Temple Environmental Law & Technology Journal – Fall, 2001
20 Temp. Envtl. L. & Tech. J. 73
Workplace E-mail Privacy Concerns: Balancing the Personal Dignity of Employees with the Proprietary
Interests of Employers
By Peter J. Isajiw1
I.
Introduction
The danger of electronic devices eroding personal privacy that Samuel D. Warren and Louis D. Brandeis warned of
over one hundred years ago threaten the modern employee in ways they could never have imagined. These fathers of
privacy successfully argued for the creation of a common law right to be let alone based on the underlying concept
of the “inviolate personality” expressed in various tort actions.2 They took great care to distinguish this right from
property rights.3 Despite this distinction, courts have largely looked to ownership of property and not the inviolate
personality of employees when ruling on reasonable expectations of privacy in the case of employee privacy in
electronic mail (“e-mail”) correspondence accessed at work. While Warren and Brandeis thought the common law
was the best tool for establishing this right,4 years of precedent, including recent decisions, have construed this right
too narrowly in the context of employer/employee relationships.5 In light of this precedent, statutory intervention
seems the only means to protect individual human dignity and privacy in e-mail accessed at work.
Technology often outpaces the law.6 This complaint is heard frequently when discussing employee privacy in e-mail
communications accessed in the workplace.7 This complaint is of particular importance when discussing a [*75]
reasonable expectation of privacy because the legal system’s inherent slowness is intrinsically tied to the
reasonableness of that expectation.8 For example, after a court ruled in 1996 that there is no expectation of privacy
in workplace e-mail, it was much more difficult to argue in 2001 that such an expectation is reasonable.9 This
1
I would like to thank Professor Kathryn M. Stanchi. This article would not be possible without her mentoring, advice, and patience.
2
See id. at 205 (arguing that the right to privacy underlies torts such as libel and slander, and recognizing the inviolate personality of humans
when the law allows recovery for damage to personal reputation, or emotions as opposed to property damage).
3
Id. at 205.
4
Id. at 220.
5
See Smyth v. Pillsbury, 914 F. Supp. 97, 101 (E.D. Pa. 1996) (finding no expectation of privacy in e-mail despite the company’s assurances that
it would not monitor such communications); O’Conner v. Ortega, 480 U.S. 709, 715 (1987) (finding government employee’s privacy rights
superceded by employer’s need to supervise and control); Epps v. Saint Mary’s Hosp. of Athens, Inc., 802 F.2d 412, 417 (11th Cir. 1986)
(finding conversations over company phones between employees could be monitored to prevent potential contamination of the workplace by
negative remarks about supervisors); Wesley Coll. v. Pitts, 974 F. Supp. 375, 385 (D. Del. 1997), aff’d, 172 F.3d 861 (3d Cir. 1998)(holding
employer not liable for reading employee e-mail).
6
See Star Publ’g Co. v. Pima County Attorney’s Office, 891 P.2d 899, 902 (Ariz. Ct. App. 1994) (Espinosa, J., dissenting) (commenting that a
document production request that encompassed 1,300 computer entries raised “new questions concerning the privacy of electronic mail in the
workplace . . . This may indeed be a case where technology has once again outpaced the law.”); United States v. Maxwell, 45 M.J. 406, 410
(C.A.A.F. 1996) (ruling that an Air Force Colonel had a reasonable, albeit limited, expectation of privacy in e-mail messages he sent or received
using America Online). The Maxwell court said: New technologies create interesting challenges to long established legal concepts. Thus, just as
when the telephone gained nationwide use and acceptance, when automobiles became the established mode of transportation, and when cellular
telephones came into widespread use, now personal computers, hooked up to large networks, are so widely used that the scope of Fourth
Amendment core concepts of “privacy” as applied to them must be reexamined. Consequently, this opinion and the ones surely to follow will
affect each one of us who has logged onto the “information superhighway.” Id. at 410.
7
See Margret Steen, When E-mail Puts You at Risk, Info World, Tuesday July 6, 1999, available at
http://www.pcworld.com/news/article/0,aid,11679,00.asp (last visited March 25, 2002) (noting that the legal issues raised by employee e-mail are
not new, rather the novel issue is determining how old laws apply to e-mail and educating employees on the subject).
8
See infra notes 206-207 and accompanying text for a discussion of how the slow pace of law is tied to the reasonableness of expectations of
privacy.
9
Smyth, 914 F. Supp. at 101 (finding, in an intrusion into seclusion case, no expectation of privacy in e-mail despite the company’s assurances
that such communications would not be monitored where an employee voluntarily e-mailed his supervisor).
Copyright (c) 2001 Temple Environmental Law & Technology Journal
Comment calls for a balance between employer and employee interests in the use of electronic communications at
the workplace.10 It examines the failures of the current law that cause litigation to favor the employer and allows the
employer to control the level of privacy employees can expect.11 Furthermore, because the Internet and e-mail are
interstate mediums, this comment calls for federal legislation designed to protect the privacy rights of employees.12
II.
Overview
American employees work more hours per year than any other industrialized nation.13 A recent United Nations
survey conducted by the International Labor Organization indicates that American employees worked an average of
1,966 hours in 1997, which represents a four percent increase in annual hours at work, up from 1,883 in 1980.14 In
order to manage personal and business affairs more efficiently, many turn to e-mail.15 Over 85 percent of adults
send or receive personal e-mail messages at work.16 Studies also show that most employees believe that their emails are private.17 A smaller [*76] percentage of the American workforce believes that although third parties can
probably access their e-mails, those messages are not being read.18 These figures are disturbing because they
contrast starkly with studies indicating over 73.5 percent of employers monitor some form of employee
communication, and 38.1 percent store and review e-mail messages.19 When employers do monitor, less then 66.2
percent actually inform their employees of monitoring.20 The level of privacy employees can expect in their
workplace e-mail is therefore an important issue in the information age.
Recent events and cases highlight the importance of privacy in workplace e-mail correspondence. E-mail use in the
workplace raises concerns for the employer and employee alike. For the employee, personal privacy and job stability
concerns are at the forefront of the debate. For example, in Clark County, Las Vegas, Nevada, a sexually explicit
photograph originating from a deputy district attorney’s computer was sent to a few recipients and forwarded to a
senior judge, who inadvertently forwarded it to a list of county workers.21 Those county employees involved were
suspended without pay.22 In another example, the New York Times Company’s business office in Norfolk, Virginia,
fired ten percent of its work force (22 employees) when an investigation into employee computer files indicated that
10
See infra Parts II and IV.A for a discussion of employer versus employee interests in the use of electronic communications at work.
11
See infra Part II.A-D for a discussion of failures of current applicable law.
12
See infra Part III for a discussion of proposed requirements of workplace privacy legislation.
13
United Nations International Labor Organization Report on Labor Productivity (1999), available at
http://www.ilo.org/public/english/60empfor/polemp/kilm/index.htm (last visited Jan. 31 2000) (on file with the Temple Environmental Law and
Technology Journal); see also, Stephanie Nebehay, Yankee Rat Race -The American Way: Longer Hours! More Productivity!, Reuters
ABCNews.com, Sept. 6, 1999, available at http://abcnews.go.com/sections/us/DailyNews/ilo<_>americans.html (last visited April 11, 2001)
(on file with the Temple Environmental Law and Technology Journal) (discussing the U.N./I.L.O. survey). Compare the United States annual
average in 1997 with: France 1,656, Germany 1,560, Great Britain 1,731, Norway 1,399, Sweden 1,552, Australia 1,867, New Zealand 1,838, and
Canada 1,732.
14
United Nations International Labor Organization Report on Labor Productivity (1999), available at
http://www.ilo.org/public/english/60empfor/polemp/kilm/index.htm (last visited Jan. 31 2000) (on file with the Temple Journal of Environmental
Law and Technology)
15
Steen, supra note 8.
16
Id.
17
See, e.g., Jennifer J. Griffin, The Monitoring of Electronic Mail in the Private Sector Workplace: an Electronic Assault on Employee Privacy
Rights, 4 Software L.J. 493, 494 (1991) (arguing that most employees consider their e-mail private); Jared D. Beeson, Cyberprivacy on the
Corporate Intranet: Does the Law Allow Private-Sector Employers to Read Their Employees’s E-mail?, 20 U. Haw. L. Rev. 165, 167 (1998)
(noting that the majority of employees feel their e-mail is private).
18
Am. Management Ass’n., 2000 AMA Survey on Workplace Testing: Monitoring and Surveillance 1 (2000).
19
Id.
20
Charles Pillar, Bosses With X-Ray Eyes, Macworld, July 1993, at 118, 123 (chart).
21
Adrienne Packer, Obscene E-mail Traced to Deputy DA, Las Vegas Sun, Feb. 9, 2000, available at
http://www.lasvegassun.com/sunbin/stories/1v-gov/2000/feb/09/509825202.html (last visited April 3, 2001).
22
Id.
-2-
these employees sent or forwarded potentially offensive e-mails to others in the office.23 The company served
warning letters to twenty more employees who received but did not forward offensive e-mails.24 Most of the
employees involved were in good standing before this incident, including one who had been recognized as
“employee of the quarter.”25 In yet another example, Northwest Airlines conducted court-authorized searches of the
home computers of more then 12 flight attendants suspected of organizing a “sick-out” over the holiday travel
season.26
These examples illustrate the drastic effects e-mail monitoring can have on an employee, although the debate on email monitoring also implicates the employer’s interests.
For the employer, employee e-mail use raises issues that include productivity, legal liability, market competition,
efficiency and workplace morale. E-mail can be used as evidence in sexual harassment suits, discrimination suits,
and hostile work environment claims. Monitoring e-mail [*77] use can subject the employer to liability for invasion
of employee privacy or violation of state and federal laws. In fact, “any kind of liability that an employee can create
through communication, they can do through e-mail [sic].”27 For example, employees may send or receive racist
jokes28 or sexually explicit e-mail messages,29 either of which could be grounds for or evidence of discrimination or
harassment actions against the company. Furthermore, market competition and the property rights of an employer
can be affected if an employee who takes a job with a competitor uses a company e-mail account to send her future
employer proprietary documents containing trade secrets.30
In fact, recent studies indicate that of the 85 percent of adults who use workplace e-mail for personal messages, 70
percent have sent or received adult-oriented e-mail messages at work, and 64 percent have sent or received sexist or
racist e-mail messages.31 Moreover, even if no illegal activity is suspected, employers have reasons to monitor their
employee’s e-mail.32 By definition, an employee composing a personal e-mail is not working during its composition
and, therefore, personal e-mail use at work affects productivity. 33 Also, as documents can be transmitted as
attachments to e-mail, an employer may need to search through an employee’s e-mails in an attempt to recover
crucial documents that have been lost.34 For these reasons, determining the level of privacy employees can expect
with regard to their e-mail messages accessed in the workplace is of utmost importance in the modern business
environment.
Understanding the issue of employee expectations of privacy in workplace e-mail correspondence requires
examining the right to privacy in United States constitutional law,35 the codification of federal legislation to extend
23
Ann Carms, Prying Times: Those Bawdy E-Mails Were Good for a Laugh, Wall St. J., Feb. 4, 2000, at A1.
