HL Chronicle of Data Protection : Privacy Lawyers & Attorneys : Hogan Lovells Law Firm : Data Security, E-Commerce & Technology

A French Court of Appeals in Caen recently confirmed a lower court's order for the suspension of a whistleblowing system implemented by French company Benoist Girard, a subsidiary of American group Stryker. The decision comes as a surprise as it rejects the approval of the whistleblower system by French data protection authority (the "CNIL"). 

Under French law, the implementation of whistleblowing systems is subject to prior authorization by the CNIL. To reduce the burden of such formalities, the CNIL issued, in 2005, a general authorization for whistleblowing systems limited to the reporting of accounting, financial, banking and corruption misconducts (the "General Authorization"). Benoist Girard decided to implement their whistleblowing system in 2008 by relying on the General Authorization, regardless of three negative opinions on the system issued by the company's Works Council (the "CE").

In 2009, Benoist Girard's CE and Hygiene and Security committee (the "CHSCT") contested the validity of the whistleblowing system before the Caen Tribunal of First Instance, arguing that it allowed the reporting of alleged misconducts which exceeded the scope of those covered by the General Authorization. The CE and CHSCT therefore argued that the system required the obtaining of a prior specific authorization from the CNIL. The Tribunal ruled in favour of the CE and CHSCT, considering that the system, as implemented, was therefore in breach of French data protection legislation and posed an immediate and substantial threat to the rights and freedoms of the employees. Benoist Girard appealed this decision.

In its analysis of the matter, the Caen Appeal Court first held that the CE and the CHSCT had to be consulted prior to the implementation or modification of the whistleblowing system and then moved on to it analyse in detail to evaluate its compliance with French law.

• Email This
• Print

Employers have a right, and in some cases a duty, to monitor the e-mail communications of their employees that are sent from the employer's e-mail system. As a general matter, employees have no expectation of privacy in e-mails sent through their workplace system. Since employees who communicate with their personal lawyers through their employer's e-mail are subject to employer monitoring, the American Bar Association has issued a formal ethics opinion stating that lawyers have a duty to warn such employees that their e-mails may not be confidential. 

The Opinion expressly reserves on the question of whether the breach of confidentiality  would vitiate the attorney-client privilege, declaring "the law appears to be evolving." But the cases cited in the ethics opinion on when employee communications with counsel through workplace e-mail will remain privileged show that the circumstances are limited when the privilege is likely to survive, leading to this observation:

Nevertheless, we consider the ethical implications posed by the risks that these communications will be reviewed by others and held admissible in legal proceedings.

Thus, the ABA concluded that a lawyer has an ethical obligation to advise a client of the risks of sending attorney-client communications via workplace e-mail.

The ABA ethics opinion raises the question of whether lawyers who know that their clients are using modes of communication that may not be secure, and may be subject to interception and review by others (thus jeopardizing the privilege) have an ethical duty to warn their clients beyond the context of workplace e-mail. 

In 2008, the New York State Bar opined that the use of Gmail for attorney-client communications, even though e-mails sent through Gmail are subject to scanning by Google computers for the delivery of contextual advertising, retained the attorney-client privilege. But with the advent of many new means of electronic communication, from Facebook to Twitter and beyond, and with smart mobile devices becoming a dominant method of communication, and with varying individual privacy and data security practices on the part of clients, quaere whether a lawyer has an ethical duty to evaluate a client's communications practices and to advise on the risks that confidentiality may be lost. The ABA Opinion opens the door to such an inquiry. 

• Email This
• Print

by Hanno Timner

On February 16, 2011, the Higher Labor Court of Berlin-Brandenburg Germany ruled that an employer has the right to access and review work-related email correspondence of an employee during his/her absence from work (e.g. for reasons of illness or vacation).  According to this ruling, such a review of the employee’s email is not prevented by an employee’s right to use the company email system for private correspondence as well.  Through its decision, the Higher Labor Court has contributed to the ongoing debate in Germany about whether permitting an employee to use company equipment for private email correspondence leads to an application of the so-called "secrecy of telecommunications" (Telekommunikationsgeheimnis) and thus effectively precludes an employer's right to access the employee’s email correspondence at all, including the business correspondence.

