Electronic Communications Surveillance & Privacy in the Workplace[1]

 

By: Justin J Walsh[2]

April 2000

 

I.       Introduction

Workplace privacy has not been a major issue in Canada judging by the dearth of legislation and litigation in this arena.  This is beginning to change, however, with the increased reliance on the Internet and electronic mail for gathering information and for communication.  With e-mail increasingly becoming the preferred mode of communication in the workplace for both personal and business purposes, new programs have developed to allow employers to monitor those communications.   

This paper will analyze the current legal climate regarding employee privacy and electronic communications surveillance in the United States.  American case law and legislation offers guidance for Canadians looking to the extent of workplace surveillance and the controls placed on employers to prevent the electronic monitoring of employees without prior their knowledge and consent.

This paper argues that legislation specifically addressing employee privacy as it pertains to electronic communications is necessary to provide a clear guideline as to the limits of privacy in the workplace.  Additionally this paper seeks to outline the extent of knowledge that an employee must have and the extent of consent that an employee must give before monitoring is legal.  This paper concludes that employers and employees should jointly develop an electronic communications policy that outlines the rights and responsibilities regarding e-mail communications and Internet usage. 

 

II.    E-mail & Privacy

A.   Current Technology

E-mail has emerged as a powerful communications tool for modern business.  In business settings, e-mail is utilized more often than traditional postal mail.[3]  However, while e-mail use is most frequent in business settings, its use for non-business conversation is only expected to increase and e-mail is fast becoming the preferred mode of communication for most people.  E-mail offers advantages that other communication technology cannot match.  Electronic mail software is easy to use and allows an easy way to communicate details in a way that a telephone call is unable and with a quickness that postal mail cannot match.  The instantaneous nature of e-mail is also more efficient than fax machines.  E-mail messages provide permanency and all messages can be retained on the system of the sender or receiver of the communication.  The capabilities of e-mail and its prevalence as a corporate and personal communicative tool are reasons why the technology of e-mail communication raises unique issues of workplace privacy.

The use of e-mail in the workplace offers obvious advantages.  It allows users to type a message in a controlled manner and to review the message prior to sending it.  E-mail also allows the receiver to view messages at her convenience.  E-mail also offers the advantages of allowing the user to send the message to many people or groups at once, to forward messages to other people, and to easily reply to a message from another person.  Since a copy of the e-mail message is stored in the user’s log, he can access the message again for future reference. 

In spite all the advantages of e-mail, most users should be cautious of what they send because of the permanency of e-mail messages.  E-mail servers store e-mail messages even after a user has downloaded the message onto their personal computer.  These messages stored on the server are then backed up in a more permanent manner on magnetic tape.  The primary purpose of the back-up tapes is to aid the program operator in case the system crashes and must be restored.[4]  Back-up tapes are retained by most organizations for several years and messages on these tapes can easily be accessed and searched to provide access to an entire e-mail message in its original form.[5]  The legitimate business and technological purposes of back-up systems has lead to the permanence of e-mail and is the basis for most legal issues surrounding e-mail.

E-mail is an excellent method of sending messages and communicating with people but it is also a convenient way for information to be digitalized, collected, organized, manipulated and monitored.  E-mail is more accessible than a phone call or a desk.  A supervisor has the ability to monitor incoming and outgoing messages without ever entering a user’s physical workspace.  According to data from the American Management Association, as of the first quarter of 1999, nearly 30 percent of major U.S. companies monitor employee e-mails, up from 20 percent in 1998 and 15 percent in 1996.[6]  The statistics will rise in 2000 as more employers worry about employee utilization of the Internet and e-mail for unauthorized purposes while the costs for monitoring software plummet. 

Privacy consultant Robert Gellman expressed employee caution after the New York Times fired twenty people over the sending of “inappropriate and offensive” e-mail messages.  He said, “The law says you can monitor e-mail. How many employees routinely know about it, think about it?  I don’t think people are generally aware.  For a significant percentage of company e-mail users, this will be a revelation”.[7]  Monitoring software can be found at numerous websites and all indications are that sales are brisk.  Content Technologies, for example, has software that reads incoming and outgoing e-mail messages and has seen its software sales double every year from 1996 through 1998.[8]  Surveillance software marketer Telemate.Net says it can help employers detect security breaches, “monitor employees’ compliance with Internet and voice network usage policies and detect abuse” and “measure productivity of Internet and telephone-based sales activities”.[9]  Another software application called Silent Watch allows employers to monitor every keystroke workers make.  Surveillance software allows employees to be monitored with ease by employers.

Why would employers spend monetary and time resources on monitoring employees?  Can such surveillance be justified?  What follows are employee and employer perspectives on electronic surveillance and employee privacy issues.

 

B.   Employer Perspectives & Employee Reaction

The inundation of electronic communication in the workplace and the resulting electronic surveillance potentially exposes employers to various forms of legal liability.  Employers argue that as corporate decision-makers they must decide what policies to adopt regarding the access to, and the use and disclosure of, electronic mail sent and received by their employees on office communications systems.  Employers are concerned that they may be held liable for employee conduct when Internet use or e-mail messages sent or received expose other employees, supervisors or customers to material deemed offensive.  Not monitoring employees can result in significant economic repercussions.  For example, Chevron Corp. was forced to pay four plaintiffs U.S. $2.2 million after employees sent sexually harassing e-mail through the company system.[10]  Arguably, Chevron officials may have caught the problem before it had escalated and could have avoided a lawsuit if they had an electronic monitoring system in place.  