24
Id.
25
Id.
26
Michael J. McCarthy, Data Raid: In Airline’s Suit, PC Becomes Legal Pawn, Raising Privacy Issues, Wall St. J., May 24, 2000, at A1,
available at 2000 WL-WSJ 3030469.
27
Steen, supra note 8 (quoting Jim Bruce, a partner at the law firm of Wiley Rein & Fielding, in Washington D.C.).
28
See Owens v. Morgan Stanley & Co., 1997 U.S. Dist. LEXIS 20493 (S.D.N.Y. 1997) (transferring of racists jokes over e-mail used as
evidence in employment discrimination suit).
29
See Strauss v. Microsoft, 856 F. Supp. 821 (S.D.N.Y. 1994) (transferring of sexually explicit e-mails used as evidence in sex discrimination
suit).
30
See United States v. Hsu, 155 F.3d 189, 192 (3d Cir. 1998) (discussing evidentiary issues under the Economic Espionage Act of 1996 arising
from an employee sending trade secrets to an undercover F.B.I. agent via e-mail).
31
Steen, supra note 8.
32
Id.
33
Id.
34
Id.
35
See infra Part II.A for a discussion of the Constitutional right to privacy.
-3-
this protection to private sector employees,36 the failings of that federal legislation,37 and the state and common law
that may protect employee privacy in the workplace.38 Furthermore, examining the differences in ideology
underlying United States and European conceptions of privacy reveals that [*78] European law treats privacy as a
matter of human dignity while American law treats privacy as a property right. This may explain the difficulties
American employees face in obtaining favorable treatment with respect to privacy in the workplace.
A.
Privacy and the U.S. Constitution
Although the Constitution does not specifically enumerate the right to privacy, the United States Supreme Court has
recognized that the right to privacy flows from the penumbra and emanations of the First, Third, Fourth, and Fifth
Amendments.39 Constitutional prohibitions, however, apply only to government actors, so the privacy protections of
the Fourth Amendment40 against unreasonable searches and seizures cover only public sector employees.41 Two
significant cases shaped the law of privacy in the workplace under constitutional law. The first case, Katz v. United
States,42 led to Congressional enactment of The Federal Wiretapping Act,43 which extended the privacy protections
granted to public sector employees to the private sector. The second, O’Connor v. Ortega,44 defines the scope of
privacy [*79] protection granted to public employees. 45
In Katz, the Supreme Court held that electronic surveillance without a warrant violated the Fourth Amendment’s
prohibition against unreasonable searches and seizures.46 The Court in Katz47 declared that determining whether a
person has a reasonable expectation of privacy under the Fourth Amendment requires examining whether a person
in the given situation has an actual or subjective expectation of privacy and whether that expectation is one that
36
See infra Part II.B for a discussion of the Electronic Communications Privacy Act.
37
See infra Part II.B for a discussion of how the exceptions to the Electronic Communication Privacy Act prevent it from providing adequate
protection to employee e-mail.
38
See infra Part II.C for a discussion of how the tort of intrusion into seclusion may be applied to the issue of employee e-mail privacy.
39
See Griswold v. Connecticut, 381 U.S. 479, 484-85 (1965) (holding a Connecticut law prohibiting married couples from using contraceptives
unconstitutional because it violated the zone of privacy created by the Bill of Rights); Katz v. United States, 389 U.S. 347, 361 (1967) (holding
warrantless electronic surveillance to be in violation of the Fourth Amendment’s protection from unreasonable search and seizures). An in depth
discussion of the right to privacy is beyond the scope of this comment. See also Ken Gormley, One Hundred Years of Privacy, 1992 Wis. L. Rev.
1335 (1992).
40
U.S. Const. amend. IV, 1 (guaranteeing “the right of the people to be secure in their persons, houses, papers, and effects, against unreasonable
searches and seizures”).
41
See O’Connor v. Ortega, 480 U.S. 709, 716 (1987) (noting Fourth Amendment applies to searches conducted by public employers); Simmons
v. Southwestern Bell Tel. Co., 452 F. Supp. 392, 394-95 (W.D. Okla. 1978), aff’d, 611 F.2d 342 (10th Cir. 1979) (noting constitutional privacy
protection is only as against government intrusions into a person’s privacy).
42
See Katz, 389 U.S. 347 at 361 (holding that F.B.I.’s use of listening device on public telephone without warrant violates Fourth Amendment if
the person monitored exhibits an actual (subjective) expectation of privacy that society would recognize as reasonable). Katz overruled Olmstead
v. United States, which held that so long as the government did not enter the home, interceptions obtained by warrantless taps placed on
telephones were not “searches” and were therefore admissible. Olmstead v. United States, 277 U.S. 438, 465 (1928). In the Olmstead dissent,
Justice Brandeis argued that privacy defined as the “right to be let alone” is a right and therefore it was immaterial where the physical connection
to the telephone wires were made. Brandeis’s dissent foreshadowed the e-mail privacy debate when he observed that: Ways may some day be
developed by which the Government, without removing papers from secret drawers, can reproduce them in court, and by which it will be enabled
to expose to a jury the most intimate occurrences of the home . . . Can it be that the Constitution affords no protection against such invasions of
individual security? Id. at 474. The Court adopted Brandeis’s reasoning when it overruled Olmstead in Katz stating that “the Fourth Amendment
protects people not places. What a person knowingly exposes to the public . . . is not a subject of Fourth Amendment protection . . . But what he
seeks to preserve as private, even in an area accessible to the public, may be constitutionally protected.” Id. at 351.
43
Title III of the Omnibus Crime Control and Safe Streets Act (The Federal Wiretapping Act), 18 U.S.C. 2510-2522 (2000)The Senate Report
associated with Title III states “Title III was drafted to . . . conform with Katz . . .” S. Rep. No. 90-1097, at 66 (1968), reprinted in 1968
U.S.C.C.A.N. 2112, 2153.
44
O’Connor, 480 U.S. 709.
45
See infra notes 61-71 and accompanying text for a discussion of the level of privacy that O’Connor extends to public sector employees.
46
Katz, 389 U.S. at 361.
47
Id.
-4-
society recognizes as reasonable.48 At issue in Katz was the government’s warrantless monitoring of a conversation
in a public phone booth.49 The Court devised a two-part test to determine whether the plaintiff exhibited an
“expectation of privacy”50 that “society is prepared to recognize as reasonable.”51 Whether such an expectation
exists is determined by examining a number of factors such as the private nature of the information involved and
whether the individual had “knowingly exposed” the information to the public.52 The first prong of the analysis
looks to whether the individual “exhibited an actual (subjective) expectation of privacy” 53 by showing that she
“seeks to preserve (something) as private.”54 The second prong, which is dispositive55 in most cases, asks whether
the individual’s expectation of privacy is one that society would deem reasonable.56 The principles expressed in
Katz underlie the federal legislation against wiretapping, which will be discussed below.57
At first blush, one would think that secret e-mail monitoring by employers would not pass constitutional muster
under the Katz test considering that most [*80] American employees believe that their e-mails are private.58
However, this does not seem to be the case. Although the United States Supreme Court has not addressed the issue
of employer e-mail monitoring, if an e-mail user knows his employer might intercept his messages courts would
likely consider his use of e-mail a voluntary conveyance of information to the public, thus limiting his subjective
expectation of privacy under Katz.59
The Court’s ruling in O’Connor v. Ortega60 defined the scope of the Fourth Amendment’s privacy protection for
public sector employees. In O’Connor, a psychiatrist claimed that the state hospital in which he worked violated his
Fourth Amendment rights by searching his office and seizing items from his desk and filing cabinets.61 The Court
held that workplace searches must be judged by a “standard of reasonableness”62 and that the Fourth Amendment is
violated only if employees have an “expectation of privacy that society is prepared to consider reasonable.”63
The reasonableness standard allows for an employee’s expectation of privacy to be reduced “by virtue of actual
office practices and procedures . . .”64 The Court balanced the employee’s privacy interests with the employer’s
48
Id.
49
Id. at 348. In Katz, F.B.I. agents monitored defendant’s conversation without a warrant by attaching a listening device to a public phone booth.
50
Id. at 361 (Harlan J., concurring).
51
Id.
52
Id. at 351. Other criteria the Court considered were whether there was a legitimate purpose or “compelling interest” in the disclosure or seizure
of the information; whether there were alternative means of obtaining the information; whether there were property rights implicated in the
seizure of information; and what if any precautions were taken by the government to protect these rights. Id. at 351-354.
53
Id. at 361.
54
Id. at 361.
55
The Katz standard was later adopted in Smith v. Maryland, 442 U.S. 735 (1979). In Smith, police requested a telephone company to use a pen
register to track the numbers dialed from a robbery suspects home. The Court decided that the suspect had no reasonable expectation of privacy
stating that all subscribers realize “that the phone company has facilities for making permanent records of the numbers they dial . . .” Id. at 742.
Further, the Court concluded that any expectation of privacy was unreasonable because Smith knowingly exposed the information about the
numbers dialed when he “voluntarily conveyed numerical information to the telephone company. . . .” Id. at 744.
56
Katz, 389 U.S. at 361.
57
See infra Part II.B for a discussion of Title III.
58
See Caroline M. Cooney & Lisa Arbetter, Who’s Watching the Workplace? The Electronic Monitoring Debate Spreads to Capitol Hill, Sec.
Mgmt., Nov. 1, 1991, at 26, 29 (citing an August 1991 reader survey); Paul E. Hash & Christina M. Ibrahim, E-mail, Electronic Monitoring, and
Employee Privacy, 37 S. Tex. L. Rev. 893, 894 (1996) (arguing that most employees consider their e-mail private).
59
See Smith, 422 U.S. at 744 (noting that the voluntary conveyance of information makes an expectation of privacy unreasonable).
60
480 U.S. 709 (1987).
61
Id. at 714.
62
Id. at 725-26.
63
Id. at 725.
64
Id. at 717.
-5-
interest in workplace supervision and control.65 Therefore, the Court determined that a search of a public
employee’s physical work area is reasonable when the employer has a legitimate business interest that outweighs the
employee’s privacy concerns.66 The Court further declared that non-investigatory, work-related searches carry a
presumption of reasonableness.67 This language, combined with the broad definition of legitimate business interests
found in other cases, in effect leaves the determination of employee expectations of privacy in the hands of the
employer.68 There has been no real test of this standard as applied to the monitoring of e-mail correspondences of
government employees.69 However, [*81] even if this standard would protect such correspondence, the protection is
limited to governmental employment70 and would not apply the vast majority of American employees.
B.
