EU Balks at Employee Monitoring

By John Wagley
Many companies have sophisticated network tools that can monitor user activity, including e-mails and Web surfing.
In the United States, the courts have ruled generally that employee monitoring is legal as long as employees are given notice. But in the European Union (EU), the laws are starkly different, which is important for any multinational firm doing business within Europe.
Many EU member countries require written, individual consent for any form of monitoring whatsoever, says Lothar Determann, a partner in the Palo Alto, California, office of the law firm Baker & McKenzie. Even then, such permission can be (and has successfully been) challenged; in one case, the permission was dismissed based on the nature of the employee-employer relationship.
Employee monitoring in the EU should be avoided “to the greatest extent possible,” said Arabella Hallawell, a vice president at Gartner Research, speaking at the recent Gartner Information Security Summit. Companies should refrain from generating any report that identifies individual employees, she said. Any kind of “fishing trip” should be strictly avoided.
One way to avoid potential employee lawsuits is to use anonymization, or masking, software, she said, which vendors and third parties are increasingly offering for use with network security tools. Organizations must decide what kinds of information should be masked. Once the system is deployed, she added, only a limited number of managers should be able to change the controls.
Many organizations in Europe use masking software with data loss prevention (DLP) tools, she said. If, for example, an employee wanted to generate a report on DLP-related activity, such as e-mails containing sensitive data that might have been blocked, the report might exclude information such as specific employee e-mail addresses. Another increasingly popular type of tool, called a security information management (SIM) solution, can analyze and cross-reference myriad data logs from throughout the network, but such tools are slightly more problematic to use within the EU legal framework, Hallawell said.
If suspicious activity is detected, the company should have procedures in place for investigating it. One example might be a large number of e-mails sent around the time of a sensitive business deal. In such a situation, IT staff could discuss the suspicious activity with the legal and human resources departments to help assess whether further investigation is warranted and to ensure that any inquiry (which could include reviewing unmasked data) would be conducted legally.
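The masking-then-review workflow described above can be sketched in a few lines. This is an added illustration, not code from the article or from any vendor's product: it replaces sender addresses in a DLP report with keyed pseudonyms and resolves one only after legal and HR sign-off. The sample events, the key, the function names and the approval set are all constructed assumptions.

```python
import hashlib
import hmac
from collections import Counter

# Constructed sample DLP events; addresses and policy names are made up.
EVENTS = [
    {"sender": "a.meyer@example.com", "policy": "deal-docs", "action": "blocked"},
    {"sender": "a.meyer@example.com", "policy": "deal-docs", "action": "blocked"},
    {"sender": "a.meyer@example.com", "policy": "deal-docs", "action": "blocked"},
    {"sender": "j.dupont@example.com", "policy": "card-numbers", "action": "blocked"},
    {"sender": "j.dupont@example.com", "policy": "card-numbers", "action": "allowed"},
]
MASKING_KEY = b"constructed-demo-key"  # assumption: held by a few named managers
REQUIRED_APPROVALS = {"legal", "hr"}   # assumption: modelled on the review step above


def pseudonym(email, key):
    """Keyed, stable token for an address; not reversible without the key."""
    digest = hmac.new(key, email.lower().encode(), hashlib.sha256).hexdigest()
    return "user-" + digest[:12]


def masked_report(events, key):
    """Count blocked e-mails per pseudonym; no address appears in the output."""
    return Counter(pseudonym(e["sender"], key) for e in events if e["action"] == "blocked")


def flag_unusual(report, threshold):
    """Pseudonyms whose blocked-message count reaches the threshold."""
    return sorted(token for token, count in report.items() if count >= threshold)


def unmask(token, events, key, approvals):
    """Resolve one pseudonym, only after every required sign-off is recorded."""
    missing = REQUIRED_APPROVALS - set(approvals)
    if missing:
        raise PermissionError("missing sign-off: " + ", ".join(sorted(missing)))
    for e in events:
        if hmac.compare_digest(pseudonym(e["sender"], key), token):
            return e["sender"]
    return None


if __name__ == "__main__":
    report = masked_report(EVENTS, MASKING_KEY)
    print(dict(report))
    for token in flag_unusual(report, threshold=3):
        print(token, "->", unmask(token, EVENTS, MASKING_KEY, {"legal", "hr"}))
```

Because the token is a keyed HMAC rather than a plain hash, someone who sees only the report cannot confirm a guessed address without the key.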
Companies should approach employee monitoring on a country-by-country basis in the EU, says Determann. Several countries, including France and the Netherlands, require filings with labor authorities; others, such as France, Germany, Italy, and the Netherlands, require employers to consult or at least notify trade unions or similar representative bodies before using any form of surveillance.

As a rule, it’s better to err on the side of too much disclosure when informing employees about monitoring, Determann says. Aside from protecting companies from privacy lawsuits, such a strategy could have other benefits, he says, such as preventing an employee from committing certain crimes.



Companies outside the EU

Companies outside the EU must also approach employee monitoring with tact. While it is understandable that cameras are required to prevent theft, drug use or violence, there is also a need to respect your staff’s right to privacy. If you have one or if you are going to install one, do speak to every employee about it, and make sure that the cameras are kept in full view and installed in reasonable areas, outside dressing rooms or bathrooms, for example.





Employee monitoring is a

Employee monitoring is a delicate matter, since everybody has concerns over their privacy at work. I insisted on adding privacy terms in my employment contract because we have security surveillance cameras at work and I wanted to have some personal space, so I got the manager to move some of them.

