyright 2007 by The American Society of International Law. The purpose
of ASIL Insights is to provide concise and informed background for
developments of interest to the international community. The American
Society of International Law does not take positions on substantive
issues, including the ones discussed in this Insight. Educational and news
media copying is permitted with due acknowledgement.

The European Court of Human Rights (ECHR) recently decided Copland v.
United Kingdom,[1] in which the ECHR expanded the basis and extent of
protection for personal data in a variety of settings, including the
workplace. The European Union's Data Protection Directive already mandated
very broad protection for such data in EU member states. This decision may
further widen the gulf between U.S. and European data protection laws and
create challenges for multinational businesses and other organizations
operating in Europe. This Insight describes the case and considers the
implications of this international legal ruling.

Facts, Applicable Law, and Holding in the Copland Case

Copland involved a complaint by Lynette Copland, the personal assistant to
the principal of Carmarthenshire College in the United Kingdom. Copland
alleged that the College's deputy principal monitored her e-mail and
telephone conversations to discover whether she was making improper use of
College facilities for personal purposes.

The parties' representations concerning the intrusiveness and duration of
the monitoring differed, but the ECHR accepted the U.K. government's
position for the purpose of deciding the case. According to the
government, the telephone monitoring was limited to analyzing "college
telephone bills showing telephone numbers called, the dates and times of
the calls and their length and cost," and lasted for "a few months" in
late 1999.[2] The government claimed that the Internet monitoring involved
analyzing "the web sites visited, the times and dates of the visits of the
web sites and their duration" in October and November 1999.[3]

The ECHR found that, on these facts, the monitoring violated Article 8 of
the Convention for the Protection of Human Rights and Fundamental
Freedoms (Convention), which provides that "Everyone has the right to
respect for his private and family life, his home and his
correspondence."[4]

The ECHR's Legal Reasoning

The ECHR's holding involved six conclusions, each of which is
significant to understanding the scope, requirements, and impact of
data protection law in Europe. These conclusions also highlight the
challenge that companies and other institutions, especially those used
to operating under U.S. law, face when doing business in Europe.

First, the ECHR concluded that "telephone calls from business
premises are prima facie covered by notions of 'private life' and
'correspondence.'"[5] The fact that such calls occurred in the office and,
at least in theory, were business related, was irrelevant. The ECHR
asserted that the "same expectation should apply in relation to the
applicant's e-mail and internet usage."[6] Under the ECHR's ruling,
business e-mail and telephone calls affect "private life" and may contain
"personal information," protected by human rights and, presumably,
data protection law.

Second, the ECHR found that, even if the telephone monitoring was
limited to "the date and length of telephone conversations" and "the
numbers dialed," the monitoring still gave rise to a cause of action
under Article 8.[7] Monitoring did not have to involve the content of the
communications to be actionable, although the ECHR noted this could
be relevant in calculating damages.[8]

Third, the ECHR noted that the College's argument that it legitimately
obtained information about the telephone calls in the form of telephone
bills posed no bar to finding that the monitoring violated Article 8.[9]
Fourth, the ECHR found that it was "irrelevant that the data held by the
college were not disclosed or used against the applicant in disciplinary
or other proceedings."[10]

Fifth, the ECHR concluded that, in the absence of any warning that her
telephone calls and e-mail could be monitored, Copland had a
"reasonable expectation" that they would not be.[11] Even in the
absence of applicable national data protection law, Article 8 of the
Convention presumes that workplace communications will not be
monitored.

Finally, the ECHR stressed that Article 8 requires that monitoring must
be "in accordance with the law."[12] In the case of public authorities,
Article 8(2) mandates that monitoring must be both "in accordance with
the law" and "necessary in a democratic society."[13] According to the
ECHR, this provision requires that the terms under which monitoring
may be carried out be explicitly stated in the law, and that those terms
be compatible with "the rule of law," which means that "the law must be
sufficiently clear in its terms to give individuals an adequate indication
as to the circumstances in which and the conditions on which
authorities are empowered to resort to any such measures."[14]

The ECHR found that the U.K. government's argument that statutory law
empowered the College to do "anything necessary or expedient" to
providing higher education was insufficient. In the absence of law or
regulations specifically regulating telephone and Internet monitoring by
employers, the College's monitoring of Copland could not have been "in
accordance with the law."[15] The ECHR held open the possibility that
such monitoring could be found to be "necessary in a democratic
society," but only if governed by appropriate law or regulations.[16]

Copland and EU Data Protection Law

Standing alone, the ECHR's decision in Copland would be sobering for
businesses and other organizations operating in Europe, and
especially challenging to multinational entities. The holdings that
telephone calls and e-mails from a business fall within the
Convention's notions of "private life" and are subject to a reasonable
expectation of privacy would likely come as a surprise to many
employers. But Copland does not stand alone. It is only the most recent
in a series of directives, laws, judicial opinions, and working papers
from Europe that mark out increasingly broad contours for privacy in the
workplace.

