Can employers monitor their employees' use of electronic equipment?

The digital workplace is upon us. Digital office tools can record large amounts of information about employees. Workplace privacy is changing as new technologies become available to employers.

In this piece, we take a closer look on how an employee's privacy is protected in Scandinavia. Specifically, we analyse the legal boundaries for how employers may monitor their employees' use of electronic equipment. In Norway, workplace privacy has strong traditions, and the monitoring of employees' electronic equipment is restricted. There are, however, exceptions. In Denmark, workplace privacy is also strongly protected, and it is only possible for employers to monitor employees' electronic equipment under certain conditions. In Sweden, the situation is different, as there is no specific legislation that restricts employers from monitoring employees' use of electronic equipment, but the general rules of the GDPR will come into play.

We are constantly leaving digital traces in the workplace. Employees use the tools made available to them by their employer and it can be difficult for them to know what data is collected and what traces they leave.

The Norwegian email regulation regulates when employers may access their employees' email and other electronically stored material. Section 2 paragraph 2 of the regulation imposes a general ban on monitoring employees' use of electronic equipment. The provision reads:

"The employer is not entitled to monitor the employee's use of electronic equipment, including the use of the internet, unless the purpose of the monitoring is

a. to manage the company's computer network or

b. to uncover or investigate security breaches in the network."

The email regulation applies to both present and former employees. Monitoring of contractors or customers is not covered by these rules and is only regulated by the Personal Data Act and the General Data Protection Regulation.

As above, the email regulation gives employees in Norway special protection against their employer monitoring them. The starting point is that it is usually illegal to monitor employees' use of electronic equipment, including the use of the internet. Exceptions apply only in two specific cases.

Section 2 of the regulation concerns (1) the employee's use of "electronic equipment" and (2) to the "monitoring" of that equipment by their employer. Taking each in turn.

The measure must relate to the employee's use of "electronic equipment"

"Electronic equipment" should be understood broadly, and the provision is intended to be technology neutral. Technical solutions developed in the future are also intended to be covered by these rules. This means that electronic equipment includes more or less everything that employees use in the workplace, as long as they are tools that collect or can be used to derive personal data. Examples of electronic equipment are computers, tablets, mobile phones, printers, etc.

The email regulation only applies in cases where the employer has given the employee the equipment for the purpose of using it in their work, but will apply when the employee uses the equipment privately.

The measure must be considered "monitoring"

The measure in question must also be considered "monitoring". What is meant by monitoring is not further defined in the regulation. By ordinary linguistic interpretation, "monitoring" will be when an employer collects data about employees in order to map conduct or attitudes.

The provision covers both the initial mapping of the use of electronic equipment and reviewing personal data. This means that collecting personal data, for instance through logging, is also covered, even if the employer does not necessarily review the data.

For a measure to be considered monitoring, it must exceed a certain threshold. It is not sufficient that there is a theoretical possibility that data can be used to check up on the employees.

What is required for there to be monitoring?

Since the regulation itself does not define which criteria must be present for a measure to be considered monitoring, it is difficult to classify whether a specific measure is to be considered monitoring or not. This is a nuanced area. Several factors will be important to determine whether a measure is monitoring.

The clearest cases of monitoring are when the main purpose of the measure is to check up on employees. This may, for instance, involve software specifically developed to collect, analyse and make available data about individual employees or "bossware".

Bossware can be used to measure employees' feelings, thoughts and opinions through e.g., recordings from webcams and automatic review of messages in internal chat channels. Bossware may also be able to measure work performance through, among other things, the number of keystrokes on the computer during a specific time period, use of social media during working hours, etc.

For measures that do not have monitoring as their main purpose, the employees' perception of being monitored will be an important factor in the assessment of whether the measure is to be considered monitoring. The measure in question must also be of a certain duration or take place repeatedly for it to be defined as monitoring. It is important to be aware that automatic forwarding of emails is considered monitoring of electronic equipment, because it is continuous. Isolated cases of access to emails are not considered monitoring, but frequent isolated cases of access might be.

The employer must have access to the personal data

For the provision to apply, it is also required that the employer has access to the personal data processed through the measure.

The regulation defines two specific cases where monitoring of employees' use of electronic equipment could be considered legal. This applies to measures where the monitoring is carried out to manage the company's computer network, or when the measure is to uncover or investigate security breaches in the network.

It is only in these two cases that monitoring is legal. The regulation itself does not explain the exceptions in any more detail, so to understand their scope, the wording and purpose of the provision must be considered. The General Data Protection Regulation (GDPR) and the principles of data minimisation and purpose limitation are also key. The principle of data minimisation means that the employer must always assess what data is suitable and necessary to achieve one of the two legal purposes of the monitoring, while purpose limitation prohibits employers from using the data for new purposes incompatible with the original purpose.

So, what does the two exceptions involve?

The purpose is to manage the company's computer network

As above, the regulation makes an exception to the ban on monitoring employees' use of electronic equipment in cases where the purpose of the monitoring is to manage the company's computer network.

The exception is assumed to include all practical and technical measures necessary for the company's systems, networks, equipment, and software to function.

The purpose is to uncover or investigate security breaches in the network

An exception has also been made when the purpose is to uncover or investigate "security breaches" in the network. Security breaches include general breaches of information security. In short, information security is about ensuring that information is not disclosed to unauthorised persons, is not changed unintentionally or by unauthorised persons and is available when needed.