In the case at hand, the plaintiff was unable to work due to a long-term illness.  The employer unsuccessfully tried to contact the employee to obtain her consent to the employer accessing and reading her business-related email correspondence in order to respond to customers’ requests.  After several weeks, the employer circumvented the employee’s password and, in the presence of a member of the local works council and the company’s internal data protection officer, read and printed the employee’s business related email correspondence.  The employer did not read or print email correspondence labeled “private.”  The employee’s attempt to obtain a court order prohibiting her employer from accessing her email account during any future absences without her explicit consent was unsuccessful.  The Higher Labor Court did not accept the plaintiff's reasoning that, due the fact that the plaintiff, as well as all other employees, was permitted to use the company’s computer system for private email correspondence, her employer should be considered a so-called “provider of telecommunication services” and thus be required to observe the “secrecy of telecommunications” according to Sec. 88 Telecommunications Act (Telekommunikationsgesetz).

The Higher Labor Court ruling supports a number of recent court decisions which are opposed to the prevailing view in the legal literature and to the position of the German Federal Government (which commented on the issue recently in connection with the law-making procedure for the Employee Data Protection Act), holding that an employer does qualify as a "provider of telecommunication services" and therefore must observe the “secrecy of telecommunications” if the employer permits private email correspondence using the employer’s IT-system.  Such secrecy of telecommunications permits only a professional provider of telecommunication services to collect call detail records or any other information relating to telecommunication services, insofar as required for billing purposes or in order to cure technical defects.

The Higher Labor Court's view is based on the reasoning that allowing use of a company email system for private communication is merely a side effect of the employment relationship and does not fall under the scope of the Telecommunications Act.  Additionally, the Court correctly pointed to the fact that the secrecy of telecommunications, if applicable, would only protect ongoing email traffic and not prevent the employer from accessing business-related email correspondence which has already arrived in the email inbox.

It remains to be seen whether the German Federal Labor Court will have an opportunity to decide this question, thereby putting an end to the ongoing debate about an employer's rights to access its employees' email correspondence.  In the absence of such final ruling by the Federal Labor Court, the Higher Federal Labor Court ruling should constitute a sound basis for employers to access employees' business-related email correspondence, even without the employees' explicit consent, provided that the employer does not interfere with ongoing email traffic and does not access emails which are clearly private.

(See: LAG Berlin-Brandenburg, ruling of 16 February 2011, file number: 4 Sa 2132/19, DB 2011, 1281-1282.)

• Email This
• Print

Social media has been a hot topic of late.  Companies are debating the official use of social media for marketing purposes, social networking privacy has been the subject of recent (failed)  legislation, and the EU has been ratcheting up pressure on prominent social networking sites to enhance privacy protections.  Social media was even a topic of discussion at this May's "eG8" in Paris, an event blogged about recently by Chris Wolf.

The Hogan Lovells Chronicle of Data Protection have covered social media developments over the past year or so, and provide a summary of our coverage for you here in one place, allowing you to take stock:

• Email This
• Print

The National Labor Relations Board (NLRB) has social media in its sights.  We last reported on the NLRB  social media agenda when its Harford Regional Office issued a complaint last year against a company that terminated an employee for posting disparaging comments about her supervisor after an incident at work. That case settled earlier this year, with the company agreeing to change provisions in its social media policy that prohibited employees from making any online remarks about the company or its supervisors. Those statements, according to the NLRB, violated the National Labor Relations Act (NLRA), which prohibits employers from restricting their employees from discussing terms and conditions of employment.

Since then, there has been a spate of activity at the NLRB on the social media front, including the issuing of two new complaints in the last three weeks.

• Email This
• Print

The German Federal Court of Labor ruled on 23 March 2011 that an internal data protection officer's appointment may not be validly terminated because the employer wants to transfer this function to a service provider as external data protection officer. Internal and external data protection officers are widely used in Germany, partly because their appointment is mandatory due to the number of employees processing personal data, partly because their appointment frees the company from filing registrations with local data protection authorities. The use of service providers as external service providers has become more popular after September 2009, when the amendments to the German Federal Data Protection Act provided stronger protection for employees acting as internal data protection officers against termination or withdrawal of their function. This ruling strengthens the position of the employee exercising this function and limits any German employer's ability to outsource this function to an external service provider.

