Update Data Protection No. 55
Private use of company email accounts by employees
On 13 March 2019, the State Commissioner for Data Protection and Freedom of Information in Baden-Württemberg (LfDI BaWü) published the latest version of his guidebook on employee data protection. In this brochure, the LfDI BaWü offers an insight into his work and explains his opinion regarding the various points of view surrounding employee data protection. We will address a few of the points of this helpful handout in this and future editions of our Data Protection Updates. One of the topics dealt with is the “long-standing issue” of the “private use of information and communications technology by employees”, particularly the private use of company email accounts by employees and a possible right of access by the employer.
This problem is well-known: Employees use their company email account for private purposes. If the employer has not permitted this type of use, employees may not use the account for private purposes. In this case, the employer may access the account, e.g. when the employee leaves the company, to ensure that data that is important to the company is not lost. However, if the employer expressly permits or tolerates private use, opinions differ on the legal consequences.
The LfDI BaWü’s opinion
In his guidebook, the LfDI BaWü assumes, without any justification, that the employer is to be considered a service provider within the meaning of the German Telecommunications Act (TKG) or the German Telemedia Act (TMG) if employees are permitted to use their company email account for private purposes. This means the employer is subject to telecommunications secrecy and cannot access the email account without making itself liable to prosecution unless it obtains effective consent from the employee and the respective communication partner. This legal opinion, of course, has serious consequences for the employer as a business. It may no longer be able to access important company information, thus, compliance with legal documentation and control obligations (e.g. under the German Fiscal Code and the German Commercial Code) is made more difficult and other important information (e.g. communication with customers) may be lost.
The LfDI BaWü warns in particular that permission to use the company email account for private purposes may not only be given by way of an express rule or statement by the employer. The LfDI BaWü assumes that permission for private use may also be established from company practice. This is the case if employees assume that private use is permitted and they are not actively convinced otherwise by the employer by conducting random inspections and subsequent sanctions, such as written warnings. If this were correct, a dangerous situation would arise for the employer as it would then not be sufficient for the employer to simply not give its permission, the employer would also have to strictly enforce the ban. If the employer does not do so, it runs the risk of no longer being able to access the email accounts at a later date. The employer would then have to obtain consent from the employees and the respective communication partners. However, this can prove difficult, particularly with employees who are leaving or have left the company.
View of case law
The view that employers who tolerate or permit the private use of company email accounts are to be considered telecommunication providers is that of the supervisory authorities. However, the intent and purpose of the TKG in fact contradict this: The TKG regulates the supply of telecommunication services by companies with this as their business purpose. The employer does not provide the email account for business purposes, but as a tool for carrying out daily work. This is not covered by the TKG. Case law offers several examples with good arguments to support this. Several Regional Labor Courts (LAG [Regional Labor Court] Berlin-Brandenburg from 14 January 2016 – 5 Sa 657/15; and LAG Lower Saxony from 31 May 2010 – 12 Sa 875/09) state that the TKG requires that the supply of telecommunications be directed at third parties outside the sphere of the service provider. However, this is not the case for employees of a company. Employees are rather part of the company/employer, not a third party. Nor is the purpose of the TKG compatible with the interpretation of the supervisory authorities. The purpose of the TKG is to promote private competition in the telecommunications sector. In this regard, the legal relations between the state and the telecommunication providers as well as the relations between the telecommunication providers to each other are important. The purpose was not to regulate the legal relationships within the company or the authorities, for example between employer and employee (VG [Administrative Court] Karlsruhe from 27 May 2013 – 2 K 3249/12). As a result, it no longer depends on the permission of the employer, regardless of whether this permission is explicit or company practice, as the TKG is not applicable.
However, if we take the view of the supervisory authorities that the TKG applies to permitted private use, it would have to be clarified in a second step whether a claim to private use could even arise according to the principles of company practice. While the LfDI BaWü does accept this, there are good and convincing arguments against this point of view. Private use of IT infrastructure is not a clearly defined service in terms of duration, frequency and regularity. In this case, there would be a lack of an adequately defined offer of a service by the employer (according to LAG Nuremberg from 5 November 2015 – 5 Sa 58/15). This applies particularly in cases where the employer simply tolerates it. It would also be difficult to define a point in time when a claim would arise. In order to protect itself, the employer would have to actively intervene after every private email.
Conclusion
The LfDI BaWü is of the opinion that an employer can be a telecommunications provider. However, several courts are of a different opinion with good arguments. Case law will be decisive, as it controls the actions of the executive, i.e. the supervisory authorities. Therefore, it is not necessary to obtain consent from individual employees to view their email accounts, as recommended by the supervisory authorities. It can therefore reasonably be maintained based on case law that the employer is not a telecommunications provider. In consequence, the employer does not have to worry about violating telecommunications secrecy if it accesses the employee’s email account without obtaining consent. Of course, the employer must still observe the data protection regulations of the GDPR and particularly Section 26 of the German Data Protection Act (BDSG). To this end, it makes sense to enter into a works agreement for the private use of the IT infrastructure, which would define clear and binding regulations for private use. At the same time, the works agreement would establish a legal basis for data processing/accessing the email account. However, this only applies if the TKG is considered inapplicable, as done in this article.