Blurred Boundaries: Rescuing Workers’ Privacy in the Process of Searching Data and Devices – by Virginia Mantouvalou and Michael Veale

Image by Firmbee from Pixabay

1. Introduction

In the context of the UK Covid inquiry, employment law barrister, Jason Braier, commented on social media:

Employees are often told that when they draft emails they should keep in mind that they could be read out in court any day.

The Covid Inquiry hopefully highlights that WhatsApp messages related to work should also be drafted with the same possibility in mind.

For many, this prospect is frightening. We may realise that Facebook or Twitter/X activity may lead to disciplinary action or dismissal, as well as the legal challenges in that front. However, many perceive particular messaging services such as WhatsApp to be for a certain intimate circle, sharing with friends, family and others our personal thoughts, feelings and information. Yet personal and professional lines in practice are not clearly demarcated as peoples’ sentiments about them. We can be friends with colleagues, exchange messages about work but also about much more personal or even intimate issues. How could the employer ever access them? Is it possible technically, and would there ever be a legal basis for this?

Two stories illustrate how this can happen in practice. Αn employee of Apple, Jacob Preston, was told by his manager when he started working at Apple that he needed to link his personal Apple ID and work account. Even though he found it a strange request, knowing that his Apple ID was connected to personal data such messages, photos, and backups of personal devices, he linked them. When he resigned a few years later, he was asked to return his work laptop without wiping the computer’s hard drive. He refused, explaining that the computer contained highly personal information (synced because of the linked accounts), but still he was not permitted to wipe it. His employer would be able to access his private materials.

The case FKJ v RVT and Others involves WhatsApp messages. The claimant was a solicitor working for a law firm and RVT was her supervisor. She was dismissed for falsifying a timesheet and brought a claim to the employment tribunal primarily arguing that she had been subjected to sex discrimination by her supervisor, including inappropriate comments and sexual touching. She lost in the employment tribunal but much of the evidence used was based on her WhatsApp messages, which showed that the conduct was consensual. There were 18,000 messages (about 900 pages), including private and intimate messages to her partner, friends and others, including information on her health and sex life. Her claim in the High Court was that her WhatsApp messages had been hacked by RVT who scanned the WhatsApp QR code used to connect WhatsApp to another device (her work computer in this case). RVT said that some of the messages were found in her work computer when he reviewed it, and other messages were sent to him by an anonymous source. There is no need to go into further detail on the specific case. What it illustrates is that someone’s communications through means that may seem private and may involve some of the most intimate aspects of the person’s private life, can become relevant in workplace disputes, and the employer may be able to access them.

2. What has changed?

A few decades ago, there was a clear and bright division between work and personal materials, which would have been extremely difficult to cross accidentally. People would store personal or family photos in albums at home, and letters they exchanged with their loved ones and others would be in boxes in their bedrooms, while work-related documents would usually be in filing cabinets in the office. Should a situation arise where the employer would require access to documents that the worker had, this might mean accessing the office filing cabinet, but it would not have given access to people’s cupboards, boxes and studies at home. While never perfect, the work/life distinction and the work/life balance was sharper and straightforward to maintain and preserve.

Technological change has reconfigured the home and the workplace. This reconfiguration has led to several serious threats to workers’ privacy. In this blog post, our aim is to highlight the challenges created by practices that greatly blur the line between workers’ private life and life at work, such as the practice of ‘bring your own device’ (BYOD) or the practice of linking work and private devices to cloud storage. The first one of these, BYOD, has workers allowed to use their personal devices for work-related activities, which can be convenient, familiar, and supportive of flexible working, potentially for several employers. Similarly, workers may use online storage tools, such as OneDrive (Microsoft), iCloud (Apple), Google Drive or Dropbox, using either personal or employers’ professional plans, to store personal information from their devices, and connect such storage to work devices. Photos, private messages and other personal items that may even involve intimate aspects of people’s personal life intermingle in a space that is neither purely personal nor purely professional. People may save time by using these tools and engaging in these practices, and may find it simple, efficient and convenient, but they are also presented with a new problem: a real blurring of the boundaries of personal and professional life. Avoiding such blurring requires extreme discipline. This poses a very new challenge for workers’ private life.

3. Basis to request access

What makes the blurring of the lines more difficult to navigate is that the employers sometimes have a legitimate reason to request access to devices or storage. This may not only be for reasons of economic efficiency, which is the most common justification employers use as a basis to restrict workers’ rights. Such a request to access private devices may be based on the rights of third parties. Many legal regimes provide for access to a variety of types of information which may be held on workers’ devices.

Data Protection

Data protection laws around the world offer individual data subjects the right of access to personal data — information which relates to them and which renders them identified or identifiable. In both the EU and the UK, the scope of personal data is wide. It extends into parts of the texts of emails concerning a person, including opinions about that person, whether accurate or inaccurate. Personal data includes large amounts of free text, which has increasingly entered the scope of the law as communication has digitised. Requests can be broad. Depending on the nature of the request, the employer may then have a duty to go through documents, emails, or even messages sent between two colleagues on a messenger such as WhatsApp.