The data protection officer's function includes the right to contact local data protection authorities if in doubt, and the officer mandatorily reports directly to the company's management.

• Email This
• Print

On January 19, the Supreme Court decided NASA v. Nelson, a case brought by NASA contractors alleging that questions asked by the federal agency in a background check violated their constitutional right to information privacy -- i.e., a constitutional privacy interest in the government "avoiding the disclosure of personal matters" recognized in a pair of 1977 cases, Whalen v. Roe and Nixon v. Administrator of General Services.  At issue were questions asking whether the contractors received "any treatment or counseling" regarding illegal drug use within the previous year (as a follow up to a question regarding whether they used, possessed, supplied, or manufactured illegal drugs within that year), and questions directed toward references for information bearing on "suitability for government employment or security clearance," including any "adverse information" about a contractor's "honesty or trustworthiness," "violations of the law," "financial integrity," "abuse of alcohol and/or drugs," "mental or emotional stability," "general behavior or conduct," or "other matters."

• Email This
• Print

E-mails to an attorney that clearly would otherwise have been privileged were found by the California Court of Appeal not to qualify as a "confidential communication between client and lawyer" within the meaning of California Evidence Code section 952.

In Holmes v. Petrovich Development Co., LLC, an employee appealed from a trial court determination that e-mails she sent to counsel regarding possible legal action against her employer were not privileged.  The employee had used a company computer to send the e-mails, "even though:  (1) she had been told of the company's policy that its computers were to be used only for company business and that employees were prohibited from using them to send or receive personal e-mail; (2) she had been warned that the company would monitor its computers for compliance with this company policy and thus might 'inspect all files and messages . . . at any time;' and (3) she had been explicitly advised that employees using company computers to create or maintain personal information or messages 'have no right of privacy with respect to that information or message.'"

The Court held that while an attorney-client communication does not lose its privileged character for the sole reason that it was communicated by electronic means, the circumstances of the case "were akin to consulting her attorney in her employer's conference room, in a loud voice, with the door open, so that any reasonable person would expect that their discussion of her complaints about her employer would be overheard by him."  The Court distinguished Quon v. Arch Wireless Operating Co., Inc., 529 F.3d 882 (9th Cir. 2008), which was reversed by the Supreme Court in City of Ontario v. Quon, 177 L.Ed.2d 216, 231 (2010), on the ground that Quon involved a search and seizure of employee messages by a public employer.  It also stressed that the employee's use of the e-mail account was clearly covered by the company's policy, and that employees had been warned that e-mails were not private and would be subject to random monitoring.  The fact that the employee erroneously believed that the use of a private password protected the confidentiality of her e-mails, or that the company did not in fact randomly monitor employee e-mails, were found to be irrelevant.

• Email This
• Print

The beginning of the New Year gives us an opportunity to reflect on the evolution of privacy in France over the past twelve months and also to consider the new challenges and opportunities that will develop in 2011.

2010 was a year of evolution for the French data protection authority, the Commission Nationale de l'Informatique et des Libertés - "CNIL" and 2011 promises to bring further changes and evolutions. Formal changes came with evolution in the management of formalities with a new online platform for the completion of formalities, which seems to bring a much needed improvement in the delays for management of files. Policy evolutions also resulted from the adoption of documents providing guidance to data controllers with regards to the security of data or with the amendment of the general authorization of certain whistleblowing systems, which although it was needed could be regarded as slightly disappointing. 

In France, 2010 also saw privacy invite itself in the public debate, whether as a result of controls and sanctions conducted and imposed by the CNIL or as a result of high profile cases such as the Google StreetView controversy or the decision acknowledging the legitimacy of the dismissal of an employee on the basis of comments posted on his Facebook page.

The review of the past year also allows us to anticipate some of the CNIL's points of focus for 2011. Firstly, the evolution of technologies will still be at the forefront of data protection discussions during the coming year. In 2010, the CNIL approved a number of processes involving biometric data and the development of these technologies will continue to raise questions and issues this year. In 2011, the CNIL will also focus on the development and implentation of a major project: certification labels for products and services, which could become an important and discriminating factor to attract customers in the short and long term.

