Employee, Employer and Email

Nowadays companies have their own domain names, which allow them to furnish corporate email addresses for their employees. One of the unquestionable advantages of corporate email for an employer is the technical possibility of looking at the messages of its employees. But can one be certain that this kind of technical possibility will be legitimate as well? This is the question we will try to deal with in this article.

Arthur Abouzov

Baker & McKenzie
+7 495 787 2700

Email, or electronic mail, refers to a technology and its ancillary services used to send and receive electronic messages (known in Russian as "letters" (pisma) or "electronic letters") along a distributed (often global) computer network. We use email everywhere - at work, at home, on vacation, and on business trips. It helps us deal with such a large number of tasks that we can understand at any moment how irreplaceable email is in our lives. But being involved with contemporary technologies, we sometimes forget about the legal side of things.

Nowadays numerous companies have their own domain names, which allow them to furnish corporate email addresses for their employees. One of the unquestionable advantages of corporate email for an employer is the technical possibility of looking at the messages of its employees. But can one be certain that this kind of technical possibility will be legitimate as well? This is the question we will try to deal with in this article.

To begin, let's appeal to elementary logic. It is presumed that an employee uses the email address provided to him to perform his job duties, and for everything else, he has a personal email account. Given that, the employer, being the domain owner, logically should have the full right to dispose of it at its own discretion - to look through it, block it, create new addresses, and so on.

After all, if we turn to the employer's basic rights, as set forth in Article 22 of the RF Labour Code, we will see that one of an employer's indisputable rights is to have the possibility to demand that employees fulfil their job-related duties. If our employee's job duties presuppose a high degree of email use (and that is true of practically all office workers at a minimum), then the employer can exercise that right in most cases by monitoring the electronic correspondence of its employees.

What's more, under the provisions of civil legislation (Article 1068 of the RF CC), an employer compensates for damage caused by its employee when carrying out employment (official, job-related) duties if the employees were acting (or should have acted) upon the assignment of the employer and under its supervision of safe work conduct.

At first glance, it might appear that this legislative standard indirectly supports the employer's right to demand that employees fulfil their job-related duties. After all, if an employer is not able to check the work of its employees in time, this might, at a minimum, lead to losses in business activity, loss of a client, disclosure of confidential information, infliction of damage, and so on. Also, one cannot rule out purposeful illegal actions on the part of employees: for example, fraud and abuse of one's powers of office. And if an employer fails to uncover such things in timely fashion, that employer could himself become liable.

It is obvious that in many cases, monitoring of correspondence could make life for companies substantially easier, and as a preventive measure, give advance warning of many negative happenings that would go unnoticed if not for " privacy of correspondence."

To start, let us turn to the RF Constitution. Article 23 states that everyone has the right to keep their private life and personal and family secrets inviolable, and to protect their honour and good name. Everyone has the right to privacy of correspondence, telephone conversations, and postal, telegraphic and other communications. Restriction of this right is allowed only on the basis of a court decision.

Article 63 of Federal Law No. 126-FZ of 7 July 2003 "On communications" likewise guarantees privacy of correspondence, telephone conversations, postal dispatches, and telegraphic and other messages. However, in this standard the legislator developed this principle yet more broadly, extending it, inter alia, to messages transmitted via electronic networks and postal communications networks.

According to Resolution No. 8 of the Plenum of the Supreme Court of the Russian Federation of 31 October 1995 "On certain matters of application by the courts of the Constitution of the Russian Federation when executing justice," the restriction of a citizen's right to privacy of correspondence, telephone conversations, postal, telegraphic and other communications is permitted only on the basis of a court decision (Article 23.2 of the Constitution of the Russian Federation), in connection with which the courts should bear in mind that according to the Federal Law of the Russian Federation "On investigative activity," investigative measures to restrict these constitutional rights of citizens may be taken only if the bodies performing the investigative activity are in possession of information pointing to signs of illegal action in preparation, being committed, or already having been committed, upon which it is mandatory to hold a preliminary investigation; on persons who are preparing, committing or have committed an illegal action, upon which it is mandatory to hold a preliminary investigation; or on events or actions that create a threat to the state, military, economic or ecological safety of the Russian Federation.

The results of investigative measures connected with restriction of the constitutional right of citizens to privacy of correspondence, telephone conversations, postal, telegraphic and other communications may be used as pieces of evidence in cases only when they have been obtained at the permission of a court to undertake such measures, and carried out by the investigative bodies in compliance with criminal procedural legislation.

Article 9 of Federal Law No. 149-FZ of 27 July 2006 "On information, information technologies and protection of information" forbids requiring a citizen (individual) to provide information on his private life, including information that constitutes a personal or family secret, and to obtain such information in spite of the wish of the citizen (individual), if otherwise is not stipulated by federal laws.

