Sei sulla pagina 1di 5

27/04/2011

Catalog

Books

Member Login

The American Society of International L…

ASIL Insights

European Court of Human Rights Expands Privacy Protections: Copland v. United Kingdom By Fred H. Cate

August 6, 2007 Volume 11, Issue 21

Kingdom By Fred H. Cate August 6, 2007 Volume 11, Issue 21 The European Court of

The European Court of Human Rights (ECHR) recently decided Copland v. United Kingdom,[1] in which the ECHR expanded the basis and extent of protection for personal data in a variety of settings, including the workplace. The European Union's Data Protection Directive already mandated very broad protection for such data in EU member states. This decision may further widen the gulf between U.S. and European data protection laws and create challenges for multinational businesses and other organizations operating in Europe. This Insight describes the case and considers the implications of this international legal ruling.

Facts, Applicable Law, and Holding in the Copland Case

Copland involved a complaint by Lynette Copland, the personal assistant to the principal of Carmarthenshire College in the United Kingdom. Copland alleged that the College's deputy principal monitored her e-mail and telephone conversations to discover whether she was making improper use of College facilities for personal purposes.

The parties' representations concerning the intrusiveness and duration of the monitoring differed, but the ECHR accepted the U.K. government's position for the purpose of deciding the case. According to the government, the telephone monitoring was limited to analyzing "college telephone bills showing telephone numbers called, the dates and times of the calls and their length and cost," and lasted for "a few months" in late 1999.[2] The government claimed that the Internet monitoring involved analyzing "the web sites visited, the times and dates of the visits of the web sites and their duration" in October and November 1999.[3]

The ECHR found that, on these facts, the monitoring violated Article 8 of the Convention for the Protection of Human Rights and Fundamental Freedoms (Convention), which provides that "Everyone has the right to respect for his private and family life, his home and his

correspondence."[4]

The ECHR's Legal Reasoning

The ECHR's holding involved six conclusions, each of which is significant to understanding the scope, requirements, and impact of data protection law in Europe. These conclusions also highlight the challenge that companies and other institutions, especially those used to operating under U.S. law, face when doing business in Europe.

First, the ECHR concluded that "telephone calls from business premises are prima facie covered by notions of 'private life' and 'correspondence.'"[5] The fact that such calls occurred in the office and, at least in theory, were business related, was irrelevant. The ECHR asserted that the "same expectation should apply in relation to the applicant's e-mail and internet usage."[6] Under the ECHR's ruling,

Guest [ Sign In ]

Search

RELATED ASIL INSIGHTS

The Danish Cartoon Row and the International Regulation of ExpressionRELATED ASIL INSIGHTS Insights Archive>> DOCUMENTS OF NOTE Copland v. United Kingdom European Convention for the

Insights Archive>>

DOCUMENTS OF NOTE

Copland v. United Kingdomof Expression Insights Archive>> DOCUMENTS OF NOTE European Convention for the Protection of Human Rights and

European Convention for the Protection of Human Rights and Fundamental FreedomsDOCUMENTS OF NOTE Copland v. United Kingdom Philippe K. v Cathnet- Science Directive of the European

Philippe K. v Cathnet- Sciencefor the Protection of Human Rights and Fundamental Freedoms Directive of the European Parliament on the

Directive of the European Parliament on the Protection of Individualsand Fundamental Freedoms Philippe K. v Cathnet- Science ASIL EISIL>> ORGANIZATIONS OF NOTE European Court of

ASIL EISIL>>

ORGANIZATIONS OF NOTE

European Court of Human Rightsof Individuals ASIL EISIL>> ORGANIZATIONS OF NOTE European Commission, Justice and Home Affairs European

European Commission, Justice and Home AffairsORGANIZATIONS OF NOTE European Court of Human Rights European Parliament, Committee on Citizens' Freedoms and

European Parliament, Committee on Citizens' Freedoms and Rights, Justice and Home AffairsHuman Rights European Commission, Justice and Home Affairs European Commission, Art.29 Data Protection Working Party

European Commission, Art.29 Data Protection Working PartyCitizens' Freedoms and Rights, Justice and Home Affairs Copyright 2007 by The American Society of International

Copyright 2007 by The American Society of International Law ASIL

The purpose of ASIL Insights is to provide concise and informed background for developments of interest to the international community. The American Society of International Law does not take positions on substantive issues, including the ones discussed in this Insight. Educational and new s media copying is permitted w ith due acknow ledgement.

including the ones discussed in this Insight. Educational and new s media copying is permitted w

27/04/2011

The American Society of International L…

business e-mail and telephone calls affect "private life" and may contain "personal information," protected by human rights and, presumably, data protection law.

