Special Tribute:
Thank
you Ed
|
|
|
Plug the Hole An Open Letter Steven Brown, -ACLU Rhode Island Privacy
at the Workplace:
Protecting
Faith Versus Protecting Futures
Privacy
vs. the Public’s Right to Know
Chaplinsky:
Defining Freedom of Expression
Of
Genetics and Privacy
Editorial
|
|
|
|
Notes from the Chair |
ThePSCReportonline!
A Semi-Quarterly Journal for the Alumni of the University
of Rhode Island Political Science Department.
Faculty Editors:
Professor Alfred Killilea
Professor Nicolai Petro
Editor:
Michael D. Fox
Associate Editor:
Sherry Keneson-Hall
Supported by the generous
donations of the University of Rhode Island Political
Science Alumni.
| PRIVACY AT THE WORKPLACE:
AN INTERNATIONAL PERSPECTIVE* Lawrence E. Rothstein Presented to the LRC Lunchtime Research Colloquium December 3, 1999 |
 |
INTRODUCTION AND QUESTIONS ASKED
Issues of privacy at the workplace have had a great deal of currency right here in Rhode Island. In the last year, Providence police officers found a hidden camera placed by commanders in their roll call room. A local hi-tech company disciplined and dismissed employees after auditing time spent on web browsing while at work. A Rhode Island employer was charged with violating the Rhode Island wiretap law for listening in on and recording an employee’s phone conversation. In June 1998 Rhode Island, the last state to do so, set up its crime link DNA database which was then linked to the FBI’s national CODIS system one year ago. So while I am making international comparisons, the issues raised have resonance here at home.
I will be dealing with four hypotheticals and comparing the treatment of those hypotheticals according to the laws of the United States with the treatment in France, Italy and Germany. There are two questions to which my presentation will respond. The first is: What are the significant legal concepts embedded in the law of each country regarding the monitoring or surveillance of employees? The second question is: What are the legal restrictions in each country, if any, placed on the employers with regard to the actions outlined in the hypos?
BASIC CONCEPTS INFORMING THE LAW
The legislation and the jurisprudence in the U.S. is informed by an extremely narrow concept of privacy which is treated as “the exclusive right to dispose of access to one’s proper (i.e. private) domain.” Privacy, in this sense, highlights a “possessive individualism”. Privacy implies notions of property, individualism, ownership and expectations with regard to the exclusion of outsiders without specific legal rights to the work premises. The protection of privacy connotes the possession by each individual of a zone of intimacy into which outsiders are not allowed to penetrate without the permission of the individual or without an extremely strong justification. Privacy is associated with one’s home, with intimate relations, and with premises under a person’s control. More fundamentally, this view of privacy stems from the individualist and property- oriented notion that an individual is the proprietor or possessor of her or his own person and capacities, for which nothing is owed to society. Privacy is territorial and is seen as a possessive right that may be alienated preemptively and wholesale. This possessive, territorial view of privacy finds clear expression at the workplace. On the employer’s premises and in the presence of co-workers and customers, an employee can have little or no justifiable expectation of privacy and the at-will employee, moreover, is often deemed to have conosented implicitly to any monitoring that the employer can allege is related to the employee’s work or the employer’s business interests.
European law, on the other hand, emphasizes protecting the worker’s dignity and autonomy rather than privacy. Indeed, in French, Italian, German and also Spanish, there is no exact translation of the English word “privacy.” The notions of human dignity and autonomy include keeping the employer from intruding upon the worker’s private life and assuring that supervision at work is not overly intense, impersonal, or intrusive; that it leaves the employee some freedom concerning, and control over, the means of performing the tasks assigned; and, in particular, that it is not covert. Furthermore, these countries explicitly recognize that, in terms of the effect of concentrated power on citizens, public and private power are not easily distinguished. Considering that a person spends close to half of his or her adulty waking life at work and the rest of life is often organized around the conditions imposed by a job, the law of these countries prohibits private as well as public from infringing on basic human or constitutional rights.
HYPO 1: THE SUPERMARKET SYTEM
For the first hypothetical, let us suppose a large supermarket wishes to install a new point of sale system at the checkout counters. The software for the system, in addition to the usual compilation of data on product flow, inventory and price of products bought, also measures and records the amount of time taken by the clerk between each item scanned, time and errors for manual entry of product codes and the time between customers. Correlated with this electronic recording of each transaction is a hidden video camera recording of the transaction. The company wishes to use the data to improve checkout efficiency, to evaluate the work of the clerks and to reduce employee and customer theft. The company, fearing loss of employee morale, wishes to install the systems without informing the employees. Can the employer do this?
