One of the aspects of digitalization is that it blurs the lines between personal and professional lives of employees. Such acknowledgement is reflected in EU and French laws, notably with regard to teleworking and the right to privacy in the workplace.
I. Teleworking and the right to disconnect
The French Statutory Order of 22 September 2017 (n°2017-1387) on predictability and security of labor relations provides a legal framework for teleworking.
First, it states that, in principle, teleworking must be regulated based on a collective agreement or by a charter specifically set up by the employer after consultation of the work’s council. This collective agreement or charter should specify :
Second, if the employee and his/her employer deems teleworking adequate for a specific purpose or in certain circumstances (e.g. where no public transportation is available), it may be agreed upon – in the absence of any collective agreement or charter – on a case by case basis by a simple agreement between the employee and his/her employer (e.g., an exchange of emails).
Thirdly, teleworking is almost a right, but in no way an obligation for the employee. On the one hand, the employer cannot refuse a request for teleworking based on a collective agreement or a charter, unless this refusal is precisely motivated. On the other hand, in case of refusal of teleworking, an employee does not incur any breach of his/her employment contract.
Fourth, teleworkers benefit from social coverage. An accident which occurs at home during teleworking hours is presumed of occupational nature: in that case, the compensation granted to the employee is the same as if he/she has had a workplace accident.
As a way to reconcile private and professional lives of employees, French law expressly recognizes the “right to disconnect”. First introduced as part of an Act adopted in 2016, such right is now regulated by the Statutory Order of 22 September 2017 (n°2017-1385) on the strengthening of collective bargaining.
The right to disconnect has not been defined by this text. However French case-law has long contained the seeds of such right which echoes to the traditional right to rest periods at work. In 2004, the French Supreme Court for civil and commercial matters (ruling on 17 February 2004, no 01-45.889) ruled that the fact for an ambulance driver to have abstained answering to an emergency call during his lunch break was not punishable since he was not on duty. Likewise, the same Court (ruling on 29 June 2011, no 09-71.107) considered that company executives who, due to their status, enjoy a larger autonomy to organize their work had the right to reserve non-working time as long as they effectively perform their duty. Such flexibility is what teleworking is about.
Under the 2017 Statutory Order, the right to disconnect must compulsorily be debated on an annual basis at the occasion of the collective bargaining on "professional equality and quality of life" at the company level.
In line with such idea of flexibility regarding rest periods, the European Court of Justice (ruling on 15 November 2017, no C-306/16) interpreted the 2003 directive (no 2003/88/EC) on the organization of working time granting every worker a minimum uninterrupted weekly rest period of 24 hours in the way that this rest period doesn’t have mandatorily to be provided the day following a period of six consecutive working days.
However, more autonomy to self-organize one’s professional life concomitantly implies tracking teleworkers’ activity and attendance notably through mobile devices (e.g. GPS apps integrated in employees’ smartphones). GPS can be aimed at monitoring the location and movement of a vehicle, or at ensuring compliance with safety regulations, whose violation may expose the company to certain liability.
In that respect, the right to disconnect, along with the tracking of the teleworkers’ activity and location are framed not only by French labor Law still quite disparate, but also by EU data protection law: currently the Directive 95/46 / EC dated 24 October 1995 but soon to come the General Data Protection Regulation (“GDPR”), which will enter into force on 25 May 2018. Given the necessary mobility of workers, one can thus expect a more unified framework with regard to the employees’ right to privacy in the workplace, as well as where teleworking takes place.
II. Working at the employer’s premises and employees’ right to privacy
The right to privacy in the workplace has long been recognized by French Courts. In the famous Nikon case (ruling on 2 October 2001, no 99-42.942), the Supreme Court in civil and commercial matters ruled that an employer has no access to its employees’ messages sent or received by email on the company computer tool and identified as “personal”. This applies even where of an employee is on extended sick leave (ruling on 7 April 2016, no 14-27.949). The same principles apply to employee’s files identified as "personal" (and not only emails), whose access is denied to the employer (ruling on 26 January 2016, no 14-15.360 ).
As the logical corollary, emails not mentioned as "personal" do not benefit from the protection of the confidentiality of correspondence (ruling on 10 February 2015, no13-14.779, see also ruling on 1st June, 2017, no 15-23.522).
Besides French Law, reference must be made to the European Court of Human Rights’ case-law which has introduced specific criteria to assess the protection of privacy in the workplace.
In the absence of a European consensus on the right to privacy in the workplace, the ECHR has established the fundamental guarantees to be observed by employers. In Barbulescu v/Romania - dated 5 September 2017 (Decision no 61496/08, §120 and 121) – the Court underlines the need to circumscribe employers monitoring of their employees’ correspondence and other communications so to provide “adequate and sufficient safeguards against abuse”. Mr. Barbulescu, a sales employee who had created a Yahoo messenger account to communicate with his clients was dismissed for having used this account for familial purposes. In an 11 to 6 ruling, the Court found that his privacy rights had been violated.
The ECHR considered that the Romanian Court, whose judgement was challenged should have checked the following elements (i) whether the employee had been informed of the monitoring of his correspondence and other communications; (ii) the degree of intrusion into his privacy, based on the distinction between monitoring of the flow of communications and their content; (iii) whether the employer had provided legitimate reasons to justify this monitoring; (iv) whether less intrusive methods and measures would have been sufficient; (v) the consequences of the monitoring on the employee.
Interestingly, such conditions directly refer to the principles provided for by the Directive 95/46 /EC dated 24 October 1995 and the GDPR which will replace it on 25 May 2018: loyalty, transparency, lawfulness of data collection, minimization of data, limitation of purposes.
Indeed, private communications fall well within the EU definition of personal, notably with that of the GDPR. It is therefore up to the employer to prove that data are collected and monitored “for specified, explicit and legitimate purposes”, and that their “processing is necessary for the purposes of the legitimate interests pursued”. As such, control of a specific employee's communications, in order to detect misconduct or fraud, is deemed legitimate and does not logically require the subject’s consent. Such control may, for instance, occur following a whistleblowing alert.
In an opinion of 9 April 2014 (no 06/2014), the Working Party 29 (“WP29”), which gathered the 28 National Data Protection Authorities of the EU sets out three conditions to be met for a legitimate interest to be recognized: to respect applicable EU and national law (for instance labor law); to be sufficiently specific to safeguard the interests and fundamental rights of the data subject; to concern a current interest and not a speculative one. Amongst the various examples of legitimate interest, the prevention and detection of fraud, misuse of services, or money laundering are quoted, as well as monitoring for safety or management purposes and whistle-blowing schemes.
Even if legitimate, controlling and monitoring must be proportionate. The WP29 considers, for instance, that instead of permanently monitoring the use of its employers’ computers, the employer could preferably use less intrusive methods, such as limiting accessibility of certain websites. More precisely, in its Opinion on data processing at work (8 June 2017, no 2/2017) the WP29 stated that the employer has an obligation to conduct a proportionality test to ensure “that infringements on the right to private life and the right to secrecy of communications are limited to the minimum necessary”.
Even though the EU enjoys a limited jurisdiction over workers’rights, through data protection, these rights will be more unified and hopefully more tailored to the digital age. The example of workers’ privacy in the workplace and at home while using teleworking is illustrative of the challenges at stake, that is increasing flexibility and mobility without weakening their fundamental rights.