[Translation from the original verrsion in German]

TIM WYBITUL, Hogan Lovells Int’l LLP
New rules for monitoring employee emails
Overview of current opinion and the practical consequences
Many employers permit the personal use by employees of their corporate email accounts. It is unclear, however, whether – and to what extent – these employers may control employee email communication. This is an important issue for companies because, under Sec. 206 Para. 1 of the German Criminal Code [StGB], the persons involved can be prosecuted for violating secrecy of telecommunications laws.
So far, employers that permit such personal use of corporate email accounts have been regarded, in prevailing legal literature and by many German supervisory authorities, as telecommunications service providers pursuant to Sec. 3 No. 6 Telecommunications Act [TKG].
Taking this view, employers are banned by Sec. 88 Telecommunications Act from inspecting corporate email accounts that employees may also use for personal purposes.
However, the Labor Courts of Appeals [Landesarbeitsgerichte–LAGs] of Lower Saxony and of Berlin-Brandenburg have recently ruled that employers permitting the personal use of corporate email accounts are not subject to the restrictions of the Telecommunications Act.
In this article, we provide an overview of the current legal situation and describe the practical consequences of the new case law. It describes legal exposure resulting from email reviews and suggests how to avoid liability. Moreover, the article gives concrete advice on how to deal with the present legal situation.
  1. Grounds for reasonable email monitoring

It is not unusual for companies to find themselves in situations where it would be expedient to review the corporate email accounts of individual employees.[1]There are a number of reasons for this. In many sectors, the email has already largely supplanted the business letter.[2] Consequently, emails are becoming increasingly important as evidence in court proceedings.[3] A further reason may be a request for such evidence from the public prosecutor or a suspicion of corruption established by the company itself. What is more, US courts not infrequently demand that corporations operating internationally submit comprehensive email correspondence in the context of what is known as the discovery process.[4] If the corporation does not comply with this demand, it may lose an American legal dispute for this reason alone. Sec.130 of the German Regulatory Offences Act [Ordnungswidrigkeitsgesetz – OWiG] imposes on company proprietors an obligation to prevent corporate administrative offences and crimes. Analyzing corporate emails can also be expedient in the context of internal investigations to reveal possible breaches of law within the company. The unexpected absence of an employee may also mean that pending emails have to be dealt with.

The following article will show that this kind of monitoring can in fact be completely lawful according to recent rulings – at least, as long as the employer adequately safeguards its employees' privacy rights.

Continuous monitoring of telecommunications behavior, on the other hand, would be inadmissible bearing in mind the general right to privacy.[5] Additionally, a company can only in exceptional cases have a legitimate interest in monitoring private emails.[6] Reviewing without justification, monitoring prompted by curiosity, and selective spying on individual employees do not constitute grounds that satisfy the legal requirements for email monitoring as described in more detail below.

  1. Private use of corporate email accounts a general rule

Experience has shown that many companies do not prohibit their employees from using the corporate email systems, or do not implement any such prohibition rigorously. A complete prohibition of the private use of emails often appears to be rather old-fashioned. Many employers therefore allow their employees to use their corporate email account to a limited extent, at least, for private purposes, too. In practice, where there is permitted or tolerated private use, the problem arises as to how business emails are to be distinguished from private ones. Where it is not possible to separate private from business emails, the widespread view in the literature on the subject is that all emails fall within the scope of the privacy of telecommunications and therefore largely are covered by a monitoring prohibition.[7]

The German government's draft bill for amending the employee data protection law, dated 25 August 2010[8], in its current version regulates only use of telecommunications services for exclusively professional or business purposes within the employment relationship.[9] The present article, by contrast, concentrates on the legal requirements regarding email monitoring in businesses that allow, or at least tolerate, the use of corporate email accounts by its employees for private purposes.

III.Review of the legal situation prior to initiating email monitoring

Companies that find they have a need to monitor their employees' emails should first check the legal admissibility of each individual action they intend to take. The overview that follows shows what points companies must look out for before they are permitted to initiate reasonable email monitoring. These include issues from the fields of criminal law, telecoms law and data protection law. In the past, companies have found that much uncertainty surrounded these matters because German courts had not yet answered the crucial question of whether employers might possibly be held criminally liable if they were to evaluate their employees' emails.

Under Section 202a of the German Criminal Code [Strafgesetzbuch–StGB], data espionage is a criminal offence. Furthermore, Sec.206StGB makes violation of telecommunications privacy a punishable offence. The specialist literature reflects differing viewpoints as regards the requirements set out in the two provisions.[10] So far, there is no sign of any uniformity in established practice regarding the criminal classification of the review and examination of privately used corporate email accounts for employees.[11] However, in two recent judgments the Labor Courts of Appeals of Lower Saxony and Berlin-Brandenburg (LAG Niedersachsen[12] and LAG Berlin-Brandenburg[13]) have set specific criteria for the legal admissibility of analyzing employees' email accounts. These decisions may ensure that significantly greater legal certainty is provided in future.

