Out-Law Analysis | 02 Nov 2014 | 3:00 pm | 4 min. read
Businesses operating in France must declare all personal data processing tools to the Commission nationale de l'informatique et des libertés (CNIL). The decision to operate those tools must also be communicated to employee representatives.
The failure by one employer in France to declare an employment monitoring system as a personal data processing tool to CNIL may cause it to lose a case brought against it for unfair dismissal by one of its former employees.
This is a possible outcome that could arise following a judgment issued in October by the Court of Cassation.
Background on the Court of Cassation case and a summary of its ruling
The case before the Court of Cassation concerned an appeal brought by an employee against the decision by her employer to dismiss her from her job. The organisation had taken action after discovering the employee had engaged in use of her work email account for personal purposes. The use was deemed so extensive that the employer deemed that it had had an adverse effect on her performance and was incompatible with the proper performance of her duties.
To support its case for dismissal, the employer used information it had retrieved from an internal system it used to monitor individual employees' email exchanges. The information recorded by the system showed the number and size of emails sent by the employees.
The employee challenged her dismissal. She claimed that the information used by the employer in relation to her emails was inadmissible before a court because the system was used in breach of privacy regulations.
The information relied on by the employer dated back to a period when the monitoring system had not been declared as a personal data processing tool to CNIL.
The Court of Appeal in France had ruled that the employer's decision to dismiss the employee was valid and implicitly admitted the evidence retrieved from the employer's monitoring system.
However, the Court of Cassation made it clear in its judgment that any information collected from a personal data processing system prior to such system's declaration with CNIL is illicit evidence and inadmissible before a court.
The Court of Cassation was not responsible for ruling on the employer's decision to dismiss the employee. Instead, the case has been referred back to the Court of Appeal for a ruling.
The likely outcome of the case and what this means for other businesses
The Court of Appeal will be unable to consider the information gathered from the email monitoring system when making its ruling on whether the employer's actions in dismissing the employee was valid or not. This means that it is likely that the Court will side with the employee and her challenge against the legitimacy of the employer's decision to dismiss her.
The decision is a reminder that any monitoring system that involves processing technical data which may be eventually linked to an individual is subject to privacy rules and businesses using them are obliged to notify the French national data protection authority (CNIL) about their use of them.
The fact that the collected data may be anonymised at a later stage would not remove the requirement to declare the processing to the CNIL. However, should such a system collect purely technical data, which cannot be linked to an individual, data privacy requirements would not apply.
The Court of Cassation decision implies that the validity of the implementation of an employee monitoring system, and its compliance with applicable privacy and employment regulations, would have to be demonstrated if an employer wished to submit evidence extracted from such a system before the courts.
How does French employment law relate to this issue?
From an employment law perspective, Article L2323-32 of the Labour Code in France requires that employees' representatives be informed about the introduction of any data processing tool or employees' performance monitoring system within the company.
Employees should also be informed on an individual basis before the introduction of such systems within the company, especially as information extracted from those systems may eventually be used against employees to ground a dismissal or any other measure.
Generally speaking, the safest process for employment law compliance is to have IT security policies included as part of the company's internal rules, and declared as such with French authorities.
What should businesses do now and what are the consequences of getting things wrong?
All companies should ensure that their monitoring systems are properly registered. Beyond evidence being inadmissible before French courts, any non-compliance with privacy rules is punishable by five years' imprisonment and a fine of €300,000, beside possible sanctions for a non-compliance with applicable regulations.
It is all the more critical to meet these legal requirements as the question of monitoring employees during working hours is very sensitive and French law appears to be very protective about what is acceptable when processing data that may potentially affect employees' privacy.
The intention of the Court of Cassation is not to invalidate the implementation of employee monitoring or data processing tools, which undoubtedly help companies to achieve security and performance objectives and are effective in managing the various risks generated by the employees' activity when processing business information.
However this decision underlines the importance to assess with the legal requirements before even considering rolling out any such control system.
Pending the enactment of the proposed new EU Trade Secrets Directive, implementing technical measures to protect confidential information remains a priority for business development. In particular, it is frequent and quite common for companies to implement technical restrictions to the exchange of information in order to prevent the release of confidential documents outside the company. Most companies now monitor data fluxes with the objective to identify when data may be suspiciously extracted from the company servers.
The most dangerous, yet implicit, sanction businesses face if they do not meet their legal obligations is being unable to take action against employees who could be identified as trading confidential information or generally representing a threat or a burden for the company.
Annabelle Richard and Guillaume Bellmont are Paris-based technology and privacy law experts at Pinsent Masons, the law firm behind Out-Law.com