Federal Statutory Regulation of Employee Privacy
No federal statute explicitly addresses the issue of employers monitoring the e-mail correspondence of their
employees in the workplace. However, the Electronic Communications Privacy Act of 1986 (“ECPA”)71 arguably
limits employer interceptions of employee e-mail messages, although the statutory language speaks of “electronic
communications”72 and does not specifically mention electronic mail. The purpose of the ECPA was to update a law
that an explosion of technological advances had outdated.73 The legislative history of the ECPA makes clear that
Congress intended to update The Federal Wiretapping Act,74 originally designed to limit interceptions of telephone
communications, to include within the definition of “electronic communication,”75 new technology such as pagers,
mobile phones, digital information, and e-mail messages.76 Subsequent case law has also made clear that e-mail falls
into the category of communications covered by the ECPA.77 The few courts that have dealt with employee e-mail
privacy under the ECPA narrowly construe what constitutes an “interception”78 under the Act, requiring an illegal
interception of e-mail to occur in the seconds between when a message is sent and when it was received. This
narrow construction, combined with the three major exceptions to the provisions of the Act, tends to shield
employers from liability.79
65
Id. at 721-722.
66
Id. at 725-726.
67
Id. at 726.
68
See infra Part II.B.1 for a discussion of the broad range of acceptable business interests.
69
It appears that the reasoning of O’Connor would be problematic in the context of employee e-mail. O’Connor dealt with the search of an
employee’s physical space whereas e-mail interceptions would involve an invasion of cyberspace. For a more detailed discussion of the
difficulties in applying the O’Connor criteria to e-mail, see Steven B. Winters, Do Not Fold, Spindle or Mutilate: An Examination of Workplace
Privacy in Electronic Mail, 1 S. Cal. Interdisciplinary. L. J. 85, 100-103 (1992) (arguing that the analysis of Ortega which focuses on the original
intent of the Constitutional framers, and the invasion of a physical space, cannot be accurately applied to e-mail).
70
See supra Part II.A for a discussion of the Fourth Amendments applicability to public sector employees.
71
18 U.S.C. 2510-2522 (2000). The ECPA covers the “interception” of any “wire” or “electronic communications”. Id. at 2511.
72
Id. at 2511.
73
See S. Rep. No. 99-541, 99th Cong., at 13-14 (1986), reprinted in 1986 U.S.C.C.A.N. 3555, 3562-66 (stating that e-mail is one of many “new
telecommunications and computer technologies referred to in the Electronic Communications Privacy Act”).
74
18 U.S.C. 2510-2525 (1968).
75
Id. at 2511.
76
See S. Rep. No. 99-541, 99th Cong., at 13-14 (1986), reprinted in 1986 U.S.C.C.A.N. 3555, 3562-66 (stating that e-mail is one of many “new
telecommunications and computer technologies referred to in the Electronic Communications Privacy Act”).
77
See, e.g., Steve Jackson Games, Inc. v. United States Secret Serv., 26 F.3d 457, 461 (5th Cir. 1994) (noting that e-mail can be illegally
intercepted and therefore falls in the purview of the ECPA); Wesley Coll. v. Pitts, 974 F. Supp. 375, 385 (D. Del. 1997) (explaining that the term
“electronic communication” in the ECPA includes e-mail).
78
18 U.S.C. 2510(4) (2000).
79
See infra Parts II.B.1-3 for a discussion of the failings of the ECPA in the context of employee e-mail privacy.
-6-
In 1968, Congress enacted Title III of the Omnibus Crime Control and Safe Streets Act80 to conform to the holdings
of the Supreme Court in Katz v. [*82] United States81 and Berger v. New York.82 Title III was originally intended to
regulate the use of hidden microphones and wiretaps on telephone equipment and to extend this protection to private
business and individuals, as well as government.83 Twenty years after the enactment of Title III, Congress realized
that advances in communications technology rendered the act “hopelessly out of date.”84 In 1986, Congress
amended the Act with the ECPA to account for these communications advances.85
The ECPA contains two sections of statutory text relevant to the issue of employee e-mail privacy. One prohibits the
interception of electronic communications; the other prohibits the unauthorized acquisition of electronic
communications in storage. Title I of the Act prohibits the unauthorized and intentional “interception” of “wire” and
“electronic communications” while those communications are in transit from the sender to the receiver.86 Title I
defines an illegal “interception” as the “aural or other” acquisition of the contents of the communication through use
of any “electronic, mechanical, or other device.”87 The Act defines “electronic communication” as “any transfer of
signs, signals, writing, images, sounds, data, or intelligence of any nature transmitted in whole or in part by a wire,
radio, electromagnetic, photoelectric or photooptical system that affects interstate or foreign commerce.”88 The
legislative history of the statute indicates that Congress intended this broad language to encompass electronic mail.89
Title II of the ECPA (“The Stored Communications Act”)90 protects against the unauthorized acquisition of
electronic communications in storage.91 [*83] Title II defines “electronic storage” as “(A) any temporary,
intermediate storage of a wire or electronic communication incidental to the electronic transmission thereof; and (B)
any storage of such communication by an electronic communication service for the purposes of backup protection of
such communication.”92 A person violates Title II whenever he or she “intentionally accesses without authorization
a facility through which an electronic communication service is provided.”93 The Act sets forth criminal penalties,94
as well as civil damages of $ 100 per day for each day the Act is violated or $ 10,000, whichever is greater.95
80
18 U.S.C. 2510-2525 (1968); see also Thomas R. Greenberg, Comment, E-mail & Voicemail: Employee Privacy & the Federal Wiretap
Statute, 44 Am. U. L. Rev. 219, 230-46 (1994) (detailing the history of ECPA).
81
389 U.S. 347 (1967); see supra notes 47-59 and accompanying text for a discussion of the Katz Fourth Amendment Analysis.
82
388 U.S. 41 (1967). In Berger, the United States Supreme Court struck down a New York Statute that allowed government eavesdropping. The
Court held the statute unconstitutional because it failed to meet the minimum standards of particularity that are necessary to ensure that the
government does not have too much discretion in wiretapping or eavesdropping. Id. at 59. The Court held that the Fourth Amendment prevents
government eavesdropping unless there is probable cause to believe that a particular crime “has been or is being committed. . . .”, the government
has provided the court with the specifics of the conversations sought, the interception is for a limited time, and notice is given to the party being
searched. Id. at 58-60. The Court did however state that the notice requirement could be waived under some circumstances. Id.
83
H.R. Rep. No. 90-5037 at 5 (1968), reprinted in 1968 U.S.C.C.A.N. 2112, 2157-63 (legislative history of the Omnibus Crime Control and Safe
Streets Act of 1968).
84
S. Rep. No. 99-541, at 14 (1986), reprinted in 1986 U.S.C.C.A.N. 3555, 3555-56 (legislative history of the Electronic Communications
Privacy Act of 1986).
85
Id.
86
18 U.S.C. 2511 (2000).
87
18 U.S.C. 2510 (2000).
88
18 U.S.C. 2510(12) (2000).
89
See S. Rep. No. 99-541, at 14 (1986), reprinted in 1986 U.S.C.C.A.N. 3555, 3562-66 (stating that e-mail is one of many “new
telecommunications and computer technologies referred to in the Electronic Communications Privacy Act”).
90
18 U.S.C. 2701-2711 (2000).
91
Id.
92
18 U.S.C. 2510 (17) (2000).
93
18 U.S.C. 2701(a)(1) (2000).
94
For example, intercepting an electronic communication while in transit is a violation of Title I, carrying a jail sentence of up to five years in
prison. 18 U.S.C. 2511 (1968). Unauthorized access of an electronic communication stored in a computer is a violation of Title II, and carries a
potential prison sentence of up to one year for a first offense. 18 U.S.C. 2701 (2000).
95
18 U.S.C. 2520 (2000).
-7-
Although the ECPA would seem to address employee privacy, courts and lawyers have historically had difficulty
interpreting and applying the Act’s prohibitions.96 The majority of cases involve the issue of employee privacy in
the context of telephone use and monitoring at the workplace. Few cases have arisen in the context of office e-mail
monitoring.97 One such case in Delaware exemplifies the difficulties inherent in the ECPA’s interpretation. In
Wesley College v. Pitts,98 the United States District Court for the District of Delaware held that reading an e-mail
message while it was displayed on a computer screen was not an “interception” under the Act, even if the e-mail had
been retrieved from electronic storage in order to be read.99 The court reasoned that a violation of the ECPA
requires an e-mail to be intercepted while in transit.100
This case illustrates just one of the ECPA’s interpretive difficulties. Although Title I prohibits the use of electronic
devices to intercept an electronic communication such as an e-mail, Title II prohibits the unauthorized acquisition of
a stored e-mail message. While the court may [*84] have correctly reasoned that an e-mail displayed on a screen
was not “intercepted” by an electronic device because a computer monitor is not an intercepting device,101 the fact
that the message was retrieved from storage in order to be viewed would certainly fall under the prohibitions of Title
II.102 Unfortunately, this case was decided on a motion for summary judgment. The lawyers for the plaintiff
interpreted Title II as a lesser, included offense to Title I and, therefore, offered no independent evidence of a Title II
violation by unauthorized or illegal accession of the computer storage facility to retrieve the message in question.103
Without evidence of a Title II violation, the court could not reach this question and, therefore, granted summary
judgment in favor of the defendant.104
Further complicating the ECPA are three statutory exceptions to liability that, in effect, immunize employers from
the penalties of the Act: the Ordinary Course of Business exception,105 the Service Provider exception,106 and the
Consent exception.107 Title II allows for access of stored communication when consent has been given “by a user of
the electronic communication service with respect to a communication of or intended for that user.”108
96
See Deal v. Spears, 980 F.2d 1153, 1158 (8th Cir. 1994) (holding that recording 22 hours of employee conversations based on a suspicion of
theft was illegal because it was not in the ordinary course of business); Sanders v. Robert Bosch Corp., 38 F.3d 736, 741 (4th Cir. 1994) (holding
that even a bomb threat did not justify an employer’s 24 hour recording of employee telephone conversations); but see Watkins v. L.M. Berry &
Co., 704 F.2d 577, 583 (11th Cir. 1983) (finding employers can monitor employee calls only to the extent that they are business related); James v.
Newspaper Agency Corp., 591 F.2d 579, 582 (10th Cir. 1979) (finding that employers may monitor employee calls with equipment provided by
the phone service provider if they are perusing a legitimate business interest); Briggs v. Am. Filter Co., 630 F.2d 414, 420 (5th Cir. 1980)
(holding an employer may monitor employee conversation without consent when it serves a legitimate business interest); Epps v. Saint Mary’s
Hosp. of Athens, Inc., 802 F.2d 412, 417 (11th Cir. 1986) (holding an employer may monitor employee conversations to prevent workplace
contamination by negative remarks about co-workers).
97
See Wesley Coll. v. Pitts, 974 F. Supp. 375, 385 (D. Del. 1997) (ruling on an ECPA claim in the context of workplace e-mail correspondence).
98
974 F. Supp. 375 (D. Del. 1997).
99
Id. at 385.
100
Id.
101
Id. at 384.
102
See supra notes 91-96 and accompanying text for a discussion of the prohibitions of Title II.
103
Wesley Coll. v. Pitts, 974 F. Supp. 375, 389 (D. Del. 1997).
104
Id. at 391.