Second, the ECHR found that, even if the telephone monitoring was limited to "the date and length of telephone conversations" and "the numbers dialed," the monitoring still gave rise to a cause of action under Article 8.[7] Monitoring did not have to involve the content of the communications to be actionable, although the ECHR noted this could be relevant in calculating damages.[8]

Third, the ECHR noted that the College's argument that it legitimately obtained information about the telephone calls in the form of telephone bills posed no bar to finding that the monitoring violated Article 8.[9] Fourth, the ECHR found that it was "irrelevant that the data held by the college were not disclosed or used against the applicant in disciplinary or other proceedings."[10]

Fifth, the ECHR concluded that, in the absence of any warning that her telephone calls and e-mail could be monitored, Copland had a "reasonable expectation" that they would not be.[11] Even in the absence of applicable national data protection law, Article 8 of the Convention presumes that workplace communications will not be monitored.

Finally, the ECHR stressed that Article 8 requires that monitoring must be "in accordance with the law."[2] In the case of public authorities, Article 8(2) mandates that monitoring must be both "in accordance with the law" and "necessary in a democratic society."[13] According to the ECHR, this provision requires that the terms under which monitoring may be carried out be explicitly stated in the law, and that those terms be compatible with "the rule of law," which means that "the law must be sufficiently clear in its terms to give individuals an adequate indication as to the circumstances in which and the conditions on which authorities are empowered to resort to any such measures."[14]

The ECHR found that the U.K. government's argument that statutory law empowered the College to do "anything necessary or expedient" to providing higher education was insufficient. In the absence of law or regulations specifically regulating telephone and Internet monitoring by employers, the College's monitoring of Copland could not have been "in accordance with the law."[15] The ECHR held open the possibility that such monitoring could be found to be "necessary in a democratic society," but only if governed by appropriate law or regulations.[16]

Copland and EU Data Protection Law

Standing alone, the ECHR's decision in Copland would be sobering for businesses and other organizations operating in Europe, and especially challenging to multinational entities. The holdings that telephone calls and e-mails from a business fall within the Convention's notions of "private life" and are subject to a reasonable expectation of privacy would likely come as a surprise to many employers. But Copland does not stand alone. It is only the most recent in a series of directives, laws, judicial opinions, and working papers from Europe that mark out increasingly broad contours for privacy in the workplace.

Under national laws implementing two EU privacy directives,[17] the collection, use, storage, and transmission of personal data are subject to the world's most extensive legal protection. National data protection commissioners, supported by European courts, regard virtually all data about employees as "personal data," subject to the protection of EU directives and national data protection laws.

The Article 29 Working Party-the group of national data protection commissioners created by Article 29 of the 1995 Data Protection Directive and charged with its interpretation-has concluded that "[t]here should no longer be any doubt that data protection requirements apply to the monitoring and surveillance of workers whether in terms of email use, internet access, video cameras or location data."[18] The Working Party has even assert that "[I]t is not disputed that an e-mail address assigned by a company to its employees constitutes personal data if it enables an individual to be identified."[19] In 2001, the Article 29 Working Party opined about the processing of personal data in the

27/04/2011

The American Society of International L…

employment context and stressed that, under the Data Protection Directive, employers may process data concerning their employees only with "unambiguous consent" or if the processing is "necessary."[20]

Consent has proved problematic as a basis for processing. The company must ensure that an employee's consent is "freely given" and capable of being revoked.[21] For example, if a company wishes to transfer employee data to the United States for benefits administration, it must also be able to support the same type of benefits program within Europe for employees who do not agree to have their data transferred. Some countries' national laws prohibit reliance on consent altogether. In Finland, "the employer is only allowed to process personal data directly necessary for the employee's employment relationship."[22] No exceptions are permitted, not "even with the employee's consent."[23]

If consent does not work or is not available, employers must rely on necessity. According to the Article 29 Working Party, only three types of necessity are possible. Processing may be necessary for the employer to perform its contractual obligations vis-à-vis an employee (e.g., processing an employee's salary data). Processing may also be necessary to protect an employee's vital interests (e.g., to protect the employee against particular hazards at the workplace).