• Email This
• Print

Employees who claim a Facebook "zone of privacy" from their employers for complaints about working conditions got a boost recently from the National Labor Relations Board’s (NLRB).

As reported in today's New York Times, on October 27 the NLRB Hartford Regional Office issued a complaint against an ambulance service provider, American Medical Response (AMR), for terminating an employee for posting disparaging comments about her employer on Facebook.  When the employee was denied union representation by a supervisor after an incident at work, she posted negative comments about the supervisor on her Facebook page from her home computer. After discovering the posts, AMR suspended and later terminated the employee for violating a few of the company’s blogging and Internet posting policies. 

Lafe Solomon, the board’s acting general counsel, said, “This is a fairly straightforward case under the National Labor Relations Act — whether it takes place on Facebook or at the water cooler, it was employees talking jointly about working conditions, in this case about their supervisor, and they have a right to do that.”

That act gives workers a federally protected right to form unions, and it prohibits employers from punishing workers — whether union or nonunion — for discussing working conditions or unionization. The labor board said the company’s Facebook rule was “overly broad” and improperly limited employees’ rights to discuss working conditions among themselves.

New York Times

A November 2 press release explained the NLRB’s position that AMR’s policies illegally interfered with its employees’ right to engage in protected activity under the National Labor Relations Act (NLRA) – specifically, policies that prohibited employees from (1) making disparaging remarks about the company or supervisors and (2) depicting the company on the Internet without permission. Under the NLRA, an employer cannot unduly restrict its employees’ ability to discuss terms and conditions of employment, regardless of whether a union exists, for fear that such restriction will impede employees’ ability to fairly unionize. At the same time, the NLRA does not provide carte blanche for employees to criticize or disparage their employers.

Employers should keep an eye on this case and how it may affect their policies regarding employee use of the Internet and social media. Many companies have drafted broad policies like the ones cited here that purport to greatly restrict what employees can say about the company. Though such policies are most likely to be invoked when employees post material to the Internet or social media sites that exhibit clear insubordination or disloyalty to the company, the NLRB was clear in expressing its concern for the possibility for companies to use the policies to stifle union-related employee communications.

As social networking continues to grow in popularity, it is inevitable that employees will post material that criticizes or otherwise goes against the interests of their employers. For example, this past August a Massachusetts teacher was fired for comments she posted on her Facebook page after calling residents of her school district “arrogant and snobby” and her students “germ bags.” And in a recent federal case out of New Jersey that has led to discussion over employer monitoring of employee social networking sites, employees sued their employer after they were fired for starting a Facebook group to vent about work.

When employees are disciplined or terminated for material they post to the Internet, employers will need to demonstrated that their actions did not unduly restrict the employees’ ability to discuss their terms and conditions employment. To bolster this argument, employers should make clear in their Internet, blogging, or social media policies that whatever restrictions there are on employee Internet postings, employees will not be disciplined for activity protected under the NLRA.  

• Email This
• Print

Yesterday, the Supreme Court reversed a decision of the Ninth Circuit in City of Ontario v. Quon and unanimously decided in favor of a public employer that had engaged in a review of employee text messages for a legitimate work-related purpose.

Justice Kennedy, writing for all members of the Court except Justice Scalia (who supported the outcome in a concurrence) expressly avoided a decision on what expectation of privacy might be reasonable in new communications devices.  "The Court must proceed with care when considering the whole concept of privacy expectations in communications made on electronic equipment owned by a government employer," he wrote.  Instead, the Court assumed the employee, a police officer in Ontario, California, had such an expectation of privacy in his text messages sent on a pager but found that the employer’s review of the messages for administrative/accounting reasons was not unreasonable.      

 For background on the specific facts of the case, see our prior blog post regarding the oral argument before the Supreme Court and our discussion of the case after the Supreme Court granted certiorari.

As observed by Hogan Lovells in an Associated Press interview  “the decision made clear that ‘if the employer is doing something for a legitimate business purpose, it’s not likely to be [deemed by a court to be] unreasonable.’”   Notably, Justice Kennedy in responding to comments of Justice Scalia in his concurrence, observed that just as the public employer's search was reasonable because of its legitimate administrative/accounting purpose, it would also be "regarded as reasonable and normal in the private-employer context".

