Slashdot Mirror


European Court Rules Companies Must Tell Employees of Email Checks (reuters.com)

Companies must tell employees in advance if their work email accounts are being monitored and such checks must not unduly infringe workers' privacy, the European Court of Human Rights ruled on Tuesday. From a report: In a judgment in the case of a man fired 10 years ago for using a work messaging account to communicate with his family, the judges found that Romanian courts failed to protect Bogdan Barbulescu's private correspondence because his employer had not given him prior notice it was monitoring his communications. Email privacy has become a hotly contested issue as more people use work addresses for personal correspondence even as employers demand the right to monitor email and computer usage to ensure staff use work email appropriately. Courts in general have sided with employers on this issue.


  1. I work in IT by Martin S. · · Score: 3, Insightful

    So I'm going to assume they can and will read anything I do at work and act accordingly.

    1. Re:I work in IT by stealth_finger · · Score: 2

      So I'm going to assume they can and will read anything I do at work and act accordingly.

      Yeah, shouldn't that be the base assumption? Even if it's not actively being monitored or has ever been it has the potential to be and can at least be checked up on.

      --
      Wanna buy a shirt?
      https://www.redbubble.com/people/stealthfinger/shop?asc=u
    2. Re:I work in IT by dindi · · Score: 3, Informative

      +1 ...

      And why on Earth would someone conduct private business on a company email account?

      Now if they sniff my private mails going to my phone through an external provider, or my home email, that would be a different story.

      But again, I wouldn't use the company's wifi to even receive private mail or access private stuff. For that, you have your data plan.

      And yes, a company computer, a company connection and a company account DOES BELONG to the company, thus should and will be monitored by the company.

    3. Re:I work in IT by kwerle · · Score: 2

      And why on Earth would someone conduct private business on a company email account?

      Have you ever met people? They're idiots.

    4. Re:I work in IT by AmiMoJo · · Score: 2

      From TFA:

      The company had presented him with printouts of his private messages to his brother and fiancée on Yahoo Messenger as evidence of his breach of a company ban on such personal use.

      Barbulescu had previously told his employer in writing that he had only used the service for professional purposes.

      So it's not even email, just Yahoo chat. The issue here is not that he lied about using the service for work only, he could still be fired for that, it's that in the EU an employer can't simply read everything on its network because the users of that network have some small expectation of privacy.

      Don't misunderstand this. Network monitoring for detection of intrusion, scanning emails for viruses and spam, that sort of thing is still fine. Even reading employee emails when there is some good reason to is okay in the right circumstances. What isn't okay is the boss being able to read anything an employee writes in a random chat message to their family. Seeing that they are chatting to their family is fine, and the additional invasion of privacy isn't necessary to sanction them for it.

      It's really quite a narrow ruling, but an important one. It reinforces the idea that privacy is a basic human right in the EU and that there must be good reason for violating it. Consider that just because the employer owns a laptop that it gives to you, that doesn't give it the right to remotely turn the web cam and microphone on whenever it likes, e.g. in your home, or even in the office where most people would be upset if you set up a CCTV camera on top of their monitor.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    5. Re:I work in IT by Carewolf · · Score: 2

      So I'm going to assume they can and will read anything I do at work and act accordingly.

      Yeah, shouldn't that be the base assumption? Even if it's not actively being monitored or has ever been it has the potential to be and can at least be checked up on.

      No, it shouldn't. And in Europe a reasonable expectation of privacy is a codified right.

    6. Re: I work in IT by Cederic · · Score: 2

      Well, no, not end of story at all. The story includes regulatory compliance, which covers things like protecting consumer data, fiduciary responsibility, obligations against modern slavery and various audit controls.

      Failing to monitor work email accounts is in some situations actually illegal.

    7. Re: I work in IT by Teun · · Score: 2

      No it's most certainly not end of story.

      As Carewolf writes in the EU (that includes Romania) there is the codified Expectation of Privacy.
      Virtually all companies that use a law office for their contracts will have their employees sign a paper that they understand the company supplied mail and Internet access can be monitored.
      Such a contract would include that you can to an extent use it for private conversations, abuse will not be accepted.