Concerns about liability have caused employers feel justified in taking any action against employees it deems necessary to protect the corporation.  Thus, New York Times felt justified in firing the twenty employees for sending inappropriate and offensive e-mail and the U.S. Navy felt it appropriate to discipline more than 500 employees at a Pennsylvanian supply depot for sending sexually explicit e-mail.  Xerox fired forty people in October 1999 and Boeing has also fired dozens of employees for violating company computer policies.[11]  

“Corporations may find themselves ultimately liable or responsible for, or its reputation affected by, what its employees are doing online,” said Thomas P. Vartainian, chairman of financial services and technology practice for a major American law firm.[12]  George B. Trubow, director of the Center for Information and Privacy Law at John Marshall Law School agrees that “Employers have the right to monitor what their employees are doing on the Internet, telephone and computers and they can do it without telling them,” but he cautioned that not informing employees of monitoring is not wise.[13]    

Vartanian also addressed another employer concern when he expressed that, “…the science of corporate espionage has become easier to commit, which has caused more companies to redouble their efforts in the protection of their information.”[14]  According to a study commissioned by Elron Software, twenty-seven percent of employees surveyed about personal e-mail usage claimed to have received confidential company data from outside their company compared to 9.2% in 1999.[15]  However, disciplinary actions for employee espionage are not widely reported and no publicly known examples can be found although corporations would attempt to keep such information out of the public realm.

Employee productivity is the ultimate concern for corporations.  “You get suspicious if a person is at a computer eight hours a day and they are not getting anything done,” said Xerox Corporation spokeswoman Christa Carone.[16]  A survey conducted by the American Management Association (AMA) has found that nearly three-quarters of major U.S. firms record and review employee communications and activities on the job, including their phone calls, e-mail, Internet connections and computer files.[17]  This figure has doubled since 1997.[18]  “After all, an employee’s at work to do work,” explained Eric Rolfe Greenberg, director of management studies at the AMA.  “Employers have a legitimate interest in a worker’s performance.”[19]  According to SurfControl, another company providing products that allow employers to keep watch over where employees web surf, about U.S. $1.05 billion of the $3.5 billion corporations spend each year on Internet access is wasted on recreational surfing.[20]    

Despite employer concerns, employees and privacy advocates knowledgeable about employer capability to monitor electronic communications believe that many companies are invading employee privacy.  The American Civil Liberties Association, for example, gets about a half-dozen complaints weekly from “spooked” employees.[21]  Andrew Shen, a policy analyst for the Electronic Privacy Information Center (EPIC), believes that “Companies should not be monitoring their employees unless they have proof they’re failing to complete their work or misusing company resources” because to do so “…. is a violation of their right to privacy”. [22]

A senior engineer at an international engineering company in Las Vegas is an example of an employee concerned with employer’s electronic monitoring practices.  After visiting a stock broker’s website to obtain a stock quote he was immediately visited by an information technology (IT) staff member, who let the engineer know that he was aware of the engineer’s extra-curricular surfing.  “Our company hasn’t come out with any official policy but from what I saw, they are definitely sniffing around,” the engineer said.  The engineer added, “I don’t feel good at all.  I feel as if they were tapping into my home phone.”[23]  Numerous employees from a range of industries have reported similar experiences. 

The remainder of this essay will delve into American cases and legislation that have dealt with conflicts over employee privacy and the employer’s right to electronic monitoring.  Canadian examples will be examined and the inadequacy of Canadian legislation will be highlighted.  A model policy will be developed that takes into consideration the concerns of both employers and employees.   

 

III.  American Law

A.   Electronic Communications Privacy Act

The only federal law currently applicable to the monitoring of workplace e-mail and Internet usage is the Electronic Communications Privacy Act of 1986 (ECPA).[24]  Many of the Act’s provisions that apply to workplace e-mail are untested but some case law has emerged interpreting the applicability of some provisions of the ECPA.  The cases, to be discussed below, demonstrate how American courts may be inclined to apply the ECPA to cases of workplace e-mail privacy but will also demonstrate the inherent weaknesses of the Act in protecting the privacy of e-mail users in the workplace.

The ECPA is an amendment to Title III of the Omnibus Crime Control and Safe Streets Act of 1968.[25]  The 1986 amendment to the statute was to “update and clarify Federal privacy protection and standards in light of dramatic changes in computer and telecommunications technologies.”[26]  The Act provided a federal definition of e-mail and other new communication technologies and rolled them into the previous wiretap law of 1968.  The primary components of the Act are Title I, which addresses the interception of wire, oral and electronic communications and Title II, which addresses access to stored communications.   

The ECPA has been raised primarily in cases of telephone interceptions and has yet to be raised in a case involving workplace e-mail monitoring.[27]  With the focus of Title I on “third party” interception, the ECPA does not explicitly offer protection from employers who access or intercept the electronic communications of their employees but rather it provides protection in situations where an employee or outside individual exceeds his or her authority when accessing, intercepting, or disclosing information on a private corporate system.[28] 

Title II of the ECPA protects against the attainment of electronic communications such as e-mail messages that are stored in a computer system for later retrieval.  The Act defines electronic storage as: “(A) any temporary, intermediate storage of a wire or electronic communication incidental to the electronic transmission thereof; and (B) any storage of such communication by an electronic communication service for purposes of back-up protection of such communications.[29]  Title II prohibits breaking into an electronic storage system by anyone who is intentionally accessing the system without authorization or, more importantly for the purposes of this paper, or who is intentionally exceeding authorized access into the system.[30]  Thus, Title II applies in situations where employers or other employees act in a manner that exceeds his or her authority when intercepting an employee’s electronic communication. 

            The differences between Titles I and II of the ECPA as it pertains to e-mail monitoring were examined in the recent case of Steve Jackson Games, Inc. v. United States Secret Service.[31]   This case dealt with the accessing of e-mail messages by the Secret Service on a server that had been seized as part of a raid on a computer bulletin board operator.  The plaintiffs were operators and users of the server used for e-mail communication and an electronic bulletin board.  The court of appeals, in affirming the district court’s action, held that Title II of the ECPA had been violated but not Title I.  Title I had not been violated by the Secret Service’s actions because “[the] acquisition of the contents of the electronic communication was not contemporaneous with the transmission of those communications.”[32]  The actions were not an “interception” for the purposes of Title I but rather they were an accessing of stored communications under Title II.  The court noted the difference between procedural safeguards in standards of Titles II and I were because interception poses a significant risk that officers will obtain access to communications that have no relevance to the investigation they are conducting.  That risk is presented to a lesser degree and can be controlled more easily in the context of stored electronic communications since technology exists so that relevant communications can be located without the necessity of reviewing the entire contents of all stored communications.[33] 

Although the Steve Jackson case dealt with the accessing of e-mail by the Secret Service for the purposes of a law enforcement investigation, it is relevant for our purposes since it demonstrates the difference between the interpretation of an “interception” and a “stored communication” under the ECPA.  Thus, Title II rather than Title I of the ECPA will be considered in matters concerning the accessing of e-mail messages since e-mail messages are routed through a server where they are saved making it near impossible to intercept them while in transmission.

