Israeli privacy update: Landmark case establishes guidelines for monitoring employee online activity
By David Mirchin
Employee e-mail use policies usually grant employers wide-ranging powers to monitor and review employees' Internet usage and e-mail correspondence. According to a recent major decision by the Israeli National Labor Court, however, this situation is likely to dramatically change, and generic, sweeping or vague Internet use policies of employers will no longer be allowed. In this privacy update, we review the court's decision and the new guidelines for monitoring and examining the content of employee e-mail and online activity.
The National Labor Court combined two appeals concerning the admissibility of e-mail correspondence as evidence. In the first, Panaya Ltd., a software company, dismissed Tali Isakov Inbar, an employee of the company. Isakov sued Panaya, claiming that she was unlawfully dismissed due to her pregnancy. Panaya contended that the dismissal notice was issued to Isakov prior to her pregnancy and submitted copies of e-mails that Isakov sent to recruiters from her company-provided mailbox that contained her CV (curriculum vitae). Isakov sought to have the court disregard this evidence, claiming that it was private correspondence and therefore unlawful evidence under the Protection of Privacy Law, 5741-1981, and the Eavesdropping Law, 5739-1979. Isakov argued that although the mailbox was provided by Panaya, use of the mailbox for personal purposes was permitted. Panaya countered that each employee was aware of the fact that the company occasionally monitored and reviewed employees' mail, and therefore, this did not invade Isakov’s privacy.
In the second case, Ron Fisher was a senior manager, employed for over 20 years by Afikei Mayim, an agricultural cooperative in the Beit Shean Valley. The employer suspected Fisher of using its trade secrets to run a competing business. Afikei Mayim fired Fisher and supported its action with e-mails from Fisher’s private e-mail account and from paper copies of the e-mails, which Fisher had thrown in his work garbage can.
Summary of the Regional Labor Court Rulings
In Isakov, the Regional Labor Court ruled that there was no violation of the privacy or eavesdropping laws because Panaya provided its employees with mailboxes mainly for professional purposes and informed them that monitoring activity of such mailboxes could occur. The court reasoned that Isakov was aware that the content of her e-mails could be reviewed by Panaya and therefore gave implied consent to any supposed invasion of privacy.
In Fisher, the Regional Labor Court ruled that the company had violated Fisher's privacy and therefore refused the e-mails as evidence.
Summary of the Israeli National Labor Court Ruling
In determining both cases, the Israeli National Labor Court unanimously establishes sweeping principles for what employers are permitted to do in monitoring employee e-mails. These principles significantly increase the privacy rights of employees. In Isakov, the National Labor Court reversed the decision of the Regional Labor Court, accepted Isakov's appeal and decided that the e-mail correspondence submitted by Panaya was not admissible as evidence. The court criticized Panaya for failing to maintain a clear e-mail policy; failing to evaluate less-invasive alternatives for monitoring its employees, and failing to obtain Isakov's informed, willing, written consent to the monitoring activity. In Fisher, the National Labor Court rejected the e-mails as evidence due to the serious invasion of privacy by the employer when it reviewed the private e-mail account of its employee.
A substantial part of the court's decision was devoted to addressing the tension between the employer's prerogatives and proprietary rights in computer equipment weighed against the employee's right to privacy at the workplace. In balancing these rights, the court decided in favor of the employee's right to workplace privacy, noting that monitoring and inspecting an employee's personal e-mail constitute a significant invasion of privacy and may only be permitted under the specific terms and conditions detailed below.
General Principles for Monitoring Employee E-Mails
The court established several general principles for employers to follow prior to and during, monitoring activity:
E-Mail and Computer Use Policy
- Employers must have a clear, written, e-mail and computer use policy that addresses employees' permitted use of the information technology available in the workplace and use limitations and restrictions; circumstances in which employees will be monitored; information about the employer's monitoring tools and technology; how long monitored information is retained by employers, and the employer’s intended use of such information.
- The e-mail policy should be attached to the employment agreement and approved by the employee.
- If the company has an employee handbook, the e-mail policy should be included.
- Employers should appoint a privacy officer to raise awareness of privacy issues and enforce the e-mail policy.
Employers must limit monitoring to circumstances in which it may suffer severe damage—such as criminal or other harmful activity of the employee. Monitoring may only take place if it is proportional, measured in light of the potential harm to the employer and only to the extent there are no less invasive alternatives. The court suggested that automated monitoring or blocking software would be less invasive than human monitoring of e-mail.
Monitoring employees' private information must be founded on a specific, clear and legitimate purpose and employers may not use the information gathered from the monitoring for a purpose other than the purpose for which the monitoring was performed.
Employers must obtain employees' informed, willing, written consent to the monitoring. In order to meet the "informed consent" requirement, employers must disclose to employees the nature of the monitoring tools, the purpose of the monitoring and how long monitored data will be retained. There are two types of consent, general consent to the e-mail policy and specific consent to each instance of monitoring.
