India: Look Out! You’re Being Watched At Work - E-Mail Monitoring And The Law Of Privacy

The use of email in offices is a common characteristic of modern-day workplaces that has revolutionized communication—both intra-company as well as with outside clients. However, new technologies have also made it possible for employers to effortlessly monitor office email used by the employee, thereby violating the employee’s right to privacy.

There is no Indian legislation that directly protects the privacy rights of individuals. However, the judiciary has expanded the scope of Article 21, one of the most controversial fundamental rights under the Constitution of India, to include the ‘right to privacy’ as an integral part of the ‘right to life and liberty’. The right to privacy, as carved out by the apex court, first emerged in the context of legislation permitting police surveillance on individuals, which was struck down as being violative of the right to privacy in the case of Kharak Singh vs State of UP in 1963.

The subsequent development of the right has seen it being invoked in cases, ranging from the right of a prisoner not to be interviewed to the right of confidentiality of an HIV-infected person. More significantly from the perspective of the employee’s right to privacy, the Supreme Court has held that ‘technological eavesdropping’ is also a violation of the right to privacy in the case of People’s Union for Civil Liberties vs Union of India in 1997.

The case arose out of a challenge to Section 5(2) of the Telegraph Act, 1885, which permits the interception of messages in cases of public emergency or in the interest of public safety. The court held that the right to privacy included the right to hold a telephone conversation in the privacy of one’s home or office and that tapping of phone, infringed this right. While this is significant for the future development of this right, the protection of Article 21 is available only against the state, and individuals whose rights are violated by non-state entities would be left without any remedy.

The Information Technology Act, 2000 in Section 71, makes a reference to privacy in Section 72, where securing access to any electronic correspondence, without the consent of the person concerned, and disclosing such information to any other person has been made an offence punishable with imprisonment for two years, or with a fine of one lakh rupees. The provision would not protect the employee from undesirable electronic surveillance by the employer, if the employer does not disclose the information that he has intercepted to anyone else. It is interesting to note that in no country does the right to privacy enjoy constitutionally guaranteed status.

Privacy in the US:

In the US, the Fourth Amendment and the constitutions of eight states afford some degree of privacy protection, though only to public sector employees. Specific federal statutory protection came into place only with the enactment of the Electronic Communications Privacy Act, 1986, a legislation that prohibited the "intentional or wilful interception, accession, disclosure, or use of one’s electronic communication". Though email was not specifically enumerated, it could be brought within its ambit.

However, the Act is constrained by three exceptions that limit its applicability to employee monitoring. These are: where the employer provides their employees with email through a company-owned system (provider exception), if the employer is monitoring business-related correspondence or has a legitimate business justification for monitoring (ordinary course of business exception), and finally, if the prior consent of the employee has been taken (consent exception). The above exceptions carved out provide the employer with enough loopholes to escape liability. In fact, in most cases, the email system is company-owned. Under the ‘ordinary course of business’ exception, the employer can monitor all business mails, though not personal communications. The consent exception is the most powerful from the employer’s perspective as gaining employee consent may be achieved by circulating a email monitoring policy to all employees. To further protect privacy rights of employees, a new legislation before the US congress, called the Notice of Electronic Monitoring Act, mandates that employers must inform employees about the Electronic Monitoring Policy at the time of hire and notify them annually or whenever there was a change in the policy.

The flip side:

While this may indicate that broad judicial interpretations of enacted privacy legislations is favourable to employee monitoring practices, it may be instructive to hear the other side of the story – the legitimate concerns of employers who monitor employee communications.

Usually, email is monitored to keep tabs on employee productivity or to prevent potential liability for the employer. Employers are concerned with productivity and efficiency of the employee and would not welcome usage of company equipment and company time spent on non-productive activity. However, the issue of liability is a more serious one– email that is racist, sexist or sexually explicit can expose employers to potential liability from other employees based on ‘hostile work environment’ claims. A subsidiary of Chevron Corporation was forced to settle a lawsuit for us $2.2 million after a list called "10 reasons why beer is better than women" was circulated through its email system. In the case of Blakey vs Continental Airlines, in June, ’00, a unanimous New Jersey Supreme Court held that postings on a work-related electronic board could amount to a hostile work environment for which the employer would be liable. Other potential liabilities that the employer could face include disclosure of confidential information by the employee and the infringement of third-party copyright and other intellectual property by the employee.

The courts have sided with the employers in cases where violation of employee privacy has been alleged. In the case of Smyth vs Pillsbury, a federal district court in Pennsylvania upheld the employer’s termination of an employee, based on a review of intercepted mail transmitted over the company system. The court reasoned that the review was not a violation of the employee’s right to privacy, even assuming that the employer promised not to intercept the email or to terminate an employee based on a review of its contents, as the employee has no reasonable expectation of privacy in messages sent over the company email system.

The issue of ‘reasonable expectation’ is thus the determining factor—the use of passwords to gain access to the system, specific references to email messages and mailboxes being private would strengthen the case of the employee as having a reasonable expectation of privacy. On the other hand, the circulation of written policies dealing with email and electronic monitoring to the employees would reduce their reasonable expectation of privacy.

Striking a balance:

Employee privacy issues often arise in other areas. It is common for employers in the US to monitor employee telephone calls and computer terminals. Extreme forms of monitoring verge on the comic - a device placed in the employees’ chair can measure worker ‘wiggling’, on the presumption that more wiggling implies less working! Will there ever be a balance between the genuine concerns of the employer, and the right to privacy of the employee? The answer may well depend on new legislation that successfully keeps abreast with technology.

The views expressed in this article are those of the author and do not represent the views of the firm. This article does not purport to be professional advice, nor a complete or comprehensive study on the subject. It is recommended that professional advice be sought before taking any action pursuant to any matter contained in this article.