LDI NRW confirms: Telecommunications secrecy does not apply to employers who allow the private use of email and telecommunications services

For almost 20 years, there has been an ongoing dispute as to whether employers who allow their employees to use e-mail and telecommunications services privately are subject to telecommunications secrecy. Up to now, the position taken by German data protection supervisory authorities has been restrictive, the case law of the higher courts has been divided and there has been no ruling by the supreme court. Now, however, there is new movement: In its recently published 29th activity report, the State Commissioner for Data Protection and Freedom of Information in NRW ("LDI NRW") has now abandoned its restrictive stance. In the opinion of the LDI NRW, employers are no longer subject to telecommunications secrecy.

Background

The question of whether employers who allow their employees to use email and telecommunications services privately are subject to telecommunications secrecy has not only been highly controversial in the legal literature, but has also been judged inconsistently in case law. Recently, however, the issue has become quieter, with the exception of a decision published by the Higher Regional Court of Thuringia at the beginning of 2024 ((case no. 7 U 521/21) – we reported on this in Update Data Protection No. 172).

A distinction is regularly made as to whether the private use of business email and telecommunications services is prohibited, tolerated or permitted. It has always been agreed that telecommunications secrecy does not apply if the private use of email and telecommunications services is effectively prohibited. In these cases, access to business email inboxes is solely governed by data protection requirements.

The dispute is being conducted solely for the constellation of permitted (and tolerated) private use and regularly has an effect primarily in connection with access to employees' email inboxes (e.g. in the event of illness or internal investigations). Proponents of this view classify employers as providers of a (wholly or partially) commercially provided telecommunications service. The consequence of this would be that employers would have to observe the telecommunications secrecy of Section 3 of the Telecommunications Digital Services Data Protection Act ("TDDDG") and would therefore be severely restricted in their ability to access business email inboxes. If, as is often the case, there is no effective consent from the employee concerned, access is only possible in a few exceptions.

A widespread opposing view, which has been gaining ground in recent years, is that employers are not considered to be providers of such telecommunications services in these constellations. The consequence of this view would be that employers are not subject to telecommunications secrecy. This view has found particular resonance in the case law of the labor courts.

Statement of the LDI NRW: Telecommunications secrecy no longer applies to employers

In its 29th activity report, the LDI NRW supports the latter view. In it, the LDI NRW states that "following the entry into force of the TTDSG" – which now refers to the TDDDG – "German supervisory authorities (Federal Commissioner for Data Protection and Freedom of Information, LDI NRW and other state data protection authorities) assume that a legal assessment has changed: Employers who allow or tolerate their employees' private use of the internet and email are no longer subject to telecommunications law. Therefore, they do not have to guarantee the secrecy of telecommunications to their employees" (29th Activity Report of the LDI NRW, p. 76).

The LDI NRW emphasizes that employers who allow (or tolerate) private use do not act as business telecommunications service providers vis-à-vis their employees. Employers lack the will to be legally bound, which is why they do not want the relevant legal standards to apply to them. The argumentation thus follows the emerging opinion that already held this position under the old version of the TKG.

The LDI NRW goes on to explain that the TDDDG means that the GDPR now applies instead of the rules under telecommunications law, which would provide a sufficiently high level of protection and also requires a legal basis for accessing employees' personal data.

Legal certainty at last?

In our opinion, there have always been good reasons against the applicability of telecommunications secrecy in these cases. Accordingly, the position of the LDI NRW is to be welcomed, as the supervisory authorities – at least under the old legal situation – took exactly the opposite position (see only the DSK's guidance from 2016, for example).

Furthermore, the formulation that "German supervisory authorities (Federal Commissioner for Data Protection and Freedom of Information, LDI NRW and other state data protection authorities)" now apparently share this view (29th Activity Report of the LDI NRW, p. 76) is also a cause for concern. If the other supervisory authorities also agree with this position, this dispute of opinion should finally be largely resolved.

However, as the wording does not indicate that every supervisory authority without exception agrees with this view, it remains to be seen whether there will still be individual contrary positions among the supervisory authorities. There is therefore no absolute legal certainty as yet. Courts are also not bound by the opinions and decisions of the supervisory authorities and could therefore continue to decide differently – although they have already been rather reluctant to apply telecommunications secrecy in the past. However, it is unlikely that there will be any major disputes in business practice if the practice of the supervisory authorities develops as indicated above. In any case, the position of the supervisory authority(ies) would give employers one more weighty argument on their side.

What should companies do now?

In principle, the previous common recommendations that the (private) use of business email accounts and the Internet should be regulated can be upheld. In its above-mentioned activity report, the LDI NRW rightly continues to recommend that the (private) use of e-mail inboxes and the Internet should be regulated in writing. It should be noted that access to an email inbox can also be subject to considerable restrictions from a data protection perspective – irrespective of telecommunications secrecy. Access to an employee's email inbox, for example, always requires a legal basis under data protection law, which must be measured against the purpose of the access. Access to employees' email inboxes is therefore not possible without cause, especially if private use is permitted. As a rule, depending on the permitted scope of private use, appropriate (protective) measures must be taken or recommended for the benefit of employees, such as deletion and labeling options for private messages, and information obligations must be fulfilled (e.g. by means of data protection notices). Properly regulating the (private) use of work email inboxes and the internet can help to comply with these obligations and create the conditions for access to email inboxes in many cases.