15/03/18

No, Employee Hard Drive Labelled "Personal Data" Is Not Private

For various reasons, employers may wish or need to check files on an employee's desktop or laptop. From a legal point of view, this is often tricky as privacy laws and other legislation may impose restrictions.

In Libert v France of 22 February 2018 (available in French), the European Court of Human Rights (ECHR) ruled that employers may access files on an employee's computer which are not clearly marked "private" without violating Article 8 of the European Convention on Human Rights. It follows from this decision that files not marked private are considered professional documents which may be freely accessed by the employer.

Facts

The facts of the case can be summarised as follows.

An employee of the French railway company (SNCF) was dismissed following the discovery on his computer of adult material (1562 files) and false declarations made for third parties. The files had been saved on the employee's hard drive, which was labelled données personnelles ("personal data"). The employee challenged his dismissal before the national courts, which sided with the employer.

The ECHR's reasoning

With regard to a possible violation of the right to privacy (Article 8 of the European Convention on Human Rights), the ECHR takes the view that accessing files on an employee's computer in the employee's absence and without informing the employee constitutes an invasion of the employee's right to privacy.

However, in the case at hand, the ECHR found the interference to be acceptable. The Court followed the reasoning of the Amiens Court of Appeal that the files had not been clearly marked "private" (privé).

Indeed, the adult material was saved in a folder entitled Rires ("Laughs") on the D drive which the employee had labelled données personnelles ("personal data"). The false declarations were saved in various folders, under the names "Fred [P.]", "Socrif" and "Catherine".

The D drive is generally made available to SNCF employees for professional documents. The appellate court ruled that an employee cannot consider or label the complete hard drive as private and that, in any case, the term "personal data" could also refer to professional files handled by the employee personally and, therefore, does not clearly indicate that the documents are private. Furthermore, the SCNF's acceptable use policy expressly states that private files must be marked as such.

For these reasons, the ECHR found that the individual's right to privacy had not been violated.

Comments

We agree that in general an employer should be able to monitor the activity of its employees and to this end access professional files. Only individual folders and files (thus not an entire hard disk or substantial part thereof) clearly marked "private" should not be examined by the employer. Employers should also ensure that their IT policies contain clear rules on the acceptable use of IT resources by employees.

As far as e-mails are concerned, the situation is:

  • similar in Luxembourg, provided the message is clearly marked “PRIVATE” and “CONFIDENTIAL” (the Luxembourg Court of Appeal has nevertheless surprisingly ruled that "Privé-Drink Nouvel An” is not sufficient); and
     
  • slightly more complicated under Belgian law. The Electronic Communications Act requires consent if the employer wishes to access e-mails to which it is not a party, regardless of whether the e-mail is professional or private in nature.
dotted_texture