By Flemming Moos

Flemming Moos explores the workplace spying scandals that have rocked German businesses in recent months and have led to a hastened cry for passage of an Employee Privacy Act.

The cat was set among the pigeons when it was revealed last year that the major German retail chain, Lidl, which employs about 53,000 people in the nation, had systematically monitored its employees with hidden cameras. And what seemed to be a regrettable singular case at first glance quickly turned out to be just the first in a series of employee-spying scandals among German companies. Prestigious and well-established businesses such as national rail operator Deutsche Bahn, Airbus, and Deutsche Telekom, Europe’s biggest phone company, all confirmed they had conducted clandestine surveillance on their staff. The companies defended many of these activities as part of their efforts to root out corruption. In the case of the Deutsche Bahn, for example, the personal details—including names, addresses, and bank details of some 173,000 employees (including train conductors and others)—were compared with approximately 80,000 suppliers. In the case of Deutsche Telekom, officials tracked senior executives’ phone calls in order to identify the source in leaks of sensitive financial information to journalists.

Sanctions for unlawful spying on staff

In the wake of these privacy scandals, political leaders held an emergency summit in Berlin in February 2009. They agreed that an “Employee Privacy Act” should be included in an update of current data protection laws. This new law is expected to be accepted soon after the new German government is elected this fall. In the course of this legislative action, statutory provisions will be introduced which shall, inter alia, regulate if and under which conditions monitoring employees can be carried out lawfully.
Yet, even current applicable German data protection laws do not permit spying on employees in any case. Rather, many monitoring practices are unlawful and can be punished by harsh fines. Lidl experienced this quite dramatically. Its hidden-camera surveillance activities were found to have violated data protection laws and the company was ordered to pay a fine of 1.5 million Euros (approximately two million dollars). This is, by far, the highest fine ever issued by German data privacy watchdogs. Moreover, several managers from the companies caught up in privacy scandals have already lost their jobs, including the head of Lidl’s German operations, Frank-Michael Mros, and even Deutsche Bahn chief executive Hartmut Mehdorn—his justifications for the surveillance practices were found insufficient.

Therefore, in order to avoid such consequences, companies should ensure that all surveillance practices comply with legal requirements. Here they are in brief:

Data privacy background for employee surveillance measures

Even though, for the moment, Germany has no Employee Privacy Act, there are several laws that mandate rather strict protection of employee data. First of all, the provisions of the German Federal Data Protection Act (Bundesdatenschutzgesetz – BDSG) apply to the collection, processing, and use of employees’ personal data. Secondly, specific data protection obligations might follow from applicable Works Agreements.

Moreover, the employee’s privacy is protected by his or her respective personal right (allgemeines Persönlichkeitsrecht), which is enshrined in the German Constitution. In particular, the fundamental right on informational self-determination and the fundamental right on confidentiality and integrity of IT systems are significant constitutional guarantees for employment relationships in Germany. The employer is obliged to safeguard and promote the free development of its employees’ personalities (Sec. 75 (2) Works Constitution Act). On top of the aforementioned constitutional rights, labour courts’ extensive case law has developed principles for protecting the right to privacy of German employees.

Monitoring mechanisms in the workplace affect the privacy rights of employees. Under the BDSG, video surveillance of premises that are open to the public (which may include salerooms and restaurants) might be allowed, however, only subject to the following requirements: (1) there is no indication of a prevailing legitimate interest of the individuals and (2) the surveillance is necessary for the purpose of:

•      enabling public agencies to fulfill their tasks;

•     keeping out trespassers; or

•     achieving justified interests in certain defined situations (e.g. suspicion of crime).

Employers must make clear in advance that surveillance will be conducted and must specify who will be included. The data must be deleted as soon as it is no longer needed for the defined purpose. Clandestine surveillance of public premises is not permissible at all.

