This post is also available in: Español
The judgment of the Second Division (Criminal) of the Supreme Court on October 23, 2018 (the TRIMARINE case) requires that the rules and objectives for the company’s control of the computer terminal assigned to the worker are clear and proportionate. In this post, we analyze the impact that access by employers, in exercising their disciplinary power, to the computer devices used by workers has in a subsequent criminal court review on the lawfulness or unlawfulness of the evidence obtained in this control.
In labor law, Supreme Court case law on legal evidence has changed in recent years. One of the most recent judgments is Supreme Court judgment 119/2018, of February 8 (Labor Division), known as the INDITEX case, which assumes the case law of the European Court of Human Rights (ECHR) in the judgment of September 5, 2017 (Main Chamber): BARBULESCU II. BARBULESCU II.
The judgment that is the subject matter of this post was handed down in the TRIMARINE case, and the Criminal Division of the Supreme Court established that unauthorized access to computer devices impairs the efficacy of the evidence, rendering it null.
The importance of this judgment lies in the fact that it accepts the case law of the Labor Division, and in the emerging rupture it represents from the case law established by the Second Division in judgment 528/2014, of June 16, 2014, handed down in the PARQUES REUNIDOS case (handed down by Judge José Manuel Maza).
This judgment established that the interference of any subject, including the employer, in the computer of a worker requires court authorization and review; however, it was stated that this authorization would only apply to accessing unread messages, as this is clearly related to the right to the secrecy of communications (article 18.3 of the Spanish Constitution). However, on the contrary, once the emails are received and opened, they do not form part of the content of the communication, but rather of the right to documentary privacy. And it is only in this case that judicial authorization is not always required.
However, on this occasion, the Supreme Court places less importance on whether the emails examined were opened or closed, considering that it is difficult to clarify this matter and that it is not of critical importance. The court added that postal communication processes are not “simply” transferable to electronic and telephone communications.
The Criminal Division now applies the case law of the Labor Division in a case confined to an employment relationship, in which the employer accesses the worker’s computer devices to obtain evidence that is subsequently enforceable in the proceedings. As we show below, the requirements are different. The case heard consists of the misappropriation of funds by a director who carried out commercial transactions in which the company bore the cost overruns or lost profit margins, to the benefit of the director or of the companies related to him. Therefore, the case starts with the indication of the director’s unlawful conduct and the company’s access to his computer.
The company accessed the computer without (i) the director’s consent, (ii) there being a regulatory provision limiting the use of computer tools to exclusively employment-related purposes, and (iii) a clause allowing the employer to control the computer devices, without prejudice to the fact that the measure used was proportionate and the least invasive of all those that the company had available.
The judgment is based on the existence of a general tolerance with certain personal and moderated use of computer and communication devices companies provide to workers. This tolerance gives the worker an expectation of privacy in such use, which forms part of the content of the fundamental right to privacy established in article 18 of the Spanish Constitution.
However, the existence of this expectation of privacy does not preclude the employer’s control, if certain limits established by case law in numerous judgments are observed.
- The first indispensable limit, established by the ECHR in the mentioned BARBULESCU II case, is knowledge by the worker of the existence of a warning or instruction that use of the computer must be limited to professional tasks, and the existence of any clause known by both parties authorizing the company to monitor the computer devices, or at least consent from the person exclusively using the computer.
- It is important to note here that, in its judgment 170/2013 (the ALCALIBER case) of October 7, the Constitutional Court recognized that it was sufficient to prohibit the use of email for non-employment related purposes in the collective labor agreement, indicating that it is a minor offense, to understand that such provision implicitly means that the company has the power to control its use.
- The second limit is ensuring that the company’s conduct regarding control is in line with the requirements of the principle of proportionality, i.e., that the measures the employer carries out are necessary, appropriate and the least invasive of all those admissible.
- Lastly, there must be an indication: a well-founded reason that leads the company to suspect that the worker is involved in any unlawful conduct and that justifies the employer’s control.
Only if these limits are observed will the employer’s involvement be lawful, the means of control be valid and the evidence obtained from such action be legal, as it was not obtained by breaching the worker’s right to privacy.
In this particular case, the Supreme Court declared that the measure was proportionate and the least invasive possible and that there was sufficient indication to carry out the control on the computer devices. However, the access was unlawful, because the employer did not give the worker any warning regarding the use of the computers and the worker did not give consent for such access. The unlawfulness does not arise from the content obtained or from whether the access was more or less intrusive, but rather from the fact that such access was unauthorized and warning was not given.
The Supreme Court declared that the “expectation of privacy” was breached and, therefore, so was the fundamental right to privacy, which rendered the evidence null, such that the case was returned to the lower court for a retrial, where this evidence would not be considered.
It follows that it is essential for companies to have clear policies and warnings regarding the use of the computer tools they provide (and whether there is an expectation of privacy).
We highlight that the Spanish Data Protection Act has just entered into force (see this post for the main developments of this act), under which companies must establish criteria for workers’ use of digital devices. The regulation allows the content to be accessed only to monitor compliance with employment obligations and to ensure the integrity of the digital devices, and access to the content of digital devices that are allowed to be used for private purposes means that the authorized uses must be precisely specified and guarantees must be established to preserve workers’ privacy.
It is advisable for companies to consult with a labor law expert when drafting these policies and criteria and to ensure better coordination when obtaining evidence that may subsequently be necessary to defend a company’s action in a potential lawsuit, or even in criminal proceedings, and to meet the company’s data protection obligations.
In collaboration with Ana Belén Barbero.
This post is also available in: Español