French High Court Ruling Highlights Need to Follow Privacy Rules on Employer Monitoring of Employees

Businesses operating in France must declare all personal data processing tools to the national data protection authority, the Commission nationale de l’informatique et des libertés (CNIL). The decision to operate those tools must also be communicated to employee representatives.

The failure by an employer in France to declare an employment monitoring system as a personal data processing tool to the CNIL may cause it to lose a case brought against it for unfair dismissal by one of its former employees.

This is a possible outcome that could arise following a judgment issued October 8, 2014, by France’s highest court, the Court of Cassation (Court of Cassation, Employment Section, October 8, 2014, No. 13-14.991, published in the Court’s yearly report).

The fact that this judgment was published in the Court’s report is significant, as the Court itself selects the decisions that it deems to be the most important ones in terms of case law making.

Background on the Court of Cassation Case and a Summary of its Ruling

The case before the Court of Cassation concerned an appeal brought by an employee against the decision by her employer to dismiss her from her job. The organisation had taken action after discovering the employee had engaged in use of her work e-mail account for personal purposes. The use was deemed so extensive that the employer deemed that it had had an adverse effect on her performance and was incompatible with the proper performance of her duties.

To support its case for dismissal, the employer used information it had retrieved from an internal system it used to monitor individual employees’ e-mail exchanges. The information recorded by the system showed the number and size of e-mails sent by employees.

The employee challenged her dismissal. She claimed that the information used by the employer in relation to her e-mails was inadmissible before a court because the system was used in breach of privacy regulations.

The information relied on by the employer dated back to a period when the monitoring system had not been declared as a personal data processing tool to the CNIL.

Previously, the Court of Appeal had ruled that the employer’s decision to dismiss the employee was valid, and implicitly admitted the evidence retrieved from the employer’s monitoring system.

However, the Court of Cassation made it clear in its judgment that any information collected from a personal data processing system prior to such system’s declaration with the CNIL is illicit evidence and inadmissible before a court.

The Court of Cassation was not responsible for ruling on the employer’s decision to dismiss the employee. Instead, the case has been referred back to the Court of Appeal for a ruling.

The Likely Outcome of the Case and What This Means for Other Businesses

The Court of Appeal will be unable to consider the information gathered from the e-mail monitoring system when making its ruling on whether the employer’s actions in dismissing the employee were valid or not. This means that it is likely that the Court of Appeal will side with the employee and her challenge against the legitimacy of the employer’s decision to dismiss her.

The decision is a reminder that any monitoring system that involves processing technical data which may be eventually linked to an individual is subject to privacy rules, and businesses using them are obliged to notify the CNIL about their use of them.

The fact that the collected data may be anonymised at a later stage would not remove the requirement to declare the processing to the CNIL. However, should such a system collect purely technical data which cannot be linked, even indirectly, to an individual, data privacy requirements would not apply.

The Court of Cassation decision implies that the validity of the implementation of an employee monitoring system, and its compliance with applicable privacy and employment regulations, would have to be demonstrated if an employer wished to submit evidence extracted from such a system before the courts.

How Does French Employment Law Relate to This Issue?

From an employment law perspective, Article L.2323-32 of France’s Labour Code requires that employees’ representatives be informed about the introduction of any data processing tool or employees’ performance monitoring system within a company.

Employees should also be informed on an individual basis before the introduction of such systems within a company, especially as information extracted from those systems may eventually be used against employees to ground a dismissal or any other measure.

Generally speaking, the safest process for employment law compliance is to have information technology security policies included as part of a company’s internal rules, and declared as such with French authorities.

What Should Businesses Do Now and What Are the Consequences of Getting Things Wrong?

All companies should ensure that their monitoring systems are properly registered. Beyond evidence being inadmissible before French courts, any non-compliance with privacy rules is punishable by five years’ imprisonment and a fine of 300,000 euros (U.S.$375,627), besides possible sanctions for non-compliance with applicable regulations.

It is all the more critical to meet these legal requirements, as the question of monitoring employees during working hours is very sensitive, and French law appears to be very protective about what is acceptable when processing data that may potentially affect employees’ privacy.

The intention of the Court of Cassation is not to invalidate the implementation of employee monitoring or data processing tools, which undoubtedly help companies to achieve security and performance objectives and are effective in managing the various risks generated by employees’ activities when processing business information.

However, this decision underlines the importance of assessing the legal requirements before even considering rolling out any such control system.

Pending the enactment of the proposed new EU Trade Secrets Directive, implementing technical measures to protect confidential information remains a priority for business development. In particular, it is frequent and quite common for companies to implement technical restrictions on the exchange of information in order to prevent the release of confidential documents outside the company. Most companies now monitor data fluxes with the objective to identify when data may be suspiciously extracted from company servers.

The most dangerous, yet implicit, sanction businesses face if they do not meet their legal obligations is being unable to take action against employees who could be identified as trading confidential information or generally representing a threat or a burden to the company.

Annabelle Richard is a Legal Director, Avocat à la Cour (Paris bar) and Attorney at Law (New York bar), and Guillaume Bellmont is an Associate and Avocat à la Cour (Paris bar), with Pinsent Masons, Paris. They may be contacted at annabelle.richard@pinsentmasons.com and guillaume.bellmont@pinsentmasons.com.