Title II provides several exceptions to the ECPA’s prohibition against accessing electronic communications.  The most significant for the purposes of workplace e-mail are the “business use”, “business-extension”, or “ordinary course of business” exception[34] and the “consent” exception[35].  The consent exemption provides that access is allowed when given with respect to conduct authorized by a user of that service with respect to a communication of or intended for that user.[36]  This means that express consent given by the employee to electronic monitoring protects the employer against liability under the ECPA.  Some commentators have stated that this consent might in some cases be implied from the surrounding situation.[37]  In the voice messaging system case of Bohach v. City of Reno, for example, the court found that the consent exception of Title II of the ECPA included a person’s implied consent to the accessing of messages when he knows prior to using the system that other parties can access messages in the system.[38]

The parameters of the “business use” exception for accessing employee e-mail under the ECPA’s Title II may be even more difficult to clarify than the consent exception.   For the purposes of e-mail § 2701 (c) (1) is considerably vague since an e-mail service provider can be either the firm providing a user with service or a firm providing a user access to a service provided by another company.  E-mail services can be provided to firms by e-mail service providers, general providers of telecommunication services, or the firm may own a server.  In each case it is unclear how the ECPA’s exception applies.  Although no workplace e-mail cases directly address this issue, Bohach provides guidance as to how the American courts will interpret the provider exemption issue.

The court in Bohach found that the City of Reno was a provider of a communications service for the purposes of the ECPA, namely its computerized internal voice messaging system, and was therefore “free to access the stored messages as it pleased.”[39]  Since § 2701 (c)(1) allows service providers to act unreservedly when it pertains to accessing communications in electronic storage, the court reasoned that there was no ECPA access violation.[40]  In concluding that the City of Reno would not violate the ECPA in accessing the voice messaging communications of two police officers under investigation, the court held that since the city was the provider of the ‘service’, neither it nor its employees could be liable under § 2701.[41] 

The court in Anderson Consulting LLP v. UOP also addressed an aspect of the provider exception when it found that the ECPA had not been violated by UOP when it disclosed e-mail messages from Anderson employees to the Wall Street Journal.[42]  The Anderson employees had been using UOP’s e-mail system in the course of their contract work for UOP.  UOP was unhappy with Anderson’s work so released the Anderson employee’s e-mail messages stored on the UOP computer system to the Wall Street Journal for publication in a story about the breach of contract action brought by UOP against Anderson.[43]  As a result of the released e-mail messages, Anderson filed a separate action against UOP alleging a violation of the ECPA.[44]  Anderson argued that as a contractor they were allowed to access UOP’s system causing UOP to be a public service provider, thus UOP’s accessing and releasing of the e-mail messages was in violation of §2702 of the ECPA.[45]  The court found that UOP was not a public service provider under § 2702 (a)(1) but rather it provided services to its employees that included the Anderson employees while they were contracting with UOP, so the court dismissed the action.[46] 

The Anderson case is significant because the court stated that UOP was a service provider.  Although the case does not provide an analysis of Anderson’s claim under § 2701’s exceptions, the outcome assumes that because Anderson was a service provider (but not a provider for the purposes of § 2702) § 2701 was not violated by UOP’s release of the Anderson employee’s e-mail messages to the Wall Street Journal.  The result in this case is consistent with Bohach when the court there stated that because the City was the provider of the service, then neither it nor its employees could be liable under § 2701.  These two cases demonstrate that U.S. courts are disposed to interpret a service provider for the purposes of § 2701 to mean that firms providing e-mail services to their employees are exempted from § 2701’s prohibitions against accessing stored e-mail communications under § 2701 (c)’s exceptions.

B.   Privacy for Consumers & Workers Act

The ECPA case law renders an interpretation of the Act that provides minimal restraint on an employer’s ability to access a user’s e-mail communications and only minimal recognition of a user’s privacy interest in e-mail communications.  As well, the ECPA has not yet been directly applied to the issue of accessing workplace e-mail communications.  This has raised questions about how, when and for what purposes employee e-mail communications may and should be accessed and has resulted in congressional efforts to address the issue of electronic workplace monitoring of employees.  The most significant effort resulted in the Privacy for Consumers and Workers Act (PCWA) originally introduced into Congress in 1991 with similar legislation introduced in 1992 and 1993.  None of this legislation has been enacted into law so they will not be discussed in detail, however, note that these Acts intended to frame solutions to the issue of employee electronic monitoring where the ECPA was lacking. 

The stated goal of the PCWA is to prevent abuses of electronic monitoring by: (1) providing a broad definition of electronic monitoring; (2) requiring that prior notice of monitoring be given to employees; (3) limiting periodic or random electronic monitoring based on employee tenure; (4) restricting an employer’s review of continuous electronic monitoring; (5) allowing employee access to data collected from electronic monitoring; (6) limiting an employer’s subsequent use of data obtained through electronic monitoring; and (7) providing for specific areas of employee privacy in the workplace.[47]  Employers who violate the provisions of the PCWA would be subject to both civil penalties and private civil actions and to make the provisions even stronger; an employee would not be able to waive any rights under the PCWA unless it was part of a court settlement.[48]  Some of the provisions of the PCWA will be returned to in the Solutions section of this paper.

