Secuity Testing

Page content

General Law Perceptions on Privacy: The EU Law vs. The US Judicial System

Can employees using company e-mail hold a reasonable expectation of privacy? Technologically the answer would be ’no’. However legally, the answer is still not clear and is still evolving. Employer monitoring is an emerging area of law and thus, there is no clear concept of defining the extent of e-mail privacy at workplaces. The legal environment so far has failed to solve such technology related cases.

The EU law has enjoyed greater success as compared to US in this context as it tries to meet the needs of both the employers and employees by bringing a balance between their expectations. This as compared to the US jurisprudence is different as they perceive that employees should not hold any expectation of privacy in the workplace and employers are completely justified by using any form of surveillance.

EU, since the end of World War II have emphasized greatly on privacy laws with Germany, France and United Kingdom taking the front stance with an established legislative framework. The recent privacy related laws include the German Bundestag that had a section which was concerned with privacy in telecommunications. This was called he Teleservices Data Protection Act. Another recent popular act was the British Data Protection Act that was initially enacted in 1984. However, in 2000, it was strengthened to include protection from electronic data too. In order to standardize the EU laws, the EU in 1995 initiated the EU Data Protection Directive which took effect in 1998.

Until 1914, the US Judicial System largely followed the precepts of English law when it came to dealing with introduction of evidence in criminal trials. The EU as compared to the US has an established legislative framework aimed at protecting data in an internet based and information driven economy. The aim of the 1995 directive was to protect individuals with regard to the processing of personal data and free movement of this data. Its supplement in 1997 set forth the protection of privacy and personal data in the telecommunication sector.

U.S. Judiciary Law

The reason for considering US jurisdiction in most researches is, the country’s success is owed to its high tech and financial sector firms where privacy of data is most important and surveillance is most prevalent. So far, no American law believes that its citizens should hold an expectation of privacy in the workplace. However, the Bill of Rights limits the government’s power to interfere with individuals, thus respecting personal privacy. The First Amendment recognizes the right to be left alone by guaranteeing privacy of beliefs. The Fourth Amendment protects persons, houses papers from government. The Fifth Amendment prohibits the government from coercing an individual to reveal private matters.

In the landmark case of Griswold v/s Connecticut in 1960, a law involving prohibited use of contraceptives has been passed. The Supreme Court invalidated the law because it violated the “right to martial privacy”. Since this, the right to privacy was cited in several rulings. In Olmstead v/s United States, it was held that privacy is a “fundamental right” and is quoted as nor shall any State deprive any person of life, liberty or property, without due process of law; nor deny to any person within its jurisdiction the equal protection of the laws

However in the case of workplace privacy or employee surveillance, as recognized by Payne & Adair which define an employment contract as an empowerment to employers to “treat employees as mere suppliers of labor with no recognition of them as persons entitled to personal autonomy”. Thus, employees in the US have no real legal protection of personality except the Electronics Communications Privacy Act of 1986 (ECPA) which offers workers protection in communication privacy. The ECPA sets out the provisions for access, use, disclosure, interception and privacy protections of electronic communications. ECPA prohibits unlawful access and certain disclosures of communication contents. Additionally, the law prevents government entities from requiring disclosure of electronic communications from a provider without proper procedure. The law asks providers to offer written assurances that e-mails would be private so that a basis for reasonable expectation of privacy in the Katz test can be provided and so that they are an undertaking for reach of which service provider could be held liable.

Title 1 of the ECPA protects communication while in transit. Section 2511, prohibits the interception of an e-mail while it is being transmitted. Title II, the Stored Communications Act (SCA) protects messages stored on computers. Section 2701 prohibits the unauthorized access of an e-mail that is temporarily stored on a computer. In United States v/s Councilman, an argument occurred that if the ECPA did not protect e-mail in storage, then other protections were pointless as virtually all e-mail is stored temporarily in transit at least once. Title III prohibits the use recording of dialing, addressing and signaling information. However the loophole that is provided for the employer’s benefit is that under the system provider exception, the system administrator, officer or provider can intercept and monitor. Also employers are allowed to monitor e-mail or phone calls for ‘business’ purposes.

US laws as such have taken decision varying on a case to case basis. Generally speaking, it is difficult to persuade the court that the employer is invading in the employee’s legitimate expectation of privacy in the workplace as the systems are owned by the employer. In Fraser v/s Nationwide Mutual Insurance Company, the Court of Appeal ruled that since Fraser’s e-mails were stored on the Nationwide system, any search by the company was authorized by an exemption in the ECPA for e-mail service providers. It was held that Nationwide did not violate statutory prohibitions against intercepting e-mails.

The common law tort of invasion of privacy defines invasion of privacy as: “…intentionally intruding, physically or otherwise, upon the solitude or seclusion of another…, if the intrusion would be highly offensive to a reasonable person.” The two problems that arouse here is that the employee must have a reasonable expectation of privacy and the intrusion would be very offensive to the person.

In McLaren v/s Microsoft, as part of his employment, Microsoft made available to McLaren the use of an e-mail system owned and administered by Microsoft. McLaren had the right to store e-mail and protect it with a password. Due to suspicion, Microsoft broke into his personal folder. McLaren argued that the folder should have been treated as a secure storage locker and that he expected a reasonable expectation of privacy. This was overruled by the court that held that since the mail first came to the folder and then moved to the protected folder, it was subject to inspection and McLaren should have had no expectation of privacy. In determining if whether the invasion was or was not offensive, the court recognized the importance of whether the act was justified. The fact that McLaren was under investigation, and that he had notified Microsoft about the e-mail’s relevance to the investigation, clearly supported the court’s finding that Microsoft’s was justified.

Reference Section

U.S. Judiciary:

EU Legislation (Information Society):