
European court rules companies must tell employees of email checks - mcone
http://www.reuters.com/article/us-privacy-emails-echr/european-court-rules-companies-must-tell-employees-of-email-checks-idUSKCN1BG0YA
======
kozhevnikov
It will as useful as EU's cookie law. Every employee on joining any company
will be notified that corporate emails are monitored, similar to 'CCTV in
operation' signs. It will be another checkbox on the contract.

~~~
cyphunk
The cookie law didn't kill cookies but it did inform people about them. It's
responsibility for bring the discussion about tracking and cookies into
popular discourse was greater than zero. This law and the new checkbox may
have a similar affect.

~~~
kozhevnikov
Completely agree, despite the implementation of it being somewhat of a joke I
believe it brought some needed awareness about the spread of user tracking or
at least it existence to non-tech people.

~~~
walshemj
But at a huge cost

------
Delphiza
The judgement highlights the balancing of "respect for his private life, on
the one hand, and his employer’s right to take measures in order to ensure the
smooth running of the company, on the other".

While it is fair to expect that one "follows the rules", breach should not
imply that your private life is something that the employer can do with what
they wish, Especially, as the court decision notes, when the risks (e.g.
damage and liability) are theoretical.

Occasionally my wife will send me an email to my work address, because she
thinks I may see it quicker. Does this use of company resources mean that the
contents of the email can be used by the company, or is there an expectation
that it is still private?

It seems that the judgement is less about the monitoring and notification
thereof, but whether or not you have an expectation for private things to
remain private at work.

~~~
zeveb
> Occasionally my wife will send me an email to my work address, because she
> thinks I may see it quicker. Does this use of company resources mean that
> the contents of the email can be used by the company, or is there an
> expectation that it is still private?

I think that any expectation of privacy when using work resources to
communicate is unreasonable — IOW, I believe it's illogical to expect that the
company will not be aware of the fact that one has communicated.

The question of whether the company may use the contents of such messages for
its own purposes is a bit trickier, and I can see arguments in either
direction. The best course of action is _don 't use an employer's resources
for private purposes_; then one cannot go astray.

~~~
distances
> I think that any expectation of privacy when using work resources to
> communicate is unreasonable

I assume this must be depend on the society, as I have a very strong
expectation in the contrary. I already mentioned this in another thread; here
the employer may never read e-mail contents, and reading metadata requires
very specific legal steps to be taken.

~~~
closeparen
So your work email doesn't have a spam filter?

~~~
thanksgiving
It is like saying because Google mail goes through the text of the mail to
guess whether a message is spam, it no longer matters that they don't use the
contents of the message for targeted ads. This is clearly not true assuming
Google keeps the spam training data and the ad serving days separate. Am I
missing something?

~~~
closeparen
They aren't equivalent. But they are both examples of processing data about a
person. The GDPR doesn't say anything about advertising vs. security and
network management purposes.

------
izzydata
Everything about this is fine and dandy, but I don't understand why anyone
would use their work email for personal use. An email address isn't a
difficult to obtain resource. Anyone can make a hundred email addresses and
use all of them for different things.

I guess the guy just never thought of it as an issue even if he was being
monitored until it became an issue. I don't know.

~~~
nthao0ent23
I'm finding them harder and harder to obtain privately. I wanted a free throw
away email address recently, so I tried a few of the big names - yahoo,
hotmail, outlook, gmail. I couldn't see a way to sign up for any one of these
without giving out an existing email address to them. If I wanted something
unconnected to anything else, I had no way to do that. I'm not sure how
someone getting on the internet for the first time would do it with any free
service. I'm not opposed to paying for an email account, but it does create a
barrier to entry.

~~~
piaste
Gmail asks you for your current email address, but it isn't actually required.
I just tried it and made a new account in two clicks.

I assume the same applies to at least some of the others.

------
ocdtrekkie
Hmmm... I am pretty pro-privacy, but I am unsure that an employee's corporate
email account should qualify, particularly given that anything said by it
could be construed as a statement by the company itself. If the employee was
not notified email monitoring could happen when they were hired, I suppose
that's a problem, but I almost feel like that should even be common sense.

The article suggests more employees are using their work email for personal
purposes, and that is really the problem, I think. Particularly because it
places your personal data inside your employer's control, and your employer
can terminate that account at any time. It would be much more preferred if you
connect your personal account to your work devices as well, so that you still
have a clearly denoted personal/corporate firewall in your communications, but
can still access both from work.

I don't think employers which heavily monitor their employee's corporate email
are... good employers, persay, but I'd question any suggestion they shouldn't
have the right to.

~~~
mamon
In one of my previous jobs I was specificly encouraged (during introductory
employee training) to use my work email for personal stuff, as all access to
private email boxes was cut off by proxy servers. I wonder how many people
fell for that.

~~~
mseebach
If they are blocking access to private email, it probably because of a
regulatory requirement (common in finance) that they absolute must monitor and
record everything going in and out. If that the case, and they didn't make
that clear, then that's of course bad.

------
KineticLensman
The ruling itself is at [1]. It's a long slog at approx 200 paragraphs of
legalese. The conclusions were that Article 8 [2] had been violated, and that
as a result some of the applicant’s legal costs should be paid (EUR 1,365) but
dismissed the applicant’s claim for substantial damages (loss of earnings and
social standing, fiancée terminating their relationship).