If, as seems likely, the legitimate business purpose of an employer's search becomes a primary focus of courts following this decision, an earlier e-mail private employer privacy tort cases  Smyth v. Pillsbury, C.A. No.95-5712, (E.D. Pa. 1996) could have new vitality. Smyth held  that held the employer’s legitimate purpose for monitoring trumped an employee'ss expectation of privacy even where employees were told by the employer that that they would not be monitored. 

That is not to say that employer policies limiting or eliminating expectations of privacy are not important, as the Court yesterday observed in dicta: 

[E]mployer policies concerning communications will of course shape the reasonable expectations of their employees, especially to the extent that such policies are clearly communicated.  

Notably, the Courts’ discussion of appropriate employer policies was in the context of the issue not decided, the reasonable expectation of the employees. But as we reported recently with respect to a New Jersey Supreme Court case on private employer monitoring, employer-set expectations are still very important when it comes to the boundaries for employer searches of electronic communications.    

 While the court expressly did not resolve fundamental issues concerning employees’ expectation of privacy in workplace electronic communications, private employers are well-advised to continue: (1) implementing workplace monitoring policies that clearly communicate the scope of employer rights to monitor workplace electronic communications (over any medium); (2) deploying  appropriate training and other practices to minimize the risk that an employer’s actions might undermine its official policies through mixed signals (and therefore result in employees having an expectation of privacy); and (3)  to only engage in monitoring for “legitimate, work related purpose[s]” that are not “excessive in scope."

• Email This
• Print

Thanks to Elizabeth Khalil in the Hogan & Hartson privacy group for providing this report.

On April 19, 2010, the U.S. Supreme Court heard oral arguments in the case of City of Ontario v. Quon, a Fourth Amendment privacy case on appeal from the Ninth Circuit.

The argument centered primarily on the first of three questions presented in the case:  whether a police officer had a reasonable expectation of privacy in text messages transmitted on his official police department pager given the circumstances.  Specifically, his employer, the city government, had articulated a general policy stating that employees should have no expectation of privacy in their e-mail and Internet usage on official systems.  However, Quon understood the police department to have an informal policy that it would not read the personal text messages of officers who paid for additional text message volume on their pagers to allow for personal use.  The officer in question, Jeff Quon, was a SWAT team member who paid for such personal use of his official pager, from which he sent personal messages to his wife, girlfriend and others.  Department officials accessed Quon’s messages as part of an audit.  In the course of reviewing the volume of the messages, obtained from the city's wireless provider, they came across the personal (and, at times, sexually explicit) content of the messages Quon sent.

At oral argument, Chief Justice John Roberts seemed somewhat sympathetic to the notion that the department had given Quon the impression that as long as he paid for personal use of his pager, “it would be reasonable for him to assume that private messages were his business.”  Overall, however, the Court appeared skeptical of Quon’s claims.

There were two other questions presented in the case that were not the focus of oral argument:  whether the Ninth Circuit contravened the Supreme Court’s Fourth Amendment precedents and created a circuit conflict by analyzing whether the police could have used less intrusive methods of reviewing the text messages, and whether individuals who send messages to a police officer’s pager have a reasonable expectation that their messages will not be reviewed by the recipient’s government employer.  

The justices also touched upon what, if any, bearing statutes such as the Stored Communications Act (SCA) should have on the Fourth Amendment's concept of reasonable expectation of privacy, although the SCA was not an issue before the Court.  It was, however, a subject of Quon’s suit at the district court and appeals court level, where he had named the wireless provider as a defendant.  In Quon v. Arch Wireless, the Ninth Circuit held that Arch Wireless had violated the SCA when it provided the text transcripts to the police department. T he actions of Arch Wireless were not at issue in the Supreme Court appeal.

• Email This
• Print

On March 30, the New Jersey Supreme Court issued its opinion in Stengart v. Loving Care Agency, Inc., in which it unanimously held that the attorney-client privilege applied to e-mails sent by an employee using a personal, web-based e-mail account to her personal attorney on an employer-provided laptop, even though the employer had a general policy stating that the employee should have no reasonable expectation of privacy in the communications sent over company equipment.

