Friday, September 23, 2011

France: Employee Privacy 1 - Employer Surveillance 0

By Judith Beckhard-Cardoso, Partner, Noémie Birnbaum, Associate, and Alexina Chalachin, Associate and member of the New-York Bar, Fasken Martineau

It can no longer be assumed that all emails are work-related. A private email, even if received in the employee professional inbox, cannot be used to sanction that employee. This was the ruling handed down this summer by the labor chamber of the French Supreme Court (Cour de cassation) some 10 years after its ruling in the Nikon case.

On July 5, 2011, the labor chamber of the Cour de cassation added a new cornerstone to its pre-existing case law on the right to privacy in the workplace by holding that "although an employer may consult files not identified as personal by an employee, it may not use them to sanction the employee should the content of those files reveal that they concern his or her private life".

As the exchange of intimate emails and the keeping of erotic photos is a private matter for an employee, it may not regarded as reprehensible behavior as long as doing so does not objectively create a problem for the company.

As the employer could not validly rely on such evidence, the employee obtained damages for dismissal without real and serious cause.

Facts

A senior management employee exchanged various intimate emails with another employee in his firm. He also kept erotic emails in his work-related email messaging system. The employer discovered the emails after an unannounced visit was conducted in the employee's absence, and subsequently dismissed the employee. The case is of interest as the messages in question did not have a subject heading or designation to indicate that they were personal.

Analysis and Scope of the Decision

Given the development of information and communication technologies ("ICT"), the Cour de cassation had to state that an employee's private life did not cease to exist at the threshold to the workplace. In the wake of the landmark "Nikon" case
[1], the Court has regularly defined the employer's power of surveillance by delineating the right to privacy at work. It is restating this notion by imposing an obligation on the employer to interpret the content of emails received on a business messaging system if the employee has not identified them as personal.

(1) From the recognition of privacy in the workplace …

The right to privacy is guaranteed by various legislative provisions: article 9 of the Civil Code, article 8 of the European Convention on Human Rights and Fundamental Freedoms, and article 226-15 of the Penal Code. The Labor Code is not however a source of this right.

Article 9 of the Civil Code was the basis for the Cour de cassation's formulation in 1997
[2] of the related notion of personal life. It covers any act, unrelated to a work-related obligation, committed by an employee in the workplace during or after working hours.

The Nikon case became the jurisprudential cornerstone of that legal construct: as every French employee knows, he or she is entitled "while in the workplace, during working hours, to the right to privacy. This specifically implies the secrecy of correspondence. Thus, an employer may not, without infringing this fundamental freedom, read any personal messages sent or received by the employee using a computer tool made available to the employee for his work, even when the employer has prohibited such non work-related use of the computer".

The development of what was previously called "new" ICTs has rendered the traditional boundary between professional and private life somewhat difficult to grasp.
[3] In the space of a few years, emails have gradually replaced phone calls, smart phones have become the norm for managers, employees and the self-employed, and social media networks have become a preferred recruitment and marketing tool for companies. This change also has a direct impact on employees who are finding it increasingly difficult to disengage from work, even when at home.

Such technologies have also made it difficult for employers to control how their employees spend their time. How can an employer determine if an employee sitting in front of a computer is exchanging business or personal emails during working hours? Is the employee working or taking a break?

The Cour de cassation labor division case law has attempted to achieve a balance between both considerations.

(2) … to an informed oversight of practices

The Nikon case left several issues in abeyance: the assessment of the nature of the correspondence exchanged, the necessity of the employee’s presence when his or her files are opened, and the characterization of the files created with the computer tool made available to the employee.

In its 2004 report on cyber-surveillance in the workplace,
[4] the Commission nationale de l'informatique et des libertés [National Commission on Information Technology and Liberties] (CNIL), reminded employers that the "the use of electronic messaging to send or receive a reasonable number of personal messages is generally and socially acceptable."

The Cour de cassation has gradually adopted a more nuanced solution, mindful of the need to balance an employee's right to privacy against the employer's legitimate interests.

Thus, in 2005, the Labor division formulated a new solution regarding personal computer files
[5] drawing back from the Nikon case and stating that "except in the case of a specific risk or event, an employer may not open any files designated by an employee as personal that are stored on the hard drive of the computer made available to the employee unless the employee is present or has been duly summoned".

The Court hereby held, on the one hand, that it is incumbent on the employee to determine the nature and content of correspondence exchanged and on the other hand that there is an obligation on the employer to ensure that the employee is present when his or her personal files are opened, except in the case of a specific risk or event. The Court thus paved the way for the May 23, 2007 decision reconciling the right to privacy of employees with the right of the employer to conduct in futurum expertise contemplated in article 145 of the New Code of Civil Procedure.
[6]

This shift in case law was heralded in 2006 when the Court stated that files and records created by an employee on a computer provided by the employer for work-related purposes are presumed to be work-related, unless designated by the employee as personal.
[7] Therefore, the employer may access them in the employee's absence.