105
18 U.S.C. 2510(5)(a) (2000). This section is also known as the extension telephone exception or business use exception.
106
18 U.S.C. 2511(2)(a)(i), 2701(c)(1) (2000). Both Title I and Title II have service provider exceptions with different statutory language. Title
I’s service provider exception states, in pertinent part: It shall not be unlawful under this chapter for . . . an officer, employee or agent of a
provider of . . . an electronic communications service, whose facilities are used in the transmission of . . . electronic communication, to intercept,
disclose, or use that communication in the normal course of his employment while engaged in any activity which is a necessary incident to the
rendition of his service or to the protection of the rights or property of the provider of that service. . . . 18 U.S.C. 2511(2)(a)(i) (2000).
107
18 U.S.C. 2511 (2)(d); 2701(c)(1)-(2) (2000). The ECPA has two portions of statutory text that provide exceptions based on consenting to be
monitored. Title I (18 U.S.C. 2511 (2)(d)) states that “it shall not be unlawful under this chapter . . . to intercept a wire, oral, or electronic
communication . . . where one of the parties to the communication has given prior consent to such interception. Id.
108
18 U.S.C. 2701(c)(1)-(2) (2000).
-8-
1.
The Ordinary Course of Business Exception
The Ordinary Course of Business exception shields an employer from liability when she intercepts a communication
in the ordinary course of business through use of equipment provided by a communications carrier as part of the
communications network.109 This exception comes from the Act’s [*85] limited definition of “electronic,
mechanical or other device,” which is necessary to conduct an illegal intercept.110 Under the terms of the statute, an
illegal intercept may be accomplished only by use of an electronic device. However, any device “furnished to the
subscriber or user by a provider of . . . communication service in the ordinary course of its business and being used
by the subscriber or user in the ordinary course of its business . . . or furnished by such subscriber or user for
connection to the facilities of such service and used in the ordinary course of its business” is not an electronic device
under the statute.111
In other words, if the telecommunications or e-mail service provider gives an employer a machine capable of
intercepting the contents of a telephone call or e-mail, or if an employer purchases such a device, interceptions
achieved by this machine are legal because a device “furnished . . . by a provider . . . or user” is not an illegal
intercepting device when used in the ordinary course of an employer’s business. To determine whether an
intercepting device is used in the “ordinary course of business,” courts look to whether an employer has a legitimate
legal interest in monitoring the communications. This exception has been tested in the context of private telephone
communications in the workplace but not in that of e-mail correspondence.112
The Circuits are split on how to interpret this portion of statutory language. Some courts apply the “content
approach” while others follow the “context approach.”113 The content approach looks to the nature of the
conversation being monitored and interprets the exception to allow employers to monitor business-related but not
personal conversations.114
[*86]
1(a).
Content Approach
The content approach focuses on the subject matter of the intercepted communication. Under this approach,
employers may monitor all business related calls but face restrictions in their rights to monitor personal calls. The
general rule under the content approach is that an employer may monitor calls only to the extent necessary to further
a legitimate business interest and must stop monitoring when it discovers that a call is personal.115 For example, in
109
18 U.S.C. 2510(5)(a) (2000). The relevant text of the exception is found in the limiting definition of what constitutes an illegal intercepting
device. Under the terms of that statute, an illegal intercepting device is anything other than: any telephone or telegraph instrument, equipment, or
facility, or component thereof, (i) furnished to the subscriber or user . . . in the ordinary course of its business and being used by the subscriber or
user in the ordinary course of its business or furnished by such subscriber or user for connection to the facilities of such service and used in the
ordinary course of its business. . . . Id.
110
18 U.S.C 2510 (5)(a) (2000).
111
Id.
112
See, e.g., Briggs v. Am. Air Filter Co., 630 F.2d 414, 420 (5th Cir. 1980) (holding an employer was not liable for interceptions that were
limited in duration and scope to that necessary to monitor the portion of the call in which the employee discussed the employer’s business with a
competitor.); Watkins v. L.M. Berry & Co., 704 F.2d 577, 583 (11th Cir. 1983) (finding employers can monitor employee calls only to the extent
they are business related); Epps v. St. Mary’s Hosp. of Athens, Inc., 802 F.2d 412, 415-17 (11th Cir. 1986) (applying the content focused analysis
of the ordinary course of business exception); Sanders v. Robert Bosch Corp., 38 F.3d 736, 741 (4th Cir. 1994) (holding that even a bomb threat
did not justify an employer’s 24 hour recording of employee telephone conversations); Deal v. Spears, 980 F.2d 1153, 1158 (8th Cir. 1992)
(holding that an employer’s attempt to catch a thief did not justify recording 22 hours of and employee’s personal calls).
113
Larry O. Gantt, An Affront to Human Dignity: Electronic Mail Monitoring in the Private Sector Workplace, 8 Harv. J.L. & Tech. 345, 365
(1995) (discussing the difference between content and context analysis); Beeson, supra note 18, at 176-188 (discussing the difference between
content and context analysis).
114
Beeson, supra note 18, at 176 (analyzing the content approach).
115
See, e.g., Briggs v. Am. Air Filter Co., 630 F.2d 414, 420 (5th Cir. 1980) (holding an employer was not liable for interceptions that were
limited in duration and scope to that necessary to monitor the portion of the call in which the employee discussed the employer’s business with a
competitor); Watkins v. L.M. Berry & Co., 704 F.2d 577, 583 (11th Cir. 1983) (finding employers can monitor employee calls only to the extent
-9-
Watkins v. L.M. Berry & Co.,116 the 11th Circuit held an employer liable for illegal intercepts when it monitored an
employee’s personal call involving a discussion about a job interview with a prospective employer, in violation of
its own monitoring policy.117 The court noted that an employer’s monitoring in the ordinary course of business does
not cover portions of private conversations about which the employer is merely curious.118 Furthermore, the court
held that the employer must show that the particular interception was in the ordinary course of business by
demonstrating a “business interest” in the subject matter of the intercepted call.119 The court declared that because
personal calls are never in the ordinary course of business “except to the extent necessary to guard against
unauthorized use of the telephone or to determine whether a call is personal or not,” an employer must stop listening
to a call as soon as it determines the content is personal.120
1(b).
Context Approach
Courts employing the context approach rely more on the workplace environment than on the specific content of the
electronic communication or telephone call. These courts consider whether employees were notified of the potential
for interceptions and whether legitimate business interests existed for monitoring employee communications.121
Courts using the context approach uniformly rule that unlimited monitoring of employee communications violates of
the ECPA. Therefore, the courts look to employers’ motivations for monitoring and tailor the time and scope of
[*87] monitoring to that necessary to achieve these motives.122
Although the approaches the courts take to interpret the exception differ subtly and confusion over the exception’s
meaning still exists, a trend is emerging to interpret the exception to allow the monitoring of telephone
conversations only to the extent necessary to further a legitimate business interest, and only for as long as it takes to
determine that a call is personal and unrelated to a business interest. Examples of legitimate business interests
include preventing abuse of facilities, customers, or employees. Due to the broad category of business interests that
courts are willing to consider legitimate, the Ordinary Course of Business Exception grants employers a great deal
of discretion in determining the level of privacy their employees can expect.
One could argue that the same rules and analysis should apply to employee e-mail monitoring as apply to telephone
monitoring. However, the inherent problem with both the content and context approach as applied to e-mail is that
interceptions would most probably give the employer the entire message at once, unlike voice communication where
those monitoring must listen as the conversation goes. The practical problem becomes a question of how many
words an employer must read before she can distinguish between business and personal e-mail messages. Moreover,
both the content and context approach fundamentally rely on the existence of a legitimate business interest in
monitoring. Courts have not focused on employee privacy when determining whether a legitimate business interest
for monitoring exists.
Courts have favored the employer in their determination of whether a communication is business related. For
example, in Epps v. St. Mary’s Hospital of Athens, Inc,123 a conversation was recorded “during office hours,
they are business related); Epps v. St. Mary’s Hosp. of Athens, Inc., 802 F.2d 412, 415-17 (11th Cir. 1986) (applying the content focused analysis
of the ordinary course of business exception). See also, Beeson, supra note 18, at 177 (describing the content approach); Martha W. Barnett &
Scott D. Makar, In the Ordinary Course of Business: the Legal Limits of Workplace Wiretapping, 10 Hastings Comm. & Ent. L.J. 715, 730
(1988) (discussing the content analysis).
116
704 F.2d 557 (11th Cir. 1983).
117
Id. at 581.
118
Id. at 582-83.
119
Id.
120
Id. at 583.
121
Barnett & Makar, supra note 116, at 727-28 (analyzing the context approach).
122
See, e.g., Sanders v. Robert Bosch Corp., 38 F.3d 736, 741 (4th Cir. 1994) (holding that even a bomb threat did not justify an employer’s 24
hour recording of employee telephone conversations); Deal v. Spears, 980 F.2d 1153, 1158 (8th Cir. 1992) (holding that an employer’s attempt to
catch a thief did not justify recording 22 hours of and employee’s personal calls).
123
802 F.2d 412 (11th Cir. 1986).
-10-
between co-employees, over a specialized extension which connected the principal office to a substation and
concerned scurrilous remarks about supervisory employees in their capacities as supervisors.”124 The court declared
that the employer has a business interest in monitoring conversations to prevent “the potential contamination of a
working environment.”125 Under this reasoning, any e-mail regarding co-employees, especially those over
company-provided intranet services (which may be analogous to the specialized phone line in Epps) would be
readily available for employers to read in their entirety. Backed by this rationale, the Ordinary Course of Business
exception renders the ECPA incapable of affording employees privacy at the workplace.
[*88]
2.
The Service Provider Exception
The ECPA exempts e-mail service providers from liability for all interceptions (Title I Claims) or accessions (Title
II Claims) of e-mail communication in the workplace.126 When service providers are engaged in activities that are
“necessarily incident to the rendition of [his] service or to the protection of the rights or property of the provider of
that service . . .”127 they are immune to liability under the ECPA for any interception or disclosure of electronic
communications. Like its Ordinary Course of Business counterpart, this exception has yet to be tested in the context
of e-mail monitoring, and who qualifies as a service provider is unclear. Some courts128 and commentators believe
the language of the exception is broad enough to encompass any employer who provides employees with e-mail
access. 129
Under Title I of the ECPA, a service provider may intercept and disclose any contents of electronic communications
necessary to render services or to protect the rights or property of the provider.130 In United States v. Mullins,131 an
airline was found to be a “service provider” under the Act.132 In Mullins, an employee noticed discrepancies in the
computer reservation system that lead to the discovery of fraud by an agent.133 The fraud was discovered only after
the airline intercepted the phony reservations. The agent claimed this interception violated the ECPA.134 The Ninth
Circuit rejected the claim and recognized the airline as an exempt “provider of wire or electronic communications
service” under the ECPA.135 Therefore, the employer/provider was, free to intercept and disclose electronic
communications because it was protecting its rights and property.136
The Act itself provides no guidance as to whether the Service Provider Exceptions apply to employee e-mail.
Section 2701(c)(1) of Title II exempts a “person or entity providing a wire or electronic communication service”
124
Id. at 417.
125
Id.
126
See supra notes 87-96 and accompanying text for a discussion of the difference between Title I and Title II claims.
