In an increasingly digital age, data protection has become a key component of business risk management. Companies in every industry are understandably keen to protect their trade secrets, client lists and other company data. To that end, companies routinely include confidentiality and related provisions in employment contracts, and maintain policies and procedures regarding the protection of business-related information within and outside the workplace. Further, employers now more commonly monitor employees' use of electronic technology, such as email.

Recent decisions from the U.S. and Canada, however, demonstrate that there remains a potentially uncertain balance between the ability of law enforcement to investigate potential crimes and the rights of individuals and employees.

For example, the recent case of United States v. Doe dealt with the seizure of the defendant's laptops and drives as part of an investigation into child pornography. Law enforcement was unable to view the encrypted portions of the drives and a Florida court held the defendant in contempt of court for refusing to produce the unencrypted data. Ultimately, the 11th Circuit found that the lower court had violated the defendant's Fifth Amendment right against self-incrimination when the lower court ordered the production of the unencrypted data.

As some commentators have noted, while the computers in question did not belong to the defendant's employer in the Doe case, a similar situation could occur in a corporate context. What if an employee were to encrypt data on a company-provided laptop? Would the employer be prohibited from forcing an employee to produce the unencrypted data should a suspected violation of laws occur? Would employment policies claiming corporate ownership over all data residing on company-owned machines skew the legal analysis in a different direction?

The Doe decision is particularly interesting in light of a Canadian decision handed down last year. As we discussed in a previous post, in R. v. Cole, the Ontario Court of Appeal held that a teacher had a reasonable expectation of privacy with respect to personal files stored on his work laptop in relation to the search and seizure of those files by the police. In that case, a school technician who was monitoring traffic on the school network discovered nude images of a student on the teacher's laptop and subsequently copied the images onto a disk for the school's principal and copied temporary internet files found in the laptop's browsing history onto another disk to transfer to the police. The Court found that neither the technician's search, the subsequent search and seizure by the principal and school board, nor the transfer to the police of the disk constituted a Charter violation. The appellant's privacy rights under section 8 of the Charter were found to have been violated, however, by the warrantless police search and seizure of the laptop itself.

While it is not clear how the Doe decision (a criminal case) would apply in the employer context, the Cole decision does offer some guidance on reasonable expectations of privacy. Provided employers have clear privacy policies in place, which afford employers the right to monitor employee personal activities in the workplace, a reasonable expectation of privacy will likely not be found to exist. Employers should monitor subsequent rulings on this issue in the United States to assess whether a similar approach would be taken there.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.