Finally, processing data may also be necessary for an employer to comply with legal obligations (e.g., processing an employer's data for the purpose of calculating withholding tax). However, such legal obligations are limited to domestic European legal obligations. Compliance with disclosure requirements from the United States or other non-European countries is unavailing.[24] Monitoring to comply with U.S. anti-discrimination or whistleblower laws does not fit within the definition of "necessity."

Copland and European Case Law on Data Protection

Thus, although Copland left open the possibility that reviewing telephone bills and web logs to investigate suspected wrongdoing might be lawful if authorized by a specific law and done with proper notice, other national laws and the Article 29 Working Party's opinions suggest that this possibility may not actually exist. European courts appear to agree.

In two cases interpreting Article 8 and the Data Protection Directive, the French Court of Cassation ruled that, absent exceptional circumstances, an employer has no right to inspect employees' workplace e-mail, files, or computers"even where wrongdoing is suspected and subsequently demonstrated to be occurring.[25]

Philippe K. v Cathnet-Science[26] involved a company's search of an employee's work-issued computer after accidentally discovering "erotic photos" on the worker's desk. The company found that the employee had downloaded pornographic images and, as a result, it terminated the worker's employment. Although lower French courts upheld the search and subsequent firing, the high court disagreed, noting that the presence of pornography on the computer did not present the type particular risk that could justify the search of the computer.[27]

The following year, the Court of Cassation decided Societe Nikon France v. M. Onof,[28] which involved an employer that suspected that an employee was freelancing on company time and using company resources for his side business. The company opened and copied folders entitled "personal" and "fax" from the computer in the worker's office and found that the employee had used the computer for personal activities despite the employer's prohibition on such use. The court found that the search violated the employee's privacy. The existence of particularized suspicion, the presence of an explicit company policy, and the fact that the employee was, in fact, freelancing with company resources were irrelevant.

The French position is not unique. The Greek data protection commissioner found in 2004 that (1) "[t]he intervention of the employer in the electronic communications of the employees constitutes processing of personal data and is illegal if the employee was not previously informed about the possibility of such interventions even for technical reasons," and (2) such processing is illegal if the employer does not provide the employee with "technical means of using special

27/04/2011

The American Society of International L…

software to protect the secrecy of his own communication."[29] In Italy, employers are generally prohibited from monitoring e-mail content or Internet browsing by employees.[30]

Conclusion

Viewed against this backdrop, Copland's reliance on, and application of, Article 8 of the Convention to employer monitoring of telephone calls and e-mails but not their content are important, but marginal, extensions of European workplace privacy law. More broadly, the case is also a potent reminder of how far European law has moved in the direction of workplace privacy and how great a challenge this movement poses for U.S. and multinational entities.

Employee monitoring has become nearly ubiquitous in the U.S., and is increasingly legally required, to protect trade secrets, avoid liability for workplace discrimination, guard against information security breaches, account for communications expenditures, and comply with Sarbanes- Oxley whistleblower rules and federal document retention requirements. These employee-monitoring activities are increasingly illegal under European law. Technologies and markets may be increasingly global, but Copland is only the most recent addition to a growing body of evidence that data protection law is headed in the other direction.

About the Author Fred H. Cate is a Distinguished Professor and Director of the Center for Applied Cybersecurity Research at Indiana University, and a Senior Policy Advisor to the Center for Information Policy Leadership at Hunton & Williams LLP. He may be contacted at fcate@indiana.edu.

Footnotes

[1]Copland v. United Kingdom, 62617/00 [2007] ECHR 253 (3 April

2007)

[2]Id. ¶ 10.