C.   Californian Initiative

       With Silicon Valley at the heart of the technological thrust into the workplace, it is only befitting that Californians lead the way to protecting employees from overbearing workplace electronic monitoring.  California State Senator Debra Brown reintroduced a workplace privacy bill that would make it illegal for companies to review the e-mail of employees, the Internet sites visited by employees, and the computer files created by the employee, without providing the employee with notification of the company’s computer monitoring policy.[49]  A similar bill was introduced in 1999, which passed both houses of the California legislature by a substantial bipartisan margin, but the Governor vetoed it on the grounds that the bill’s notification requirement would place too great a burden on employers.[50]   

The 2000 bill contains three main requirements.  First, the bill mandates that employers create and distribute to all employees the company’s workplace privacy and electronic monitoring policies and practices. Secondly, the bill would require employees to sign, either in writing or digitally by electronic signature, that they have read, understood, and received the company’s monitoring policies and practices.  The third major provision of the bill would give employees the right to access electronic data that the employer collects through monitoring, and the right to dispute or delete inaccurate data.[51]  Employers would still have the right to terminate the employment of a person who violated company policies and misuses company equipment.  Rather, the bill would empower the employee with prior knowledge of an employer’s electronic monitoring practices. 

.

The bill is a model that B.C. lawmakers may wish to consider.  The bill would be added to the state labour code.  A similarly worded provision should be considered for the B.C. Labour Code since there is currently no provision that prohibits an employer from secretly monitoring electronic mail or other computer records generated by an employee.  While amendments to the Californian Bill have made it applicable only to specified public entities, B.C. legislatures should consider a bill applicable to both public and private employers.      

Before considering the present Canadian situation in detail, American electronic mail cases should be examined.  Many of the unpublished cases come out of California including Shoars v. Epson, Inc.[52], Flanagan v. Epson, Inc.[53] and Bourke v. Nissan Motor Corp.[54] Two additional cases of significance, Smyth v. Pilsbury[55] and Restuccia v. Burk Technology,[56] will also be scrutinized along with the most recent case of United States v. Simons.[57]   

D.   Electronic Mail Cases

Shoars and Flanagan arose out of the same set of facts.  Shoars was an Office Systems Programmer Analyst in the Information Resources Department at Epson when in 1990 she discovered that her direct supervisor had “systematically printed up and read all of the E-mail that was entering and leaving Epson’s place of business….”[58] Shoars had been informing Epson employees that their e-mail transmissions were confidential and she had also believed that nobody in Epson had given her supervisor permission to read the transmissions.[59]  Shoars requested a private e-mail account number from Epson’s main systems administrator that her supervisor could not access.  Her supervisor intercepted the request and he then terminated her for insubordination. 

Shoars brought a claim under California Penal Code § 631, a wiretap law similar to the ECPA, claiming that Epson had violated her right to privacy in the workplace with a wiretap.[60]  However, the claim was dismissed.  Flanagan was a class action suit brought by the employees whose e-mail had been read by Shoars’ supervisor and the case was brought under the same claims as Shoars’ action.  The court dismissed this case as well.[61]  The court refused to extend California’s right to privacy to employee e-mail, which suggests that such a determination should be left to the legislature.  The Bill in the presently in the California senate addresses the shortcomings to employee right to privacy regarding electronic communications.

Another Californian employee e-mail monitoring case arose when Nissan Motors Corp. reviewed the e-mail communications of two of its employees, Bourke and Hall, who were Information Systems Specialists.[62]    Bourke and Hall were involved in an e-mail demonstration where some of their e-mail messages were used to demonstrate the e-mail system at which time another Nissan employee read their messages, reporting their content to a supervisor.[63]  The messages were not business related but rather of a personal and sexual nature. 

An action was brought against Nissan by Bourke and Hall based on Nissan’s violation of California’s constitutional right to privacy, Nissan’s violation of the California wiretap statute, and wrongful discharge in violation of public policy.[64]  In affirming the trial court’s order of summary judgment for Nissan, the appellate court concluded that there was no constitutional violation because the plaintiffs knew that their e-mail could be read since they had signed a company agreement stating that their e-mail use was to be for business use only.[65]  The plaintiffs also had no expectation of privacy since other employees had previously warned them that the company reviewed employee e-mail.  Since there was no invasion of privacy by Nissan in reading the e-mail messages, the court found that there could be no discharge in violation of public policy exception applied to the termination of the at-will employees Bourke and Hall.[66]  

The Smyth v. Pilsbury Company case involved the Pilsbury and its employee Smyth.  Smyth sent an e-mail from home to his supervisor concerning sales and management containing the phrase “kill the backstabbing bastards” and referred to an upcoming holiday party at Pilsbury as the “Jim Jones Koolaid affair”.[67]  Employees at Pilsbury had been informed that their e-mail messages would remain confidential and privileged and that e-mail messages could not be used against an employee as grounds for termination or reprimand.[68]  Nonetheless, his superiors at Pilsbury accessed Smyth’s stored e-mail and he was terminated for transmitting “inappropriate and unprofessional comments”.[69] 

Smyth was an at-will employee and brought a claim in federal district court against Pilsbury for wrongful termination.  The court found that Smyth had no cause of action because Pennsylvania is an at-will jurisdiction and Smyth’s claim did nit fit into one of the recognized public policy exceptions to the rule that an at-will employee may be discharged for any reason, thus a motion to dismiss the claim was granted.[70] 

The court continued in dicta to consider the merits of a claim under the tort of invasion of privacy if Smyth had brought such a claim.[71]  The court compared the situation of a termination for the refusal to take a urinalysis test to that of Smyth’s e-mail and found that Smyth did not have an expectation of privacy despite Pilsbury’s statements to the contrary.  Even if Smyth did have an expectation of privacy, it was lost once he sent the e-mail messages over the company’s system.[72]  The court also found that a reasonable person would not consider Pilsbury’s interception of the e-mail messages a highly offensive invasion of privacy.[73]

Restuccia is the other reported case addressing the monitoring of workplace e-mail.  Restuccia and LoRoe were employed at Burk Technology where they used the office e-mail system.  The president of Burk, Mr. Burk, fired the two after accessing the company’s e-mail system and reviewing their e-mail messages discovering that they referred to him by various nicknames and expressed knowledge about his extra-marital affair.[74]  Mr. Burk reviewed e-mail messages stored in the company system for eight hours after a staff meeting where LoRoe had protested new office policies and another employee told Burk about LoRoe’s e-mail use.  Burk stated that he fired LoRoe and Restuccia for their excessive e-mail use and not for the content of their messages.[75] 

A user had to log on with a personally selected password to access the Burk e-mail system.  The firm had no policy about e-mail use other than “excessive chatting” should not take place.[76]  Restuccia and LoRoe were not told and they were unaware that their supervisors could gain access to their e-mail messages.  After their termination, the two brought suit against Burk Technology for wrongful termination, invasion of privacy, unlawful interception of wire communications, intentional and negligent infliction of emotional distress, loss of consortium and interference with contractual relations.[77]  Summary judgment on all claims was granted except for the claims of wrongful termination, invasion of privacy, negligent infliction of emotional distress and loss of consortium. 

