HL Chronicle of Data Protection : Privacy Lawyers & Attorneys : Hogan Lovells Law Firm : Data Security, E-Commerce & Technology

Yesterday, the Supreme Court reversed a decision of the Ninth Circuit in City of Ontario v. Quon and unanimously decided in favor of a public employer that had engaged in a review of employee text messages for a legitimate work-related purpose.

Justice Kennedy, writing for all members of the Court except Justice Scalia (who supported the outcome in a concurrence) expressly avoided a decision on what expectation of privacy might be reasonable in new communications devices.  "The Court must proceed with care when considering the whole concept of privacy expectations in communications made on electronic equipment owned by a government employer," he wrote.  Instead, the Court assumed the employee, a police officer in Ontario, California, had such an expectation of privacy in his text messages sent on a pager but found that the employer’s review of the messages for administrative/accounting reasons was not unreasonable.      

 For background on the specific facts of the case, see our prior blog post regarding the oral argument before the Supreme Court and our discussion of the case after the Supreme Court granted certiorari.

As observed by Hogan Lovells in an Associated Press interview  “the decision made clear that ‘if the employer is doing something for a legitimate business purpose, it’s not likely to be [deemed by a court to be] unreasonable.’”   Notably, Justice Kennedy in responding to comments of Justice Scalia in his concurrence, observed that just as the public employer's search was reasonable because of its legitimate administrative/accounting purpose, it would also be "regarded as reasonable and normal in the private-employer context".

If, as seems likely, the legitimate business purpose of an employer's search becomes a primary focus of courts following this decision, an earlier e-mail private employer privacy tort cases  Smyth v. Pillsbury, C.A. No.95-5712, (E.D. Pa. 1996) could have new vitality. Smyth held  that held the employer’s legitimate purpose for monitoring trumped an employee'ss expectation of privacy even where employees were told by the employer that that they would not be monitored. 

That is not to say that employer policies limiting or eliminating expectations of privacy are not important, as the Court yesterday observed in dicta: 

[E]mployer policies concerning communications will of course shape the reasonable expectations of their employees, especially to the extent that such policies are clearly communicated.  

Notably, the Courts’ discussion of appropriate employer policies was in the context of the issue not decided, the reasonable expectation of the employees. But as we reported recently with respect to a New Jersey Supreme Court case on private employer monitoring, employer-set expectations are still very important when it comes to the boundaries for employer searches of electronic communications.    

 While the court expressly did not resolve fundamental issues concerning employees’ expectation of privacy in workplace electronic communications, private employers are well-advised to continue: (1) implementing workplace monitoring policies that clearly communicate the scope of employer rights to monitor workplace electronic communications (over any medium); (2) deploying  appropriate training and other practices to minimize the risk that an employer’s actions might undermine its official policies through mixed signals (and therefore result in employees having an expectation of privacy); and (3)  to only engage in monitoring for “legitimate, work related purpose[s]” that are not “excessive in scope."

• Email This
• Print
• Share Link

On March 30, the New Jersey Supreme Court issued its opinion in Stengart v. Loving Care Agency, Inc., in which it unanimously held that the attorney-client privilege applied to e-mails sent by an employee using a personal, web-based e-mail account to her personal attorney on an employer-provided laptop, even though the employer had a general policy stating that the employee should have no reasonable expectation of privacy in the communications sent over company equipment.

The plaintiff, a nursing manager at Loving Care, was preparing for employment discrimination litigation against her employer when she sent e-mails to her attorney about the case using a personal, password-protected, web-based e-mail account from Yahoo from her employer-issued laptop.  In anticipation of discovery, Loving Care hired a computer forensic expert to recover all files stored on the laptop, and the expert turned up copies of some of the e-mails that, unbeknownst to the plaintiff, her web browser had automatically saved to the computer's hard drive.  Loving Care's attorneys reviewed the e-mails and used information from them during discovery, which was revealed to the plaintiff's attorney later in the case, who then sought to have them returned under the attorney-client privilege.

