What Does the Criminal Conviction for Privacy Law Violations of Three Google Executives in Italy Mean for Multi-National Employers in the U.S.?

Posted on March 9, 2010 by Privacy and Data Protection Practice Group

On February 24, 2010, a Milan court convicted Google’s Chief Legal Officer, Global Privacy Counsel, and a former member of Google Italy’s board of directors for violating Italian privacy law and imposed a six-month, suspended jail sentence. The case stemmed from a posting on Google Video® — a YouTube® predecessor — of a video depicting several teenagers bullying a classmate with Down’s Syndrome. Although the Google executives had no involvement in either the posting or in the decision whether and when to remove it, Italian law imposes criminal liability on senior executives for the actions of the corporation. Prosecutors alleged that Google should be held responsible not only for permitting the video to be posted in the first instance, but also for allegedly not having acted quickly enough to remove the video after receiving a complaint.

The convictions have wide ranging implications for e-commerce, but what are the implications for global businesses with employees in the European Union?

First, the Google convictions serve as an important reminder that government authorities in the E.U. are serious about enforcing data protection laws. Thus, U.S.-based multi-nationals need to confirm that their local affiliates are complying with local data protection law. Of equal importance, international transfers of employee data to the U.S. — for example, for inclusion in a centralized human resources data base — must satisfy local data protection requirements. Even after the employee data has been received in the U.S., data protection requirements (in addition to any imposed by U.S. law) will apply.

Second, the Google convictions highlight for U.S. employers a critical distinction between U.S. and E.U. privacy law. Under U.S. law, an employer’s legitimate business interests typically trump an employee’s countervailing privacy interests. U.S. employers, for example, have substantial leeway in conducting workplace video surveillance and searches of employees to prevent theft or deter workplace violence. In the E.U., privacy is a fundamental right that, as the Google convictions demonstrate, does not give way even to the freedom of expression so cherished and zealously protected in the U.S. According to the Italian prosecutor, protecting the dignity of the bullying victim took precedence over Google’s commercial interests, including its interest in being a platform for expression and communication over the Internet.

Finally, “privacy” in the E.U. is conceptually far broader than the “right to be left alone” underpinning U.S. privacy law. In the E.U., “privacy” encompasses the notion of data protection. Consequently, any use of individually identifiable information about a natural person — even a business e-mail address and phone number — is presumed unlawful unless the possessor of that information (known in E.U. law as the “data controller”) has a lawful justification for using the information. This prophylactic approach contrasts starkly with U.S. law which permits the use of personal information at the possessor’s discretion unless the law expressly prohibits or restricts the use. Moreover, such prohibitions and restrictions typically are confined to discrete categories of employee information, such as health information.

In short, the Google convictions should serve as a blinking yellow light to every U.S. employer with operations in the E.U., warning employers to consider potential implications under E.U. data protection law before using individually identifiable information about any employee who resides in the E.U.

This entry was written by Philip L. Gordon.
Tags: , , , ,
  • Email This
  • Print
  • Trackbacks
  • Share Link

Defeating Liability For Employees' Off-Duty Internet Activity

Posted on November 30, 2009 by Privacy and Data Protection Practice Group

Sometimes cases with disgusting facts provide good law for employers. A case recently decided by the Wisconsin Court of Appeals proved that point in reversing a $1.4 million judgment on claims for negligent training and supervision against a security company based on the off-duty Internet activities of one of its employees.

As security manager at a Polaris Industries facility, Troy Schmidt an employee of Polaris’ security provider, was responsible for creating identification badges of Polaris employees using photographs stored on a Polaris database. Schmidt copied the photographs of approximately thirty, female Polaris employees to a flash drive, printed them at home, ejaculated on them, and posted the adulterated photographs on an adult website that he created through Yahoo!.

Polaris promptly took control of the efforts to reverse the harmful effects of Schmidt’s bizarre conduct. Polaris took the following steps:

  • Investigated and determined that Schmidt was the likely perpetrator;
  • Contacted Yahoo! to request the removal of the photographs;
  • Met with Schmidt and obtained his admission to the conduct;
  • Obtained Schmidt’s agreement to de-activate the website;
  • Obtained confirmation from Yahoo! that Schmidt had de-activated the website;
  • Met with police personnel (who declined to prosecute).

After learning of the matter from Polaris, Schmidt’s employer, the security company, offered to provide assistance, participated in the interview of Schmidt, and fired him shortly after hearing his admission. Notably, the ten plaintiffs sued only the security company and not Polaris.

In reversing the large judgment against the security company, the Wisconsin Court of Appeals pronounced a rule that should provide a measure of relief for all employers: “[E]mployers have no duty to supervise employees' private conduct or to persistently scan the world wide web to ferret out potential employee misconduct.”

Beyond that pronouncement, the court emphasized several other factors. Schmidt’s conduct was “bizarre and unexpected,” indeed “unimaginable.” The security company had trained Schmidt in sexual harassment, employee theft, and his duty to comply with Polaris’ computer usage policy. The security company had no reason to know that Schmidt might engage in Internet abuse. The security company cooperated in Polaris’ response to the incident to the extent permitted by Polaris.

