With the growing use of the internet and various technologies in the workplace, employees, as well as employers, have become highly concerned about various privacy issues. From one point of view, employees who use the internet for personal purposes, instead of using it for business, may expose the company to huge risks, and in addition, they waste their working time. In addition, employees may spoil the image of a company by posting inappropriate photos or insulting comments on social networks. As a result, employers often want to monitor the internet activity of all employees, which violates their privacy but improves the security of the company as well as its effectiveness. In some countries, illegal monitoring of employees is a serious crime and may result in huge costs to the employer or even imprisonment.
Before discussing the differences in employee privacy laws in U.S./Illinois, U.S./California, Paris, London, and Berlin, it is necessary to describe general privacy laws differences between the European Union and the United States. The fundamental difference is that the E.U. uses universal laws governing various industries, while the United States. There are two main legal instruments used in the E.U., which are the Data Protection Directive 1995/46/E.C. and the e-Privacy Directive 2002/58/E.C. (Sandoval, 2017). These directives regulate the collection and use of personal data across different sectors of the economy. According to the directive, it is prohibited to process personal data unless it meets three conditions, which are transparency, legitimate purpose, and proportionality.
According to the legitimate purpose principle, there are several criteria that data must meet in order to be processed. All these criteria are listed in article 7 of the directive. According to it:
“the Member States shall provide that personal data may be processed only if:
(a) the data subject has unambiguously given his consent; or
(b) processing is necessary for the performance of a contract to which the data subject is a party or in order to take steps at the request of the data subject prior to entering into a contract; or
(c) processing is necessary for compliance with a legal obligation to which the controller is subject; or
(d) processing is necessary in order to protect the vital interests of the data subject; or
(e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller or in a third party to whom the data are disclosed; or
(f) processing is necessary for the purposes of the legitimate interests pursued by the controller or by the third party or parties to whom the data are disclosed, except where such interests are overridden by the interests for fundamental rights and freedoms of the data subject which require protection under Article 1 (1).”
According to the principle of proportionality, the data that was collected can be transferred only when “it is proportional to the purposes for which it was collected, and for which it needs to be processed” (Sandoval, 2015). Finally, the principle of transparency claims that a person must always be informed about the purposes for which the data was collected and how it will be processed in the future. The European Union Member States must respect the directive and implement privacy security measures based on the articles of this directive. As it can be seen, European law has quite strict laws and regulations ensuring the safety of private information; thus, there may be certain issues that arise while opening offices in London, Berlin, and Paris.
Germany is one of the most economically developed E.U. countries, and opening a new office there provides numerous potential benefits. Hence, understanding the nuances related to employee privacy laws in Germany is essential. There are four main laws governing the monitoring of employees in Germany which are The Constitution of the Federal Republic of Germany, Federal Data Protection Act, Works Constitution Act, and Civil Code (ELA, 2015). It should be noted that according to these laws, illegal monitoring of employees in Germany is considered an administrative offense and/or criminal act. The fines issued by German data protection agencies can be quite high. To be accurate, they can be up to 1.3 million euros. Works councils take an active part in controlling monitoring implemented by employers. According to the Works Constitution Act, works councils can claim comprehensive information, consultation, and even co-determination right in relation to employee monitoring (ELA, 2015). The co-determination right is triggered when an employee decides to implement a system focused on monitoring the behavior and performance of employees at work. Before implementing this system, Works Council must agree to have employees monitored. This system ensures that the rights to privacy of employees are protected and that they won’t be monitored without permission. Another interesting thing that should be mentioned is that in the case if information about misconduct or breach was acquired illegally, it can be used in the courtroom as evidence; however, it should also meet certain criteria. The court should decide whether it is appropriate to violate the privacy of an employee and use the evidence or not. However, in most cases court doesn’t use illegally gathered information. Hence, even if illegal monitoring has found that employee or employees have violated certain rules of the company or that they’ve committed certain illegal actions in the workplace, it will be quite difficult to sue them. If an employee uploads photos of inappropriate behavior or insulting comments about the employer and other employees on Facebook, it is allowed to fire the employee without a prior warning if contractual duties are seriously breached.
France also has four laws related to employee privacy. These laws are Data Protection Act 1978, French Labour Code (e.g., Article L.2323-32; Article L.1121-1), French case law, and CNIL (“the CNIL in a nutshell”) (ELA, 2015). There are also Works Councils in France; however, their role is not as important as in Germany. When a company decides to implement a monitoring system, it is necessary to inform the Works Council; however, the opinion of the Works Council is not binding. Hence, even if the Works Council is against monitoring, it can still take place (ELA, 2015). Thus, there is no co-determination, and the procedure is used just to inform employees that monitoring is taking place. Similarly to Germany, illegal access to private information of employees may result in serious negative consequences for an employer. Huge fines and imprisonment can be applied, depending on the offense. Additionally, France doesn’t allow to use of illegally gathered evidence in court, similarly to The U.S. “Fruit of the Poisonous Tree Doctrine .”As for insulting Facebook comments, France allows terminating employment in certain cases. For instance, when an employee posts something insulting on a public page, then the employer has a right to terminate employment; however, if the page is private, termination is not possible. Additionally, if the employee doesn’t refer to the employer by name while writing an insulting post on Facebook, employment can’t be terminated.