Under national laws implementing two EU privacy directives,[17] the
collection, use, storage, and transmission of personal data are subject
to the world's most extensive legal protection. National data protection
commissioners, supported by European courts, regard virtually all data
about employees as "personal data," subject to the protection of EU
directives and national data protection laws.

The Article 29 Working Party-the group of national data protection
commissioners created by Article 29 of the 1995 Data Protection
Directive and charged with its interpretation-has concluded that "[t]here
should no longer be any doubt that data protection requirements apply
to the monitoring and surveillance of workers whether in terms of email
use, internet access, video cameras or location data."[18] The Working
Party has even asserted that "[I]t is not disputed that an e-mail address
assigned by a company to its employees constitutes personal data if it
enables an individual to be identified."[19] In 2001, the Article 29
Working Party opined about the processing of personal data in the
employment context and stressed that, under the Data Protection
Directive, employers may process data concerning their employees only
with "unambiguous consent" or if the processing is "necessary."[20]

Consent has proved problematic as a basis for processing. The
company must ensure that an employee's consent is "freely given" and
capable of being revoked.[21] For example, if a company wishes to
transfer employee data to the United States for benefits administration,
it must also be able to support the same type of benefits program within
Europe for employees who do not agree to have their data transferred.
Some countries' national laws prohibit reliance on consent altogether.
In Finland, "the employer is only allowed to process personal data
directly necessary for the employee's employment relationship."[22] No
exceptions are permitted, not "even with the employee's consent."[23]

If consent does not work or is not available, employers must rely on
necessity. According to the Article 29 Working Party, only three types of
necessity are possible. Processing may be necessary for the employer
to perform its contractual obligations vis-à-vis an employee (e.g.,
processing an employee's salary data). Processing may also be
necessary to protect an employee's vital interests (e.g., to protect the
employee against particular hazards at the workplace).

Finally, processing data may also be necessary for an employer to
comply with legal obligations (e.g., processing an employer's data for
the purpose of calculating withholding tax). However, such legal
obligations are limited to domestic European legal obligations.
Compliance with disclosure requirements from the United States or
other non-European countries is unavailing.[24] Monitoring to comply
with U.S. anti-discrimination or whistleblower laws does not fit within
the definition of "necessity."

Copland and European Case Law on Data Protection

Thus, although Copland left open the possibility that reviewing
telephone bills and web logs to investigate suspected wrongdoing
might be lawful if authorized by a specific law and done with proper
notice, other national laws and the Article 29 Working Party's opinions
suggest that this possibility may not actually exist. European courts
appear to agree.

In two cases interpreting Article 8 and the Data Protection Directive, the
French Court of Cassation ruled that, absent exceptional
circumstances, an employer has no right to inspect employees'
workplace e-mail, files, or computers, even where wrongdoing is
suspected and subsequently demonstrated to be occurring.[25]

Philippe K. v Cathnet-Science[26] involved a company's search of an
employee's work-issued computer after accidentally discovering "erotic
photos" on the worker's desk. The company found that the employee
had downloaded pornographic images and, as a result, it terminated
the worker's employment. Although lower French courts upheld the
search and subsequent firing, the high court disagreed, noting that the
presence of pornography on the computer did not present the type of
particular risk that could justify the search of the computer.[27]

The following year, the Court of Cassation decided Societe Nikon
France v. M. Onof,[28] which involved an employer that suspected that
an employee was freelancing on company time and using company
resources for his side business. The company opened and copied
folders entitled "personal" and "fax" from the computer in the worker's
office and found that the employee had used the computer for personal
activities despite the employer's prohibition on such use. The court
found that the search violated the employee's privacy. The existence of
particularized suspicion, the presence of an explicit company policy, and
the fact that the employee was, in fact, freelancing with company
resources were irrelevant.

The French position is not unique. The Greek data protection
commissioner found in 2004 that (1) "[t]he intervention of the employer
in the electronic communications of the employees constitutes
processing of personal data and is illegal if the employee was not
previously informed about the possibility of such interventions even for
technical reasons," and (2) such processing is illegal if the employer
does not provide the employee with "technical means of using special
software to protect the secrecy of his own communication."[29] In Italy,
employers are generally prohibited from monitoring e-mail content or
Internet browsing by employees.[30]

Conclusion

Viewed against this backdrop, Copland's reliance on, and application
of, Article 8 of the Convention to employer monitoring of telephone calls
and e-mails but not their content are important, but marginal,
extensions of European workplace privacy law. More broadly, the case
is also a potent reminder of how far European law has moved in the
direction of workplace privacy and how great a challenge this movement
poses for U.S. and multinational entities.

