Friday, February 07, 2014

Digital Surveillance and Privacy Invasions

The prime law in this area is the Electronic Communications Privacy Act of 1986, an amendment to Title III of the Omnibus Crime Control and Safe Streets Act of 1968, commonly known as the "wiretap law." The ECPA was adopted initially to govern third-party interceptions of electronic communications, not to govern employers' rights to monitor their workers. (All states have their own wiretapping” statues that either mirror the federal law or provide their own unique spin in the federal law.)

The ECPA provides civil and criminal penalties for any person who intentionally intercepts, uses, or discloses "any wire, oral, or electronic communication." The term "electronic communication" is defined as "any transfer of signs, signals, writing, images, sounds, data, or intelligence of any nature transmitted in whole or in part by a wire, radio, electromagnetic, photo-electronic or photo optical system that affects interstate or foreign commerce."
Essentially, the ECPA prohibits the interception, use or disclosure of electronic communications to which the interceptor, user or person making the disclosure is not a party – it requires the involvement of a third-party. This is called the “one consent rule.”  One party to the communication can give their consent to its interception, use or disclosure, without violating the ECPA.
The two prime exceptions to the ECPA afford employers broad rights to monitor their employees: An employer may monitor an employee's conversations if the monitoring occurs in the ordinary course of business or with the employee's implied consent.
Most of the cases developed under the ECPA involve criminal justice and investigatory wiretaps of telephone and e-mail communications. Until recently, most of the case law in the civil application of the ECPA involved monitoring telephone communication.
The ECPA also contains a "business exclusion exemption" that exempts interceptions made by equipment "furnished to the subscriber or user by [a communications carrier] in the ordinary course of its business [and being used by the subscriber or user] in the ordinary course of its business." Under this exception, an employer may monitor phone calls made on an employer-supplied telephone system by attaching a device supplied by the employer. The courts look to whether a reasonable business justification exists for the monitoring, whether the employee was informed about the employer's right to monitor, and whether the employer acted consistently in connection therewith.
Additional federal and state legislation have been introduced to afford employees improved rights and weapons in the battle for more privacy. But, so far there's no federal law that requires employers to notify employees that their communications are being monitored. (Union members have protection not afforded to non-unionized workers. The NLRB ruled that the monitoring of employee digital communications and activities. Os a collective bargaining issue.)
Many states have adopted their own version of the ECPA, and some require the consent of both parties for non-exempt interceptions (as opposed to the one-consent ECPA rule). In addition to the state versions of the ECPA, state laws include constitutional provisions, statutes and common law (law that has been developed through case-by-case review and, in the United States is as much part of the law as a statute).
Common Law And Invasion Of Privacy
Given the lack of protection afforded by the ECPA against employee monitoring, the few state-adopted privacy statutes, and the failure of states to adopt legislation protecting employee privacy rights, many employees are seeking recourse under common-law rights of action. Typically, they seek relief under the common-law tort of invasion of privacy. Invasion of privacy laws don't exist in all states, and in some cases, statutes labeled as "privacy invasion" laws do not deal with privacy matters at all. In New York, for example, the privacy statute deals with protection of celebrities and others rights against the commercial exploitation of their images.
In the states that recognize the tort of invasion of privacy, a violation generally requires an intentional intrusion, "physical or otherwise, upon the solitude or seclusion of another upon his private affairs, or concerns if the intrusion would be highly offensive to a reasonable person."
One of the key conditions to successfully prosecuting an action for invasion of privacy is whether the person has a "reasonable expectation of privacy." Courts across the country are finding with more and more frequency that no reasonable expectation of privacy exists with e-mail or employee online communications. When the privacy policy or electronic use policy that we all click without reading explains their practices and that users have no expectation of privacy, it is hard to prove that your expectation was reasonable.
Whether they have a right to privacy under employment circumstances or not, many employees find the intrusion of digital surveillance and monitoring offensive. This makes it a practical problem, not a legal one.
Many employers are choosing to notify employees in advance that their activities may be monitored. These notices can be contained in a written e-mail policy or within an employee handbook. Under all circumstances, the employee should acknowledge them in writing and the employer should retain those written acknowledgements.

An employer simply can't let employees communicate on an e-mail system unmonitored–too many litigants will seek to hold the employer responsible for what is said and done. Employers should monitor, but do it wisely and consistently, and adopt a policy that works for them. They should also find a lawyer who can craft one, just for their business, rather than using one off the shelf. A carefully written, well-enforced policy is smart employee relations–and smart preventive law practice.