European Court of Human Rights Expands Privacy Protections: Copland v. United Kingdom
The European Court of Human Rights (ECHR) recently decided Copland v. United Kingdom,[1] in which the ECHR expanded the basis and extent of protection for personal data in a variety of settings, including the workplace. The European Union's Data Protection Directive already mandated very broad protection for such data in EU member states. This decision may further widen the gulf between U.S. and European data protection laws and create challenges for multinational businesses and other organizations operating in Europe. This Insight describes the case and considers the implications of this international legal ruling.
Facts, Applicable Law, and Holding in the Copland Case
Copland involved a complaint by Lynette Copland, the personal assistant to the principal of Carmarthenshire College in the United Kingdom. Copland alleged that the College's deputy principal monitored her e-mail and telephone conversations to discover whether she was making improper use of College facilities for personal purposes.
The parties' representations concerning the intrusiveness and duration of the monitoring differed, but the ECHR accepted the U.K. government's position for the purpose of deciding the case. According to the government, the telephone monitoring was limited to analyzing "college telephone bills showing telephone numbers called, the dates and times of the calls and their length and cost," and lasted for "a few months" in late 1999.[2] The government claimed that the Internet monitoring involved analyzing "the web sites visited, the times and dates of the visits of the web sites and their duration" in October and November 1999.[3]
The ECHR found that, on these facts, the monitoring violated Article 8 of the Convention for the Protection of Human Rights and Fundamental Freedoms (Convention), which provides that "Everyone has the right to respect for his private and family life, his home and his correspondence."[4]
The ECHR's Legal Reasoning
The ECHR's holding involved six conclusions, each of which is significant to understanding the scope, requirements, and impact of data protection law in Europe. These conclusions also highlight the challenge that companies and other institutions, especially those used to operating under U.S. law, face when doing business in Europe.
First, the ECHR concluded that "telephone calls from business premises are prima facie covered by notions of 'private life' and 'correspondence.'"[5] The fact that such calls occurred in the office and, at least in theory, were business related, was irrelevant. The ECHR asserted that the "same expectation should apply in relation to the applicant's e-mail and internet usage."[6] Under the ECHR's ruling, business e-mail and telephone calls affect "private life" and may contain "personal information," protected by human rights and, presumably, data protection law.
Second, the ECHR found that, even if the telephone monitoring was limited to "the date and length of telephone conversations" and "the numbers dialed," the monitoring still gave rise to a cause of action under Article 8.[7] Monitoring did not have to involve the content of the communications to be actionable, although the ECHR noted this could be relevant in calculating damages.[8]
Third, the ECHR noted that the College's argument that it legitimately obtained information about the telephone calls in the form of telephone bills posed no bar to finding that the monitoring violated Article 8.[9] Fourth, the ECHR found that it was "irrelevant that the data held by the college were not disclosed or used against the applicant in disciplinary or other proceedings."[10]
Fifth, the ECHR concluded that, in the absence of any warning that her telephone calls and e-mail could be monitored, Copland had a "reasonable expectation" that they would not be.[11] Even in the absence of applicable national data protection law, Article 8 of the Convention presumes that workplace communications will not be monitored.
Finally, the ECHR stressed that Article 8 requires that monitoring must be "in accordance with the law."[12] In the case of public authorities, Article 8(2) mandates that monitoring must be both "in accordance with the law" and "necessary in a democratic society."[13] According to the ECHR, this provision requires that the terms under which monitoring may be carried out be explicitly stated in the law, and that those terms be compatible with "the rule of law," which means that "the law must be sufficiently clear in its terms to give individuals an adequate indication as to the circumstances in which and the conditions on which authorities are empowered to resort to any such measures."[14]
The ECHR found that the U.K. government's argument that statutory law empowered the College to do "anything necessary or expedient" to providing higher education was insufficient. In the absence of law or regulations specifically regulating telephone and Internet monitoring by employers, the College's monitoring of Copland could not have been "in accordance with the law."[15] The ECHR held open the possibility that such monitoring could be found to be "necessary in a democratic society," but only if governed by appropriate law or regulations.[16]
Copland and EU Data Protection Law
Standing alone, the ECHR's decision in Copland would be sobering for businesses and other organizations operating in Europe, and especially challenging to multinational entities. The holdings that telephone calls and e-mails from a business fall within the Convention's notions of "private life" and are subject to a reasonable expectation of privacy would likely come as a surprise to many employers. But Copland does not stand alone. It is only the most recent in a series of directives, laws, judicial opinions, and working papers from Europe that mark out increasingly broad contours for privacy in the workplace.