Employee monitoring has become nearly ubiquitous in the U.S., and is
increasingly legally required, to protect trade secrets, avoid liability for
workplace discrimination, guard against information security breaches,
account for communications expenditures, and comply with Sarbanes-Oxley
whistleblower rules and federal document retention
requirements. These employee-monitoring activities are increasingly
illegal under European law. Technologies and markets may be
increasingly global, but Copland is only the most recent addition to a
growing body of evidence that data protection law is headed in the other
direction.

About the Author


Fred H. Cate is a Distinguished Professor and Director of the Center for
Applied Cybersecurity Research at Indiana University, and a Senior
Policy Advisor to the Center for Information Policy Leadership at Hunton
& Williams LLP. He may be contacted at fcate@indiana.edu.

Footnotes

[1] Copland v. United Kingdom, 62617/00 [2007] ECHR 253 (3 April
2007)

[2] Id. ¶ 10.

[3] Id. ¶ 11. Neither of the legal provisions that would currently regulate
such monitoring in the U.K.-the Regulation of Investigatory Powers Act
(2000) and the Telecommunications (Lawful Business Practice)
Regulations (2000)-had been adopted when the monitoring took place,
and the case of Douglas v. Hello! Ltd [2001] WLR 992 (Sedley LJ),
which established a qualified right to privacy under English law, had not
yet been decided.

[4] European Convention for the Protection of Human Rights and
Fundamental Rights, as amended by Protocol No. 11, Rome, 4.XI.1950,
art. 8.

[5] Copland, supra note 1, at ¶ 41.

[6] Id. ¶ 42.

[7] Id. ¶ 43.

[8] Id. ¶ 54.

[9] Id. ¶ 43.

[10] Id.

[11] Id. ¶ 42.

[12] Id. ¶ 45.

[13] European Convention, supra note 4, at art. 8, § 2.

[14] Copland, supra note 1, at ¶ 46.

[15] Id. ¶¶ 46-47.

[16] Id. ¶ 48.

[17] Directive 95/46/EC of the European Parliament and of the Council
on the Protection of Individuals with Regard to the Processing of
Personal Data and on the Free Movement of Such Data, 1995 O.J.
(L281) 95; Directive 2002/58/EC of the European Parliament and
Council of 12 July 2002 on Privacy and Electronic Communications,
2002 O.J. (L. 201) 37.

[18] Article 29 Data Protection Working Party, Opinion 8/2001 on the
Processing of Personal Data in the Employment Context, Sept. 13, 2001
(5062/01/EN/Final WP 48), at 24.

[19] Eighth Annual Report of the Article 29 Working Party on Data
Protection (2005), at 38. See also Jorg Rehder and Erika C. Collins,
"The Legal Transfer of Employment-Related Data To Outside the
European Union: Is It Even Still Possible?" 39 Int'l Law. 129, __ (2005)
("In essence, employers must treat such data as employees' personal
property.").

[20] Processing of Personal Data in the Employment Context, supra
note 18.

[21] Id. at 23 ("If it is not possible for the worker to refuse, it is not
consent. Consent must at all times be freely given. Thus a worker must
be able to withdraw consent without prejudice.").

[22] Act on the Protection of Privacy in Working Life (Finland, 759/2004), §
3.

[23] Id.

[24] See Article 29 Data Protection Working Party, Opinion 1/2006 on the
Application of EU Data Protection Rules to Internal Whistleblowing
Schemes in the Fields of Accounting, Internal Accounting Controls,
Auditing Matters, Fight Against Bribery, Banking and Financial Crime,
Feb. 1, 2006 (00195/06EN WP117), 8; Article 29 Data Protection
Working Party, Opinion 3/2006 on the Directive 2006/24/EC of the
European Parliament and of the Council on the Retention of Data
Generated or Processed In Connection with the Provision of Publicly
Available Electronic Communications Services or of Public
Communications Networks and Amending Directive 2002/58/EC, Mar.
25, 2006 (654/06/EN WP 119), 5.

[25] Philippe K. v Cathnet-Science, Cour de Cassation, Chambre
Sociale, Arret No. 1089 FS-P+B+R+1, Pourvoi No. J-03-40.017, 5/17/05.
Reported in the BNA Privacy Law Watch (June 6, 2005).

[26] Philippe K. v Cathnet-Science, Cour de Cassation, Chambre
Sociale, Arret No. 1089 FS-P+B+R+1, Pourvoi No. J-03-40.017, 5/17/05.
Reported in the BNA Privacy Law Watch (June 6, 2005).

[27] Id.

[28] Cass. soc., Oct. 2, 2001, Bull Civ. V, No. 291.

[29] Eighth Annual Report, supra note 19, at 44 (citing Decision
61/2004).

[30] "Monitoring Employees E-Mail and Internet Usage in Europe,"
Internet Law-Business-e-Commerce, May 1, 2005 ("The Supreme Court
has held that an employer can only carry out such monitoring if it is
aimed at ascertaining unlawful behavior on the part of the employee
and provided it has reached an agreement with the local union or has
authorization from the local labor office.").

http://www.asil.org/insights070806.cfm