Simply put, in the U.S., barring a collective bargaining agreement specifically dealing with methods of employee evaluation or monitoring, there is no legal barrier to the covert installation and use of such a point of sale system by a private employer as long as no voice recordings are made. Voice recordings, depending on how made, might run afoul of the federal Electronic Communication Privacy Act or one of its state counterparts. A public employee might have some limited protection from such a system because of Fourth and Fourteenth Amendment considerations.
In France the law requires,
at a minimum, the registration of the point of sale system with a government
agency outlining its nature and purposes, and the detailed informing of
employees through the works council about the software capabilities and
uses, in advance of any monitoring. French law also prohibits the
use of hidden video camera recordings for employee evaluation and
prevention of employee theft (unless supported by pre-existing, concrete
evidence of a specific employee’s criminal acts and only that employee
is targeted).
The Italian Workers’ Statute expressly prohibits
the use of video cameras for monitoring or evaluating employees.
The introduction of the point of sale equipment and software would have
to be negotiated with the trade union or, failing that, with the works
council. Similarly, in Germany the system could not be installed
covertly. The informing of the employee and negotiation of the introduction
of the system with the works council would be required.
HYPO 2: TELEPHONE MONITORING
Produce Company is a produce wholesaler. The company was founded by I.M. Paranoid, a very successful businessman formerly with the national supermarket firm of Mean & Whitty. Mr. Paranoid believes that his top salesmen are considering opening their own wholesaler firm. In an effort to find out more about this he monitors their incoming telephone calls with customers and field representatives of subsidiary offices of Produce Co. By programming one of his extension lines as a third party on all calls to and from the sales department, Paranoid has listened in surreptitiously on these telephone calls on and off for a period of six (6) months. Morale reaches an all time low at Produce Co., and Paranoid has a dispute with his top salesman, Ken Cell. During a heated argument, Paranoid makes accusations about Ken's sales techniques over the telephone and he fires Ken. Ken realizes that Paranoia could only have come to know this information by listening to his telephone calls.
Under U.S. law, Ken’s position is problematic. If he is an at-will employee, as is likely, the only way he could contest his dismissal is to raise a public policy exception to it on the grounds that Paranoid has violated the federal Electronic Communications Privacy Act or state counterpart. His problems with this are twofold. First, most states, including Rhode Island, do not recognize a public policy exception to the at-will employment doctrine. Secondly, the ECPA and similar state laws exempt “business extension telephones” used by a subscriber “in the ordinary course of its business.” This means that if Paranoid can assert a legitimate business interest for the monitoring and can show that the monitoring was done on a regular or routine basis, he is not subject to the prohibitions of the act. Furthermore, if the telephone system were a proprietary one, owned by Produce Co., the ECPA has an exception for the agent of a provider of a communication service to monitor calls “in the ordinary course of his employment” for the protection of the “rights or property of the provider.” While the implication of this latter exception seems to be for protecting the integrity of communication service and equipment rather than other rights of the provider, this section has not been interpreted by the courts.
Applying French law to our
telephone monitoring hypothetical would clearly place Paranoid in
violation and subject to both criminal and civil penalties as well
as making any dismissal on the basis of such information abusive and illegal.
1992 amendments to the Labor Code, implementing aspects of the 1978 law
on data collection, processing and use, specifically prohibited the monitoring
of telephone conversations by employers. Prior to the Labor Code amendments,
several court decisions had held that monitoring or recording the content
of telephone calls was also an actionable injury to the employee’s private
life forbidden by the Civil Code.
The language of Article 4 of the Italian Workers
Statute of 1970 prohibits remote surveillance or monitoring of workers
by video camera or other devices as an assault on the human dignity of
the worker. Furthermore, the law, recognizing the power of the employer
to coerce consent, does not allow a worker to consent to such monitoring.
Article 4 clearly targeted video and audio recordings and telephone
monitoring. Violations of Article 4 make the employer liable to both
civil and criminal causes of action. Information gleaned from such
monitoring could not be used as the basis for dismissal.
In Germany as well, the Federal Act on the Protection of Human Dignity and Autonomy and the Works Constitution Act, as interpreted by the Federal Labor Court, prohibit the monitoring of an employee’s phone calls through any electronic device (including an extension telephone) without the knowledge of the employee and without the consent of the works council or the employee. Where the works council consents, there still must be a legitimate and important business interest directly served by the monitoring that outweighs the interests of the employee in autonomy and dignity. The employee’s consent must also be real, not implied or based on the threat of any action negatively affecting the employee’s job status.
HYPO 3: EMAIL MONITORING
When hired as a marketing specialist, E. Mailon Honcho was assured by his supervisor, the Personnel Department and fellow employees that the email system and stored messages on the computers and LAN server of Fabrication Industries were not monitored by supervisors. However, he was also told that the email system and Internet access was only for company business, not personal enjoyment. Honcho was a devotee of email for keeping in touch with his colleagues and friends, reviewing marketing research and checking on any mentions of FI or its products.