Under national laws implementing two EU privacy directives,[17] the collection, use, storage, and transmission of personal data are subject to the world's most extensive legal protection. National data protection commissioners, supported by European courts, regard virtually all data about employees as "personal data," subject to the protection of EU directives and national data protection laws.
The Article 29 Working Party, the group of national data protection commissioners created by Article 29 of the 1995 Data Protection Directive and charged with its interpretation, has concluded that "[t]here should no longer be any doubt that data protection requirements apply to the monitoring and surveillance of workers whether in terms of email use, internet access, video cameras or location data."[18] The Working Party has even asserted that "[I]t is not disputed that an e-mail address assigned by a company to its employees constitutes personal data if it enables an individual to be identified."[19] In 2001, the Article 29 Working Party opined about the processing of personal data in the employment context and stressed that, under the Data Protection Directive, employers may process data concerning their employees only with "unambiguous consent" or if the processing is "necessary."[20]
Consent has proved problematic as a basis for processing. The company must ensure that an employee's consent is "freely given" and capable of being revoked.[21] For example, if a company wishes to transfer employee data to the United States for benefits administration, it must also be able to support the same type of benefits program within Europe for employees who do not agree to have their data transferred. Some countries' national laws prohibit reliance on consent altogether. In Finland, "the employer is only allowed to process personal data directly necessary for the employee's employment relationship."[22] No exceptions are permitted, not "even with the employee's consent."[23]
If consent does not work or is not available, employers must rely on necessity. According to the Article 29 Working Party, only three types of necessity are possible. Processing may be necessary for the employer to perform its contractual obligations vis-à-vis an employee (e.g., processing an employee's salary data). Processing may also be necessary to protect an employee's vital interests (e.g., to protect the employee against particular hazards at the workplace).
Finally, processing data may also be necessary for an employer to comply with legal obligations (e.g., processing an employer's data for the purpose of calculating withholding tax). However, such legal obligations are limited to domestic European legal obligations. Compliance with disclosure requirements from the United States or other non-European countries is unavailing.[24] Monitoring to comply with U.S. anti-discrimination or whistleblower laws does not fit within the definition of "necessity."
Copland and European Case Law on Data Protection
Thus, although Copland left open the possibility that reviewing telephone bills and web logs to investigate suspected wrongdoing might be lawful if authorized by a specific law and done with proper notice, other national laws and the Article 29 Working Party's opinions suggest that this possibility may not actually exist. European courts appear to agree.
In two cases interpreting Article 8 and the Data Protection Directive, the French Court of Cassation ruled that, absent exceptional circumstances, an employer has no right to inspect employees' workplace e-mail, files, or computers, even where wrongdoing is suspected and subsequently demonstrated to be occurring.[25]
Philippe K. v Cathnet-Science[26] involved a company's search of an employee's work-issued computer after accidentally discovering "erotic photos" on the worker's desk. The company found that the employee had downloaded pornographic images and, as a result, it terminated the worker's employment. Although lower French courts upheld the search and subsequent firing, the high court disagreed, noting that the presence of pornography on the computer did not present the type of particular risk that could justify the search of the computer.[27]
The following year, the Court of Cassation decided Societe Nikon France v. M. Onof,[28] which involved an employer that suspected that an employee was freelancing on company time and using company resources for his side business. The company opened and copied folders entitled "personal" and "fax" from the computer in the worker's office and found that the employee had used the computer for personal activities despite the employer's prohibition on such use. The court found that the search violated the employee's privacy. The existence of particularized suspicion, the presence of an explicit company policy, and the fact that the employee was, in fact, freelancing with company resources were irrelevant.
The French position is not unique. The Greek data protection commissioner found in 2004 that (1) "[t]he intervention of the employer in the electronic communications of the employees constitutes processing of personal data and is illegal if the employee was not previously informed about the possibility of such interventions even for technical reasons," and (2) such processing is illegal if the employer does not provide the employee with "technical means of using special software to protect the secrecy of his own communication."[29] In Italy, employers are generally prohibited from monitoring e-mail content or Internet browsing by employees.[30]
Conclusion
Viewed against this backdrop, Copland's reliance on, and application of, Article 8 of the Convention to employer monitoring of telephone calls and e-mails but not their content are important, but marginal, extensions of European workplace privacy law. More broadly, the case is also a potent reminder of how far European law has moved in the direction of workplace privacy and how great a challenge this movement poses for U.S. and multinational entities.
Employee monitoring has become nearly ubiquitous in the U.S., and is increasingly legally required, to protect trade secrets, avoid liability for workplace discrimination, guard against information security breaches, account for communications expenditures, and comply with Sarbanes-Oxley whistleblower rules and federal document retention requirements. These employee-monitoring activities are increasingly illegal under European law. Technologies and markets may be increasingly global, but Copland is only the most recent addition to a growing body of evidence that data protection law is headed in the other direction.