More relevant in practice is the surveillance of premises with restricted access. According to case law, the right to informational self-determination of the employees implies that they can freely decide whether they may be videotaped and whether the pictures can be used against them. Moreover, there is also protection for the spoken word. For example, the right to determine for oneself whether the spoken word should be available to the partner of the conversation only, or also made accessible to third parties or even the general public, and whether it may be recorded by electronic or other means.

The assertion of the overriding legitimate interests of the employer may justify interference in the employee’s privacy rights. When there is a conflict between the general privacy rights of the employee and the employers' interests, the legally protected interests have to be weighed against the employers’ interests to determine on a case-by-case basis whether the general right to privacy merits priority.
According to the Federal Labour Court, clandestine surveillance by technical devices is only permitted if there is a:

•     specific indication of a criminal offence or other serious misconduct at the expense of the employer;

•     less drastic means to clear up the suspicion have been exhausted;

•     covert surveillance is practically the only remaining means; and

•     the surveillance is proportionate (for example, a cash deficit that cannot be cleared up in any other way).

Surveillance measures are not allowed to invade the employee’s private sphere. Therefore, video surveillance is never permitted in such places as changing rooms and toilets (which had reportedly happened at Lidl). Even if the employees have been informed that a video camera or a similar technical device will be installed at the workplace, it does not mean that surveillance is automatically admissible. In most cases, continuous surveillance is considered an infringement on employees’ personal rights due to the pressure brought about by the constant observation. This applies particularly in situations where the employer has the potential to use undetected surveillance. Again, in this case the interests of the employees have to be weighed against the legitimate interests of the employer.

The above-mentioned principles to safeguard the employee’s privacy also apply to other surveillance measures by employers, such as eavesdropping on employees’ phone calls. Employees must be notified in advance if such calls are to be intercepted.

Apart from this notification requirement, which is also enshrined in Article 10 of the EC Directive 95/46, the principle of necessity must be observed when monitoring employees. According to Article 6 para 1 (c) EC Directive 95/46, the data processing must be “adequate, relevant, and not excessive in relation to the purposes.” Privacy watchdogs have cast doubts as to whether the above-mentioned surveillance practices comply with these requirements. In particular, they have challenged that, for the purpose of fighting corruption, it is necessary to include every employee—independent of his or her function—into the monitoring measures, irrespective of whether there had been a relevant risk for corruption in the individual case.

Involvement of the Works Council and the data protection officers

Additionally, the monitoring of employees triggers a co-determination right by the Works Council (sec. 87 para. 1 no. 6 of the German Works Constitution Act). The Works Council has a right of co-determination, especially in the event of the introduction and application of technical systems which are suitable for monitoring the conduct or performance of the employees. This will generally be the case for all surveillance systems, such as closed-circuit television (CCTV), and others.

Finally, in most of the cases mentioned above, the companies’ internal data protection officers had not been involved before the surveillance practices began, despite the data controller’s statutory obligation to inform the data privacy officer in good time of its plans for such data processing steps.

Outlook

It remains to be seen whether the legislator, when drafting the new Employee Privacy Act, will confine itself to merely taking over these existing restrictions on employee surveillance into the new law, or rather tighten the legal framework (as he currently plans to do for the marketing use of customer data). The Federal Ministry of Labour and Social Affairs, which will present the draft, has announced that it will not only attempt to regulate video surveillance but also will craft detailed provisions for issues such as e-mail and Internet monitoring in the workplace, and for protecting whistleblowers. The first announcements of ministry officials argue for a stricter approach. The declared aim of the new law is to specify the existing workplace rules, and to adapt them to the requirements of a modern working environment. Even more reason for companies to revise duly their employee surveillance and data governance practices in Germany.

Flemming Moos is an attorney at DLA Piper and chair of the IAPP KnowledgeNet in Hamburg, Germany. He is a certified specialist for information technology law and a member of the IAPP Publications Advisory Board. He can be reached at flemming.moos@dlapiper.com.