He sent and received a large number of messages every day and regularly forwarded interesting tidbits he received from inside and outside of the company. One day while searching the Internet for articles about Fabrication Industries, he noted a discussion by a business analyst about the shaky financial situation and likely bankruptcy of the HMO the company used for its medical benefits. He copied a portion of the discussion and forwarded it to several colleagues at FI with the comment that: “You can count on old FI to get health care on the cheap.”
Just before this forwarded message, the company had installed new email software which included many new bells and whistles. One of these new features, which generally facilitated group work on reports and other documents, created a cache on the network server that stored each version of a document and any outgoing email message for a period of one month. It allowed members of a workgroup to recover past versions of a document they had worked on and messages they had sent with the appropriate, individual password. It also allowed someone with a master password to access the cache for all employees and workgroups. This last capacity was not known to the employees, not a reason that FI chose the new software and only discovered by a senior manager when questioning the purpose of the master password given him by the software company’s technical consultant.
The senior manager, Yves Drawper, couldn’t resist trying out his new password and reading some email temporarily cached on the server. He happened to read Honcho’s forwarded excerpt and comment. He feared that Honcho was sowing discord among the employees and had a bad attitude about the company — something that Mr. Drawper thought would make Honcho less effective in marketing. He called Honcho into his office, confronted him with the email message and fired him.
While the 1986 amendments to the Wiretap Act which created the Electronic Communication Privacy Act clearly were designed to encompass email, the exceptions again generally favor the employer. As Honcho’s employer is accessing stored communications written on a PC provided by the employer and residing in the network storage provided by the employer, the employer would not be in violation of the ECPA if he searched these storage sites and read the messages. The only electronic storage the ECPA protects is defined as: "(A) any temporary, intermediate storage of a wire or electronic communication incidental to the electronic transmission thereof; and (B) any storage of such communication by an electronic communication service for purposes of backup protection of such communication". Overall court interpretations and commentators on the ECPA have not regarded it as an important protection for workers at the workplace. Indeed, the legislative history of the ECPA reflects overriding concern for company, rather than individual employee privacy".
At the state level, the
application of state statutes and the common law of privacy have provided
no relief for workers in Honcho’s situation. The few existing cases
have held that an at-will employee had no reasonable expectation of privacy
and hence no common law or statutory right to privacy in the contents of
his or her e-mail when it was sent over the employer’s e-mail system.
The courts have generally held an employer’s interest in preventing
inappropriate comments or illegal activity from being transmitted over
its e-mail system far outweighs any privacy interest an employee may have
in his e-mail communications.
With regard to the second hypothetical, French law
would prohibit the senior manager from covertly reading the employee’s
email. The 1992 Labor Code amendments declared that no information
concerning an individual employee can be obtained by means which were not
made known to the employee beforehand. The Labor Code also requires
that the employer must inform and consult the works council (elected by
employees) prior to installing any means or techniques to monitor employees’
activities. In addition the Labor Code requires that the monitoring
must fulfill a legitimate business purpose and the means be proportional
to the importance of that purpose. If a dispute arises, the Ministry
of Labor inspectors, in consultation with the works council, must certify
that this is the case.
The 1978 law on data collection and its use also requires that any system for electronically collecting or processing data concerning named or otherwise identified individuals must be approved by the National Commission on Data Processing and Liberty. Both the Labor Code and the data processing law require that any such system only be used in the ways for which it was originally intended and brought to the attention of the national commission, the employees and the works council. Data obtained from a system not originally intended to evaluate employees may not be so used.
In Italy, again the reading
of the email would be subject to criminal and civil penalties.
For reasons of business necessity, some kinds of electronic monitoring
may be agreed to by union delegations or works councils. The individual
worker may still have legal recourse to challenge the monitoring, even
where the union has agreed, if the means used or the intensity is regarded
by the Ministry of Labor or the courts as an infringement on human dignity.
The employee must also be informed of the methods and timing of the monitoring.
In Germany, the handling of surreptitious email
reading would be similar to the handling of the telephone eavesdropping.
Mr. Drawper would be unable to do it. Any monitoring system is an
issue for codetermination. Prior knowledge of the employee and the
prior consent of the works council or the employee would be required for
any monitoring of email. There must also be a clear business necessity
for the monitoring or consent is not possible.
HYPO 4: GENETIC MONITORING
Harbor Security, Inc., a firm specializing in providing security guards for ports, docks, marinas and marine freight terminals, makes all job offers conditional on the successful completion of a full security check and medical exam, including checks on criminal conviction record, drug screen urinalysis, running fingerprints through the national criminal justice information database, and the collection of a DNA sample for checking against the national crime scene database. Gena Poole, a highly qualified candidate, receives a job offer as a shift supervisor. Her genetic screen turns up the high probability of a match with DNA from a crime scene involving the smuggling of cocaine into the country through a Miami area marina. There is no other information that indicates Ms. Poole’s unsuitability for the position or any connection with the Miami crime. Based on the DNA screen, the company revokes the job offer.