Mailbox-Specific Monitoring Restrictions
The court distinguished between four different types of employee mailboxes and established different rules for each type of mailbox. These specific rules are in addition to the general standards detailed above which apply to all monitoring activity.
Monitoring of a "Professional Mailbox"
- A “professional mailbox” is a mailbox provided by employers for professional purposes only and employees are restricted from using it for their private needs.
- Employers are required to inform employees of use restrictions and of the employer's ability to monitor e-mail correspondence.
- Employers are required to obtain general consent to monitor professional correspondence, but are not required to obtain consent for each individual instance of monitoring such correspondence.
- As for personal correspondence, although the employee is not authorized to engage in such correspondence, the employer is nevertheless prevented from reviewing its content without the employee's specific consent.
Monitoring of a "Mixed Mailbox"
- A “mixed mailbox” is a mailbox provided by the employer for both professional and personal purposes. Most employers these days tend to provide mixed mailboxes where e-mail is used for both professional and personal purposes.
- Monitoring professional correspondence in the mixed mailbox only requires the general adherence to the company's e-mail policy. Specific consent for each instance of such monitoring is not required.
- Reviewing; i.e., actually inspecting and reading e-mail content, as opposed to merely monitoring personal correspondence in the mixed mailbox requires the employee's specific consent in each instance. In accordance with the High-Tech Sector Agreement from 2008 on E-mail Monitoring and Computer Use, which was referred to on several occasions in Isakov, employers may be required to notify employees that they have a right to be present during such review of e-mail.
Monitoring of an "Employer-Provided Personal Mailbox"
- This mailbox is provided by the employer for the employee’s personal purposes only.
- Any type of monitoring of the personal mailbox—whether actually inspecting the content of e-mails or just monitoring subject lines of the e-mails or other parameters, such as size of the e-mails—regardless of the type of correspondence, personal or professional, requires the employee’s specific consent in each instance.
Monitoring of Employee’s Private Mailbox
- A private mailbox is a mailbox privately held by the employee, such as Hotmail or Gmail, which may be accessed via the workplace’s Internet connection.
- Monitoring of the private mailbox by the employer is prohibited without a court order.
Summary and Recommendations
Based on the holding and rationale in Isakov, we would recommend that Israeli companies
- Maintain an e-mail policy that covers the issues detailed above and clarifies the type of mailbox provided by the company to employees and any use restrictions. The policy should be updated as the company uses new technologies.
- With regard to new employees, revise the company's current template employment agreement to include the e-mail policy and have each new employee agree to the policy in writing as part of the employment agreement.
- With regard to existing employees, present the e-mail policy and obtain their voluntary consent in writing. It is best to do so as an amendment to their employment agreement.
- If an employer wishes to actually inspect the content of e-mails, we suggest obtaining legal advice prior to such action, as the proper course of action is dependent on the specific facts involved and the consequences of incorrect action may be significant.
- Include the e-mail policy in the company’s employee handbook.
- Appoint a chief privacy officer.
- Use technological means to conduct monitoring instead of "human eye" monitoring.
- Evaluate the least invasive technological means available for monitoring to accomplish the company's objectives, and document why the relevant technologies were selected.
Although this 92-page decision is comprehensive, it raises many unanswered questions about how certain monitoring activities are categorized. Is reviewing the subject lines of e-mails an actual inspection of the content of e-mails or not? What about analyzing the "recipients" of the e-mails? How about the format of attached files to see if an employee is sending music or video files? Due to these and other ambiguities, we expect that future cases will further refine the contours of permissible monitoring of employee computer activity.
Potential Impact in the U.S.
While this case will not likely directly impact e-mail privacy in the U.S., it does reflect a general trend of increased sensitivity by the courts outside the U.S. to e-mail privacy. Earlier this year, in the Ontario case of R. v. Cole, a court found that a teacher did have a reasonable expectation of privacy in the files on his laptop, which the school issued to him for his exclusive personal use on weekends. The teacher allegedly had sexually explicit photos of a student. The teacher was arrested after the school investigated the matter and surrendered the laptop to the police. The teacher appealed to the court, which held that the teacher had a reasonable expectation of privacy and that the police's warrantless search was illegal.
In the U.S., however, there is a long line of cases—see, for example, the 2006 case of US v. Ziegler—holding that employees only have protection if, first, they subjectively expected that their computer activity was private and, second, that this expectation was objectively reasonable. As long as employers have an e-mail policy stating they can search employees' computers, or employers routinely search computers, and make this known to employees, courts have consistently held that employees do not have an objective, reasonable basis to believe that their online communications are protected.
It will be interesting to see if any U.S. courts adopt this Israeli decision and strike down employer Internet use policies that provide broad and unlimited searches of employee computers.
David Mirchin chairs the Information Technology and Data Protection Practice of Meitar, Israel’s leading international law firm. He teaches Internet law at the Law School of the Interdisciplinary Center Herzliya and has written two books on U.S. copyright law. He may be reached at email@example.com.