Loving Care argued that its electronic communications policy, which allowed employees incidental personal use of its computer systems but reserved the right to "review, audit, intercept, access, and disclose all matters on the company's media systems and services at any time, with or without notice," eliminated any expectation of privacy the plaintiff might have had in the e-mails stored on the computer.  Nevertheless, the court found that the plaintiff had a reasonable expectation of privacy for three reasons:

1. The plaintiff had a subjective expectation of privacy due to the fact that she used a personal, and not the company, e-mail account to send the messages to her attorney, and did not store her password on the computer.
2. The plaintiff's expectation of privacy was objectively reasonable, given that her employer's policy did not address the use of private web-based e-mail accounts, even allowing incidental use of employer computers to send and receive personal e-mail.
3. Most importantly, the e-mails clearly were subject to the attorney-client privilege, and contained a standard warning that their contents were confidential and subject to the privilege.

The court went on to hold that, given the public policy concerns underlying the attorney-client privilege, "even a more clearly written company manual -- that is, a policy that banned all personal computer use and provided unambiguous notice that an employer could retrieve and read an employee's attorney-client communications, if accessed on a personal, password-protected e-mail account using the company' computer system -- would not be enforceable."  The court, however, noted that an employee could still be sanctioned under an employment policy for spending excessive time communicating with a personal attorney during the work day, though the employer should still not be able to access the content of the communication.

The court  zeroed in on the attorney-client-privileged nature of the e-mails, and the privilege played a large role in the final disposition of the case.  The court did not address whether Stengart would have had a reasonable expectation of privacy with respect to personal e-mail communications with a non-lawyer.  Nor did the court suggest that Stengart had a cause of action against her employer for an invasion of privacy, which would have required a showing that the e-mail review was "highly offensive to a reasonable person".  The issue was whether a discovered e-mail communication deserved protection under the attorney-client privilege.

While limited in jurisdictional breadth to New Jersey, Stengart is one of the first cases of its kind, and courts in other states could be tempted to follow it .  This could especially be the case as employee use of personal, web-based e-mail in the workplace becomes more common, with many employers relaxing their electronic communications policies to allow for "incidental" use of employee computer systems for personal reasons.

 Thus, the case suggests the following:

• Make clear in an acknowledged policy that employees have no expectation of privacy in their use of company computers, whether connected to the network or not, even where "incidental" personal use is allowed.
• Make clear in such a policy that employers retain the right to monitor employees' use of employer resources, including the sending and receiving of personal, web-based e-mail, and explain  that e-mails sent through a personal web-based e-mail account can end up being stored on company equipment and suject to review consistent with state law.
• Prohibit the use of company resources to communicate with a personal lawyer and advise employees that they can be disciplined for violations (and all violations of the electronic resources policy).  Companies are not required to allow employee use of company equipment to plan litigation against the company.
• For employers that permit "incidental" personal use of computer systems, emphasize that any use of company computers or electronic resources that rise above the level of "incidental" personal use and affect employee productivity can lead to sanctions under the policy, though this provision must be enforced uniformly and in a non-discriminatory manner.
• Instruct company employees who monitor electronic communications not to review personal attorney-client privileged communications but, rather, to bring such communications to the attention of in-house counsel to review in accordance with the applicable ethical rules regarding waiver.

While Stengart is noteworthy, it did nothing to fundamentally alter the well-established principle that employers retain the right to monitor employee use of company equipment and that they can , through a well-crafted policy, reduce employees' privacy expectations.

• Email This
• Print
• Share Link

This blog entry is provided by Hogan & Hartson litigators Trevor Jefferies in our Houston Office and Alvin F. Lindsay in our Miami Office:

A new decision released on 8 January 2010 from the French high labor court (the Cour de Cassation Chambre Sociale) may provide some grounds for arguing that a party in France can review a French employee’s e-mails and electronically stored information to determine whether the data is relevant to a U.S. litigation, without the employee’s knowledge or presence.  This is a significant development in the perennial tension between EU privacy law and U.S. discovery principles.