To safeguard information security, companies must identify risks and plan and implement appropriate measures to reduce those risks to an acceptable level. The exception relates to "uncovering" or "investigating" security breaches. A company might, for example, use tools that counteract security breaches, such as a spam filter. A spam filter is an application that identifies both viruses and other types of malware. If the spam filter identifies an email as spam, the email will be placed in quarantine. When an email is quarantined it is typically visible for the employer's "admin".

Logging is another tool that can be used to uncover or investigate security breaches. Logging keeps track of both current and past events in the company's systems. This involves, for example, the monitoring of incoming and outgoing traffic in a network to uncover abnormal traffic and potential network attacks. A well-known example of logging is the use of firewalls, logging of activity and access control.

If an employer is considering a measure that may be covered by the regulation's ban on monitoring employees' use of electronic equipment, a check should be carried out before the measure is implemented.

Under Swedish law, there is no specific act that regulates an employer's monitoring of their employees' use of electronic equipment. If, however, the monitoring involves processing of personal data, the employer must comply with the General Data Protection Regulation and Swedish national data protection legislation (i.e. Act containing supplementary provisions to the EU General Data Protection Regulation (SFS 2018:218)). If the monitoring is carried out with anonymized data this legislation will not apply.

First, the employer should inform the employees about how the electronic equipment may be used. An employer can monitor its employees' use of the electronic equipment, as long as the monitoring is not more intrusive than necessary.

Generally, the employer does not have the right to review the content of the employees' private files or emails. It is only permitted in case of serious suspicion of disloyalty or criminal behavior.

There must be a legal basis for the processing, for example the employer's legitimate interest. Consent does not serve as a legal basis for monitoring employees. In addition, it is important that the employer informs the employees about the monitoring/processing. This must be done no later than when the personal data are collected. The employer shall also inform the employees if they review the contents of the employees' private files or emails and under what conditions. The employer must also account for the principles in the General Data Protection Regulation. Purpose limitation and data minimization are two important principles to take into account when monitoring employees, but storage limitation is equally important, and personal data should not be kept for longer than is necessary for the purposes for which the personal data is processed. Some processing also requires an impact assessment to be carried out before the processing begins, for example if the employer systematically monitors how employees use the internet and e-mail.

In the Opinion of Article 29 Data Protection Working Party, it is stated that prevention should be given much more weight than detection. The employer should therefore see if preventive solutions can be used in the first instance, before deciding whether to monitor the employees' use of electronic equipment. The Swedish Authority for Privacy Protection mentions blocking websites as an example of a technical means to prevent misuse.

As with Norway, an individual's privacy in Denmark is also subject to a strong protection. It is, however, possible for an employer to monitor the employees' electronic equipment under certain conditions.

The protection of an individual's privacy in respect of an employer monitoring of their electronic equipment can be divided into two categories depending on whether you are covered by a collective agreement or not. The rules for those two categories are similar but not identical.

If the employee is covered by a collective agreement

The Danish model is the term for how the labor market in Denmark is organized. The Danish model is largely based on collective agreements.
The protocol to the DA (Confederation of Danish Employers (DA)/LO (the Danish Confederation of Trade Unions (hist.)) general agreement on control measures, regulates when and how employers may implement preventive control measures on their employees' use of email and other electronically stored material, unless the parties in a collective agreement have agreed otherwise.

The protocol's section 1 reads:
"The employer may, pursuant to management rights and in compliance with the provisions of the collective agreements, initiate control measures. Control measures must be objectively (sagligt) justified for operational reasons and have a reasonable purpose; they must not be offensive to the employees, and they must not cause the employees any loss or remarkable disadvantages. Control measures must be arranged so that there is a reasonable proportionality between purpose and means."

However, this is not the only conditions that the employer must fulfill. The employer must also notify the employees about new control measures.

The protocol's section 2 reads:

"The employer must notify the employees about new control measures no later than 6 weeks before they are implemented. However, this does not apply if the purpose of the control measures will thereby be lost, or if compelling operational reasons will prevent it. In that case, the employer must notify the employees as soon as possible, and explain why the 6-week deadline could not be met.".

Similar rules are found on municipal and governmental collective agreement areas which are largely based on the same principles laid down in the protocol between DA and LO.

In addition to the protocol, the General Data Protection Regulation (GDPR) and the Danish Data Protection Act applies in general under certain conditions as well as some specific legislation e.g., the Danish TV Surveillance Act. The basis for processing will be section 12(1) of the Danish Data Protection Act, if processing takes place as part of a control measure under a collective agreement on control measures.

If the employee is not covered by a collective agreement

The General Data Protection Regulation and the Danish Data Protection Act are applicable generally and regulate when employers may process personal data in an employment context, including situations of an employer's control measures. The area of control measures is also regulated by specific legislation, including the Danish TV Surveillance Act

Control measures of employees typically involve the processing of information about those employees, i.e., personal data. This means that the processing of information (the control measures) can only take place if there is a legal basis for the processing and if certain conditions are met, including the general conditions of objectivity (in Danish "saglighed") and proportionality. This is an individual assessment performed on a case-by-case basis.

As such, employers' registration (logging) of employees' website visits and subsequent review of the registration in case of suspected misuse of the internet and similar control measures of emails may take place if the above-mentioned conditions are met.
Employees must be informed in advance in a clear manner about the registration/logging that will take place and that the registration of website visits and use of emails may be reviewed as part of an inspection in case of suspected use in violation of workplace guidelines. The employer must comply with the information obligation in Article 13 or 14 of the GDPR.

However, the employer can refrain from informing employees about control measures if it would hinder the purpose of the control measure, cf. section 22 of the Danish Data Protection Act.