      Another way to look at it is when the mail address includes my name it can hardly be claimed it is 100% company property, or do you want to say my hotmail.com address belongs to Microsoft making them responsible for what I write?

      --
      "The likes of Facebook and WhatsApp are free to those whose privacy is of zero value."
    8. Re: I work in IT by Carewolf · · Score: 2

      No it's most certainly not end of story.

      As Carewolf writes in the EU (that includes Romania) there is the codified Expectation of Privacy.

      Virtually all companies that use a law office for their contracts will have their employees sign a paper that they understand the company supplied mail and Internet access can be monitored.

      The details might depend on the country, but in Germany such contracts are only legal and valid if they are exceptions, that is if they only apply to a minority of employees for whom special consideration makes such a contract necessary. If forced on everybody it is not just not valid, it is outright illegal.

  2. Put it in writing ... by CaptainDork · · Score: 2, Insightful

    ... in a Technology Administrator Policy and designate an administrator.

    I'm retired now, and when I hired on at a law firm 20 years ago, I wrote that policy and amended it as things changed.

    I blocked shit like match.com, Facebook, Twitter, etc.

    I listed taboos like using business email for non-business purposes and I stated clearly that, at the direction of the partners, I would be monitoring emails, browser history, etc.

    For each and every new hire, I read the Policy to them in the kitchen area and invited them to ask questions then, and at any other time during their employment.

    The last page had a place for two signatures/dates:

    - Theirs, acknowledging that they participated in the counseling

    - Mine, acknowledging same.

    I got a few calls regarding wrongful termination during the years and, in one matter, the fired employee said, "Well, everyone else was doing it."

    I told the work comp lady to add, "Line item 6.1.a, 'Report any violations or suspected violations of this policy to the Technology Administrator.'"

    --
    It little behooves the best of us to comment on the rest of us.
    1. Re:Put it in writing ... by Kjella · · Score: 4, Insightful

      I got a few calls regarding wrongful termination during the years and, in one matter, the fired employee said, "Well, everyone else was doing it."

      I told the work comp lady to add, "Line item 6.1.a, 'Report any violations or suspected violations of this policy to the Technology Administrator.'"

      So assuming he wasn't exaggerating you amended a policy nobody followed with another over-the-top rule for them to ignore, brilliant. I've read a few policies like that, in theory they're great. In practice nobody knows, because they're so anal the only real purpose they serve is as legal ammunition against troublesome employees. For example I read my organization's phone application guidelines, install any non-IT approved app and you take full legal liability for any damage it can cause. Meanwhile using it as your personal phone too is encouraged and 95%+ do exactly that, nobody bats an eye at installing anything. It's only there because if shit hits the fan they can throw you to the wolves and blame you for violating policy.

      --
      Live today, because you never know what tomorrow brings
    2. Re:Put it in writing ... by AmiMoJo · · Score: 3, Insightful

      That sounds like a horrible, Orwellian place to work.

      Did you give employees laptops and phones for travel? Did they routinely turn them off to prevent you activating the camera/microphone and carry a second personal laptop?

      It really sounds like an awful way to live. I wouldn't work at such a place, I'd only go somewhere that doesn't routinely spy on me and largely doesn't care as long as I get stuff done. Even if I didn't care about privacy, I'd assume it was a sign that there were other serious problems with the management style and working environment.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    3. Re:Put it in writing ... by CaptainDork · · Score: 2

      It's possible that you don't grok it.

      The longer version, that should be apparent, is that a violator got three strikes.

      Well, 4.

      As a coworker, I'd whisper in their ear that what they were doing was a violation and to stop.

      For each violation, I simply witnessed the reprimand given by a partner. That violation was written up, with proof attached; signed by the violator and me.

      That went into their folder.

      Third time was a charm.

      Example:

      Kara downloaded Picasa, a photo editing thing from Google. "Downloads are prohibited without prior permission from the Technology Administrator."

      She brought in her personal camera and uploaded pictures to her computer, then to Picasa. "Employees will not use personal technology at work and will not make changes to any of the Firm's technology without prior permission from the Technology Administrator."

      Management was suspicious of her and asked me to look at her activity on the firewall.