In the U.K., there are only three laws related to employee privacy. These laws are The Data Protection Act 1998, Regulation of Investigatory Powers Act 2000, and Telecommunications (Lawful Business Practice) (Interception of Communications) Regulations 2000. One of the main features making the U.K. quite different from Germany and France is that employers can use monitoring without notifying employees. However, employee monitoring is permissible only when the justification for such monitoring outweighs employee privacy rights (ELA, 2015). Hence, before implementing monitoring, it is recommended to make a Privacy Impact Assessment (PIA). Moreover, PIA should be taken before implementing any monitoring according to the Information Commissioner’s Office (ICO’s) Employment Practices Code. Evidence gathered by monitoring can be used in the courtroom depending on the court’s decision; however, the gathering of evidence must be justified and outweigh the privacy rights of the employee. In this case, if the data controller uses monitoring illegally, fines up to £500,000 can be imposed by ICO. The employee whose privacy rights were violated can also be awarded a compensation of £78,335 (ELA, 2015).
While talking about the United States, it should be noted that U.S. laws govern specific industries and are not universal. Many laws are focused on protecting the needs of various groups of people, such as children or patients. According to Wugmeister (2008), the fundamental differences between the laws of the E.U. and the U.S. is strongly related to two basic aspects of the employment relationship, which are monitoring of employees and background checks before employment. Background checks in the U.S. are governed by The Fair Credit Reporting Act (“FCRA”). Before asking FCRA to provide information related to a background check on an employee, it is required to inform the employee about it and to receive written consent Wugmeister (2008). In E.U., laws provide more possibilities for applicants to hide information they don’t want to share during background checks. For instance, in France, it is allowed to check background information that is directly related to employment. So it is almost impossible to check credit card payment histories, financial information, criminal conviction records, and civil court records unless the applicant’s position allows one to check them; however, there are not so many positions that would allow employers to make a detailed background check. As for employee monitoring in the U.S., there are several federal laws regulating it. The Electronic Communications Privacy Act of 1986 (ECPA) prohibits intercepting oral, electronic, and wire communication. The Stored Communications Act (SCA), which is the Title II of the ECPA, protects the privacy of stored information. According to this act, any unauthorized access to stored information is prohibited except for service providers. Hence, employers may have access to employees’ emails by claiming that they are service providers, so they can monitor emails for any purposes Wugmeister (2008). It should also be mentioned that expectations about privacy are created and shaped by court cases, which is not a common practice in the E.U.
In California, employee privacy is governed by The California State Constitution, Article I, Section 1, which claims that every person has a right to privacy, and if privacy is violated, a person may bring a claim for invasion of privacy (Jacuzzi, 2014). The California Invasion of Privacy Act is another law claiming that the consent of all parties is required before recording a conversation. Hence, it is not allowed for employers to record audio unless employees have provided their consent. Additionally, if the employer has video surveillance in a public place, it is prohibited to record the audio (Jacuzzi, 2014). In this case, if employee privacy is violated, the employer may justify it by a legitimate interest and the absence of alternatives. Employers may also use drug testing and even random drug testing for employees in safety-sensitive positions. It should be noted that The California Confidentiality of Medical Information Act protects employee medical information and limits an employer’s use of it (Fisher & Philips, 2014).
The main law governing employee privacy in Illinois on the state level is the Right to Privacy in the Workplace Act. According to this act, employers are not allowed to ask for or demand any information from employees that would allow getting access to their social media accounts. Moreover, employers are not allowed to ask employees to access the account in the presence of the employer. It is also prohibited to ask employees to add the employer to contact lists (Illinois General Assembly, n.d.). However, the law still doesn’t prohibit employers from monitoring email because it can be considered business property. In this case, if employee privacy is violated, the employer may pay up to 200$ per violation. Additionally, employers may also be found guilty of a petty offense. As it can be seen, fines and punishments for violation of employee privacy are not as huge as in E.U.
All the facts discussed above indicate that while there are various opportunities and potential benefits of opening new offices in the E.U., there are also certain issues that should be considered. Privacy laws in E.U. are stricter, and fines are significantly higher; thus, ensuring employee privacy should be considered one of the primary goals. Additionally, there may be some problems with transferring personal data outside the E.U. because the outside country is required to have an adequate and equivalent level of personal data protection, and The French Data Protection Commission (CNIL) states that the U.S. doesn’t provide an adequate level of protection (ELA, 2015). In the modern environment, it is better to consider the U.K. as the best place for opening a new office because of Brexit. It is likely that sooner or later, the U.K. will leave the E.U.; thus, the E.U. employee privacy laws will be repealed in London.
Directive, E. U. “95/46/E.C. of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data.” Official Journal of the EC 23.6 (1995).
Employment Law Alliance (ELA). “Employee Data Privacy in Europe: The Essentials for Multinational Employers.” 2015,
Fisher & Philips. “Labor and Employment Laws in the State of California.” 2014, Accessed 2 Mar. 2017.
Illinois General Assembly Home Page, www.ilga.gov/legislation/ilcs/ilcs3.asp?ActID=2398&. Accessed 2 Mar. 2017.
Jacuzzi, Marc. “What Are the Employee Privacy Laws in California?” H.R. Daily Advisor, 12 Jan. 2014, hrdailyadvisor.blr.com/2012/01/04/what-are-the-employee-privacy-laws-in-California/. Accessed 2 Mar. 2017.
Sandoval, Kristopher. “Privacy Laws and International Data Exchange: Comparing E.U. and U.S. Standards |.” Nordic APIs, nordicapis.com/privacy-laws-and-international-data-exchange-comparing-EU-and-us-standards/. Accessed 2 Mar. 2017.
Sagmeister, Miriam. “Comparing the U.S. and E.U. Approach to Employee Privacy | Publications | Morrison Foerster.” Morrison Foerster, www.mofo.com/resources/publications/comparing-the-us-and-eu-approach-to-employee-privacy.html. Accessed 2 Mar. 2017