The clarifications made by the Norwegian regulation
According to the 2018 Norwegian regulation, employers have access to their employees' work emails:
(i) when necessary for the conduct of the business or for any other legitimate business interest; or
(ii) if there is reasonable doubt that the employee has violated the rules governing the use of his or her work email, a violation that may constitute grounds for dismissal[3].
The employee should normally be informed that the employer will be accessing his or her emails[4] and the reasons for doing so. The employee may make comments in response to this information. If the employer accesses an employee's emails in the employee's absence or without notice, the employer must inform the employee in writing after the fact, indicating which emails were accessed.
If the employee leaves the company, emails that are no longer useful for the company's business must be deleted within a reasonable period of time[5].
The Norwegian Data Protection Authority's decision[6]
In the case that gave rise to the above-mentioned sanction, the employer, while changing the access password to its former employee's professional email account, had continued for several weeks to use this mailbox to follow up on clients and process files normally handled by the former employee.
Datatilsynet found that the employer had failed to comply with its obligation to provide information under Article 13 of the GDPR[7], had disregarded the former employee's right to erasure under Article 17 with respect to data that are no longer necessary for the purpose for which they were collected[8], and had even disregarded his right to object as provided for in Article 21 of the Regulation[9]. Since the decision itself has not been published and only the press release is available, one should be cautious in interpreting the Norwegian authority's decision. It can nevertheless be deduced from it that the management of emails within the company must be the subject of a clear internal policy that is well understood by employees.
The GDPR and employer access to employee email
Messages sent or received on an email system are personal data within the meaning of the GDPR and, for France, of the Data Protection Act[10]. As the Paris Tribunal of first instance reminds us in a judgment of December 17, 2015, "a professional email address... corresponds to a physical person, individualized, holder of this email address"[11].
Emails related to the professional activity are to be distinguished from those of a private nature, notably on family matters, whether they are stored in the personal mailbox (accessible from the employee's office) or in the professional mailbox. The employer is entitled to access the employee's professional email in his or her absence, including instant messaging[12]. However, the employer may not open emails marked "personal" by the employee.
Personal messages identified as such[14] are in fact covered by the confidentiality of correspondence[15]. On the other hand, e-mails that are not identified as personal on the professional email system "are presumed to be of a professional nature, so that the employer is entitled to open them without the presence of the person concerned"[16].
The employer may only open messages identified as personal on its professional email system in the presence of the employee or if the employee has been duly called[17], except in the case of a "particular risk or event" to be averted[18]. Thus, in a decision of June 17, 2009, the Court of Cassation dealt with the case of the company Sanofi which, in order to determine the identity of the author of anonymous letters containing confidential information, had asked the computer network administrator to check the email accounts of seventeen employees. The employee representatives asked the labour court to order an investigation into the conditions under which these messages were consulted. While recognizing the employer's right to entrust an investigation to the network administrator, the Court of Cassation granted the petitioners' request, holding that it was possible "that through such a wide-ranging investigation and in the absence of reference to personal emails, the employer had access to personal messages"[19].
In the event of a prolonged absence of the employee, e.g., on sick leave, the employer's access to the professional mailbox does not exempt it from verifying whether or not the content of the mailbox belongs to the employee's private life. On the other hand, messages that are professional or presumed to be professional and that have not been identified as personal are accessible to the employer and constitute lawful evidence in the event of litigation[20].
Managing an employee's email after the employee has left
Before the employee leaves, the French Data Protection Authority ("CNIL") recommends that the employee be informed of the date on which his or her email account will be closed in order to allow him or her to purge it of personal messages[21].
Concerning an employee who wanted to retrieve his messages after his departure, the Lyon Court of Appeal ruled, in a decision of November 10, 2020, that it was valid for the employer to call in a bailiff and suggest keywords (private addresses, name of the children's school, etc.) "for the purpose of sorting out the messages, data and files in Mr. X's professional email system from those of a personal nature, and to hand over to the latter on a usable digital medium the data thus identified as being his property".
Following the departure of the employee, it is advisable to close his or her mailbox so that it no longer receives emails. The CNIL indicates on its website that "the modalities for closing the employee's user account must be organized in the IT charter. The employee's personal email address must then be deleted by the employer"[22].