Employers only have a duty to provide data if they are the data controller. However, this concept is understood broadly, and the Information Commissioner’s Office in the UK notes that ‘if you [a company] do permit staff to hold personal data on their own devices, they may be processing that data on your behalf’ — which will lead to a determination of controllership. In practice, as the scope of personal data is so wide, it is becoming practically impossible to forbid staff from holding personal data on their own devices, as such data could even consist of a message between two colleagues about a third in a work context. If an individual requests this type of information, an employer’s duty will quickly extend to messages in these spaces. Non-staff members, such as non-executive directors or trustees, are also likely to be in scope, and these individuals rarely have work devices due to their less active engagement.

Courts examining such subject access requests have found that the employer’s duty to supply this information is subject to a test of proportionality: the employer does not have to ‘leave no stone unturned’. Yet this search effort can still be costly, with one case regarding emails in a dispute at the University of Oxford incurring search costs of over £116,000. The process of the search for relevant materials can also be intrusive of personal folders and documents. While there are grounds to refuse to provide data in an access request, such as in cases where providing the data might interfere with rights of others, such as privacy or intellectual property, these only apply after the search has been carried out. For our purposes, the concern is the process of the search itself by the employer, rather than the outcome of the request. While the data subject may be successfully prevented by the data protection regime from receiving private information of another, the employer may still have had to examine potentially sensitive information in order to make that determination, itself an interference with privacy.

Freedom of information

Freedom of information (FOI) laws also exist around the world, in different forms. Public sector workers and other individuals holding information on behalf of an authority with FOI duties, can find their correspondence subject to these rules. While some public sector organisations operate tight operational security, the long tail, such as tiny parish councils, have next-to-no IT capacity or chance of work devices. University workers in jurisdictions including the UK, New Zealand, and some US states, can also find their correspondence at risk of being requested, which has long drawn criticism in relation to the impact upon academic freedom. This tension has become further apparent as FOI requests have hit up against government business carried out through ‘non-corporate communication channels’ such as WhatsApp or Signal, particularly with ‘disappearing messages’ enabled. Attempts to evade freedom of information law using private email accounts have been happening for many years, leading to increased clarity from regulators that there are conditions under which such private channels can fall within the scope of the law.

One response has been to create ex ante clarity about where work discussions can take place, but this has proven challenging. Recent post-pandemic UK government guidance counsels that such systems should rarely be used on BYOD devices except for trivial or logistical matters, and only be used on government-managed devices for certain classifications of business. The Information Commissioner’s Office found that the Department of Health and Social Care was ‘not clear about circumstances under which [staff] could use private communication channels’. In that case, the Department did not regulate BYOD devices, nor did they restrict staff from using personal accounts on corporate devices. In practice, not only have individuals continued to use private accounts, they have done so in situations where their employers should have been reasonably aware they were doing so, thus clearly bringing such information in scope of searches under FOI law.

Data protection and freedom of information requests are not the only regimes that can provide a legitimate basis for the employer to seek access to messages and devices that may also include private information and data — others we have seen include the Inquiries Act, civil disclosure procedures, and even a Humble Address to the Crown — but they serve to illustrate the problem. What is the solution?

4. The Human Right to Private Life

The European Court of Human Rights has examined the right to privacy in the workplace in a line of cases, and set out principles on which we can build. Article 8 of the ECHR protects the right to private and family life. It states:

1. Everyone has the right to respect for his private and family life, his home and his correspondence.

2. There shall be no interference by a public authority with the exercise of this right except such as is in accordance with the law and is necessary in a democratic society in the interests of national security, public safety or the economic well-being of the country, for the prevention of disorder or crime, for the protection of health or morals, or for the protection of the rights and freedoms of others.

In what is perhaps its most important judgment in the field, Barbulescu v Romania, the Court examined the applicant’s dismissal because of how he used his work Yahoo Messenger account. The Court developed a list of criteria to be taken into account when assessing whether restrictions of the right to private life at work are compatible with the Convention. These include the question whether there was advance notification by the employer that the worker is monitored and the extent of the monitoring, and whether there was a legitimate basis to access the content of communications. The problem that we present in this piece is that there will sometimes be such a legitimate basis, at least prima facie. What happens then? There have been a few Strasbourg cases that both illustrate and shed light to this question.

In Garamukanwa v UK, the applicant’s WhatsApp messages, email communications and photos found in his mobile device had been used in disciplinary proceedings that led to his dismissal, and he complained that this constituted a violation of his right to private life. Some of these materials were passed to the employer, an NHS Trust, by the police that held it in the context of a harassment complaint by a colleague of his. Others were voluntarily shared by him. The ECtHR declared the application inadmissible explaining that the applicant had no reasonable expectation of privacy for all these materials and communications: during the disciplinary proceedings he did not complain about their use, while he also provided further intimate materials to the disciplinary panel. Yet this case exemplifies how work and private materials, some of which can be of the most intimate nature, can become relevant in employment disputes, revealed to the employer and to disciplinary proceedings. WhatsApp messages were also at stake in a Scottish case, where police officers were faced with disciplinary action because of the content of their WhatsApp messages. In that case, they lost the claim that these messages were private, given their racist and sexist content and the nature of the job of a police officer.

