In an increasingly digital age, data protection has become a key
component of business risk management. Companies in every industry
are understandably keen to protect their trade secrets, clients
list and other company data. To that end, companies routinely
include confidentiality and related provisions in employment
contracts, and maintain policies and procedures regarding the
protection of business-related information within and outside the
workplace. Further, employers now more commonly monitor
employees' use of electronic technology, such as email.
Recent decisions from the U.S. and Canada, however, demonstrate
that there remains a potentially uncertain balance between the
ability for law enforcement to investigate potential crimes and the
rights of individuals and employees.
For example, the recent case of United States v. Doe dealt with
the seizure of the defendant's laptops and drives as part of an
investigation into child pornography. Law enforcement was unable to
view the encrypted portions of the drives and a Florida court held
the defendant in contempt of court for refusing to produce the
unencrypted data. Ultimately, the 11 th Circuit found that
the lower court had violated the defendant's Fifth Amendment
right against self-incriminating when the lower court ordered the
production of the unencrypted data.
As some commentators have noted,
while the computers in question did not belong to the
defendant's employer in the Doe case, a similar
situation could occur in a corporate context. What if an employee
were to encrypt data on a company-provided laptop? Would the
employer be prohibited from forcing an employee to produce the
unencrypted data should a suspected violation of laws occur? Would
employment policies claiming corporate ownership over all data
residing on company-owned machines skew the legal analysis in a
The Doe decision is particularly interesting in light
of a Canadian decision handed down last year. As we discussed
in a previous post, in R. v. Cole, the Ontario Court of
Appeal held that a teacher had a reasonable expectation of privacy
with respect to personal files stored on his work laptop in
relation to the search and seizure of those files by the
police. In that case, a school technician that was
monitoring traffic on the school network discovered nude images of
a student on the teacher's laptop and subsequently copied the
images onto a disk for the school's principal and copied
temporary internet files found in the laptop's browsing history
onto another disk to transfer to the police. The Court found
that neither the technician's search, the subsequent search and
seizure by the principal and school board, nor the transfer to the
police of the disk constituted a Charter violation. The
appellant's privacy rights under section 8 of the Charter were
found to have been violated, however, by the warrantless police
search and seizure of the laptop itself.
While it is not clear how the Doe decision (a criminal
case) would apply in the employer context, the Cole
decision does offer some guidance on reasonable expectations of
privacy. Provided employers have clear privacy policies in
place, which afford employers the right to monitor employee
personal activities in the workplace, a reasonable expectation of
privacy will likely not be found to exist. Employers should
monitor subsequent rulings on this issue in the United States to
assess whether a similar approach would be taken there.
The content of this article is intended to provide a general
guide to the subject matter. Specialist advice should be sought
about your specific circumstances.
To print this article, all you need is to be registered on Mondaq.com.
Click to Login as an existing user or Register so you can print this article.
Register for Access and our Free Biweekly Alert for
This service is completely free. Access 250,000 archived articles from 100+ countries and get a personalised email twice a week covering developments (and yes, our lawyers like to think you’ve read our Disclaimer).