IV.Data espionage, Sec.202 a Para. 1 StGB

Under Sec.202a Para.1 StGB, anyone who unlawfully obtains data that was not intended for that person and was especially protected against unauthorized access is liable to prosecution. According to the correct view, the review of business or private emails does not constitute criminal data espionage. As regards emails with a business-related content, there exists a disposition entitlement on the part of the employer.[14] Nonetheless, bearing in mind the data protection requirements, those involved in email monitoring should always be careful to ensure that they do not view or evaluate any emails with plainly private content.[15]

It is not possible for the parties involved to render themselves liable for prosecution in relation to private emails because the factual element of being "especially protected against unauthorized access" required by Sec.202a StGB is not realized. This is the case even when the employee has protected his workplace computer and/or corporate email account with a password selected by the employee. In relation to an employee's computer, the LAG Hamm correctly ruled such setting up of a password to be a data back-up measure as prescribed by Sec.9 Sentence1of the German Federal Data Protection Act [Bundesdatenschutzgesetz – BDSG] which did nothing to alter the fact that the employer still has access to these files through the person of the administrator.[16] "Unless special circumstances arise, an employee cannot in any respect rely on an employer's wish to provide him with protected personal free space that remains beyond the reach of that employer."[17]Employees' mailboxes set up for business purposes are, as a rule, not especially protected against access by the employer. This means that searching emails in the context of email monitoring is, strictly speaking, not a punishable offence pursuant to Sec.202a Para.1 StGB. According to the specialist literature, there is likewise fundamentally no criminal liability pursuant to Sec.202a Para.1 StGB if an employer actually reads its employees' private emails.[18]

V.Violation of mail or telecommunications secrecy, Sec. 206 Para.1 StGB

Sec.206 Para.1 StGB stipulates that anyone who communicates with another person concerning facts that are subject to mail or telecommunications privacy is liable to prosecution.[19] Moreover, these facts must have become known to that person in its capacity as an owner or employee of a business that performs postal or telecommunications services on a commercial basis. It is thus an essential criterion of criminal liability pursuant to Sec.206 Para.1 StGB that employers who allow their employees private use of the corporate email system thereby become businesses that "perform postal or telecommunications services on a commercial basis".

1. "Service provider" as an element of criminal liability pursuant to Sec. 206 Para. 1 StGB

As far as can be seen, no differentiation is made either in rulings or specialist literature between the element of a "business that performs telecommunications services" and the concept of the "service provider" pursuant to Sec.3 no.6TKG.[20] The two concepts are frequently used in the same way.[21]

2. Specialist literature: are employers service providers?

If employers cannot be categorized as service providers pursuant to Sec.3 Para.6TKG then, correctly, there is similarly no criminal liability pursuant to Sec.3 no.6TKG on the grounds of violation of telecommunications privacy. Before carrying out any monitoring of emails where private usage is allowed, businesses must therefore ask themselves whether they are service providers within the meaning of the TKG. According to Sec.3 No.6TKG, a "service provider" means a person who, on a wholly or partly commercial basis, provides telecommunications services or contributes to the provision of such services. The following overview summarizes the various opinions and demonstrates their practical consequences.

a) View still currently prevailing in literature: employers can be service providers

In the specialist literature, controversy surrounds the question of whether employers who allow their employees private use of the corporate email system can be categorized as service providers.[22] According to the probably still prevailing view, it is presumed that these employers are to be classified as providers of telecommunications services.[23]

If employers are categorized as service providers, the question is begged whether privacy of telecommunications should apply without exception. There is disagreement amongst the proponents of categorization as service providers as to whether, for instance, email monitoring should be permitted, as an exception–Sec.88 TKG notwithstanding–when there is a specific suspicion of a crime or of the betrayal of business secrets.[24] However, if there is a presumption of the applicability of the TKG in the employment relationship, then email monitoring is obviously out of the question even where there is a specific suspicion of criminal acts because Sec.88 Para.3 Sentence3 TKG stipulates that email content may be used only insofar as such use is provided for by the TKG or any other legal provision. Moreover, the wording of the provision states that any such statutory provision must expressly refer to telecommunications activities.[25]

A further viewpoint, based on a decision of the Higher Administrative Court [Verwaltungsgerichtshof–VGH]of Kassel of 19May2009[26] ,makes a differentiation depending on whether or not the employee had the opportunity to gain cognizance of the email communication. This viewpoint takes into account that telecommunications privacy provides protection only to current communications–if an email is stored on the server and the employee has already had the opportunity to download it, then email monitoring is possible in principle.[27] However, this viewpoint is countered by the argument that in practice, employees frequently do not have the technical capability of conclusively deleting emails from the system operator's server.[28]

b) Contrary view: employers are not fundamentally service providers

The contrary view, meanwhile, rejects any application of the provisions of the TKG as regards employers for a variety of reasons.[29] Sec.88 TKG is one of the data protection provisions within telecommunications law, and thus protects the general right to privacy pursuant to Art.2(1) of the German Constitution [Grundgesetz – GG] in conjunction with Art. 2(1) GG; but according to the established practice of the Federal Labor Court [Bundesarbeitsgericht – BAG], an employee's general right to privacy is not, in fact, assured without restriction.[30] Interference with an employee's right to privacy may be justified by interests on the part of the employer that are more worthy of protection–in the event of a conflict with the interests of the employer, the interests in each case must be carefully balanced to establish whether or not the right to privacy takes priority.[31] But precisely this kind of balancing requirement is not provided for in the TKG.