A related question was examined in Libert v France, a case that involved a work device that contained personal material. The applicant who was in charge of general surveillance at the national railway company found out that, during a period that he had been suspended from work, his work computer had been seized and searched, and a large number of pornographic images and films were found in the hard disk. The search occurred despite that he had stored these materials in a file named ‘fun’ in a folder in the D:\ drive, which he had labelled ‘personal data’. As a result of this finding, he was dismissed. He claimed that the fact that the hard drive was searched without him being present violated his right to private life. The first question for the Strasbourg Court was whether the search was in accordance with law. The French Court de Cassation had ruled in a separate case that for a search of files that are labelled as ‘personal’ to take place, the employee had to be present unless there is a serious risk or other exceptional circumstances. As positive law permitted the employer to search the employees’ device witin certain limits, the ECtHR accepted then that there was a legal basis for the search. On the question whether the employer had a legitimate aim, the Court accepted that this was the case given that they had a right to ensure that work equipment is used in line with their contracts and other regulations of the employer. When it came to the test of proportionality for the restriction of Libert’s right, the Court referred to its margin of appreciation, considered the rulings of the national courts which had taken into account the right considerations (such as the fact that the nature of his job would have required him to be a role model in that respect and the fact that the pornographic materials took a lot of space on the D:\ drive), and found that there had been no violation of the right to private life. The importance of how the employer uses the data collected was examined in a more recent case involving GPS equipment installed in a company vehicle, which collected data on issues such as distances travelled and places visited.

As Libert involved pornographic materials, the case was more difficult than had it involved other private materials, such as personal, private, family and intimate photos of his. The nature of the materials affected the Court’s decision to recognise a margin of appreciation to the French authorities (see also Pay v UK). It is generally highly questionable whether employees should be role models in their private lives, as this can be oppressive and can lead to domination of employers over workers’ lives. What is more interesting to note is that even though Libert was about a work computer, and not a personal device, it can help identify safeguards that should apply in relation to practices that blur the personal/professional boundaries. 

5. Privacy as a right to ex ante and ex post control

The right to private life in this context must be understood as giving power to the worker to control the process of a search both ex ante in order to limit the frequency of the problem and ex post, namely during a search of someone’s private device or storage where there is no clear separation of work and private materials. The ex ante power can limit the frequency of the problem. Safeguards that need to exist ex post, namely during a search of someone’s private device or storage, can also protect workers’ privacy.

In terms of ex ante conditions, in line with French law as described in Libert, it is important for workers to aim to separate private from work documents. If there is such clear separation, the employer should not access files marked as private. The employer should both inform the workers about the importance of such separation and support their digital literacy. Yet such separation may often not happen in practice, for example because people do not think to do it, tools do not make it easy, or because they lack the capacity. While individuals increasingly practice complex personal forms of digital separation of different aspects of their lives, particularly to avoid ‘context collapse’, where these areas fall into each other, they are not always successful in doing so.

Ex post, then and during the process of a search of private devices, a central condition that needs to be met is that workers should not only be generally informed, or even concretely informed about a search that will take place, but that they either undertake the search themselves, or should be present so that they give access only to materials that are strictly relevant to the search. The fact that (unlike in the Libert case) we may be looking at people’s private devices, messages or storage, which may contain a large amount of highly personal and sensitive documents and materials, make it essential for workers to be in control of the situation, and provide access only to materials that are strictly relevant to any legitimate aim of the employer. In a case such as Libert, had the device that was searched been private, the search and resulting dismissal would have been a clear violation of his right to private life.

A further challenge here is that technologies are often not designed to be easily searchable, even with supervision. Current tools for ‘e-discovery’ and similar compliance technologies do not envisage co-operative, privacy sensitive discovery with workers, but typify centralised managerialism and co-ordinated control. We could imagine design obligations helping us out here — perhaps a ‘searchability by design’ to accompany ‘data protection by design’, ‘privacy by design’ or ‘security by design’ — an obligation on employers to have regard to tools that enable compliance in privacy sensitive ways. However, this too becomes difficult because by definition we are talking about private storage and communication channels over which the employer does not have design responsibility. Obligations of this kind would have to be structured in such a way that would propagate broadly and support individuals even when using technology that was not chosen by their employer. This broadly falls in line with literature on human–computer interaction which calls for designers to better facilitate the separation and management of different contexts — whether it be work or personal, different friendship groups, or friends and family.

6. Conclusion

Workers should be aware that the boundaries between personal and professional life are increasingly blurred. It is not the first time that workers face intrusions with their private life because of technology of course. We also see this in dismissals for social media activity, examined in the first piece published in this blog, and in working from home practices (discussed here, here and here on this blog). Yet the problem is becoming all the more persistent, and there is a pressing need to develop both technological tools and legal principles and processes that can protect workers from extensive intrusions in their private life and employer domination.

About the authors

(Suggested citation: V Mantouvalou and M Veale, ‘Blurred Boundaries: Rescuing Workers’ Privacy in the Process of Searching Data and Devices’ UK Labour Law Blog, 27 November 2023 available at https://uklabourlawblog.com/)