Data Protection Report - Norton Rose Fulbright

The German federal labor court held in a recent decision (Bundesarbeitsgericht, 27 July 2017 – case no. 2 AZR 681/16) that evidence obtained through key logger software may not be used under current German privacy law if there is no suspicion of a criminal offense. Such monitoring is only allowed when an employer has a concrete suspicion of a criminal offense by an employee or any other serious breach of duty in a specific case. The decision is understood as general guidance from the highest labor court on secret employee monitoring.

In the case, the employer informed its employees generally about the implementation of a new network system and the logging of all Internet traffic and the use of their systems. Subsequently, the firm installed key logger software on its employees’ computers. The software recorded all keyboard inputs and produced screenshots on a regular basis. When reviewing the files created by the software, the employer became aware that an employee had used his work computer for private purposes during working hours and, thereupon, terminated the employment relationship.

In the subsequent judicial proceeding, the court held that the information gained through the key logger software was obtained in violation of Section 32 par. 1 of the German Federal Data Protection Act (BDSG) and must not be utilized. The use of such software infringes the employee’s right to informational self-determination, which is part of the general right of privacy enshrined in the German constitution. Therefore, the employer could not lawfully use the information from the key logger to support its decision to terminate the employee. The court further stated that such collection of information was not permitted because the employer did not have sufficient suspicion of a criminal offense or other serious breach of duty by the employee. Thus, the use of key logger software was, in the court’s opinion, disproportionate and consequently not justified.

Our take

The court’s judgement is consistent with previous decisions regarding secret surveillance of employees. The decision is also consistent with the Article 29 Working Party’s recent guidance regarding data processing at work (WP 249) and prior guidance regarding the surveillance of electronic communications in the workplace (WP 55).

Looking ahead, it is very likely that the German jurisprudence on employee surveillance will prevail under the General Data Protection Regulation (GDPR) because the new German Federal Data Protection Act takes advantage of an “opening clause” in the GDPR that allows divergent national law on employee privacy. The equivalent provision of the new German law (section 26) is comparable to section 32 BDSG, under which the case was decided. Hence, monitoring of employees without cause will most likely remain unlawful under privacy laws as interpreted by German courts and authorities.

Consequently, companies using security tools that monitor employees’ use of IT systems should be careful and review the use of such tools under current and future privacy laws.