The court’s rejection of a duty to monitor employees’ off-duty Internet activities appears to provide employers with an unbeatable defense in cases like this one. Still, the result might have been different had Schmidt’s employer not provided training, or if Polaris and the security company had not acted promptly once the offending conduct became known. Consequently, when there is a tight nexus between an employee’s job duties and an employee’s off-duty Internet abuse, employers should consider taking some of the proactive measures that Polaris and the security company took. Such measures might not only help to defeat liability but prevent the filing of a lawsuit in the first place.

This entry was written by Philip L. Gordon.

Photo Credit: Matthew Bowden
Tags: , , , , ,
  • Email This
  • Print
  • Trackbacks
  • Share Link

Web-Based E-mail Accounts Accessed At Work: Private Or Not? Look To The Handbook

Posted on March 24, 2009 by Privacy and Data Protection Practice Group

Employers often put employees on notice, through an electronic resources policy, that communication via company e-mail accounts is not private. Far fewer policies, however, address employees’ use of their personal Internet-based e-mail accounts using company computer resources. What should an electronic resources policy tell employees on that subject?

A recent New Jersey case, Stengart v. Loving Care, sheds some light on the answer. Before Maria Stengart resigned and sued Loving Care, her employer, she e-mailed her lawyer through her personal web-based account from her company-issued computer with Loving Care’s Internet access. With the help of a computer forensic expert, Loving Care was able to recover temporary files stored on the hard drive of the company-issued computer which contained copies of Stengart’s attorney-client communications. (Employers should note that many web-based e-mail applications leave such temporary files on the hard drive of the sender’s computer).

When Stengart discovered that Loving Care’s lawyers planned to use her e-mail in the litigation, she objected. The trial court was asked to decide whether the e-mail, sent during work hours on a company laptop, was protected by the attorney-client privilege. The court held that it was not.
 

Key to the decision was the following company policy: “[I]nternet use and communication . . . are considered part of the company’s business and client records. Such communications are not to be considered private or personal to any individual employee.” Put another way, Loving Care told its employees that their Internet use is not private. Stengart’s Internet-based e-mail fell squarely within the policy. As a result, she could not claim the e-mail was protected by attorney-client privilege.

There are two important takeaways for employers. First, be specific about online privacy using the company’s electronic resources. In particular, tell employees that they should not use the company’s Internet connection to access personal e-mail accounts for purposes of conducting company business or to send any e-mail that they wish to keep private.

Second, ensure that you can prove each employee knows the rules. Stengart tried to claim that she was not aware of Loving Care’s Internet policy. The trial court rejected that argument because she was a long-time employee with significant management responsibility. Lower-level, shorter-term employees may have a more credible argument. To defeat that argument before it is made, employers should document that each employee has acknowledged receipt of the company’s electronic resources policy.

This entry was co-authored by Philip L. Gordon and Kate H. Bally.
Tags: , , , , ,
  • Email This
  • Print
  • Trackbacks
  • Share Link

It's Time To Dust Off Your "Use Of Electronic Resources Policy"

Posted on August 29, 2007 by Philip Gordon

Certain provisions of employer policies governing the use of electronic resources have become mantra:  “Employees should have no expectation of privacy in their e-mail or Internet use”; “Employer reserves the right to access, monitor, and review any communication sent or received using corporate communications resources”; “Corporate communications resources can not be used to send or receive harassing, pornographic, or offensive messages,” etc.  But, employers who do not want their policies to become anachronistic should review and update those policies regularly to stay abreast of new technologies and new uses of technologies flooding the workplace as well as recent developments in pertinent case law.  Here are a few changes to consider.  We will follow with more in future blog entries:

            Blogging:  Blogging by employees is common.  With more than 70 million blogs on the World Wide Web and nearly 1.4 million new blog entries daily, employers need to consider the impact that employee blogging may have on their business and workplace.  Employers who do not endorse blogging should consider adding to their electronic resources policy a provision which bars employees from using corporate communications resources to view or post to any blog that is unrelated to work.  Employers also should consider a separate blogging policy to address off-duty blogging on the employee’s own time. 

            Video In The Workplace:  That employee who has spent the last three hours glued to her computer monitor without pause may be watching Gone With The Wind.  According to a recent Pew Foundation study, 57% of online adults have used the Internet to watch or download video, and 19% do so on a typical day.  Three-quarters of broadband users (74%) who enjoy high-speed connections at both home and work watch or download video online.  Employers who do not currently prohibit viewing or downloading video unrelated to work should now consider doing so before “bandwidth hogs” interfere with business operations.

            Web-Based E-Mail:  According to a report in the New York Times earlier this year, employees frequently rely on their personal Web-based e-mail accounts to conduct business or to store business-related material.  This trend raises a host of issues for employers including the inability to monitor the messages, if necessary, and the difficulty of preserving the messages as part of the litigation hold process.  Employers should consider barring employees from using personal Web-based e-mail for business purposes.

            Electronic Communications May Be Disclosed To Law Enforcement:  Recent cases, such as United States v. Ziegler, Doe v. XYC Corp., and United States v. Angevine, suggest that child pornography in the workplace is becoming all too common.  When the child porn is disclosed to law enforcement authorities without a warrant, the employee may be able to succeed in suppressing the evidence, thereby defeating the criminal investigation – as happened in United States v. Long, 64 M.J. 57 (C.A.A.F. 2006).  Employers can make this result less likely by warning employees that their electronic communications may be disclosed to law enforcement authorities if they create a suspicion of criminal conduct.
Tags: , , , , ,
  • Email This
  • Print
  • Trackbacks (1)
  • Share Link