About the Author
Fred H. Cate is a Distinguished Professor and Director of the Center for Applied Cybersecurity Research at Indiana University, and a Senior Policy Advisor to the Center for Information Policy Leadership at Hunton & Williams LLP. He may be contacted at fcate@indiana.edu.
Footnotes
[1]Copland v. United Kingdom, 62617/00 [2007] ECHR 253 (3 April 2007)
[2]Id. ¶ 10.
[3]Id. ¶ 11. Neither of the legal provisions that would currently regulate such monitoring in the U.K., the Regulation of Investigatory Powers Act (2000) and the Telecommunications (Lawful Business Practice) Regulations (2000), had been adopted when the monitoring took place, and the case of Douglas v. Hello! Ltd [2001] WLR 992 (Sedley LJ), which established a qualified right to privacy under English law, had not yet been decided.
[4]European Convention for the Protection of Human Rights and Fundamental Rights, as amended by Protocol No. 11, Rome, 4.XI.1950, art. 8.
[5]Copland, supra note 1, at ¶ 41.
[6]Id. ¶ 42.
[7]Id. ¶ 43.
[8]Id. ¶ 54.
[9]Id. ¶ 43.
[10] Id.
[11]Id. ¶ 42.
[12] Id. ¶ 45.
[13] European Convention, supra note 4, at art. 8, § 2.
[14] Copland, supra note 1, at ¶ 46.
[15] Id. ¶¶ 46-47.
[16] Id. ¶ 48.
[17]Directive 95/46/EC of the European Parliament and of the Council on the Protection of Individuals with Regard to the Processing of Personal Data and on the Free Movement of Such Data, 1995 O.J. (L281) 95; Directive 2002/58/EC of the European Parliament and Council of 12 July 2002 on Privacy and Electronic Communications, 2002 O.J. (L. 201) 37.
[18] Article 29 Data Protection Working Party, Opinion 8/2001 on the Processing of Personal Data in the Employment Context, Sept. 13, 2001 (5062/01/EN/Final WP 48), at 24.
[19] Eighth Annual Report of the Article 29 Working Party on Data Protection (2005), at 38. See also Jorg Rehder and Erika C. Collins, "The Legal Transfer of Employment-Related Data To Outside the European Union: Is It Even Still Possible?" 39 Int'l Law. 129, __ (2005) ("In essence, employers must treat such data as employees' personal property.").
[20] Processing of Personal Data in the Employment Context, supra note 18.
[21]Id. at 23 ("If it is not possible for the worker to refuse, it is not consent. Consent must at all times be freely given. Thus a worker must be able to withdraw consent without prejudice.").
[22]Act on the Protection of Privacy in Working Life (Finland, 759/2004), § 3.
[23]Id.
[24]See Article 29 Data Protection Working Party, Opinion 1/2006 on the Application of EU Data Protection Rules to Internal Whistleblowing Schemes in the Fields of Accounting, Internal Accounting Controls, Auditing Matters, Fight Against Bribery, Banking and Financial Crime, Feb. 1, 2006 (00195/06EN WP117), 8; Article 29 Data Protection Working Party, Opinion 3/2006 on the Directive 2006/24/EC of the European Parliament and of the Council on the Retention of Data Generated or Processed In Connection with the Provision of Publicly Available Electronic Communications Services or of Public Communications Networks and Amending Directive 2002/58/EC, Mar. 25, 2006 (654/06/EN WP 119), 5.
[25]Philippe K. v Cathnet-Science, Cour de Cassation, Chambre Sociale, Arret No. 1089 FS-P+B+R+1, Pourvoi No. J-03-40.017, 5/17/05. Reported in the BNA Privacy Law Watch (June 6, 2005).
[26]Philippe K. v Cathnet-Science, Cour de Cassation, Chambre Sociale, Arret No. 1089 FS-P+B+R+1, Pourvoi No. J-03-40.017, 5/17/05. Reported in the BNA Privacy Law Watch (June 6, 2005).
[27]Id.
[28]Cass. soc., Oct. 2, 2001, Bull Civ. V, No. 291.
[29]Eighth Annual Report, supra note 19, at 44 (citing Decision 61/2004).
[30]"Monitoring Employees E-Mail and Internet Usage in Europe," Internet Law-Business-e-Commerce, May 1, 2005 ("The Supreme Court has held that an employer can only carry out such monitoring if it is aimed at ascertaining unlawful behavior on the part of the employee and provided it has reached an agreement with the local union or has authorization from the local labor office.").