127
18 U.S.C. 2511(2)(a)(i) (2000).
128
Flanagan v. Epson America, No. BC007036, slip op. at 5-6 n.1 (Cal. Super. Ct. Jan. 4, 1991) (asserting that employer-provider monitoring
everything in an intranet system would not violate the ECPA).
129
See Gantt, supra note 114, at 360 n.101 (discussing that ECPA not strictly limit the term “provider” to public entities so some employers may
be deemed service providers under that statute); James Baird et al., Public Employee Privacy: A Legal and Practical Guide to Issues Affecting the
Workplace 60 (1995) (arguing that a broad interpretation of the service provider exception is justified because the company networks are the
employer’s property).
130
18 U.S.C. 2511(2)(a)(i) (2000).
131
992 F.2d 1472 (9th Cir. 1993).
132
Id. at 1478.
133
Id. at 1475.
134
Id. at 1478.
135
Id.
136
Id.
-11-
[*89] from liability for illegally accessing stored communications.137 This section of the statute does not include any
language limiting interceptions to the scope of normal business dealings.138 In addition, section 2702 of Title II
allows public service providers to escape liability when they intercept or disclose the contents of stored
communications necessary to provide their service or when protecting their rights or property.139 The confusion
stems from the fact that Congress never defined the term “public service” in the Act. Therefore, who qualifies for
the Service Provider exception is unclear, but many commentators believe it is broad enough to encompass an
employer that provides e-mail to its employees.140
3.
The Consent Exception
Both Title I and Title II of the ECPA contain a consent exception shielding employers from liability when
employees give permission for monitoring.141 The issue most threatening to the privacy of employees in this context
is implied consent. Fortunately, from an employee perspective, the emerging case law on implied consent requires
actual or “full knowledge or adequate notification” before consent to monitoring can be said to be implied.142
Unfortunately, an employee signature on a company e-mail monitoring policy would constitute “full knowledge or
adequate notification” of monitoring. An employee would thereby sign away her right to sue under the ECPA’s
consent requirement whether or not she had actually read the form before signing. This signature may also bar any
common law claims for intrusion into seclusion or violation of privacy rights.
C.
Common Law
With the confusion over the proper interpretation of the ECPA, its three exceptions, and Constitutional protections
limited to public sector work, the common law may be the employee’s best avenue for redress of workplace e-mail
interceptions. The tort of intrusion into seclusion provides that one who intentionally intrudes, physically or
otherwise, upon the solitude or seclusion of another or his private affairs or concerns is subject to liability to the
other for invasion of his privacy, if the intrusion would be highly offensive to a reasonable person.143
[*90] The applicability of this tort to e-mail monitoring is limited for three reasons. First, the existence of a written
policy for e-mail monitoring may diminish the likelihood of there being a reasonable expectation of privacy.144
Second, recent court rulings have not recognized a reasonable expectation of privacy in e-mail correspondence, and
these recent decisions are unlikely to be overruled.145 Third, courts have not found employer monitoring of personal
e-mails to be highly offensive to a reasonable person and have distinguished it from such highly offensive acts as
locker searches or mandatory urinalysis.146
137
18 U.S.C. 2701(c)(1) (2000); see also 2511 (2)(a)(i) (2000); see supra note 107 for relevant statutory text.
138
18 U.S.C. 2701(c)(1) (2000).
139
18 U.S.C. 2702(a)(1) (2000).
140
See Gantt, supra note 114 for a discussion of who qualifies as a service provider.
141
18 U.S.C. 2511(2)(d) (2000); 18 U.S.C. 2701(c)(1)-(2) (2000). See supra note 108 for the relevant statutory text.
142
Ali v. Douglas Cable Communications, 929 F. Supp. 1362, 1377 (D. Kan. 1996); see also, Deal v. Spears, 980 F.2d 1153, 1157 (8th Cir.
1994) (holding as a matter of law that the employer failed to show implied consent by merely warning employee that phone calls might be
monitored).
143
Restatement (Second) of Torts 652A (1977).
144
See Kevin P. Kopp, Electronic Communications in the Workplace: E-mail Monitoring and the Right of Privacy, 8 Seton Hall Const. L.J. 861,
885 (discussing Bourke v. Nissan Motor Corp., No. YC003979 (Cal. Super. Ct. App. 1991)).
145
See Bourke v. Nissan Motor Corp., No. YC003979 (Cal. Super. Ct. App. 1991) (ruling that employees had no reasonable expectation of
privacy in e-mail messages because they had signed a form indicating that e-mail was for company business only); Smyth v. Pillsbury Co., 914 F.
Supp. 97, 101 (E.D. Pa. 1996) (holding that an employee could not have a reasonable expectation of privacy in e-mail messages voluntarily made
over the company e-mail system).
146
Smyth v. Pillsbury Co., 914 F. Supp. 97, 101 (E.D. Pa. 1996).
-12-
For example, in Smyth v. Pillsbury Co.,147 the United States District Court for the Eastern District of Pennsylvania
rejected an intrusion into seclusion claim. In Smyth, the plaintiff was fired because of an e-mail he sent to his
supervisor.148 Although the company had assured its employees that e-mails would remain private and that they
would not be intercepted or disclosed, the court found that an employee loses any expectation of privacy he may
have had by using an e-mail system that the entire company used.149 Furthermore, the court did not find the
interception highly offensive to a reasonable person and distinguished it from mandatory urinalysis or locker
searches, in that e-mail monitoring did not invade an employee’s person.150 Finally, the court found that the
company’s interests in preventing illegal use of e-mail systems and the company’s “interest in preventing
inappropriate and unprofessional comments . . . over its e-mail system” outweigh any privacy interest of
employees. 151
D.
State Law
Several states have constitutional provisions guaranteeing a right to privacy.152 Only California, however, has held
that this right extends to both private and public sector employees.153 In California, a private sector [*91] employer
used to be required to show a “compelling interest” in order to justify an intrusion into an employee’s right to
privacy.154 However, in Hill v. National Collegiate Athletic Ass’n.,155 the “compelling interest” standard was
replaced with a balancing test that required the privacy interest in question to be specifically identified and
compared to the countervailing non-privacy interests of the company. The California Supreme Court indicated that
the compelling interest standard would still be applied against private employers when the privacy interest involved
was “fundamental to personal autonomy,” such as the interest implicated in forced sterilization.156 Even though
California has taken a seemingly progressive stance on workplace privacy issues, the Superior Court of the state
refused, in Flanagan v. Epson America,157 to enforce an employee’s right to privacy to e-mail correspondence. In its
ruling, the court suggested that the expansion of constitutional privacy rights was the job of the legislature, not of the
judiciary.158
The majority of states have statutes that prohibit the interception of electronic communications, mirroring the
ECPA.159 Many of these statutes contain the same Consent, Ordinary Course of Business, and Service Provider
exceptions found in the ECPA. However, twenty-two states and the District of Columbia have no Ordinary Course
of Business Exception or restrict the Service Provider Exception to communication common carriers, thereby
147
914 F. Supp. at 97.
148
Id. at 98-99.
149
Id. at 101.
150
Id.
151
Id.
152
The constitutions of ten states expressly protect a right to privacy; Alaska Const. art. I 22; Ariz. Const. art. II, 8; Cal. Const. art. I, 1; Fla.
Const. art. I, 23; Haw. Const. art. I, 6; Ill. Const. art. I, 6, 12; La. Const. art. I, 5; Mont. Const. art. II, 10; S.C. Const. art. 1, 10; Wash. Const. art.
I, 7.
153
See Luck v. S. Pac. Transp. Co., 267 Cal. Rptr. 618, 627-29 (Cal. Ct. App. 1990) (holding that California employers are bound by California
constitutional protections of privacy); Semore v. Pool, 266 Cal. Rptr. 280, 283-284 (Cal. Ct. App. 1990) (finding that the right to privacy in the
California Constitution protects Californians from actions of private employers and government agents); Porten v. Univ. of San Francisco, 134
Cal. Rptr. 839, 843 (1976) (holding a private university liable for disclosing a students grades to the State Scholarship and Loan Commission);
see also Alexander Rodriguez, All Bark, No Byte: Employee E-mail Privacy Rights in the Private Sector Workplace, 47 Emory L.J. 1439, 1447
(1998) (discussing state constitutional laws for protection of employee privacy).
154
See, e.g., Luck, 267 Cal. Rptr. at 631-32 (noting the compelling interest standard); Porten, 134 Cal. Rptr. at 843 (discussing the compelling
interest standard).
155
865 P.2d 633, 655 (Cal. 1994).
156
Id. at 654.
157
No. BC007036, slip op. at 4 (Cal. Super. Ct. Jan. 4 1991).
158
Id.
159
South Carolina and Vermont do not have statutes modeled after the ECPA.
-13-
excluding employer-providers from the exception.160 Furthermore, thirteen state statutes require all parties to give
prior consent in contrast to the ECPA’s provision for one-party consent.161
Although these jurisdictions may seem to provide more protection than does the ECPA for workplace e-mail
monitoring, courts in these states have interpreted their statutes in much the same way as federal courts have the
ECPA. Consequently, these statutes fail to protect employee e-mail monitoring for many of the same reasons the
ECPA does. For example, Illinois courts have interpreted the all-party consent language of their law to [*92] be
consistent with the one-party consent language of the federal exception.162 Also, as each of these states are at-will
employment states, implied consent to monitoring of employee communications is generally assumed. Finally, like
the ECPA, these statutes have been tested only in the context of employee telephone use and not e-mail monitoring,
and the language of these Acts, like the ECPA, only speaks of “wire communications” and not specifically e-mail.
These statutes, therefore, suffer from the same ambiguity as the ECPA, which was their model.
State and federal laws regarding electronic monitoring defer to the employer’s property or proprietary interests in
employee monitoring cases.163 This deference to property owners goes a long way in explaining the United States
courts’ anti-employee stance on workplace monitoring. Therefore, to examine how other democracies view the
issues of privacy and workplace surveillance helps clarify the underlying concepts at play in rulings of the courts.
E.
United States v. European Conceptions of Privacy
American employees have less legal protection against electronic surveillance in the workplace than do their
continental European counterparts.164 While many variables may explain the differences,165 the underlying
difference in the source of privacy rights is common to all these variables. The United States legal system views
privacy as a right closely connected to private property, while European countries view this right as a matter of
human dignity.166 As some commentators have argued, the European conception better represents the origin of the
right to privacy in Warren and Brandeis’ Right to Privacy than does that of the prevailing United States
conception.167
[*93]
160
Alabama, Delaware, the District of Columbia, Georgia, Idaho, Indiana, Iowa, Kentucky, Louisiana, Maine, Minnesota, Mississippi, Missouri,
New Hampshire, New Jersey, New Mexico, North Dakota, Ohio, Oklahoma, Pennsylvania, Rhode Island, South Dakota, and Texas.
161
California, Connecticut, Delaware, Florida, Georgia, Illinois, Maryland, Massachusetts, Michigan, Montana, New Hampshire, Pennsylvania,
and Washington.
