A brief review of Judgment 328/2021, of April 22, of the Criminal Chamber of the Supreme Court
There is a tension between (i) an employer’s right to access digital devices made available to employees; and (ii) workers’ fundamental rights (the rights to privacy, privacy of communications and data protection in the digital environment). This tension must be appropriately dealt with to avoid serious contingencies that could even have criminal implications.
There is a tension between (i) an employer’s right to access digital devices made available to employees; and (ii) workers’ fundamental rights (the rights to privacy, privacy of communications and data protection in the digital environment). This tension must be appropriately dealt with to avoid serious contingencies that could even have criminal implications.
On this matter there is extensive case law from (i) the Labor Chamber of the Supreme Court (including the famous Judgment of September 26, 2007, appeal 966/2006, and Judgment 594/2018, of February 8, the Inditexcase); (ii) the Constitutional Court (e.g., Judgment 241/2012, of December 17, and Judgment 170/2013, of October 7); and (iii) the European Court of Human Rights (ECtHR), the most recent ones being the judgments in Barbulescu I and II of January 12, 2016 and September 5, 2017. However, there are fewer criminal precedents. This is why Judgment 328/2021, of April 22, of the Criminal Chamber of the Supreme Court is particularly significant.
Until this judgment, the two most important criminal rulings had been Supreme Court judgments 528/2014, of June 16, and 489/2018, of October 23. In the first one, the Supreme Court found that access to employees’ unread emails necessarily required a judicial authorization, since the access interfered with the right to the privacy of communications.
After this judgment, there have been (i) legislative modifications (like the amendment to the Criminal Procedure Act to strengthen procedural guarantees and regulate technological investigations under Organic Act 13/2015, of October 5); and (ii) relevant rulings (e.g., ECtHR judgments in Barbulescu I and II) affecting this matter. The latter Supreme Court judgment mentioned above (489/2018, of October 23) took into account the aforesaid legislative and case law developments. In Judgment 489/2018, the Supreme Court qualified its 2014 judgment, downplaying the importance of whether or not the emails are unread, since it is hard to determine and cannot be the key to deciding the case. Rather, the 2018 judgment focuses on the lack of privacy expectations by the employee whose right is affected. This will make the difference between lawful and unlawful interferences.
In the most recent judgment examined here (Judgment 328/2021), a company owner and sole director (the “employer”) is found guilty of breach of confidence, an offencelaid down in article 197(1) of the Criminal Code, for accessing an employee’s work computer, corporate email-note that other employees knew the passwords-and personal email, which had been installed in the work computer although it was prohibited under the collective agreement.
This offence protects the fundamental right to privacy and punishes various conducts, including the (i) misappropriation of documents, letters or emails; and (ii) unlawful use of audio or image listening and recording devices. This offence can give rise to a legal person’s criminal liability unless they take appropriate measures to prevent it from being committed.
In the case at hand, the employer accessed the employee’s computer because he suspected the employee could be working on the side using company resources. In order to produce evidence of the employee’s conduct in criminal proceedings for theft and other offences, the employer printed certain emails sent and received by the employee, there being no proof that the employee had consented to the access to his computer or email.
According to the Supreme Court: “Any express agreement enabling the employer to monitor the employee will exclude all privacy expectations. However, this exclusion must be express and informed. It does not suffice for an implicit or apparent waiver by the employee.”
In this case, neither the prohibition on the personal use of the work computer under the collective agreement, nor the disclosure of the corporate email account’s password, justify the employer accessing the employee’s email account. The Supreme Court thus confirms that the employer should be sentenced to one-year of imprisonment for breach of confidence, because the prohibition on installing or accessing personal email accounts on the work computer does not entitle the employer to access the employee’s private emails.
Employers cannot have unlimited access to their employees’ work computer or corporate email. Rather, this access should be subject to certain requirements provided in the applicable legislation and the case law. On May 18, 2021, the AEPD Guide (see this post) confirmed these requirements:
1. Defining the employees’ privacy expectations by clearly establishing that digital devices are for professional use only.
2. Authorizing the employer-through a provision known by both parties-to carry out the relevant access. This provision must be known and voluntarily agreed by the employee. Any applicable collective agreement provisions will not suffice.
3. In case of lawful access by the employer, the access should (i) respect the employee’s dignity and privacy; and, particularly, (ii) be proportionate. The proportionality test requires that the relevant action meet three requirements:
- Being suitable to achieve the aim pursued (adequacy assessment).
- Being necessary, i.e., there should not be less invasive but equally effective means to achieve the aim pursued (necessity assessment).
- Striking a fair balance, i.e., that the benefits for the general interest outweigh any harm caused to other interests at stake (strict proportionality assessment).
Having passed the proportionality test, employers may carry out the monitoring, although abiding by the employees’ right to privacy and data protection rights in case of personal data processing.
In this context, given the widespread use of remote tools and the significant increase in remote working, it is more important than ever to review corporate policies and consider the case law when conducting internal investigations.