Monitoring employees’ e-mail correspondence and Internet use – A Finnish perspective – PART I

Abstract

This article examines the prerequisites under which a private sector employer is and should be able to monitor its employees’ use of e-mail and Internet. For purposes of this examination, the article analyses the meaning of the Trade Secrets Directive’s provision requiring the trade secret holder to take reasonable steps to protect its trade secrets, in order to ascertain whether the provision requires the employer to monitor its employees’ e-mail correspondence and Internet use to gain the protection under the Trade Secrets Directive and the relevant Finnish legislation implementing the Trade Secrets Directive. The article also examines the relevant ECtHR case law, and especially the Bărbulescu case, as well as the Article 29 Working Party’s principles applicable to the monitoring of employees’ e-mail correspondence and Internet use. To provide a national context, the article examines the prerequisites under which a Finnish private sector employer may monitor its employees’ use of e-mail and Internet, or more specifically the prerequisites under which the employer may process traffic data, as well as the prerequisites under which an employer may open and retrieve its employees’ e-mails. The Finnish legislation applicable to e-mail and Internet monitoring is particularly interesting as it is significantly more restrictive for employers than the criteria set by the ECtHR and the Article 29 Working Party. Examining Finnish legislation in this context is also interesting, because there has been extensive public debate on whether having legislation in place that enables the employer under certain circumstances to monitor its employees’ e-mail correspondence is at all necessary and justified. Such views have first and foremost been supported by the argument that monitoring employees’ e-mails constitutes an intrusion into the employee’s right to privacy and secrecy of correspondence. Also, Finland is so far the only EU Member State that has enacted a specific act regulating the processing of employee data. The purpose of this article is to provide an overview of the prerequisites under which monitoring of employees’ e-mail correspondence and Internet use is permitted based on ECtHR case law (as well as the relevant guidelines issued by the Article 29 Working Party) and applicable Finnish legislation, and to reflect on the extent to which an employer should have the right to monitor its employees’ e-mail correspondence and Internet use, to ensure inter alia compliance and adequate protection of trade secrets. The purpose of this article is also to provide understanding on the applicable Finnish legal framework as an example of a European national approach highlighting the divergence between the level of protection afforded in different EU Member States and to reflect on why the subject matter is so sensitive.