162
See, e.g., People v. Beardsley, 503 N.E.2d 346, 350 (Ill. 1986) (noting that the court will interpret the state’s eavesdropping statute consistent
with article III of the Omnibus Crime Control & Safe Streets Act of 1968).
163
See Baird, supra note 130, at 60 (arguing that interpretation of eavesdropping laws should take into consideration the property interests of the
employer).
164
See Colin Bennett, Convergence Revisited: Toward a Global Policy for the Protection of Personal Data?, in Technology and Privacy: The
New Landscape 99, 113-14 (Philip E. Agre & Marc Rotenberg eds., 1997) (comparing privacy protections of European and American
employees); Paul M. Schwartz, European Data Protection Law and Medical Privacy, in Genetic Secrets 392, 397 (Mark A. Rothstein ed., 1997)
(comparing privacy protections of European and American employees).
165
For example, the number and strength of employee labor unions are two such variables that may account for these differences.
166
Lawrence E. Rothstein, Privacy or Dignity?: Electronic Monitoring in the Workplace, 19 N.Y.L. Sch. J. Int’l & Comp. L. 379, 380-81 nn.1314 (2000). Rothstein notes that U.S. cases such as those following Katz turn on determining whether surveillance balances an employer’s
proprietary rights with an employee’s reasonable expectation of privacy while the E.U. decisions are based on a more absolute standard of
inviolable human dignity. This difference is noticeable when comparing the U.S. Constitution’s Fourth Amendment protection against
“unreasonable searches and seizures” with the German Constitution’s Article 1, Section 1, which states “Human dignity is inviolable. To respect
and protect it is the duty of all state authority.”
167
For a discussion of this issue, see infra Part IV.C.
-14-
1.
United States View of Privacy as Linked to Personal Property
Privacy issues in the United States legal system are infused with notions of control over personal property. The legal
system of the United States treats privacy as protecting a sphere of individual space that cannot be trespassed upon
without permission or strong justification. The sphere of control that is privacy is commonly associated with a
person’s home or the marital relationship. The roots of both are tied to property. Privacy can be said to reflect a
sense of “possessive individualism,”168 implying that we own our personhood or reputation. We own this reputation
or personal sphere of intimacy and have the “exclusive right to dispose of access to one’s proper (private)
domain.”169 Therefore, privacy rights mimic property rights in that they are primarily concerned with the ability to
exclude intruders who do not have overriding legal justification to trespass into our sphere of control.170
The relationship between privacy rights and property rights is borne out more clearly in the workplace. An employee
sells her time and labor capacity to an employer, and thereby alienates certain aspects of her personhood by putting
them under the control of the employer.171 For instance, she alienates some aspects of her freedom by subjecting
herself to her employer’s requirements for schedule and location.172 As for those intimate aspects of her personhood
or reputation that are her privacy rights, they are generally superseded by the employer’s property rights.173
Consequently, courts decide that in most cases employees have no legitimate expectation of privacy at work.174 The
employer, by virtue of ownership of the premises and equipment, has the right to oversee the activities of
employees. 175 The employee, it seems, sells her control over her personhood to the employer while she is at work. In
other words, the at-will employee has implicitly consented to being monitored while at work. Therefore, barring
some statutory limitation of the rights of employers, an employee can be monitored for any reason or no reason at
all.
2.
European View of Privacy as Linked to Human Dignity
European communities employ the notion of human dignity in determining the outcome of workplace monitoring
issues.176 Where the American courts [*94] see workplace monitoring as a property issue, European countries see it
as an intrusion into a person’s autonomy or intimacy. Such an intrusion reduces a person’s status as a thinking being
or community member.177 Intrusions into a person’s intimacy or autonomy are, thus, an affront to human dignity as
opposed to an invasion of legally constructed privacy rights.178
The protection of human dignity is a broader concept than protection of personal privacy. It is rooted in the notion
that each person is unique and autonomous and, therefore, should be free from the manipulation and domination of
others, including employers.179 This philosophical framework looks at workplace monitoring generally, and e-mail
monitoring specifically, from a different perspective than that of the United States Courts. From this perspective,
treating an employee as a cog of production or merely as a factor of productivity ignores her individuality and denies
168
C.B. MacPherson, The Political Theory of Possessive Individualism 3 (1970).
169
Ernest Van Den Haag, On Privacy, in Privacy: Nomos XIII 149, 151 (J. Roland Pennock & John W. Chapmann eds., 1971).
170
MacPherson, supra note 169, at 3.
171
See Rothstein, supra note 167.
172
Id.
173
Id.
174
With the rare exceptions of rest rooms and lockers.
175
See Rothstein, supra note 167.
176
See Rothstein, supra note 167 for a more detailed discussion of the European view of workplace monitoring, which is beyond the scope of this
comment,
177
Rothstein, supra note 167, at 383.
178
Id.
179
Rothstein, supra note 167, at 383; see also, Alan F. Westin, Privacy and Freedom 33 (1967) (linking autonomy and dignity to advocate for
attention to privacy protections).
-15-
her dignity. Human dignity is diminished when an employee is treated as “a mechanism transparent to the view of
others . . . and therefore manipulable or disposable without the ability to confront the observer.”180
The European approach severely restricts an employer’s ability to monitor an employee’s e-mail correspondence
and other workplace activities. In France and Italy, for example, any employee monitoring requires notification and
must be directly related to the employee’s work.181 Furthermore, monitoring must be proportional in both nature and
intensity to the importance of the employee’s tasks.182 This approach realizes that employees have private lives that
extend beyond and are bound up with the workplace. As employees spend a majority of their time at work,
inevitably some non-business related activity intrudes in their day, requiring inherently private, personal
communication to take place while at work. Moreover, this view recognizes that while a person subordinates herself
to her employer while at work, this subordination extends only to the performance of work-related activities.183 The
employee sells her services to the employer and nothing more. Her autonomy and intimate personality cannot be
sold.
III.
Proposal for a Statutory Solution
Given the inadequacies of existing federal,184 state,185 and common law186 [*95] discussed above, a new federal
statute should address employee privacy in e-mail. This law should balance the interests of employers and
employees concerning workplace privacy. It should require that employers explain the details of monitoring
practices to their employees and also should require monitoring to be related to and proportional to specific business
interests in both manner and duration.187 Furthermore, employees should be granted access to all e-mails or other
information that is collected under the law. To be effective, it should provide for a reasonable yet significant penalty.
To be fair, it should allow employers to escape liability by showing a compelling business interest or urgency that
requires monitoring outside the provisions of the law. Most importantly, it should eliminate clearly the legal fiction
of implied consent to monitoring.
Laws such as this have been proposed and have failed in the past. Congress voted down the Privacy for Consumers
and Workers Act of 1993 (“PWCA”),188 and the Massachusetts legislature vetoed a similar law in that state.189 The
PWCA would have required all workplace monitoring to be related to work performance and would have guaranteed
employee access to data collected about her work performance.190 It also would have limited the disclosure and use
of this data by the employer and would have prevented employers from collecting data about their employees’
exercise of First Amendment rights.
Currently, Congress is considering the Notice of Electronic Monitoring Act (“NEMA”), a law requiring notification
of monitoring. NEMA would require that employers notify employees annually of monitoring procedures,
frequency, and reasons. NEMA contains an exception for employers who have a reasonable belief that an employee
180
Rothstein, supra note 167, at 384.
181
Id.
182
Id.
183
Id.
184
See supra Part II.B for a discussion of the inadequacies of existing federal law in protecting employee privacy in workplace e-mail.
185
See supra Part II.D for a discussion of the inadequacies of existing state law in protecting employee privacy in workplace e-mail.
186
See supra Part II.C for a discussion of the inadequacies of existing common law in protecting employee privacy in workplace e-mail.
187
U.S. laws regarding electronic monitoring in the workplace might do well to mimic Italian laws that have these requirements. See Rothstein,
supra note 167 at 384 for a discussion of such laws.
188
H.R. 1900, 103d Cong. (1993).
189
Shefali N. Baxi & Alisa A. Nickel, Big Brother or Better Business: Striking a Balance in the Workplace, 4 Kan. J.L. & Pub Pol’y 137, 145
(1994) (discussing the PWCA and similar state laws); Frank C. Morris, Jr. Workplace Privacy Issues: Avoiding Liability, SD52 ALI-ABA 697,
722 (1999) (discussing proposed federal and state legislation of workplace privacy).
190
139 Cong. Rec. E1077-02, E1077 (daily ed. April 28, 1993) (describing the purpose of the Privacy for Consumers and Workers Act of 1993).
-16-
is causing significant harm and violating the legal rights of the employer or another person.191 Furthermore,
Congress is debating The Digital Privacy Act of 2000192 and The Electronic Communications Privacy Act of
2000.193 These would extend the ECPA explicitly to cover e-mail. These legislative proposals are a step in the right
[*96] direction, but fail to balance the interests of employers with the interests of employees. These proposals do
little to address the privacy concerns of employees. Rather, they merely require employers to inform employees that
the company reserves the right to invade its employees’ private lives.
In light of the failings of these proposed statutes, many commentators have suggested alternative means for
addressing employee privacy in e-mail.194 These suggestions range from statutory amendments195 to contractual
negotiations.196 However, for reasons that will be discussed below, these alternatives to legislation fail to protect
employee rights adequately. Consequently, new legislation is required to balance the privacy and proprietary
interests within the employment context. This new legislation must have the requirements set out at the start of this
section.
IV.
Discussion
Employees should not check their right to an inviolate personality at the office door. Privacy is a fundamental right
at the core of an organized free society. Warren and Brandeis aptly pointed out the importance of the right to be left
alone and the danger that new technology poses to that right.197 Although their concerns were raised nearly a
hundred years ago, these concerns are at the forefront of society in the new millennium. Unless decisive steps are
taken, privacy at work, and by extension privacy in general, may be seriously eroded. Reacting to this concern,
scholars and legislatures have proposed several solutions to the e-mail privacy problem. Those that focus on
strengthening existing law fail for the various reasons discussed in this comment. Those that suggest new laws are
on the right track, but need to find new arguments to support them in order to defeat the powerful lobbies of
business interests working against them.
A.
Why Regulate the Employee’s Expectation of Privacy?
An employer has many valid reasons for monitoring employee activity. Ensuring efficiency, security and quality of
service are just a few.198 Nevertheless, as Americans begin to spend more time at their jobs, the need for conducting
personal business while at work becomes more pressing.199 An increasingly common means of doing so is e-mail.200
A balance between employer and employee interests in workplace e-mail, therefore, is critical to today’s information
economy.
These interests are not as diametrically opposed as they may appear to be. [*97] Efficiency and employee privacy
are not mutually exclusive, nor are efficiency and employee ability to conduct personal business while at work. In
fact, respecting employee autonomy and privacy by not monitoring e-mail may be in the employer’s best interest
191
H.R. 4908, 106th Cong. (2000). The Notice of Electronic Monitoring Act (NEMA) was introduced to the senate by Charles Schumer (D-New
York) and in the House by Bob Barr (R-Georgia) and Charles Canady (R-Florida). The legislation is designed to amend the ECPA.