The third hypothetical regarding
the employee’s genetic profile is more problematic. While some 16
states have limited the use of genetic testing or genetic information in
employment decisions, the effectiveness of the limitation varies.
Because the genetic monitoring in our hypothetical four was not done for
health reasons, however, it could evade most of these laws, including the
fairly progressive Rhode Island law. Furthermore, for the 60% of
employers whose health care plans are self insured, federal ERISA law preempts
state limitations on access to health care information and medical records,
including genetic data.
By contrast, the French Labor Code is extremely
strict regarding anything that might be considered health information.
While the employer may require an extensive medical exam prior to employment,
the doctor may not reveal to the employer any of the basic medical information
found and is required to certify only that the employee is or is not presently
able to perform the tasks required by the job. Furthermore, the employer
may not dismiss or discriminate against any employee because of his or
her “condition of health” unless a doctor certifies that the condition
makes the employee presently unable to perform the tasks required.
Again, the employer may not access any other information about the employee’s
health. There are significant criminal penalties attached to these
prohibitions. The process of taking and matching the employee’s or
prospective employee’s genetic profile would also fall under the laws governing
the electronic collection and treatment of data which place the conditions
of national commission approval, works council consultation, prior notice
to the one profiled and direct relation and proportionality to a legitimate
business interest upon the institution of such a procedure. In practice,
therefore, such a job requirement is highly unlikely in France.
Italian law affecting genetic monitoring is very similar to French law. Article 8 of the Worker’s Statute prohibits employers from investigating any aspect of an employee’s or prospective employee’s private life not directly and closely related to the job description. With regard to health information, the employer only has access to a doctor’s determination that the employee is presently fit or not to perform the required job tasks with no access to the medical information underlying that decision. Even though the genetic screen in our case is not really for health reasons and the connection to criminal activity might be considered to have some connection to the job requirements, Italian law is likely to prohibit it because of the judicial preference for personal and human monitoring and evidence directly and clearly related to the employee’s fulfillment of job requirements over impersonal and invasive technological devices and methods. Italian law only makes requiring disclosure of a record of criminal conviction permissible when there is a direct link established to the obligations of the job. Finally, even if demonstrated to be a business necessity, the genetic testing and matching process is one that would require the negotiation of a trade union agreement, the approval of the works council or the permission of the employee to establish its validity.
Similarly in Germany medical information is protected from the employer’s perusal. While the employer may require pre-employment physicals, the doctor may only state whether the employee or candidate is presently capable of doing the job. The employer may not request the underlying medical information. Any testing must be approved by the works council and be directly and closely related to the performance of the job requirements. The employer may only ask about specific types of criminal convictions that are directly related to the nature of the job requirements. Therefore comparing a genetic profile to all crime scene genetic data would clearly go beyond this. As a result of the euthanasia and sterilization programs and genocide of the Nazi era, the Germans have a particular horror of the use of genetic data to perform any kind of discrimination or categorization of people.
To be sure, in spite of these legal protections, and support for them in the EU’s directive on data protection, European employers do at times obtain data covertly and act upon it without detection or without an effective protest by the concerned employee. Furthermore where unions or works councils may approve certain practices because of their acceptance of business necessity or because of their concern for the collective interests of all employees, the individual worker may find herself or himself without adequate protection. Finally, the rapidly increasing sophistication of technology allows the simultaneous collection of massive amounts of employee data by the very processes and equipment with which the employee works. The use of this data for purposes other than those originally intended or about which the employee, union or works council was originally informed is a constantly evolving problem which legislatures and courts merely pursue, but cannot seem to catch. This being said, however, European protection of workers from electronic and genetic monitoring or surveillance far surpasses U.S. protections and can at least be in part attributed to the underlying notion of human dignity, rather than privacy, which is the foundation of the European legal protections.
*Not for quotation or citation without permission of author. As this is the text of an oral presentation, notes have been omitted.
You can e-mail Professor Larry Rothstein at: ler@uri.edu
Comments? Please contact Professor Al Killilea at: hookshot@uri.edu
The PSC Report invites unsolicited submissions (really, we need the material!!) of essays, articles and editorial comments. Submissions should be sent via e-mail to hookshot@uri.edu or via US Mail on 3 1/2" diskette or CD-ROM with hardcopy to:
The PSC Report
Al Killilea, Faculty Editor
Political Science Department
University of Rhode Island
Washburn Hall
Kingston, RI 02881