Workplace Privacy Law
The Need for a New Paradigm
National Workrights Institute
November 3, 2012
What goes around comes around.
American privacy law has been much discussed. A small forest has been consumed producing the judicial opinions and law review articles on the subject. Unfortunately, all of them are wrong.
Officially, employment privacy is a balancing test. In fact it is not. When you look at what courts do, rather than what they say, the rule is very simple; if the employer owns the communications device, it can do anything it wants. If an employer wants to read workers’ personal e-mail sent on company computers it can do so. No justification is needed, much less balanced against employees’ interest in privacy. This rule holds even if workers send e-mail on their own time, such as working on a company laptop at home. The only exception is the rare situation where workers have statutory privacy rights. With the exception of a handful of state laws, this is limited to the Electronic Communications Privacy Act (ECPA). In essence, ECPA says that employers are not allowed to deliberately eavesdrop on workers’ oral conversations on personal subjects.
This rule has destroyed any semblance of privacy at work. The wall between personal lives and work lives has disappeared almost as completely as the Berlin wall. People communicate about work away from the office virtually every day. Workers get cell phone calls from the company on evenings and weekends. They receive, and respond to, e-mail, instant messages, pages, and text messages about work while at home. As hand-held devices proliferate, this process becomes even more ubiquitous. And workers routinely communicate about personal matters while at work, with employers’ blessing. Over 90% of employers today officially permit reasonable personal use of company computers.
But employers make no effort to avoid reading the personal messages they allow workers to send. It would not be difficult for an employer to allow workers to select a handful of e-mail addresses (husband, doctor, etc.) and program monitoring software to ignore these messages. But I don’t know of a single company in America that does it. It wouldn’t be hard to keep people in IT from reading other workers’ e-mail. But I don’t know of a single company in America that does it. One in four employers doesn’t even have a policy on this subject, and the companies that do don’t enforce it.
The end result is that employers routinely monitor the vast majority of personal communication that takes place at work and the law does nothing about it.
Be careful what you wish for. You might get it.
Recently, however, this simplistic rule has begun to work against employers.
Courts have been very reluctant to grant employers access to employees’ personal computers. The only cases in which such access has been allowed have involved employers who had strong evidence that the employee had downloaded confidential company information onto his personal computer and misused it. For example, in RKI Inc. v. Grimes, the employer had evidence that the employee had accessed the company computer from his home computer and downloaded confidential information two days before he quit and went to work for a competitor. But in Sabin v. Miller, the court refused to give the employer access to the employee’s personal computer, even though there was evidence of misconduct and it was undisputed that the employee had frequently downloaded employer records onto her personal computer (with her employer’s permission). In Wyatt Technology v. Smithson, the employer was found to have violated the Computer Fraud and Abuse Act when it accessed the personal computer of a former employee of a company whose assets (including the computer) it had purchased even though it had a good faith belief that the former employee was misusing it’s trade secrets in his work for a competitor. As the line between work and private life continues to disappear, and people do work on their home computers, this problem will become more serious for employers.
The rapid spread of wireless communication under existing law is going to be a nightmare for employers. The 9th Circuit Court of Appeals recently held in Quon v. Arch Wireless that an employer violated the Stored Communications Act when it access and read a worker’s text messages without his consent. The SCA is almost identical to ECPA. The organization that owns the system can monitor it without limit or justification, but others cannot access it without the consent of the individual who sent the message.
Employers’ difficulties are increasing with the spread of wireless communications devices owned by the employee. The rules for employer access to such devices will probably be similar to those described above for personal computers. Employers will often be unable to see communications in which they have a legitimate interest.
The best answer to this growing problem is to change privacy law so that access to information is determined by legitimate interest in the subject matter rather than ownership of the equipment involved.