New directive on privacy in the workplace

By EDRi · September 25, 2003

The European Commission is planning a new Directive on privacy in the
workplace, in 2004 or 2005. After two consultations with the social
partners, in August 2001 and October 2002, the Commission is convinced of
the necessity of such a new directive. 3 main grounds for the new
legislatory framework are: technological advances that increasingly blur
the boundary between work and private life; globalisation and the
outsourcing of human resources and finally; ‘post-11 September insecurity’.

In preparation of the new directive the European Industrial Relations
Observatory (EIRO) published a very interesting and detailed comparative
legal study on privacy and e-mail at the workplace.

The study states that “it is rare for countries to have introduced
specific legislation applying data protection rules to the employment
context.” The most notable exception is Finland, which introduced its Act
on Data Protection in Working Life in 2001. However, earlier this summer
the Ministry of Labour released a draft revision of this act that would
considerably lower the level of privacy protection (see EDRI-gram 12, item
6).

Many member states include general privacy provisions in their national
constitutions that can be applied to the workplace. Additionally,
employment law can also contain provisions on workers’ privacy. For
example, the report says that the “French Labour Code prohibits
restrictions of workers’ rights and freedoms except where justified and
proportionate.”

A common theme in court cases about e-mail and internet use is whether a
company has a code of conduct or instructions on internet and e-mail use.
In Denmark, Germany, the Netherlands and the UK, courts have refused to
dismiss employees if the company didn’t have a clear acceptable use
policy.

According to the Article 29 Working Party (the coalition of all EU data
protection authorities) “it should be clear that the simple fact that a
monitoring activity or surveillance is considered convenient to serve the
employer’s interest would not solely justify any intrusion in worker’s
privacy.” In their working document on the surveillance of electronic
communications in the workplace, the data protection authorities suggest a
test of 4 questions that each monitoring measure must pass:

1) Is the monitoring activity transparent to the workers?
2) Is it necessary? Could not the employer obtain the same result with
traditional methods of supervision?
3) Is the processing of personal data proposed fair to the workers?
4) Is it proportionate to the concerns that it tries to ally?

EU companies challenged by workplace monitoring rules (09.2003)
http://www.eiro.eurofound.eu.int/2003/07/study/TN0307101S.html

Art. 29 Working Document (29.05.2002)
http://europa.eu.int/comm/internal_market/privacy/docs/wpdocs/2002/wp55_en.pdf