192
H.R. 4987, 106th Cong. (2000). The Digital Privacy Act of 2000 was sponsored by Rep. Bob Barr (D-Georgia) on July 27, 2000 and would
explicitly add e-mail messages and stored computer communications to those communications currently covered by the ECPA.
193
H.R. 5018, 106th Cong. (2000). The Electronic Communications Privacy Act of 2000 was sponsored by Reps. Charles Canady (R-Florida)
and Asa Hutchinson (R-Arkansas) and would explicitly extend the prohibitions of the ECPA to e-mail.
194
See infra Part IV.B for a discussion of various proposals to address employee privacy in workplace e-mail.
195
See infra note 208 and accompanying text for a discussion of suggestions for new statutes.
196
See infra notes 209-212 and accompanying text for a discussion of contractual solutions.
197
Warren & Brandeis, supra note 2, at 195.
198
See supra notes 28-35 for a discussion of reasons for employers to monitor employee e-mail.
199
See supra note 14.
200
Steen, supra note 8.
-17-
because monitoring lowers morale, and low morale sponsors low productivity.201 Employees who feel as if “Big
Brother” is always watching tend to work less.202 On the other hand, employees who feel the company supports
them as autonomous individuals with outside interests and privacy concerns tend to have higher morale and
productivity levels. 203 This view is commonly accepted by C.E.O.s of European corporations.204 Employers should
respect their employees’ personal dignity and autonomy by allowing them to function without the threat of constant
supervision. For these reasons, solving the problem of e-mail privacy is essential to both employer and employee
alike.
B.
Problems with Various Proposed Solutions
A common solution proposed to protect employee privacy in e-mail correspondence at work is strengthening
existing tort law to cover invasions.205 This approach is flawed for two reasons. First, recent precedent-setting
decisions have found no expectation of privacy in e-mail, and these decisions are unlikely to be overturned.206
Second, any solution founded on a subjective reasonableness standard such as those used in tort or Fourth
Amendment cases is destined to fail because of the slow pace of the law. It becomes increasingly more difficult to
argue that a person had a reasonable expectation of privacy in e-mail correspondence at work five or ten years after
the courts [*98] have stated that no such expectation exists. It simply becomes established law, and ignorance of the
law has never been a persuasive argument. In light of recent court rulings, such an expectation of privacy may be
legitimate, but it is certainly unreasonable.
Other commentators support statutes that merely require notice before monitoring can commence.207 As stated
before, this measure will not protect employee privacy. It will merely alert employees that their e-mails may be
monitored. An employer could easily manipulate the language of such a notification or e-mail policy in a way that
destroys any expectation of privacy for the employee. This type of law creates a hoop for the employer to jump
through, but leaves her in control over the level of privacy her employees can expect at work.
Still others have suggested that the best time to deal with employee privacy issues is at the negotiation table.208
Pointing to the inherent contractual nature of the employer-employee relationship, some commentators call for
201
See Gantt, supra note 114, at 420 (citing studies which show that monitored employees experience tension and anxiety, which causes a
decline in productivity); see also, Ronald E. Roel, Injured by Big Brother, Newsday, Oct. 5, 1990, at 49 (discussing study by Communications
Workers of America, which concluded electronic monitoring is linked to increased health problems and psychological stress); Robert B.
Fitzpatrick, Privacy Issues in Surveillance, Search, and Monitoring of Employees, C669 A.L.I.-A.B.A. Course Study 23 at 36 (1991) (noting that
employee monitoring is linked to higher levels of stress, depression, anxiety, fatigue, and anger and employee stress has cost U.S. businesses $ 50
to $ 75 billion annually); Peter Blackman & Barbara Franklin, Blocking Big Brother: Proposed Law Limits Employer’s Right to Snoop, N.Y.
L.J., Aug 19, 1993, at 5 (citing Massachusetts survey reporting that 65% of employees at companies which monitor for efficiency worked
inefficiently because they were required to work too quickly).
202
See Gantt, supra note 114, at 422 (citing studies which indicate increasing employee privacy increases productivity).
203
See Winters, supra note 70, at 106 (arguing that employees who have a clear zone of workplace privacy may work more efficiently then those
scrutinized by employers).
204
See Donald E. Berenbeim, Employee Privacy 2 (Conference Board Research Report No. 945, 1990) (finding that a higher percentage of
Canadian and European C.E.O.s see electronic monitoring as detrimental to employee morale); see also, Rothstein, supra note 167, at 380-81
(arguing more Canadian and European C.E.O.s view electronic monitoring of employees as detrimental to worker morale and productivity based
on the conception of employee privacy rooted in the notion of human dignity as opposed to employer proprietary interests).
205
See, e.g., Beeson, supra note 18, at 218 (arguing that until new legislation is passed, the best method for protecting employee claims would be
to analogize e-mail to lockers under the tort of intrusion into seclusion).
206
See supra Part II.C for a discussion of recent court decisions on the reasonable expectation of privacy.
207
Laura Thomas Lee, Watch Your E-mail! Employee E-mail Monitoring and Privacy Law in the Age of the Electronic Sweatshop, 28 J.
Marshall L. Rev. 139, 170-174 (1994) (arguing, inter alia, that a key requirement of adequate statutory protection of employee e-mail privacy is
notification of monitoring procedures); for similar proposals see Kevin J. Baum, E-mail in the Workplace and the Right to Privacy, 42 Vill. L.
Rev. 1011, 1035-41 (1997) (arguing that notice of monitoring is needed to protect employee privacy); Thomas R. Greenberg, E-mail and Voice
Mail: Employee Privacy and the Federal Wiretap Statute, 44 Am. U. L. Rev. 219, 250 (1994) (recommending that employers alert employees to
monitoring policies).
208
See, Lisa Brunn, Privacy and the Employment Relationship, 24 Hous. L. Rev. 389, 401 (1988) (arguing that employment contracts, employee
hand books, company mission statements, etc. may be considered binding against the employer therefore privacy protections contained therein
could be enforceable); Rodriguez, supra note 155, at 1467 (arguing that legislation dictating a presumption of employee right to privacy in
-18-
employees to take the initiative in defining the extent and purpose of employer monitoring.209 Privacy, therefore,
will become a bargained-for commodity before employment, preventing the need for post-invasion litigation.
Unacceptable e-mail monitoring would constitute a breach of contract. This approach fails because an action for
breach is intended to put the aggrieved party in the same position as it would have been in had the contract been
fully performed.210 In the invasion of privacy context, how does an employer make the employee whole? If sensitive
information is disseminated from an intercepted e-mail, is it possible to undo the harm? Only in limited situations
does contract law allow for consequential or punitive damages.211 Because this contract would not govern the
exchange of goods, the U.C.C. may not apply. Therefore, this solution may be subject to different treatment under
the common law of contracts in various jurisdictions.
[*99] Furthermore, most employees, even in a good economy, do not come to the employment negotiation table
with equal bargaining power. Only the rare professional, expert, artisan or powerful labor union can actually afford
to dictate the terms under which an employer will evaluate it. Therefore, this measure would not significantly affect
the average American employee. This measure further fails to address the fact that a majority of American
employees may not even realize that they have no privacy rights in workplace e-mail and, therefore, would not think
to discuss monitoring policies at hiring.
Drafting a statute with the requirements set out in Part III of this comment, one that requires an employer to show a
compelling business interest in monitoring employee e-mail, is the most feasible and most effective means of
addressing this issue. Courts should interpret the compelling business interest language as mirroring the compelling
governmental interest requirement of any law that addresses a fundamental right.212 If properly interpreted, this
language in a statue would eliminate the pro-employer presumption that an employee waives her right to privacy in
exchange for a salary. It would, therefore, eliminate the defense of implied consent to monitoring. It also would
require the employer to use the least restrictive means to achieve whatever compelling interest she is pursuing and
achieve the goal of limiting e-mail monitoring to work-related tasks, as well as requiring the duration of monitoring
to be proportional to the importance of those tasks.213 The compelling business interest requirement would restore
the notions of human dignity, autonomy, and “inviolate personality”214 that are at the core of privacy, while still
allowing an employer to protect proprietary and security concerns presented by the increased ease of employee
access to, and transfer of, information.
C.
Better Arguments for a Statutory Solution
The most potentially effective and progressive statutory proposals covering workplace e-mail privacy have fallen
victim to the lobbying power of corporate America.215 In order to draft a balanced law regulating employee privacy
in workplace e-mail, the issue of privacy in general must be re-examined. The European model of privacy as related
to human dignity, the Warren and Brandeis article that gave rise to the right of privacy, and a focus on the benefits
conferred on an employer through respect of employee rights should guide this debate.
workplace e-mail would force workplace monitoring policies to be negotiated and agreed upon at hiring and therefore enforceable under contract
law).
209
See Brunn, supra note 209, at 401; Rodriguez supra note 154, at 1467.
210
See, e.g., U.C.C. 1-106 (1977) (stating that remedies for breach of contract should be “liberally administered to the end that the aggrieved
party may be put in as good a position as if the other party had fully performed” but baring consequential and punitive damages unless
specifically provided for in the act). Id.
211
Id.
212
See Gantt, supra note 114, at 416 (arguing that a “compelling business interest” standard should be interpreted as analogous to the
“compelling government interest” standard and require a “least restrictive alternative” analysis).
213
Id.
214
Warren & Brandeis, supra note 2, at 205.
215
Business lobbyists often argue that monitoring allows them to ensure quality and productivity of employees. See, e.g., J.W. Waks & C.R.
Brewster, Privacy Bill Targets Work Site Monitoring, Nat’l L.J., Jan. 18, 1993 at 18-20 (arguing that workplace monitoring is a valuable tool for
management to measure productivity).
-19-
The United States should study the stance of countries like France and Italy [*100] in dealing with workplace
privacy concerns. These countries follow the message of Warren and Brandeis more closely than does the American
notion of privacy, which is bound up with property rights.216 Warren and Brandeis were reacting to the danger that
new technology might expose the intimate details of one’s personal life.217 In response to advanced newspaper
printing and photographic technology, they were calling for recognition of a fundamental right to be let alone that
would, in effect, create a presumption of human dignity and autonomy that would prevent exposure of the details of
one’s intimate life without one’s consent.218 They saw this right to privacy as a fundamental right. Granting
employers carte blanche in e-mail monitoring erodes this right. Since the common law treatment of privacy is
unlikely to change, a statute is necessary. Such a statute will cure the defects in privacy law and restore the
protection of the “inviolate personality”219 that the right was based on. The fact that other countries use such a model
without compromising business efficiency strongly supports the argument.220
Recasting the debate in terms of employer benefit will nullify some of the most persuasive arguments against a
statute designed to guarantee employee privacy in workplace e-mail.221 Statistical data linking productivity to
morale and morale to surveillance makes a strong public policy argument for enacting employee privacy legislation
that protects e-mail and other new forms of communication. If such protection would benefit the employer as well as
the economy, it would be difficult to argue that it should not be enacted.
V.
