Privacy, Data Security and Information Law Update
In a case that may have implications across the EU, Spain’s highest constitutional court unanimously held that a company was allowed to access and review communications on company IT resources, including emails and texts, as part of an employee misconduct investigation. Pérez González v. Alcaliber S.A., T.C., released Oct. 9, 2013. The Court held that the employee’s privacy rights were not violated because they are not absolute and had to be applied in light of the employee’s “reasonable expectations of privacy” under the circumstances, and the employer’s legitimate rights.
Like many employee privacy suits, the controversy in González followed the termination of an Alcaliber employee for misconduct. In this case, the employee was fired for disseminating trade secrets to a competitor. The employee sued his former employer, claiming wrongful termination and alleging that the monitoring of his emails and texts had been illegal. The Madrid Labor Court denied his claim. This ruling was affirmed by the High Court of Justice of Madrid before González appealed again to the Tribunal Constitucional.
While the Court acknowledged the constitutional right to secrecy in communications, the Court found that in this case, several relevant factual points affected González’ expectations of privacy in his workplace communications. One significantly relevant point was that the collective bargaining agreement for the company’s employees prohibited use of Alcaliber IT resources for non-work purposes, and noted that misuse could be subject to discipline. Additionally, the company accessed the communications—in the presence of a notary public— only after suspicions of wrong doing and it did so only in order to confirm and justify dismissal. Alcaliber did not access or use the emails for purposes other than this investigation, such as to pry into the employee’s personal or family life.
In affirming the dismissal, the Tribunal Constitucional recognized that employee privacy rights must be balanced against employers’ rights and obligations to investigate and discipline employee wrongdoing. The Court ultimately declared that in this instance, the monitoring was foreseeable and did not violate the employee’s rights. The Court also ruled that termination was not a disproportionate disciplinary measure given the employee’s grave breach of confidentiality.
This case is a significant clarification for employer monitoring programs, which are often fraught with the competing tensions of the employer’s compliance obligations and requirements to respect employer privacy. These tensions are particularly pronounced in the EU, where many Member States have strong presumptions for employee privacy and often turn a skeptical eye towards consent in an employment context. But the Court in González recognized that the right to privacy is “not absolute,” and that expectations must be determined by factual circumstances. Thus, beyond Spain this case may have implications across the EU as courts and administrative agencies deal with these issues.
Recognition that both employer disclosures may be reasonable also indicates some flexibility similar to what is possible under the U.S. legal regime. This “reasonable expectations” analysis could be another bridge towards greater harmony between U.S. and EU privacy approaches, particularly for global companies seeking greater uniformity in their compliance programs.
If you have any questions regarding this update, please contact the Sidley lawyer with whom you usually work or
John M. Casanova
William RM Long
Edward R. McNicholas
Alan Charles Raul
We offer clients an inter-disciplinary, international group of lawyers focusing on the complex national and international issues of data protection and cyber law. The group includes lawyers experienced in regulatory compliance, litigation, financial institutions, healthcare, EU regulation, IT licensing, marketing counsel, intellectual property, and criminal issues. Sidley provides services in the following areas:
- Privacy and Consumer Protection Litigation, Enforcement and Regulatory Compliance
- Data Breach, Incident Response, and Cybersecurity Advice
- Global Data Protection, International Data Transfer Solutions and Cross-Border Issues
- Corporate Data Protection, Compliance Programs and Information Governance Assessments
- FTC and State Attorney General Investigations of Unfair or Deceptive Acts and Practices
- Social Media, Cloud Computing, Online Advertising, E-Commerce and Internet Issues
- EU, China and Japan Data Protection and Compliance Counseling
- Gramm-Leach-Bliley and Financial Privacy
- HIPAA and Healthcare Privacy
- Communications Law and Data Protection
- Workplace Privacy and Employee Monitoring
- Website Policies Online Trademarks and Domain Name Protection
- Records Retention, Electronic Discovery, Government Access and National Security
To receive future copies of this and other Sidley updates via email, please sign up at www.sidley.com/subscribe.
Sidley Austin provides this information as a service to clients and other friends for educational purposes only. It should not be construed or relied on as legal advice or to create a lawyer-client relationship.
Attorney Advertising - For purposes of compliance with New York State Bar rules, our headquarters are Sidley Austin LLP, 787 Seventh Avenue, New York, NY 10019, 212.839.5300; One South Dearborn, Chicago, IL 60603, 312.853.7000; and 1501 K Street, N.W., Washington, D.C. 20005, 202.736.8000.