Criminal Law Risks Of Monitoring Employee E-mails And Phone Calls In Germany

A recent criminal law proceeding against a manager of Deutsche Telekom AG ended up in a custodial sentence of three-and-a-half years due to, among other things, a violation of telecommunications secrecy.

Most companies take into consideration the restrictions and obligations under German data privacy law when collecting, processing and using employees’ personal data, being aware of the potential sanctions under Sections 43 and 44 of the German Federal Data Protection Act.

However, the restrictions under the German Telecommunications Act (TKG) protecting telecommunications secrecy are often not considered. The TKG applies not only to the typical commercial telecommunications services provider but also to the employee-employer relationship if a German company allows or tolerates private/personal use of its information technology (IT) resources by its employees. In such a case, the employer qualifies as a “telecommunications provider” under the TKG subject to the respective regulations protecting telecommunications secrecy. Both usage data (e.g., e-mail log files, telephone connection data) and content of private/personal communications (e.g., e-mail content, phone conversations) are protected against unauthorized access by the telecommunications provider and, thus, can no longer be monitored by the employer. As usage and content data relating to private/personal use and business use are often not separated, business communications are also affected by the restrictions of telecommunications secrecy.

Imprisonment Sentence Relating to Violation of Telecommunications Secrecy

Upon the publication of a news article about the mid-term strategic intentions of Deutsche Telekom, the supervisory board suspected that members of the supervisory board leaked company confidential information to the press. The CEO of Deutsche Telekom, Kai Uwe Ricke, and the chairman of the supervisory board, Dr. Klaus Zumwinkel, instructed the head of corporate security, Klaus Trzeschan, to identify “the leak”. In order to do so, the head of corporate security arranged for the telephone connection data of all members of the supervisory board to be retained and checked for contact with the relevant journalists. This operation resulted in the analysis of telephone communications affecting 40 individuals. Data of several journalists who regularly reported about Deutsche Telekom were also stored occasionally.

The criminal investigations of the district attorney of Bonn resulted in the indictment of Klaus Trzeschan and three other members of the corporate security department of Deutsche Telekom who were also involved in the operation for, amongst other things, violation of data privacy laws and telecommunications secrecy. The head of corporate security, as the prime suspect, was also accused of committing disloyalty and fraud and sentenced to three-and-a-half years in prison. The proceedings against the other three accused suspects were either separated due to health reasons or dismissed in return for the payment of a criminal fine.

The criminal investigations against the former CEO and the former chairman of the supervisory board, Dr. Klaus Zumwinkel, were not brought to court but closed due to lack of evidence. Both were accused of having given specific instructions to the head of corporate security to identify the leak by analyzing the telephone connection data of members of the supervisory board. However, in the course of the criminal investigation, it could not be proven with sufficient certainty that both suspects had known about the operation and the measures that should identify the leak.

As concerns civil damages claims, Deutsche Telekom waived in a settlement agreement any potential contract and tort law claims against the managers in exchange for the payment of €600,000 (U.S.$858,300) to Deutsche Telekom by each of the managers. However, due to the managers’ liability insurance, the former CEO and the former chairman of the supervisory board will be required to pay only €250,000 (U.S.$357,617).

The decision in this case was handed down November 30, 2010, but the text has not been publicly released.

Applicability of the German Telecommunications Act

According to the prevailing opinion in Germany, an employer will qualify as a “telecommunications provider” if it allows or tolerates private use of its telecommunications systems, in particular e-mail and telephone systems, by its employees. In such a case, the employer will be treated the same way as any commercial telecommunications provider and be required by law to follow the restrictions and obligations imposed by telecommunications secrecy under Section 88 of the TKG. However, not only employers that explicitly allow private use, but also employers that tolerate private use, may be subject to the telecommunications secrecy of the TKG. A company’s tolerance of private use by its employees, even despite an explicit prohibition against private use in the company’s policies, and non-timely sanctions of breaches, may already suffice to establish a so-called company practice (betriebliche Übung). As a result of such company practice, the employer is regarded as a “telecommunications provider” because the employer created a factual situation providing telecommunications services to its employees. A company practice, and thereby the applicability of the TKG, may be avoided only if the employer seriously ensures compliance with the prohibition of private use by means of regular spot checks (every three to six months) and imposing adequate sanctions in case of breaches.

If the employer effectively enforces the prohibition against private use of its IT systems by means of spot checks, the restrictions under the TKG will not apply. However, monitoring measures are still subject to the German Federal Data Protection Act. Accordingly, while monitoring of employee communications in individual cases based on reasonable suspicion or spot checks is permissible, constant monitoring of e-mails and internet or telephone use of employees is not allowed even if private use is effectively prohibited.