In the Meantime: Advice for Employers and Employees on Balancing Privacy and Proprietary
Interests in Workplace E-Mail Messages
Given the confusion over what laws, if any, govern the extent to which an employer can monitor employee e-mails,
both parties must limit their exposure to legal action. Employers, must create a detailed e-mail monitoring policy,
and explain it fully to all employees. Employees should know the privacy risks posed by e-mail, and limit the
transmission of sensitive information. The following suggestions are guidelines only and are not intended as legal
advice.
[*101]
A.
Employer Precautionary Measures
A detailed, comprehensive, and clear e-mail use policy is the best way for an employer to limit potential legal
liability while protecting legitimate business interests in e-mail monitoring. An adequate e-mail usage policy must,
at the very least, inform employees that all e-mail, business related or personal, is subject to monitoring.222 This
policy must be in writing and be fully explained to all employees.223 Employees should sign these policies,
indicating that they understand and consent to all measures contained in the writing. Actual, informed consent to
monitoring is a defense to just about any of the potential causes of action discussed above.224
216
Warren & Brandeis, supra note 2, at 205 (arguing that the principle underlying the torts of slander and libel is “in reality not the principle of
private property, but that of an inviolate personality” and this is the principle that supports a right to privacy).
217
Warren & Brandeis, supra note 2, at 196 (reacting to the detrimental effect of tabloids stating that “Gossip . . . has become a trade”).
218
Id.
219
Warren & Brandeis, supra note 2, at 205.
220
See Gantt, supra note 114, at 420 (noting that other countries have recognized surreptitious monitoring lowers productivity); Fitzpatrick, supra
note 198, at 1170 (noting that Japan, Germany, and Sweden impose tight restrictions on employee monitoring and productivity levels have
remained among the best in the world).
221
Waks, supra note 216.
222
See, e.g., Grover J. Brittain, Drafting an E-mail and Internet Usage Policy for Your Firm, 27-Oct Colo. Law. 17, 18 (1998) (suggesting e-mail
usage policies require consent to monitoring as a condition of employment); John C. Yates, E-Compliance: Internet Law and Privacy Issues, 1177
PLI/Corp 195, 205 (2000) (suggesting that corporations establish written standards for review of e-mail); Frank C. Morris, Jr. Workplace Privacy
Issues: Avoiding Liability, ALI-ABA Course of Study June 3-5, 1999, SD52 A.L.I.-A.B.A. 697, 730 (suggesting written polices).
223
See Waks, supra note 216.
224
See supra Part II for a discussion of potential causes of action arising from e-mail monitoring.
-20-
As informed consent is a major factor in workplace monitoring cases, detailed and understandable e-mail usage
policies better insulate employers from legal liability. Employers, therefore, should distribute these policies to
employees through as many channels as possible to ensure employee awareness of their terms. E-mail usage polices
should be explained on hiring, sent to employees in periodic e-mails, be included in employee handbooks, and
possibly displayed on the screens of users while they access e-mail programs.225 Periodically sending employees
consent to monitoring forms and regular reminders of the monitoring policies might also be wise.
Better e-mail usage policies provide the rationale for monitoring and the extent of employee privacy rights in
electronic correspondence. Such policies clearly explain that the company e-mail system is the property of the
company, and is intended for business purposes.226 The company, therefore, reserves the right to monitor the use of
e-mail at its discretion in order to insure against misuse.227
Above all, a policy should make clear that employees have no expectation of privacy in any matter contained in an
e-mail sent or received over the company system.228 The policy should explain that employee accounts which are
password protected or e-mails labeled personal either in transit or in [*102] storage are not granted any additional
privacy protections.229 Furthermore, the policy should limit the use of passwords for employee accounts. If
passwords are used, employees should be required to provide passwords to management, thereby eliminating any
impression of privacy in these accounts.230
Comprehensive policies should define the proper use of company e-mail systems. They should include written
prohibitions expressly forbidding the transmission of threatening, hostile, harassing, offensive or otherwise
inappropriate messages.231 They should also expressly prohibit the transfer of proprietary information, trade secrets,
confidential documents, or any privileged communications to anyone outside the company.232
These policies should describe the methods of monitoring and enforcement to inform employees and guide
management.233 Requiring management to adhere to these policies when monitoring will decrease the likelihood of
employer abuse of monitoring capabilities. Therefore, the policy should advise employees that management can and
may monitor any e-mail, including deleted e-mails, and that deleting does not create privacy rights.234 It should
create clear guidelines governing how long old messages will be kept and who is authorized to read employee
messages.235 It should remind employees that e-mail is easily sent, forwarded or printed and that deleted e-mails
remain accessible for an indefinite time. Finally, all e-mail usage policies should warn that violations can lead to
immediate discipline, termination, and even civil or criminal charges.236
After drafting a detailed e-mail usage policy, the employer should take precautionary measures to ensure
management complies with its terms. E-mail should be monitored only for legitimate business reasons such as
225
See Morris, supra note 223, at 730-735 (advising employers to periodically distribute e-mail policies to employees over diverse channels).
Additionally, if Congress passes NEMA (supra Section III), employers would be required to provide adequate notification of monitoring policies
to employees. What constitutes adequate notification would need to be determined by the courts but an employer’s ability to show a broad and
varied notification scheme would certainly aide in the prevention of liability.
226
See Brittain, supra note 219, at 17 (advising that policies explain a firm’s proprietary interest in e-mail systems and use).
227
Id.
228
Morris, supra note 223, at 730.
229
Id. at 731.
230
Id. This is an important precaution because password protected e-mail accounts are arguably analogous to employee lockers and would
therefore carry an increased expectation of privacy.
231
Id.; Brittain, supra note 223, at 18.
232
Morris, supra note 223, at 731; Yates, supra note 223, at 205.
233
Yates, supra note 223, at 205; Morris, supra note 223, at 731.
234
Yates, supra note 223, at 205; Morris, supra note 223, at 731.
235
Yates, supra note 223, at 205; Morris, supra note 223, at 731.
236
Yates, supra note 223, at 205; Morris, supra note 223, at 731.
-21-
suspicion of illegal activity or corporate espionage.237 Furthermore, monitoring should be conducted only for the
limited time required to achieve the legitimate purpose for which it is undertaken.238 At all times during monitoring,
management should act to limit the intrusions into employee privacy and avoid monitoring any personal
messages.239
[*103]
B.
Employee Precautionary Measures
The only proposed legislation protecting employee privacy in e-mail are statutes that merely require employers to
remind employees periodically that employers can read all e-mail.240 Employees, therefore, should become aware of
privacy risks associated with e-mail and avoid sending or receiving sensitive information.
E-mail is analogous to a post card; anyone can read it while it is in transit, stored, or even after it is thrown out.
Accordingly, employees should limit sensitive personal or business information contained in e-mail messages.
Employees should also understand that e-mail is discoverable for civil or criminal actions against them and that email is not anonymous. 241 Any computer used to send or receive e-mail can be traced and potentially used to identify
an employee. Furthermore, e-mail has an extremely long shelf life. It can be viewed, manipulated, accessed or
forwarded even after a user deletes it.
Simply limiting the use of e-mail is the best way to ensure that an employer does not intercept private information.
However, more technical ways of decreasing the chances of unwanted interception of e-mail messages exist. For
example, software options can reduce one’s susceptibility to surreptitious monitoring.
Employees might consider, to the extent allowed by an employer’s e-mail usage policy, using encryption programs.
Essentially, these programs encode an e-mail, rendering it undecipherable to anyone without the proper decoding
information. Ideally, these programs prevent anyone other than the intended recipient from viewing a specific
message. Some forms of these programs are freely available on the Internet, but they are not without their
problems.242 While encryption programs may allow a greater degree of anonymity and privacy in e-mail messages,
the encryption does not guarantee privacy because the codes can be cracked. Also, some of these programs require
both the sender and the receiver to have the same software, thus making e-mailing less convenient.
Software is also available that shortens the shelf life of e-mail, making it more difficult to discover.243 These
programs cause messages to “self-destruct’ [*104] after a set period of time, decreasing the danger of discovery after
deletion. Nevertheless, system requirements, a changing state of the art, and compatibility issues with various e-mail
237
Limiting e-mail interceptions by management to legitimate business interests would conform with the interpretation of acceptable phone
monitoring under the ECPA and probably limit liability. Furthermore, limiting interceptions to cases where serious infractions are suspected
would conform with legislation such as the recently defeated PWCA or the kind suggested by this comment.
238
Time limitations should conform to those for acceptable phone monitoring.
239
This would ensure that employers comply with the “compelling business interest” standard, including the “least restrictive alternative”
analysis of the legislation proposed by this comment.
240
See supra Part III for a discussion of NEMA and other proposed legislation to protect employee e-mail privacy; see also The Notice of
Electronic Monitoring Act of 2000, H.R. 4908, 146th Cong. (2000).
241
See Morris, supra note 223, at 729 (noting that Rule 34 of the Federal Rules of Civil Procedure provides for discovery of electronic records
such as e-mail).
242
Some forms of these programs, offering free encryption software, are available on the Internet. See http://www.privacy.com;
http://www.zixit.com; https://www.ziplip.com/ps/ZLPlus/home.jsp. For more information on Internet privacy issues and solutions in general, visit
The Privacy Rights Clearinghouse at http://www.privacyrights.org. These examples are offered for informational value only and should not be
viewed as product endorsements or as a guaranty of effectiveness.
243
For instance, Omniva Policy Systems provides software that allows an e-mail to self-destruct after reading limiting the danger of recovery
after deletion. Ominiva Policy Systems, available at http://www.omniva.com. These examples are offered for informational value only and should
not be viewed as product endorsements or as a guaranty of effectiveness.
-22-
service providers and account access programs limit all software protections. The best privacy protection, therefore,
is to remember that third parties could view anything in an e-mail message.
VI.
Conclusion
An employee’s expectation of privacy should not run out when she clocks in. Privacy is a fundamental right at the
core of an organized free society. Warren and Brandeis aptly pointed out the importance of the right to be left alone
and the danger of new technology impinging on that right.244 Although their concerns were raised nearly a hundred
years ago, these concerns are at the forefront of society in the new millennium. Unless decisive steps are taken,
privacy at work, and privacy in general, may be seriously eroded. In the current information economy, Congress
must act quickly to prevent the term “private information”245 from becoming anachronistic. Reacting to this concern,
scholars and legislatures have proposed several solutions to the e-mail privacy problem. However, those that focus
on strengthening existing law fail for various reasons. Those that suggest new laws are on the right track, but need to
find new supporting arguments in order to defeat the powerful business lobbies working against them. Perhaps the
best arguments for such a statute borrow from the political philosophy of the European countries and center on
individual autonomy and dignity as opposed to the proprietary interests of employers. Recasting the argument in this
way finds support in the origins of the right to privacy, Warren and Brandeis’ piece one hundred years ago,246 and
may finally accomplish the goal of achieving “the right to be let alone.”247
244
Warren & Brandeis, supra note 2, at 196 (citing the printing press and photography as new technology which threatens individual privacy).
245
Rodriguez, supra note 154, at 1473.
246
Warren & Brandeis, supra note 2, at 205 (arguing that privacy protects personal dignity not property).
247
Id. at 195.
-23-