Aug 262016

German guidance on employee monitoring a reminder to carefully craft Acceptable Use Policies

Colleen Theresa Brown, Tasha D. Manoranjan and Ludwig von Rigal
, , ,

Earlier this year, German data protection authorities issued guidance (in German) for companies regarding monitoring employees’ work email account and Internet usage.  The guidance establishes a framework based on the German Federal Data Protection Act (“FDPA”) and whether the employer allows employees to use their work email and Internet services for personal use.  Where personal use is prohibited, the data protection recognize a greater scope for monitoring.  The guidance also recognizes that employers may randomly check employees’ Internet use to ensure it is being used only for business purposes.  Further, employers may access an employees’ sent and received emails during a long absence if required for business purposes.

However, if employees are permitted to use work email and Internet services for personal use, the German Telecommunications Act and the Telemedia Act will apply in addition to the FDPA, and accordingly, the guidance warns that employers are more restricted in monitoring.  In particular, there are strict secrecy provisions to protect the privacy of Internet browsing and email communications under the Telecommunications Act.  Accordingly, the guidance explains that employers could be barred from accessing employee emails even if the employer suspects the employee of illegal activity that is harming the employer.  The guidance further explains that a violation of the strict secrecy provisions under the Telecommunications Act could be subject to prosecution under the German Criminal Code.

Restrictions on employee monitoring can vary significantly based on local law, and can significantly complicate global compliance or even information security initiatives.  The effects of company choices on permissible use of IT resources can bring significant consequences.  The 2016 German DPA guidance represents another reminder that such decisions should be taken carefully, and furthermore that companies should consider how their policies are in fact implemented.  For example, where a policy prohibits personal use, but personal use was common, tolerated and perhaps implicitly accepted, there may well be greater restrictions on monitoring.

The German guidance recommends that employers only allow personal use of the Internet, and prohibit personal use of the company’s email system.  Implementing recommendation would enable employees to access their personal email accounts over the Internet, instead of conducting personal communications over the employer email system, and provide greater certainty to companies monitoring of official email accounts where necessary.

In light of the German guidance, and evolving standards in other jurisdictions, companies with a global footprint may wish to examine their acceptable use policies and enforcement practices to ensure a tailored and considered approach that protects monitoring initiatives that may be necessary for critical company objectives.

Colleen Theresa Brown

Washington, D.C.

cbrown@sidley.com

Tasha D. Manoranjan

tmanoranjan@sidley.com

Ludwig von Rigal

lvonrigal@sidley.com

You might also like
UK Sets Out It’s “Pro-Innovation” Approach To AI Regulation

On 29 March 2023, the UK’s Department for Science Innovation and Technology (“DSIT”) published its long awaited White Paper on its “pro-innovation approach to AI regulation” (the “White Paper”), along with a corresponding impact assessment. The White Paper builds on the “proportionate, light touch and forward-looking” approach to AI regulation set out in the policy paper published in July 2022. Importantly, the UK has decided to take a different approach to regulating AI compared to the EU, opting for a decentralised sector-specific approach, with no new legislation expected at this time. Instead, the UK will regulate AI primarily through sector-specific, principles based guidance and existing laws, with an emphasis on an agile and innovation-friendly approach. This is in significant contrast to the EU’s proposed AI Act which is a standalone piece of horizontal legislation regulating all AI systems, irrespective of industry.

How the China Personal Information Protection Law Applies to Foreign Asset Managers

Since China’s Personal Information Protection Law (PIPL) came into effect in November 2021, there has been widespread uncertainty amongst offshore fund managers and investors with entities outside Mainland China as to how and whether the regime applies to them. Given the potential for foreign asset managers to overlook or misinterpret PIPL, this brief update outlines some guidance as to how PIPL can apply, and to whom, in a practical context.

EU Moving Closer to an AI Act – Key Areas of Impact for Life Sciences/MedTech Companies

The European Union is moving closer to adopting the first major legislation to horizontally regulate artificial intelligence. Today, the European Parliament (Parliament) reached a provisional agreement on its internal position on the draft Artificial Intelligence Regulation (AI Act). The text will be adopted by Parliament committees in the coming weeks and by the Parliament plenary in June. The plenary adoption will trigger the next legislative step of trilogue negotiations with the European Council to agree on a final text. Once adopted, according to the text, the AI Act will become applicable 24 months after its entry into force (or 36 months according to the Council’s position), which is currently expected in the second half of 2025, at the earliest.