Equifax's slow response in notifying its EU data subjects might have proven even more disastrous for the company under the imminent EU GDPR, as the foreseen regulatory fines under the regulation, with its global reach, will no longer be a mere slap on the wrist. Data protection fines will now be on par with those for unfair competition, not to mention the massive reputational damage and potential loss of customers and future business.
For more news on the topic read here
The recent court case in the EU, insofar as it relates to the monitoring of employees' private messages at work, has raised some eyebrows.
The European Court of Human Rights (ECHR) said a firm that read a worker's Yahoo Messenger chats sent while he was at work was within its rights. It is, however, very important to view this in context and not to draw any blanket assumptions.
In South Africa, the yet-to-commence POPI Act (The Protection of Personal Information Act of 2013) and the existing RICA Act (The Regulation of Interception of Communications and Provision of Communication-Related Information Act of 2002) make provision for what is allowed. Sections 5 and 6 of RICA have created debate in SA as to what is allowed, but there seems to be general consensus that employees' written consent needs to be obtained. An electronic communications policy, or an addendum to employees' employment agreements reflecting such consent, is common practice and allows for so-called snooping, or justified monitoring and interception of employees' communications at work. In the above-mentioned ECHR case, this sentiment has not changed.
The BBC reported on this and, in one of their interviews, Lilian Edwards, a professor of internet law at Strathclyde University, said the judgment was in line with UK law and past cases. "In this case, the employers say clearly that you are not to use the internet for anything but work. Although it is not popular, it is completely legal. The employer seems to have played this by the book." She added that blanket bans on personal internet use at work were unreasonable because people retained the right to their own private life even while working. That was particularly important, she said, as people worked longer hours.
Sally Annereau, a data protection analyst at the law firm Taylor Wessing, said that UK law allowed proportionate checks on employees' communications. "This judgment underlines the importance of having appropriate and lawful employee-monitoring policies in place and making sure both that they are communicated to employees and that they are adhered to by the employer," she said.
In the Telegraph it was reported that the Information Commissioner recommends that employers encourage workers to mark messages as 'private' and 'personal' to help them protect their communications, and not to open these unless there is a very good reason for doing so.
Steve Peers, a Professor of EU and Human Rights Law at the University of Essex, had the following to say: "A judgment this week in Barbulescu v Romania addressed the issue, but unfortunately has been greeted by press headlines such as ‘EU court allows employers to read all employee e-mails’. This is wrong on two counts: it’s not a judgment of an EU court, but of the separate European Court of Human Rights; and the ruling does not allow employers to read all employee e-mails without limitation."
He went further to state that: "The Court is clearly not overturning its prior case law: it distinguishes Halford and Copland, rather than reversing them. So Barbulescu definitely does not give employers carte blanche to put their employees under surveillance. There remain – as there were before this judgment – cases where such surveillance is justified, and cases where it is not. The importance of Barbulescu is some clarification on where the dividing line falls between those two categories. Legally speaking, that line is determined by the degree of ‘reasonable expectation of privacy’ that employees have at the workplace. They have such an expectation where the employer has expressly allowed them to use a phone or computer for private purposes (Halford), or where it was tolerated (Copland). In this case, the crucial difference is that the employer banned such use."
To sum it all up, blanket surveillance by employers of employees' communications is not allowed in the EU, and the same would apply to SA. Clear policies and guidelines, together with consent, are prerequisites.
Author: Francis Cronje is an Information Governance specialist and provides insight from a legal and governance perspective on a wide range of topics in the Information and ICT sphere, including matters pertaining to the Protection of Personal Information (POPI) / Data Protection / Privacy, Information Security and other related topics.