[3]Id. ¶ 11. Neither of the legal provisions that would currently regulate such monitoring in the U.K.-the Regulation of Investigatory Powers Act (2000) and the Telecommunications (Lawful Business Practice) Regulations (2000)-had been adopted when the monitoring took place, and the case of Douglas v. Hello! Ltd [2001] WLR 992 (Sedley LJ), which established a qualified right to privacy under English law, had not yet been decided.

[4]European Convention for the Protection of Human Rights and Fundamental Rights, as amended by Protocol No. 11, Rome, 4.XI.1950, art. 8.

[5]Copland, supra note 1, at ¶ 41.

[6]Id. ¶ 42.

[7]Id. ¶ 43.

[8]Id. ¶ 54.

[9]Id. ¶ 43.

[10] Id.

[11]Id. ¶ 42.

[12] Id. ¶ 45.

[13] European Convention, supra note 4, at art. 8, § 2.

[14] Copland, supra note 1, at ¶ 46.

[15] Id. ¶¶ 46-47.

[16] Id. ¶ 48.

[17]Directive 95/46/EC of the European Parliament and of the Council

27/04/2011

Contact Us

The American Society of International L…

on the Protection of Individuals with Regard to the Processing of Personal Data and on the Free Movement of Such Data, 1995 O.J. (L281) 95; Directive 2002/58/EC of the European Parliament and Council of 12 July 2002 on Privacy and Electronic Communications, 2002 O.J. (L. 201) 37.

[18] Article 29 Data Protection Working Party, Opinion 8/2001 on the Processing of Personal Data in the Employment Context, Sept. 13, 2001 (5062/01/EN/Final WP 48), at 24.

[19] Eighth Annual Report of the Article 29 Working Party on Data

Protection (2005), at 38. See also Jorg Rehder and Erika C. Collins, :The Legal Transfer of Employment-Related Data To Outside the

European Union: Is It Even Still Possible?" 39 Int'l Law. 129,

("In essence, employers must treat such data as employees' personal property.").

(2005)

[20] Processing of Personal Data in the Employment Context, supra note 18.

[21]Id. at 23 ("If it is not possible for the worker to refuse, it is not consent. Consent must at all times be freely given. Thus a worker must be able to withdraw consent without prejudice.").

[22]Act on the Protection of Privacy in Working Life (Finland, 759/2004), §

3.

[23]Id.

[24]See Article 29 Data Protection Working Party, Opinion 1/2006 on the Application of EU Data Protection Rules to Internal Whistleblowing Schemes in the Fields of Accounting, Internal Accounting Controls, Auditing Matters, Fight Against Bribery, Banking and Financial Crime, Feb. 1, 2006 (00195/06EN WP117), 8; Article 29 Data Protection Working Party, Opinion 3/2006 on the Directive 2006/24/EC of the European Parliament and of the Council on the Retention of Data Generated or Processed In Connection with the Provision of Publicly Available Electronic Communications Services or of Public Communications Networks and Amending Directive 2002/58/EC, Mar. 25, 2006 (654/06/EN WP 119), 5.

[25]Philippe K. v Cathnet-Science, Cour de Cassation, Chambre Sociale, Arret No. 1089 FS-P+B+R+1, Pourvoi No. J-03-40.017, 5/17/05. Reported in the BNA Privacy Law Watch (June 6, 2005).

[26]Philippe K. v Cathnet-Science, Cour de Cassation, Chambre Sociale, Arret No. 1089 FS-P+B+R+1, Pourvoi No. J-03-40.017, 5/17/05. Reported in the BNA Privacy Law Watch (June 6, 2005).

[27]Id .

[28]Cass. soc., Oct. 2, 2001, Bull Civ. V, No. 291.

[29]Eighth Annual Report, supra note 19, at 44 (citing Decision

61/2004).

[30]"Monitoring Employees E-Mail and Internet Usage in Europe," Internet Law-Business-e-Commerce, May 1, 2005 ("The Supreme Court has held that an employer can only carry out such monitoring if it is aimed at ascertaining unlawful behavior on the part of the employee and provided it has reached an agreement with the local union or has authorization from the local labor office.").

© 2011 The American Society of International Law • 2223 Massachusetts Avenue, NW Washington DC 20008 • Phone 202-939-6000 Association Software Powered by AMO - Coldfusion Programming by Minneapolis Web Design Firm ArcStone