As above, the email regulation gives employees in Norway special protection against their employer monitoring them. The starting point is that it is usually illegal to monitor employees' use of electronic equipment, including the use of the internet. Exceptions apply only in two specific cases.
Section 2 of the regulation concerns (1) the employee's use of "electronic equipment" and (2) to the "monitoring" of that equipment by their employer. Taking each in turn.
The measure must relate to the employee's use of "electronic equipment"
"Electronic equipment" should be understood broadly, and the provision is intended to be technology neutral. Technical solutions developed in the future are also intended to be covered by these rules. This means that electronic equipment includes more or less everything that employees use in the workplace, as long as they are tools that collect or can be used to derive personal data. Examples of electronic equipment are computers, tablets, mobile phones, printers, etc.
The email regulation only applies in cases where the employer has given the employee the equipment for the purpose of using it in their work, but will apply when the employee uses the equipment privately.
The measure must be considered "monitoring"
The measure in question must also be considered "monitoring". What is meant by monitoring is not further defined in the regulation. By ordinary linguistic interpretation, "monitoring" will be when an employer collects data about employees in order to map conduct or attitudes.
The provision covers both the initial mapping of the use of electronic equipment and reviewing personal data. This means that collecting personal data, for instance through logging, is also covered, even if the employer does not necessarily review the data.
For a measure to be considered monitoring, it must exceed a certain threshold. It is not sufficient that there is a theoretical possibility that data can be used to check up on the employees.
What is required for there to be monitoring?
Since the regulation itself does not define which criteria must be present for a measure to be considered monitoring, it is difficult to classify whether a specific measure is to be considered monitoring or not. This is a nuanced area. Several factors will be important to determine whether a measure is monitoring.
The clearest cases of monitoring are when the main purpose of the measure is to check up on employees. This may, for instance, involve software specifically developed to collect, analyse and make available data about individual employees or "bossware".
Bossware can be used to measure employees' feelings, thoughts and opinions through e.g., recordings from webcams and automatic review of messages in internal chat channels. Bossware may also be able to measure work performance through, among other things, the number of keystrokes on the computer during a specific time period, use of social media during working hours, etc.
For measures that do not have monitoring as their main purpose, the employees' perception of being monitored will be an important factor in the assessment of whether the measure is to be considered monitoring. The measure in question must also be of a certain duration or take place repeatedly for it to be defined as monitoring. It is important to be aware that automatic forwarding of emails is considered monitoring of electronic equipment, because it is continuous. Isolated cases of access to emails are not considered monitoring, but frequent isolated cases of access might be.
The employer must have access to the personal data
For the provision to apply, it is also required that the employer has access to the personal data processed through the measure.