      She was on match.com (this was the trigger for the firewall block, per my recommendation) on a Friday from 2 pm to 5 pm.

      It was all documented, signed by her, and she was let go.

      --
      It little behooves the best of us to comment on the rest of us.
  3. Invitation To Theft by forkfail · · Score: 2, Insightful

    As soon as it becomes impossible for an organization to maintain complete control of the communications on its own networks, connections to other networks, and data transfers to and from those external networks, you have given carte blanche to those who would steal company secrets, data, and technology.

    This is insane. Folks have cell phones that they don't have to put on corporate/company networks. Use that for personal.

    --
    Check your premises.
  4. Re:Don't do that with your work account by KiloByte · · Score: 2

    And that's the reason why this company lost: they didn't tell the employee about the monitoring.

    So there'll be a single line added in an obscure place to the pile of paper you're required to sign upon being hired, without even an opportunity to actually read what you're signing.

    --
    The creatures outside looked from Alt-Right to Antifa; but already it was impossible to say which was which.
  5. Re:Don't do that with your work account by war4peace · · Score: 2

    No, because the EU laws don't allow for that douchebaggery to exist.
    I work in the EU and there are big signs at entry doors warning that the place is being monitored through CCTV.
    We have signed a separate document which details what exactly is being monitored, how and for how long, with a list of cases where monitoring would happen, etc.
    I do know that all files on my company-issued laptop are scanned and their file names (NOT the contents) are saved for later scrutiny if need be, but in order for that scrutiny to occur, there needs to be a good, legally-established reason.
    Files and their contents are backed into the cloud, but I get to choose which ones should be backed up, it's my responsibility to select them (and the privilege to not select the ones I don't want backed up).
    There is an expectation for reasonable use of company assets for personal reasons, with top 5% overall users of, say, mobile data being informed they are in top 5% and still not monitored in detail, only told "hey, during the last X months you've been using a lot of mobile data, please try to reduce usage".

    This helps employees be less paranoid and focus on work rather than avoiding employer scrutiny.

    --
    ...gis sdrawkcab (usually not responding to ACs; don't bother posting as AC)
  6. Grey area: ruling makes sense by Roger W Moore · · Score: 2

    Yeah, shouldn't that be the base assumption?

    No. It might be the cautious assumption but that does not mean that someone who expects some level of privacy has unreasonable expectations. There are many different levels of private email correspondence. For example, if I email my wife to let her know that I will be home late because of work I would not expect my employer to fire me for personal use of work email. However, if you tried to run a small business of eBay selling things through your work email then yes I would expect any employer would likely fire you for that!

    This means that there is a certain grey area between what an employer wants to let you do and what a reasonable person might assume that they can do. Hence this ruling seems to make a lot of sense: employers can do what they want with an employee's email account, they just have to say exactly what they will do and what they will allow beforehand. This way everyone's different assumptions about what is ok do not matter because the rules are spelled out.

  7. Email? IM? by nine-times · · Score: 3, Interesting

    From the summary, I had assumed that this was a standard case of a company accessing a person's email that was sent through that company's own mail server. I was pretty much ready to side with the employer. If you send an email through your company's mail server, you should expect that someone might view that email. Even if the employer isn't snooping, there are any number of reasons why someone at the company may need to review your work emails. However, the article states:

    The company had presented Barbulescu with printouts of his private messages to his brother and fiancée on Yahoo Messenger as evidence of his breach of a company ban on such personal use.

    So that makes it sound like this guy was using a personal Yahoo Messenger account. So that kind of takes me in the other direction, in favor of the employee's right to privacy. As a general rule, I don't think that your company should have the right to access your personal email/IM accounts, even if you happen to access them on work devices.

    However, that doesn't really explain how they got access to his chats, unless they were stored on his work computer. I don't feel comfortable saying that a company shouldn't be allowed to review the contents of a company-owned computer. And this is further complicated by the fact that the employee stated, in writing, that the account was being used solely for work purposes. In that case, I could see an argument that the account is a work account, not a personal account, and so the employer should be allowed to access it.

    In any case, I think there's some space between "what an employer should be legally allowed to do" and "what an employer should do". Even if employers can spy on employees and review private email, they should try to avoid reading anything that's not business related.