The Italian Data Protection Authority (IDPA) is increasingly faced with issues relating to the ways employers may monitor the Internet usage of its employees. In 2016, the Authority handed down two important decisions on this topic.
In the first decision, the IDPA stated that an Italian University (the University of Chieti and Pescara) was acting unlawfully in the way that it used e-mails to trace the identity of Internet users. This University, without having given any prior warning to its employees, implemented a system that retained information regarding personal Internet access, for the purpose of service monitoring, internal security and for the prevention of possible investigative inquiries by the Authorities. In essence, the policy, which controls, filters and monitors information on Internet data, enabled the employer to indiscriminately monitor employees from a distance. The IDPA’s decision was based on the argument that this policy breached the relevant principles of “actual need and proportionality of the treatment”. The IDPA considered that the policy was not in accordance with the law because it did not refer to tools used by the employees in performing their duties and had not been previously communicated to the employees.
In the second decision, the IDPA stated that an employer cannot indiscriminately access e-mails sent and received by its employees. This is because by law, the employer, although permitted to “verify the employees’ fulfillment of their tasks and correct use of their tools,” must nevertheless safeguard their “freedom and dignity.” The IDPA confirmed that an employer that keeps e-mails of employees – and former employees – for a maximum of 6 months before deactivating them and moving them to an archive for a period of 10 years – without providing its employees any information regarding this activity, was not compliant with the relevant principles of “actual need, pertinence and not excess”.
The decisions above are in line with a recent decision of the European Court of Human Rights (ECHR), which stated that an employee’s right to respect for private life and correspondence is not breached where an employer monitors the employee’s personal emails at work, as long as it is in accordance with the relevant principles of reasonableness and proportionality (the Court stated the importance of a balancing of interests between the right of the employer to monitor its employees and the employees’ right to respect for private and family life).