European Union policies protecting personal privacy almost always conflict with United States policies that grant litigants full and complete discovery of documents and electronically stored information in U.S. court actions.  The conflict is particularly acute in France, where a French corporation participating in U.S. litigation may easily run afoul of the French Blocking Statute (Law No. 68-678, as amended), data processing laws (e.g. Law No. 78-17, as amended), and the EU Directive 95/46 on Personal Data (“Directive”), among others.

Indeed, after years of goading by U.S. courts, French authorities even prosecuted someone, a French lawyer, under the blocking statute.  His crime was attempting to comply with a U.S. court order compelling production of documents.  See In re Christopher X, Cour de Cassation, Chambre Criminelle, Paris, December 12, 2007, No. 07-83228 (French Supreme Court upholding conviction and €10,000 fine against French lawyer attempting to facilitate collection of evidence for use as ordered in a U.S. judicial proceeding).  Examples of U/S. goading include In re Vivendi Universal S.A. Secs. Litig., No. 02 Civ. 5571, 2006 WL 3378115 at *3 (S.D.N.Y. 2006) (French blocking statute did not subject parties to a “realistic risk of prosecution”) and Minpeco S.A. v. Conticommodity Servs., Inc., 116 F.R.D. 517 at 528 (S.D.N.Y. 1987) (“this is not a situation in which the party resisting discovery has relied on a sham law such as a blocking statute to refuse disclosure"). 

With French and EU law acting to prevent a litigant engaged in the U.S. litigation discovery process even from collecting a relevant employees' e-mails for litigation purposes, let alone viewing the e-mails to see if they contain relevant information, French parties seem at a distinct disadvantage in a U.S. forum.  Failing to produce relevant documents is a direct path to an uncomfortable hearing before the U.S. judge and possibly severe sanctions such as a default judgment being entered against those parties for not complying with discovery orders.

Thus, Bruno B. vs. Giraud et Migot, Cour de Cassation, Chambre Sociale, Paris, 15 Dec. 2009, No. 07-44264 is a significant development.  In that case, an accounting firm fired Bruno after the firm discovered files on his work computer addressed to government regulators wherein Bruno disparaged the firm for alleged tax and related fraud as well as working conditions.

The documents held subject lines as “Essay 1”, “Essay 2”, and so on, which the firm discovered without Bruno’s permission or presence. Bruno sued the firm seeking damages for unjustified dismissal, arguing that the firm violated his rights under EU privacy (human rights) conventions, as well as several provisions of the French labor code, claiming the documents were his personal data.  On appeal, the Cour de Cassation Chambre Sociale held for the accounting firm, finding that because Bruno failed to mark the documents as “private,” the firm justifiably assumed that the documents were work-related and could open them.

The Bruno B. case clearly refines the general rule set forth in an earlier case from the same court, Nikon France vs. Onof, Cass. Soc., No. 4164 (Oct. 2, 2001), where the French high labor court established that employees have a right to privacy in the workplace and held that an employer cannot search an employee’s files stored on a work computer without breaching the employee’s right to privacy.  The Nikon case’s broad ruling has been the subject of private criticism, especially from business interests in France, but now, after Bruno B., there is arguably no right to privacy to an employee’s computer-stored data unless the employee takes affirmative steps to designate the information as personal.  Simply labeling the documents as “personal” or “private” may have been enough to compel the Bruno B. court to rule in the employee’s favor, but the holding is still a far cry from the absolute presumption that any data with an employee’s name is private.

• Email This
• Print
• Share Link

Our colleague, Bill Flanagan, has provided this guest blog on a new case from the 9th Circuit construing the Computer Fraud and Abuse Act in the employment context:

The Ninth Circuit Court of Appeals recently weighed in on the question whether an employee who has been granted access to his employer’s computer system – but then uses the properly-accessed information in a manner contrary to the employer’s interest – has acted “without authorization” in violation of the Computer Fraud and Abuse Act (“CFAA”), a federal statute that imposes criminal and civil liability for certain computer crimes (LVRC Holdings LLC, v. Brekka, et al., No. 07-17116 (9^th Cir., Sept. 15, 2009). The court came down on the side of the employee, ruling that because the employee had been given access to the information on the computer, he did not violate when he allegedly misused it.

• Email This
• Print
• Share Link