The plaintiff, a nursing manager at Loving Care, was preparing for employment discrimination litigation against her employer when she sent e-mails to her attorney about the case using a personal, password-protected, web-based e-mail account from Yahoo from her employer-issued laptop.  In anticipation of discovery, Loving Care hired a computer forensic expert to recover all files stored on the laptop, and the expert turned up copies of some of the e-mails that, unbeknownst to the plaintiff, her web browser had automatically saved to the computer's hard drive.  Loving Care's attorneys reviewed the e-mails and used information from them during discovery, which was revealed to the plaintiff's attorney later in the case, who then sought to have them returned under the attorney-client privilege.

Loving Care argued that its electronic communications policy, which allowed employees incidental personal use of its computer systems but reserved the right to "review, audit, intercept, access, and disclose all matters on the company's media systems and services at any time, with or without notice," eliminated any expectation of privacy the plaintiff might have had in the e-mails stored on the computer.  Nevertheless, the court found that the plaintiff had a reasonable expectation of privacy for three reasons:

1. The plaintiff had a subjective expectation of privacy due to the fact that she used a personal, and not the company, e-mail account to send the messages to her attorney, and did not store her password on the computer.
2. The plaintiff's expectation of privacy was objectively reasonable, given that her employer's policy did not address the use of private web-based e-mail accounts, even allowing incidental use of employer computers to send and receive personal e-mail.
3. Most importantly, the e-mails clearly were subject to the attorney-client privilege, and contained a standard warning that their contents were confidential and subject to the privilege.

The court went on to hold that, given the public policy concerns underlying the attorney-client privilege, "even a more clearly written company manual -- that is, a policy that banned all personal computer use and provided unambiguous notice that an employer could retrieve and read an employee's attorney-client communications, if accessed on a personal, password-protected e-mail account using the company' computer system -- would not be enforceable."  The court, however, noted that an employee could still be sanctioned under an employment policy for spending excessive time communicating with a personal attorney during the work day, though the employer should still not be able to access the content of the communication.

The court  zeroed in on the attorney-client-privileged nature of the e-mails, and the privilege played a large role in the final disposition of the case.  The court did not address whether Stengart would have had a reasonable expectation of privacy with respect to personal e-mail communications with a non-lawyer.  Nor did the court suggest that Stengart had a cause of action against her employer for an invasion of privacy, which would have required a showing that the e-mail review was "highly offensive to a reasonable person".  The issue was whether a discovered e-mail communication deserved protection under the attorney-client privilege.

While limited in jurisdictional breadth to New Jersey, Stengart is one of the first cases of its kind, and courts in other states could be tempted to follow it .  This could especially be the case as employee use of personal, web-based e-mail in the workplace becomes more common, with many employers relaxing their electronic communications policies to allow for "incidental" use of employee computer systems for personal reasons.

 Thus, the case suggests the following:

• Make clear in an acknowledged policy that employees have no expectation of privacy in their use of company computers, whether connected to the network or not, even where "incidental" personal use is allowed.
• Make clear in such a policy that employers retain the right to monitor employees' use of employer resources, including the sending and receiving of personal, web-based e-mail, and explain  that e-mails sent through a personal web-based e-mail account can end up being stored on company equipment and suject to review consistent with state law.
• Prohibit the use of company resources to communicate with a personal lawyer and advise employees that they can be disciplined for violations (and all violations of the electronic resources policy).  Companies are not required to allow employee use of company equipment to plan litigation against the company.
• For employers that permit "incidental" personal use of computer systems, emphasize that any use of company computers or electronic resources that rise above the level of "incidental" personal use and affect employee productivity can lead to sanctions under the policy, though this provision must be enforced uniformly and in a non-discriminatory manner.
• Instruct company employees who monitor electronic communications not to review personal attorney-client privileged communications but, rather, to bring such communications to the attention of in-house counsel to review in accordance with the applicable ethical rules regarding waiver.

While Stengart is noteworthy, it did nothing to fundamentally alter the well-established principle that employers retain the right to monitor employee use of company equipment and that they can , through a well-crafted policy, reduce employees' privacy expectations.