The plaintiffs failed on their claim of unlawful interception of wire communication, brought pursuant to a Massachusetts statute that prohibits the “secret hearing or secret recording of wire communications by means of an intercepting device”.[78]  The statute also provided for a “business use exception” to the interception prohibitions and the court read the statute to exempt the actions of Burk in accessing the stored e-mail messages.[79]

The court found that Restuccia and LoRoe had raised an issue that presented as question of fact as to whether Burk’s review of their e-mail messages was an invasion of privacy and grounds for wrongful termination.[80]  Whether the two had a reasonable expectation of privacy for their e-mail messages was found to be a question of fact.  Additionally, the court found that there was a material question of fact as to whether the firing of Restuccia and LoRoe, who were at-will employees, violated the public policy of the privacy statute.[81]

In the criminal case United States v. Simons, the U.S. Court of Appeals for the Fourth Circuit held that a government worker did not have a legitimate expectation of privacy with regard to the record or fruits of his Internet use in light of his government employer’s policy.[82]  The defendant, Simons, was an employee of the Foreign Bureau of Information Services (FBIS), a division of the Central Intelligence Agency.  The FBIS instituted a policy in June 1998 regarding Internet usage by employees that stated that employees were to use the Internet for official government business only and that accessing unlawful material was particularly prohibited.[83]  The policy explained that FBIS would conduct electronic audits to ensure compliance and that such audits would include electronic auditing of access to the system, inbound and outbound transfers, terminal connections to and from external systems, sent and received e-mail messages, Web sites visited, and the date, time and user associated with each visit.[84] 

FBIS hired a contractor for the management of its computer network.  The contract included monitoring for any inappropriate use of computer resources.  In July 1998, the contractor entered the word “sex” into the firewall database and found a large number of hits originating from Simons’ computer so the contractor reported the discovery to his FBIS contact.[85]  An FBIS employee was asked to examine Simons’ computer from his own workstation, printed a list of titles from downloaded files, and copied all the files on the hard drive of Simons’ computer.  A series of searches then occurred and Simons was subsequently indicted on one count of knowingly receiving child pornography that had been transported in interstate commerce in violation of 18 U.S.C. §2252A(a)(2)(A) and one count of knowingly possessing material containing images of child pornography that had been transported in interstate commerce in violation of 18 U.S.C. §2252A(a)(5)(b).[86]

Simon argued that the searches of his office and computer violated his Fourth Amendment rights and moved to suppress the evidence.  Simons appealed his conviction on both counts.  The court stated that while government employees may have a legitimate expectation of privacy in their office, “Simons did not have a legitimate expectation of privacy with regard to the record of fruits of his Internet use.  The policy clearly stated that FBIS would ‘audit, inspect, and/or monitor’ employees’ use of the Internet … accordingly, FBIS’ actions in remotely searching and seizing the computer files Simons downloaded from the Internet did not violate the Fourth Amendment.”[87]

The cases in this section have elucidated the shortcomings of existing legislation in protecting the privacy of employee e-mail.  The proposed Californian bill that would amend the labour code and the PCWA would together shore-up the shortcomings of existing legislation.  The Californian Bill and the PCWA also provide two frameworks for Canadian legislatures to consider since the monitoring of employees electronic communications has not been adequately addressed.  What follows is the current state of Canadian laws.

 

IV.Canadian Law

A.   The Current System

Unbeknownst to most, Canadian employees have not surfed the Internet or used company e-mail systems without being monitored by their employers.    However, an examination of various collective agreements over a spectrum of industries resulted in the finding of no provisions addressing the surveillance of employee electronic communications. 

Dominic Petruzzi, for example, was a technical inspector with CAE Electronics Inc. in Montreal.  He was fired last summer after a routine audit of employee computer activity revealed he spent 329 hours over four months surfing the Web at work.  According to the company, most of that time was spent visiting pornographic sites.[88] 

Petruzzi told a Quebec arbitration panel that the company was mistaken since he never spent more than two hours a day on-line but the panel did not believe the defence and denied his appeal of the dismissal.  It was monitoring that led CAE Electronics to Petruzzi.  Every month, managers at CAE receive computer printouts that track the Internet transmissions of 4 200 employees.[89]

Personal information at the federal and provincial levels is protected through statutes aimed at particular industries including provincial statutes that establish the tort of invasion of privacy and common law protection of privacy of individuals in the private sector.   However, existing labour codes, the Charter[90] and privacy laws do not directly address the issues of electronic surveillance and employee privacy rights but do offer some indirect protection to employees.  The law in Canada offers employees in private enterprises little protection in the workplace.  Employers own the communications equipment used in the workplace, including the computers, software and even the messages distributed in the workplace.

With the exception of Quebec’s Act Respecting the Protection of Personal Information in the Private Sector, there is no federal or provincial legislation in Canada that provides comprehensive protection of personal information in the private sector although the federal government has recently passes a new electronic privacy act.  The Canadian Standards Association (CSA) has developed a voluntary code of practiced that has been adopted as a model globally.[91]  The introduction of new federal legislation signifies that Canada is beginning to understand the significance of electronic surveillance of communications.