Telecommunications Secrecy in the Employment Relationship

No Access to and Review of Telecommunications Data for Monitoring Purposes

As a telecommunications provider, an employer is generally not allowed to access and review the usage and content data relating to private telecommunications of its employees, unless legally permitted to do so. However, since companies typically do not separate data relating to private telecommunications from data relating to business telecommunications, the prohibition against access and review of private telecommunications will also affect business telecommunications data, including business e-mail correspondence. Prior to accessing and reviewing business communications such as e-mails, an employer would need to ensure that no private e-mails are amongst the business e-mails. However, in order to perform this determination and separation, the employer would need to somehow access the e-mails, which would already be a violation of telecommunications secrecy if such accessed e-mail is private e-mail.

Only in limited circumstances is access and review of telecommunications data legally permissible under the TKG, but never for monitoring purposes. First, Section 97 of the TKG allows the collection and processing of usage and content data for billing purposes. This exception may, in particular, apply to usage data relating to telephone communications if employees are obliged to compensate the employer for any private telephone calls. However, only data that is necessary to determine what costs are incurred by each employee for private telephone calls may be reviewed. Second, Section 100 (1) of the TKG allows the collection and processing of usage and content data if necessary to identify, locate and eliminate disruptions and malfunctions of the telecommunications system. And third, Section 100 (3) of the TKG permits the collection and processing of usage and content data in order to detect and eliminate fraudulent or unauthorized use of the telecommunications system. Section 100 (3) of the TKG could apply if private use is allowed only during a specific time frame (e.g., lunch break) or for a specific time period each day. In such a case, the employer reviews the usage and content data in order to enforce its policy on limited private use. Again, any of these exceptions allows access and review of the data only for the respective limited purposes; any further review for monitoring purposes is not permitted.

Scope of the Secrecy of Telecommunications with Regard to Private E-mails

With regard to content, the secrecy of telecommunications was understood in the past to be a protection against unauthorized interruption and access to telecommunications during transit. However, a decision of the German Federal Constitutional Court (Bundesverfassungsgericht) of June 16, 2009, suggests that both private e-mails in transit and private e-mails stored on the server of the employer are protected against unauthorized access and review by the employer as the telecommunications provider. The reasoning behind this is that, since the stored e-mails are not in the sole control of the employee, they too face the same risks of unauthorized access as e-mails in transit. This decision explicitly extended the scope of the secrecy of telecommunications and may also affect other documents that are stored on the employer’s server and were received via private e-mails. It could be argued that, if private e-mails are protected by telecommunications secrecy, then any attachments to private e-mails must also be protected as long as they are stored on the employer’s servers.

Consequences of a Violation of Telecommunications Secrecy

Illegal monitoring of usage and content data relating to an employee’s private telecommunications may be a criminal offence (Section 206 of the German Penal Code) subject to a penalty of up to five years’ imprisonment or a fine which can amount to a maximum of €10.8 million (U.S.$15.4 million). Directors and managers of an employer held responsible for any illegal monitoring activities may be subject to a criminal investigation and conviction by a German court, as the recent proceeding relating to Deutsche Telekom demonstrated.

Conclusion and Recommendations for Action

The custodial sentence in the Deutsche Telekom case should be a warning to companies which, while compliant with the requirements and obligations under data protection laws, do not take into account the consequences of private use of their telecommunications systems pursuant to the TKG. The risks and penalties imposed by the TKG should encourage any company and its directors and managers to review their obligations and restrictions under the TKG and to take a strategic decision concerning their employees’ private use of their telecommunications systems.

If private use is allowed or tolerated, the risks of violating telecommunications secrecy could be reduced if a company’s IT use policy required employees to separate private and business e-mails in their e-mail archives or to immediately delete any private e-mails. Nevertheless, such measures do not completely eliminate the risk of violating the TKG.

In order to monitor telecommunications systems to the greatest extent possible, employers should prohibit private use and effectively enforce the prohibition by means of regular spot checks, or at least allow private use only on specifically determined telecommunications equipment such as computers or telephones. In this way, only usage and content data obtained through such equipment would be subject to the secrecy of telecommunications.

Alternatively, employers could consider prohibiting private use as a general policy but allow limited private use in exchange for employees’ consent to limited monitoring measures of any private communications. Such employee consent would be valid for purposes of eliminating the risk of committing a criminal offence, and also from a data privacy point of view, since the employee received something “in return”, the permission to use the IT systems for private purposes.

Whichever recommendation is chosen, it should ideally be implemented in a company-wide IT use policy.

Christoph Rittweger is a Partner and Julia Wendler is an Associate with Baker & McKenzie, Munich. They may be contacted at christoph.rittweger@bakermckenzie.com and julia.wendler@bakermckenzie.com.