In conclusion, our field experience allows us to draw the following lessons:
(i) We advise providing full information to the employee, in the company's IT charter, on the possibilities of access by the employer to his or her email.
(ii) It is strongly recommended to plan a mandatory annual training session on the IT charter, using concrete examples from within the company or taken from case law.
(iii) It is important to conceive this training as an opportunity for feedback from employees in order to regularly update the IT charter (the IT charter must also mention the obligations of employees in the use of the company's IT tools).
[1] Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data.
[2] Regulation of July 20, 2018, from the Norwegian Ministry of Labor and Social Affairs on employer access to mailboxes and other electronically stored documents.
[3] Article 2 of the regulation.
[4] Article 3 of the regulation.
[5] Article 4 of the regulation.
[6] See Datatilsynet's press release: https://www.datatilsynet.no/regelverk-og-verktoy/lover-og-regler/avgjorelser-fra-datatilsynet/2021/virksomhet-far-gebyr-for-innsyn-i-tidligere-ansatts-e-postkasse-og-manglende-avslutning-av-e-postkassen/
[7] Article 13 of the GDPR requires the data controller to provide data subjects with complete information enabling them to know the reason for the collection of their data, to understand the processing that will be carried out and to facilitate the exercise of their rights. In particular, Article 13 provides that the controller must indicate "the purposes of the processing for which the personal data are intended as well as the legal basis for the processing"; "the period for which the personal data will be stored, or if that is not possible, the criteria used to determine that period"; "the existence of the right to request from the controller access to and rectification or erasure of personal data or restriction of processing concerning the data subject or to object to processing as well as the right to data portability."
[8] According to Article 17 of the GDPR, "the data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay and the controller shall have the obligation to erase personal data without undue delay", in particular when "the personal data are no longer necessary for the purposes for which they were collected".
[9] Article 21 of the GDPR provides: "The data subject shall have the right to object, on grounds relating to his or her particular situation, at any time to processing of personal data concerning him or her which is based on point (e) [public interest] or (f) of Article 6(1) [legitimate interests of the controller], including profiling based on those provisions. The controller shall no longer process the personal data unless the controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defence of legal claims."
[10] Law no. 78-17 of January 6, 1978, as amended, on information technology, files and freedoms.
[11] Tribunal of first instance of Paris, December 17, 2015, No. 13/11815.
[12] Court of Cassation, Social Division, October 18, 2006, No. 04-48.025; Court of Cassation, Social Division, September 9, 2020, No. 18-20.489.
[13] Court of Cassation, Social Division, October 18, 2006, No. 04-48.025; Court of Cassation, Mixed Division, May 18, 2007, No. 05-40.803; Court of Cassation, Social Division, January 26, 2016, No. 14-15.360.
[14] Court of Appeal of Lyon, 8th chamber, November 10, 2020, No. 20/00935.
[15] CNIL, Le contrôle de l'utilisation d'internet et de la messagerie électronique, December 1, 2015. Regarding the violation of the secrecy of correspondence, Article L. 226-15 of the Penal Code provides: "The fact, committed in bad faith, of opening, deleting, delaying or diverting correspondence that has or has not arrived at its destination and is addressed to third parties, or of fraudulently gaining knowledge of it, is punishable by one year's imprisonment and a fine of 45,000 euros."
[16] Court of Cassation, Social Division, June 26, 2012, No. 11-15.310.
[17] Court of Cassation, Social Division, May 17, 2005, No. 03-40.017.
[18] Court of Cassation, Social Division, June 17, 2009, No. 08-40.274.
[19] Court of Cassation, Social Division, June 17, 2009, No. 08-40.274.
[20] Court of Cassation, Social Division, April 3, 2019, Nos. 17-20.953 to 957.
[21] CNIL, Messagerie professionnelle : quelles précautions avant de fermer le compte d'un employé ?
[22] Court of Appeal of Lyon, November 10, 2020, No. 20/00935.
Noëlle Lenoir Avocats
Noëlle Lenoir Avocats ©2020 All rights reserved