B.   Bill C-6

The passage into law on April 13, 2000, of Bill C-6, the Personal Information Protection and Electronic Documents Act, is a significant measure in protecting Canadian employee privacy.  The privacy provisions of the Act are expected to come into force on January 1, 2001.[92]  Although the primary aim was to protect consumers, the Act also applies to every organization in respect of personal information that “(a) the organization collects, uses or discloses in the course of commercial activities; or (b) is about an employee of the organization and that the organization collects, uses or discloses in connection with the operation of a federal work, undertaking or business.”[93] 

Generally an organization will need to meet ten principles relating to accountability, identifying purposes, consent, limiting collection, limiting use, disclosure and retention, accuracy, safeguards, openness, individual access and challenging compliance.  The effectiveness of Bill C-6 in regulating the monitoring of employee electronic communications will not be known until the Act comes to force and litigation on its provisions occur but arguably, Bill C-6 does not satisfy the issues unique to workplace surveillance.  What is needed is a provision that deals explicitly with monitoring of employee e-mail and Internet usage.  The current system relies on the various privacy acts  

C.   A Breaking Case in British Columbia

The International Brotherhood of Electrical Workers Locals 213 and 258, et al, statement of claim against BCT.Telus Communications Inc., John Doe and Jane Doe[94] touches on some of the issues discussed in this essay (“IBEW case”).   The Plaintiffs say that the Defendants violated their common law and statutory right to privacy pursuant to the Privacy Act[95].  The Plaintiffs say that at on occasions unknown to them, the Defendants violated their privacy by accessing the telephone and/or e-mail and/or fax records of the Plaintiff union locals and officials in order to obtain information for an improper purpose.[96]  Amongst the claims, the Plaintiffs say that BCT.Telus has no policies in place to prevent a breach of privacy rights or in the alternative, has inadequate policies in place.[97]

If this case goes before trial, a number of laws will apply.  The Privacy Act says that it is a tort, actionable without proof of damage, for a person, wilfully and without a claim of right, to violate the privacy of another but the nature and degree of privacy to which a person is entitled to depend on the circumstances.[98]  For other cases that may be brought before the court due to electronic surveillance of employees, there are exceptions to these rules including if a person entitled to consent does so.[99]

In this situation it would be difficult to find that the invasion of privacy was reasonable since the surveillance arose out of a rivalry between unions wishing to represent of BCT.Telus workers.  Where reasonableness may arise is in other workplace settings where an employee, for example, communicates with customers over a company’s e-mail system.  Under that scenario, it may be reasonable for the monitoring of e-mail since it may be related to job performance and customer satisfaction.

            Case law provides some guidance in workplace privacy intrusion cases.  In the Doman case, Arbitrator Vickers found a balance needed to be found between the right of the employer to investigate a potential abuse of sick leave and the right of the griever to be left alone.[100]  Although this case arose out of surveillance of an employee outside the workplace, a similar argument may be made for situations involving the surveillance of employees’ electronic communications and Internet usage.  Three questions had to be considered to achieve this balance:

·         Was it reasonable in all the circumstances to request surveillance?

·         Was the surveillance conducted in a reasonable manner?

·        Were there other alternatives open to the company to obtain the evidence it sought?[101]

In Doman, Vickers held that the surveillance was an unreasonable invasion of the griever’s privacy and therefore, both the videotape evidence and the investigators’ viva voce evidence was inadmissible.  As a result, the dismissal was unwarranted and the griever was reinstated with back pay.[102]  The same three questions could be asked in a situation where a company wishes to monitor its employees’ electronic communications. 

 

V.   Model Policies

The IBEW case could be settled in IBEW’s favour by framing the issues in privacy act language.  Other cases will not be as straight-forward and will demand legislation balances the interests of employers worried about productivity and liability because of the time spent on the Internet and the content of e-mail messages sent and received by their employees.  Relying solely on collective agreements will not be satisfactory because of the high number of employees subject to or potentially subject to electronic monitoring are not and will not likely become part of a union.  However, unions could take a leading role by clarifying the rules for electronic monitoring in the workplace and by instituting a grievance procedure that would protect the jobs of employees that run afoul of the rules (at least on the first occasion).

The Privacy Act provides some protection for employees but the reasonableness language will cause most workplace electronic monitoring to be found acceptable.  What will be most effective is a cooperative effort between employers and employees to create a model policy.  Additionally, language similar to the Californian Bill should be legislated into the provincial and federal labour codes so that the rights and responsibilities of employers and employees regarding electronic communications monitoring are entrenched, no matter what industry a worker is in.

The Ontario Information and Privacy Commissioner published Privacy Protection Principle for Electronic Mail Systems in February 1994.  The seven principles are:

·         The privacy of e-mail users should be respected and protected;

·         Each organization should create an explicit policy which addresses the privacy of e-mail users;

·         Each organization should make its e-mail policy known to users and inform users of their rights and obligations in regard to the confidentiality of messages on the system;

·         Users should receive proper training in regard to e-mail and the security / privacy issues surrounding its use;

·         E-mail systems should not be used for the purposes of collecting, using and disclosing personal information, without adequate safeguards to protect privacy;

·         Providers of e-mail systems should explore technical means to protect privacy;

·        Organizations should develop appropriate security procedures to protect e-mail messages.[103]

The second principle suggests that every individual within the organization should be made aware of his or her rights and obligations under the policy and agrees to adhere to it.  The policy should enable users to protect their own privacy as well as that of their co-workers who send them information and other individuals who are the subjects of e-mail messages.[104]  The policy should establish at a minimum: the purposes for which the e-mail system may be used; access to e-mail on the part of third parties; and consequences of breaches of the e-mail policy.[105]

            From the employers perspective, a written policy that expressly defines the extant to which employees can reasonably expect privacy to attach to their communications.  This ensures that the employer has en enforceable right to monitor its employees’ communications.[106]  A growing number of Canadian companies have instituted written policies.  For instance, the computer screens at General Motors of Canada, Ltd., remind employees every time they log on to a computer of a company policy that restricts Internet and e-mail use to business activities.  The policy also warns that their activity is being recorded and monitored.[107]     An employer may wish to list the following principles:

·         All communications made through the use of the employer’s e-mail, Internet and voicemail systems are the property of the employer;

·         Communications systems are to be used solely for the purposes of conducting business;

·         Communications systems may be monitored by the employer without notice; and

·        Communications shall be treated as confidential to the employer, but not private to the employee.[108]

            However, employers must consider that e-mail users’ expectations about privacy of their e-mail communications may be difficult to change and maybe should not be changed.  One result of modern technology is that people are working longer hours either in an office or at home and affording a workplace privacy interest in e-mail communications enhances the ability of all people to perform their tasks.  By preventing employees from engaging in some personal e-mail communications and web use, the employer threatens to alienate valued workers. 