The presumption that computer stored data is work-related was extended, in 2008, to Internet connections.
[8]

Until the July 2011 decision discussed above, the following rules were thus laid down by case law:

(a) Electronic files or documents in any other media are presumed to be work-related. In the case of express indication of their private or personal nature, the employer may nevertheless search them in the employee's presence, or provided that the employee was warned beforehand;
[9]

(b) Emails, hard-copy correspondence or faxes received and sent from the workplace during working hours are presumed to be work-related. In the case of express designation that they are private,
[10] the employer may nevertheless search such correspondence if it obtains an order to that effect from the Motions Judge pursuant to article 145 of the Civil Code[11].

On July 5, 2011, the Cour de cassation altered this delicate balance by stating that even if an email is not designated as private, if, on reading it, the employer becomes aware that the content is private, it may not use it as evidence against the employee.

Clearly, this is a common-sense decision, but it should be examined solely in the context in which it was rendered.

The July 5, 2011 decision was rendered on evidentiary grounds as opposed to the right to privacy. What can be deduced from that? A new interpretation key on the issue of the employer's respect for the confidentiality of private information:

(a) if the employee states that the content of an email is private, the employer may not access it without a judge's permission;
(b) if the employee does not state that the content of an email is private, the employer may access it;
(c) if on reading an email the employer notes that its content is strictly work-related, it may read it and make use of it;
(d) if on reading an email the employer notes that its content is strictly private, it may read it, but it may not make use of the content.

It must be borne in mind that statements denigrating the management hierarchy are always regarded as work-related and are therefore sanctionable
[12] as is the misuse of the business messaging system solely or primarily for private purposes.[13]

What if an employer, on reading an email, is not sure of its nature? And what if the content of the email is private as well as work-related?

These problems in interpretation arise especially in connection with internal surveillance and monitoring procedures that have had to be implemented in France for the purpose of foreign provisions intended generally to improve corporate governance. Consider internal investigations and other wistleblowing alerts generated by the U.S. Foreign Corrupt Practices Act,
[14] Sarbanes-Oxley legislation[15] or its Japanese counterpart,[16] and more recently Dodd-Frank legislation.[17] Such legislation applies to any French company listed in the U.S. (or in Japan) and to any French subsidiary of a listed American (or Japanese) company.

In case of contravention of any of the aforementioned legislation, the government authorities responsible for implementing the provisions of those statutes and for conducting investigations may impose heavy sanctions including the suspension of access by the companies concerned to governmental procurement contracts. This explains why companies sometimes proactively have an internal investigation conducted by their own counsel and auditors when they suspect the occurrence of potentially illegal practices within the company.

This type of investigation requires the examination of thousands of emails. In practice, software automatically analyze the emails, identifying only those that contain certain key words. Thus, a company can readily decide to automatically exclude emails marked "private" or "personal".

However, what can a company do if it detects suspicious emails that have no specific designation as to their nature?

Let's take the example of an examination of emails conducted on the basis of the key words "payment ", "suitcase" and "benefit". A senior executive is the author of a suspect email containing those words. After analysis, the company dismisses him for proven corrupt practices. According to the July 2011 decision, and despite all precautions taken by the company, will the employee be able to challenge his dismissal? He may be able to argue that the email was in fact personal, the sole purpose of which was to arrange his leave and that the evidence can therefore be challenged…


[1] Cass. soc., October 2, 2001, Sté Nikon v. France, No. 99-17.855;
[2] Cass. soc., May 14, 1997 : Bull. civ. 1997, V, No. 175;
[3] Cf. J.-E. Ray, La Guerre des Temps. Le Net ? Never Enough Time, Droit Social No. January 1st 2006;
[4] Cnil, La cyber-surveillance sur les lieux de travail, March 2004, p. 13 : http://www.cnil.fr;
[5] Cass. soc., May 17, 2005, No. 03-40.017, Klajer v. Sté Cathnet-Science;
[6] Cass. soc., May 23, 2007, No. 05-17.818, SA Datacep v. H;
[7] Cass . soc., October 18, 2006, No. 04-48.025;
[8] Cass. soc., July 9, 2008, No. 06-45.800;
[9] Cass. soc., May 17, 2005, op.cit.;
[10] Cass. soc., December 15, 2010, No. 08-42.486;
[11] Cass. soc., May 23, 2007, No. 05-17.818, op. cit.;
[12] Cass.soc., February 2, 2011, No. s09-72.313 et 09-72.449;
[13] Cass. soc., June 2, 2004, No. 03-45.269;
[14] Foreign Corrupt Practices Act, 1977, § 15 U.S.C. 78, et seq
[15] Pub. L. No. 107-204, 116 Stat. 745, enacted July 31, 2002
[16] Standards published on February 15, 2007 by the Japanese "Financial Services Agency" and codified in the "Financial Instruments and Exchange Act" of June 7, 2006.
[17] Dodd–Frank Wall Street Reform and Consumer Protection Act enacted July 20, 2010 (Pub.L. 111-203, H.R. 4173)