• Email This
• Print

On December 14, the Supreme Court granted certiorari in City of Ontario v. Quon, a case that could set the parameters for the rights of employees in the workplace to privacy in their electronic communications, or just as easily be narrowly resolved on constitutional grounds with little implications for private employers.

Quon, an officer with the Ontario, California Police Department, was discharged after his employer searched the records of his city-issued pager and found personal and sexually explicit messages between Quon, his wife, his girlfriend, and a co-worker.  Though the city had a policy that it could monitor all employee electronic communications for inappropriate use, Quon's supervisor had communicated an informal policy under which the supervisor would not review the contents of text messages so long as officers exceeding their monthly allotment paid the difference.  Quon had paid the difference in every month that he had exceeded his allotment.

Notwithstanding this informal policy, the police department, as account holder, requested a copy of certain text message transcripts to determine why officers were exceeding their message limits, and discovered Quon's messages.  After being discharged, Quon sued his public employer for a violation of his Fourth Amendment rights, claiming that his supervisor created a constitutionally cognizable reasonable expectation of privacy in the messages by informally mentioning that they would not be reviewed.  In addition, Quon sued the telecommunications provider, Arch Wireless, under the federal Stored Communications Act ("SCA"), which prohibits electronic communication services, which transmit electronic communications such as e-mails and text messages, from disclosing these messages to anyone except to the sender, to the recipient, or in other limited circumstances.

Though the district court ruled against Quon on all claims, the Ninth Circuit reversed, finding that Quon and the recipients of the text messages had a reasonable expectation in the privacy of their messages, as guaranteed by the supervisor's informal policy.  It also ruled that the telecommunications provider violated the SCA by disclosing the content of the communications to the city which, despite being the actual subscriber to the text messaging service, was not the technical "sender" or "recipient" of the text messages.  The Ninth Circuit denied a review of the case en banc, over the dissent of seven circuit judges.

Though Supreme Court will determine whether the search of the text messages violated the Fourth Amendment, it could be important to private employers given that state law privacy rights are governed by an often-overlapping "reasonable expectation of privacy" standard.  Currently, many  employers, like the city of Ontario, institute policies expressly disclaiming any potential right to privacy in their employees' electronic communications using company resources.  The disciplinary force of employment policies can be weakened by inaction or inconsistent application, but there would be serious implications for employers if they could also be affected by conflicting representations by low-level managers that are not sanctioned by the company.

The Court will also review whether the city was required to abstain from reviewing the content of the text messages in favor of non-content information that could have revealed the information about pager use for which it was searching, and whether the recipients of the text messages -- Quon's wife, girlfriend, and co-worker -- had their constitutional rights violated by the city's search.

Though this case might provide some pause for employers, this Supreme Court's grant of certiorari in a Ninth Circuit case creating new case law contrary to that of other circuits, over the dissent of a number of their conservative colleagues, seems ripe for overturning.  Nevertheless, it remains good law in the Ninth Circuit and is potential fodder for other employment lawsuits until and when the Supreme Court issues a decision in the case.  The more permanent and significant result of this appeal could be the Court's denial of certiorari on the SCA issue, leaving as good law in the Ninth Circuit that electronic communication services cannot disclose the content of stored messages to organizational clients without the specific approval of the person either sending or receiving a particular message.  Employers, especially in the Ninth Circuit, should amend their electronic communications policies to receive authorization from employees to review e-mails, text messages, and other electronic communications stored remotely by the vendors that process these messages, especially as more employers migrate their e-mail and other services to servers not owned or operated in-house.

• Email This
• Print

Our colleague, Bill Flanagan, has provided this guest blog on a new case from the 9th Circuit construing the Computer Fraud and Abuse Act in the employment context:

The Ninth Circuit Court of Appeals recently weighed in on the question whether an employee who has been granted access to his employer’s computer system – but then uses the properly-accessed information in a manner contrary to the employer’s interest – has acted “without authorization” in violation of the Computer Fraud and Abuse Act (“CFAA”), a federal statute that imposes criminal and civil liability for certain computer crimes (LVRC Holdings LLC, v. Brekka, et al., No. 07-17116 (9^th Cir., Sept. 15, 2009). The court came down on the side of the employee, ruling that because the employee had been given access to the information on the computer, he did not violate when he allegedly misused it.

• Email This
• Print