A reasonable balance between employer and employee interests has been communicated by Bob Young, chairman of Red Hat, “We do not monitor our staff members’ online activities.  The reason is that if we did they’d quit.  Seriously.  And I wouldn’t blame them one bit.  On the other hand we do hold them responsible for their online activities, in exactly the same way that companies have always held their staff responsible for any activities outside of work that affected the employer.”[109]   

 

VI.Conclusion

Workplace privacy is quickly becoming a major issue in Canada.  With e-mail increasingly becoming the preferred mode of communication in the workplace for both personal and business purposes, new programs have developed to allow employers to monitor those communications and employees have begun to realize how little privacy they have in a computerized environment.

The introduction of Bill C-6 is a step in the right direction but the provincial and federal governments must do more to enshrine laws governing electronic surveillance in the workplace. This paper analyzed the current legal climate regarding employee privacy and electronic communications surveillance in the United States and found that efforts have been made, especially in California, to protect worker privacy, although no electronic surveillance cases have yet been decided in favour of the employees.  Canadians can learn from the American case law and legislation.

This paper argued that legislation, especially as amendments to federal and provincial labour codes, specifically addressing employee privacy as it pertains to electronic communications is necessary to provide a clear guideline as to the limits of privacy in the workplace.  However, in the hopes of fostering a trustworthy environment, employers and employees should jointly develop an electronic communications policy that outlines the rights and responsibilities regarding e-mail communications and Internet usage. 

VII.          Bibliography

A.   News Articles

“American Companies Increase Use of Electronic Monitoring”, American Management Association (April 12, 2000), at http://www.amanet.org/research/press.htm

“Gotcha! Snoopware on the Job”, American Civil Liberties Union Freedom Network (Aug. 2, 1999), at http://aclu.org/news/1999/w080299a.html

“Government of Canada Delivers on Promise to Protect Consumer Privacy”, Industry Canada (April 13, 2000), at http://e-com.ic.gc.ca/english/releases/41d13.html?front=e

“More U.S. Firms Checking E-Mail, Computer Files, and Phone Calls, Says American Management Association Survey”, American Management Association (April 14, 1999), at http://www.apanet.org/research/specials/monit.htm

“New Study Shows Confidential Data Loss via E-mail Increases 170% from Last Year”, Elron Software (2000), at http://www.elronsw.com/connection/newsletter.cfm?STORY=122

“Search of Gov. Employee’s Net Use, Computer Not Unconstitutional”, E-Commerce Law Weekly (March 10, 2000).

Steven Bonisteel, “At-Work Surfers Hide Their Online Habit – Web Survey”, Newsbytes (Nov.30, 1999), at http://www.newsbytes.com

Susan Boyles, “Monitoring employee e-mail: What workers do in the office can reflect on your company”, CNNfn (Aug. 12, 1999), at http://cgi.cnnfn.com/output/pfv/1999/08/12/smbusiness/women_email/

Sherman Fridman, “California Bosses Can Keep Snooping On Their Workers”, Newsbytes (Oct. 11, 1999), at http://www.newsbytes.com

Sherman Fridman, “Workplace E-Mail Privacy Bill” Newsbytes (March 06, 2000) at http://www.computeruser.com/news/00/03/06/news11.html

Gannett News Service, “Cybersnooping reaching down to the keystroke”, San Jose Mercury News (April 13, 2000), at http://www.mercurycenter.com/cgi-bin/edtools/printpage/printpage.pl

Sally D. Garr, “Employee Monitoring and Privacy in the Internet Age”, SB 53 ALI-ABA 1 (1997).

Margot Gibb-Clark, “When a company plays Big Brother”, The Globe and Mail (Sept. 14, 1999), at http://www.globeandmail.com

Reed Karaim, “Setting e-privacy rules: More companies form policies on workers’ use of communications tech”, CNNfn (Dec. 09, 1999), at http://cgi.cnnfn.com/output/pfv/1999/12/09/smbusiness/women_emonitoring/

Maura Kelly, “Your boss may be monitoring your e-mail”, Salon (Dec. 8, 1999), at http://www.salon.com/tech/feature/1999/12/08/email_monitoring

Diane Kunde, “Privacy Clashes With Employer Need to Monitor E-Mail”, The Dallas Morning News Knight Ridder / Tribune Business News (July 22, 1998), at http://www.amanet.org/research/specials/email.htm

Howard Kurtz, “New York Times Fires 20 People Over E-Mail”, The Washington Post (Dec. 01, 1999), at http://www.washingtonpost.com

Gayle MacDonald & Michael Posner, “Porno for office pyros”, The Globe and Mail (Feb. 12, 2000), at http://www.globeandmail.com

Michele Masterson, “Cyberveillance at work: Surfing the wrong Internet sites on the job could get you fired”, CNNfn (Jan. 04, 2000), at http://cgi.cnnfn.com/output/pfv/2000/01/04/technology/webspy/

Jacquie McNish & Gayle MacDonald, “Crackdown on Internet cowboys”, The Globe and Mail (Feb. 12, 2000), at http://www.globeandmail.com

Pamela Mendels, “E-Mail Abuse Leads to Firings at Investment Firm”, The New York Times, Cyberlaw Journal (May 14, 1999), at http://www.newyorktimes.com

Laura Randall, “More Firms Track Worker Web Use, Designate Browsers – Study”, Newsbytes (May 18, 1999), at http://www.newbytes.com

Shelly K. Schwartz, “Pulling the Internet plug: Corporate America sets up Web blocks to curtail employee surfing”, CNNfn (July 16, 1999), at http://cgi.cnnfn.com/output/pfv/1999/07/16/companies/q_surfing/ 

Liz Stevens, “Big Brother invading Workplace: And most employee monitoring in workplace is perfectly legal”, The Globe and Mail (Sept. 29, 1999), at http://www.globeandmail.com

Stephanie Stoughton & Kirstin Downey Grimsley, “Companies Move to Curb Web Surfing on the Job”, The Washington Post (Dec. 20, 1999), at http://www.washingtonpost.com

Clive Thompson, “Bang on that Drum All Day”, (March 2000).