The wording of Sec.3 TKG ultimately also argues against such categorization of employers, if anything. Sec.3 No.6TKG requires that service providers "provide a telecommunications service". According to Sec.3 No.24TKG, such telecommunications services must be "normally provided for remuneration". This argues against the categorization of employers as service providers because it is precisely not the case that employers demand payment from their employees for using the corporate email systems–this probably happens in exceptional cases at most.[32]

Moreover, the categorization of employers as service providers would require employees to be "third parties" within the meaning of Sec.3 No.10TKG.[33] This provision stipulates that service providers must offer "telecommunications services to third parties on a sustained basis".[34] The TKG itself does not define the term "third parties" in any greater detail. This suggests recourse to the corresponding definition in the BDSG because, where there are no special data protection provisions in the TKG, those contained in the BDSG are to be consulted by way of augmentation.[35] Accordingly, Secs.1 to11BDSG are applicable, with respect to telecommunications activities, in the same way as Secs.33 et seq.BDSG, insofar as Secs.92 et seq.TKG do not contain any more specific provisions to the contrary.[36]

According to Sec.3 Para.8 Sentence2BDSG, "third parties" means any person or legal entity "outside the entity concerned", i.e. outside the company. Accordingly, there is no transfer within the meaning of Sec.3 Para.4 Sentence2 No.3BDSG even when, for instance, personal data is passed on within the entity concerned from one employee to a fellow employee who is working on the same matter.[37] Employees who use corporate email facilities provided by their employer do this not as third parties but as part of the company. Categorizing employees as third parties within the meaning of Sec.3 No.10TKG and employers as companies providing telecommunications services within the meaning of Sec.206 Para.1 StGB on a commercial basis, is therefore correctly ruled out.

3. Evaluating judicial rulings

The fact that opinion is so divided in the specialist literature renders an evaluation of the judicial rulings even more important. There have not so far been any decisions from criminal courts that would indicate whether email monitoring by employers might result in criminal liability under Sec.206StGB despite permitted private usage. However, there are certainly decisions from courts dealing with the legal categorization of employers who allow their employees to use the corporate email system for private purposes. Ultimately, these judicial rulings confirm the view that employers are not service providers within the meaning of Sec.3 No.6TKG.

a)Karlsruhe Court of Appeals: decision of 10 January 2005 and Karlsruhe Administrative Court: judgment of 19 September 2007

The Karlsruhe Court of Appeals [Oberlandesgericht–OLG Karlsruhe][38] and subsequently the Karlsruhe Administrative Court [Verwaltungsgericht–VG Karlsruhe][39] had to decide a case in which a college allowed not only its employees and students but also the Informatik-Hochschulgruppe [campus IT group], i.e. members of an organization outside the college, access to IT systems including email accounts. Since the university was providing telecommunications services to third parties, both courts rightly categorized it as a service provider. However, neither decision gave any indication as to whether this was also to apply to employers in relation to their employees.[40]

b)VGH Kassel: decision of 19May 2009

In the decision referred to earlier concerning the scope of telecommunications privacy, the VGH Kassel expressly left open the question of whether employers are subject to the TKG, and speaks only of a "possible" capacity as a service provider.[41] This question was also expressly left open by the previous instance.[42]

c)LAGLower Saxony: judgment of 31 May 2010

The LAGof Lower Saxony had to decide a case in which a local council had terminated an employment contract with a deputy director of a building authority on grounds of excessive private email use.[43] In the dismissal protection proceedings, the local council submitted numerous emails that it had found when monitoring the employee's workplace PC. It was alleged that the Plaintiff had received up to 173 private emails daily, to some of which at least he had also replied.[44] The court made the following statement: "The Plaintiff, who was being paid approx. EUR 4,800gross per month, could not and should not have assumed that the accused local council would tolerate his trying to arrange private (erotic) contacts using the corporate email system."[45]

In its judgment, the LAGalso investigated whether the emails introduced into the dismissal protection proceedings by the accused local council were covered by a "prohibition of use and exploitation". The court found that this was not the case. The local council had not violated Sec.88TKG since it is not in actual fact a service provider within the meaning of the TKG. If an employer allows its employees to use their workplace PC for private email correspondence, then access by the employer or by third parties is not subject to telecommunications privacy if the employee does not delete the emails immediately after receiving or sending them but instead leaves them in the inbox or outbox or stores them elsewhere. In these cases, the actual transmission process has been completed and it is not telecommunications privacy that applies but rather the basic rights to informational self-determination and to the assured confidentiality and integrity of IT systems. In the event of conflict between the employee's general right to privacy and the interests of the employer, the interests in each case must be carefully balanced to establish whether or not the right to privacy takes priority.[46]