[1]
[https://hudoc.echr.coe.int/eng#{%22languageisocode%22:[%22EN...](https://hudoc.echr.coe.int/eng#{%22languageisocode%22:\[%22ENG%22\],%22documentcollectionid2%22:\[%22JUDGMENTS%22\],%22itemid%22:\[%22001-177082%22\])}

[2] Any person shall be enabled: (a) to establish the existence of an
automated personal data file, its main purposes, as well as the identity and
habitual residence or principal place of business of the controller of the
file; (b) to obtain at reasonable intervals and without excessive delay or
expense confirmation of whether personal data relating to him are stored in
the automated data file as well as communication to him of such data in an
intelligible form; ... (d) to have a remedy if a request for confirmation or,
as the case may be, communication, rectification or erasure as referred to in
paragraphs b and c of this article is not complied with.”

------
lisper
I don't understand why this is even remotely controversial. I am as jealous a
guard of my personal privacy as anyone, but I would expect my employer to be
able to monitor my work-related email. The resolution is simple: conduct your
personal correspondence through a separate email account that is not owned by
your employer.

In fact, I keep strictly segregated work and personal email, and I run my own
company!

~~~
distances
And I expect my employer to leave all my communication unmonitored, be it
e-mail, snail mail or private face-to-face discussions. Here, controversy
created.

~~~
lisper
OK, please explain to me why you think that's reasonable?

~~~
distances
That's what the law says in Finland. Also, I personally believe the
confidentiality of communication should never depend on the used medium or the
ownership of the equipment used for the communication.

~~~
lisper
It's not about the ownership of the equipment, it's about whether the
communications are official actions performed by an employee on behalf of the
company. If they are, then the employer obviously (IMHO) has a right to know
about them. And the best way to keep things from getting complicated (again
IMHO) is to segregate work email (which the employer can read) from personal
email (which no one but the user can read) in separate accounts.

I really don't see how any reasonable person could disagree with that.

------
PeachPlum
This case is confused. The title and some of the editorial say "email" but the
messages were sent via Yahoo Messenger, which isn't email.

> The company had presented him with printouts of his private messages to his
> brother and fiancée on Yahoo Messenger as evidence of his breach of a
> company ban on such personal use.

I know the distinction is a fine one, but it is still a difference.

They didn't need to produce a message, just having a non-business contact
would have sufficed.

~~~
s73ver_
I don't think the court really cares if the messages were actual emails or if
they were IMs. To them, the difference is immaterial.

------
cbg0
You can grab a PDF with more details from the European Court of Human Rights
here:

[https://hudoc.echr.coe.int/eng-
press?i=003-5825428-7419362](https://hudoc.echr.coe.int/eng-
press?i=003-5825428-7419362)

And judgement:
[https://hudoc.echr.coe.int/eng#{"itemid":["001-177082"]](https://hudoc.echr.coe.int/eng#{"itemid":\["001-177082"\])}

------
duxup
I get there is a different tradition in Europe than compared to what I'm used
to and that's cool.

For me my company email is a company provided resource that they own and it
belongs to them entirely. That includes their ability to monitor, read, or do
most anything.

No matter what the legal protections it seems like mixing personal life with
work resources / tools carries an infinite number of possible issues and
complications.

------
mc32
Will this apply to automated email screening, the kind the big companies very
likely do to get alerted to IP theft and the like?

I would have to believe the likes of FB, Aapl, GOOG, MSFT, etc. likely have
some process in place to detect exfiltration.

------
PeachPlum
While I have no desire to read an employees private correspondance, am even
less desirous of paying money to store data I will get prosecuted for looking
at!

~~~
babygoat
Then don't.

~~~
PeachPlum
People leave / die / are sick / go on holiday

"I can't look in that Inbox, there might be an email from his brother"

Puhleeze

~~~
s73ver_
I've never needed to look into someone else's email because they weren't
there.

~~~
zlynx
It happens all the time. Say that Adam handles technical support for some of
your best customers, but he's out with pneumonia, or some other serious
illness. He's not going to be responding to that urgent request for help with
a new API feature, so you need to assign his inbox to Brian.

Yes, if Adam had notice he was going to be out there'd be a controlled
handoff, but that didn't happen, so you have to just open up his email and
move onwards.

~~~
viridian
I have never in my life seen this happen. Typically we use mailing
distributions where I work to avoid this issue. We also can only respond to
clients using specific email addresses, like the one tied to the mailbox that
multiple people have access to.

------
ucaetano
Yay, another useless piece of information, like the "we use cookies" and "this
entire building contains chemicals known to the state of California to cause
cancer".

------
Karunamon
Yeah.. I can't really find anything wrong or onerous with requiring a
disclosure. Everyone _should_ know, but just in case they don't, a piece of
paper explaining this during onboarding isn't a huge deal.

~~~
koolba
Where doesn't it end?

You yourself just said that everyone _should_ know. Rather than creating
needless paperwork for everybody they'd be better served with a public
relations campaign by the government to teach people that your work email is
owned by your company which means they can read and monitor it.

~~~
Karunamon
Somewhere around where the slippery slope fallacy starts.

Snark aside, there's no real downside to mandating something in an employment
contract that is probably already in most employment contracts anyways. This
catches the stragglers.

~~~
gjjrfcbugxbhf
Why don't governments produce standard draft employment contacts? They already
do so for many things (e.g. buying/renting property).

Employer could ignore the standard or modify it and the employee could still
amend it but it would help small companies get this sort of thing right and
help with protecting both parties (which is the point of an employment
contract).

~~~
vertex-four
In practice, lawyers will produce/modify standard contracts for extremely
cheap, and as a bonus, if something goes wrong, you now have a relationship
with a lawyer. If you're _really_ cheap, in my country, you can literally go
to the local book store and pick a model contract off the shelf.

I don't think this is a problem that needs solving by the Government, since
these contracts are essentially a commodity and have wound up being priced as
such.