Blaise Zerega, “Policing Internet usage: With concerns of lost productivity and reduced bandwidth, management needs to establish an Internet usage policy”, InfoWorld Electric (July 20, 1998), at http://www.infoworld.com/cgi-bin/displayStory.pl?/features/980720policing.htm

 

B.   Legal Journals, Publications, Laws, Surveys

Canadian Charter of Rights and Freedoms, R.S.C. 1985, c. C-11 Schedule B.

Electronic Communications Privacy Act of 1986, 18 U.S.C. §§ 2510-2711 (1998).

Employee Computer Records, California Bill SB 1822, at http://info.sen.ca.gov/pub/bill/sen/sb_1801-1850/sb_1822_bill_20000425_amended_sen.html 

Personal Information Protection and Electronic Documents Act, Bill C-6 (2000).

Privacy Act, R.S.B.C. 1996, Chapter 373.

Privacy Act, R.S.C. 1985, c. P‑21.

“1999 Email Abuse Study” Elron Software Inc. (1999), at http://elronsoftware.com/pdf/1999Email.pdf

“2000 AMA Survey: Workplace Monitoring & Surveillance”, American Management Association (2000), at http://www.amanet.org/research/pdfs/WT2EMS.pdf

 “A Model Access and Privacy Agreement”, Information and Privacy Commissioner/Ontario (Aug. 1997), at http://www.ipc.on.ca/web_site.eng/matters/sum_pap/papers/model-ag.htm

 “Draft Model Code for the Protection of Personal Information: Principles in Summary”, Canadian Standards Association, at http://www.privacy.org/pi/canada/APPENDIXB.TXT

“Employer Communications: Employer Concerns and Rights”, Cassels Brock & Blackwell’s Labour & Employment Newsletter (Spring 1998), at http://www.cassellsbrock.com/employ498.html

 “Privacy Protection Principles for Electronic Mail Systems”, Information and Privacy Commissioner/Ontario (Feb. 1994), at http://www.ipc.on.ca/web_site.eng/matters/sum_pap/papers/email-e.htm

“Protection of Personal Information”, B.C. Civil Liberties Association (1998), at http://www.bccla.org/positions/privacy/protecting98.html

“Workplace Rights: Electronic Monitoring (Legislative Kit #2)”, American Civil Liberties Union Freedom Network, at http://www.aclu.org/issues/worker/legkit2.html

Bernard Adell, “Evidence in Labour Arbitration: Is There Too Much Pressure to Admit Almost Everything?” 23 Queen’s L.J. 67 (Fall 1997).

Kristen Bell DeTienne & Richard D. Flint, “The Boss’ Eyes and Ears: A Case Study of Electronic Employee Monitoring and the Privacy for Consumers and Workers Act”, 12 Lab. Law. 93 (Spring 1996).

Mark S. Dichter & Michael S. Burkhardt, “Electronic Interaction in the Workplace: Monitoring, Retrieving and Storing Employee Communications in the Internet Age”, Morgan, Lewis & Bockius (1999), at http://www.mlb.com/art61499.htm 

Anthony J. Dreyer, “When the Postman Beeps Twice: The Admissibility of Electronic Mail Under the Business Records Exception of the Federal Rules of Evidence”, 64 Fordham L. Rev. 2285 (1996)

John R. Gilmore, “Monitoring Employee Workplace Communications”, Bennett Jones Publications’ Labour & Employment Review (Summer 1999), at http://www.bennettjones.ca/publications.html

Diba Majzub, “Employee Privacy: A Critical Examination of the Doman Decision”, 4 Appeal 72 (1998).

Larry O. Natt Gantt, “An Affront to Human Dignity: Electronic Mail Monitoring in the Private Sector Workplace” 8 Harv. J.L. & Tech. 345 (Spring 1995).

Bruce Phillips, “Privacy in a “Surveillance Society””, 46 U.N.B.L.J. (1997).

Peter Schnaitman, “Building Community Through Workplace E-mail: The New Privacy Frontier”, 5 Mich. Telecomm. Tech. L. Rev. 177 (1999), at http://www.mttlr.org/volfive/schnaitman.html

C.   Cases

a)    American

Bohach v. Reno, 932 F. Supp 1232 (D.Nev. 1996).

Bourke v. Nissan Motor Corp., No. BO68705 (Cal.Ct. App. July 26, 1993).

Deal v. Spears, 980 F. 2d. 1153 (8^th Cir. 1992).

Flanagan v. Epson America, Inc., No. BC 007036 (Cal. Super. Ct. filed July 31, 1990).

Restuccia v. Burk Technology, Inc., 5 Mass. L. Rptr. No. 31, 712 (Nov. 4, 1996).

Shoars v. Epson America, Inc., No. SWC 112749 (Cal. Super. Ct. filed Mar. 26, 1990).

Smyth v. Pilsbury Company, 914 F. Supp. 97 (E.D. Penn. 1996).

Steve Jackson Games, Inc. v. United States Secret Service, 36 F.3d 457 (3d Cir. 1996).

United States v. Simons, No. 99-4238 (4^th Cir. USCA, Feb. 28 2000). 

Watkins v. L.M. Berry & Co., 704 F. 2d. 577 (11^th Cir. 1983).

b)    Canadian

International Brotherhood of Electrical Workers Locals 213 and 258, Dan Olson, David Thompson, Wayne Brazeau, Ron Dickson, and Lester Buss v. BCT. Telus Communications Ltd., John Doe, and Jane Doe, Writ of Summons & Statement of Claim, No. S002427 Vancouver Registry (BCSC May 1, 2000).

Re Canadian Pacific Ltd. and B.M.W.E.(1997), 59 L.A.C. (4^th) 111.

Re Doman Forest Products Limited, New Westminster Division (Preliminary Award) (1990), 13 L.A.C. (4^th) 275; (Award) summarized 21 C.L.A.S. 479.

Re Greater Vancouver Regional District and G.V.R.D.E.U. (1997), 59 L.A.C. (4^th) 45.

Re Steels Industrial Products and Teamsters Union, Local 213 (1992), 24 L.A.C. (4^th) 259.