According to Article 3.1 of Federal Law No. 152-FZ of 27 July 2006 “On personal data,” such information is classified as the personal data of an individual. It follows from Article 2.7 of Federal Law No. 149-FZ of 27 July 2006 “On information” and Article 6 of “On personal data” that this kind of confidential information, which constitutes personal data, cannot be provided to third parties without the consent of its owner.

The question arises as to how, following that approach, one can speak of an employer’s monitoring of correspondence as a preventive measure; after all, in any inbox of any employee one can find at least one message of a non-business (personal) character. What’s more, these messages might turn out to be personal information not just of our employee, but of all other persons involved with it. And such persons might turn out to be anyone, not just our employee.

In our quest for the truth, let us turn to one more legal standard.

According to Article 25.1 of Federal Law No. 135-FZ of 26 July 2006 “On protection of competition,” commercial and non-commercial organizations (their officers), federal executive authorities (their officers), state authorities of the subjects of the Russian Federation (their officers), local self-government bodies (their officers), other bodies or organizations performing the functions of those bodies (their officers), as well as state non-budgetary funds (their officers) and individuals, including self-employed entrepreneurs, must provide to the antimonopoly authority (its officers), at its reasoned request and within a set deadline, the documents, clarifications, and information, in written and oral form respectively (including information constituting a commercial, official or other secret protected by law) that are required by the antimonopoly authority, including acts, contracts, statements, BUSINESS CORRESPONDENCE, and other documents and materials executed in the form of a digital record or in the form of a record in electronic media.

Does any law really allow the possibility of monitoring employees’ inboxes? That legal standard contains a reference to business correspondence exclusively, and in a formal sense that should not violate the constitutional right to secrecy of personal correspondence. What’s more, technical possibilities allow one to filter correspondence according to subject or by keyword, which undoubtedly reduces the likelihood of opening personal messages from an employee’s inbox. Unfortunately, though, it does not guarantee this. Consequently, in this case too, we risk violating the secrecy of personal correspondence. It turns out that the risk is always there.

But how then can one respond to the antimonopoly authority’s request? Noteworthy is a decision by the Federal Arbitration Court of Moscow (Resolution No. KA-А40/6260-09, dated 15 July 2009).

The court found that the Federal Antimonopoly Service, in accordance with Article 25.1 of Federal Law No. 135-FZ of 26 July 2006 “On protection of competition,” sent a request to a company, under which it was required to submit information on the exercise of the powers it had been entrusted with to the antimonopoly authority by a certain deadline. Among other things, this meant submitting a range of documents, as well as copies of incoming and outgoing messages arriving to the official email addresses of certain specific employees. With the aim of fulfilling that demand, it was proposed that company employees submit the indicated information. However, the employees refused to submit copies of letters and messages arriving at their official email addresses, which they confirmed by declarations sent to the company’s general director. The company informed the antimonopoly authority that it would be impossible to furnish the requested correspondence.

Further, the company sent an inquiry to the antimonopoly authority, requesting clarification of the request to provide copies of incoming and outgoing messages of the company’s employees and an indication of the specific addressees, or the subject of the messages, since the company’s internal rules prohibit use by employees of an official email address for personal correspondence, and providing all messages violates privacy of correspondence of both senders and recipients of those messages.

The court held that the company had taken all measures within its power to fulfil the antimonopoly authority’s demand. Along with that, the restrictions established by the RF Constitution did not allow fulfilment of that demand.

The antimonopoly authority’s argument that the company was obliged to submit the requested information because the email addresses of the employees were located in a domain belonging to the company was not considered by the court, as the owner of that domain, in the court’s view, must guarantee privacy of messages and confidentiality of information on users.

Therefore, analyzing the court’s decision, we come to the conclusion that the employer may look over an employee’s correspondence solely with its prior consent, or in a case when the employer is certain that it does not violate the employer’s constitutional rights. However, we understand that the likelihood of such cases is basically equal to zero.

Considering the court decision gives us one more hint. The court cited the circumstance that the company’s internal rules did not prohibit employees from using the official email address for personal correspondence. It turns out that if we made the employees familiar in timely fashion with the rules of using the corporate email, where an explicit prohibition on using it for personal purposes is set down in black and white, and the whole document is speckled with phrases like “employees must not expect that confidentiality of correspondence will be observed; the correspondence may be opened, read through, copied, destroyed or broadcast without the employer’s knowledge,” then the employee’s consent may not be necessary to us.

It is obvious that in such a situation, the balance of interests of neither the employee nor the employer will be violated. If an employee has been warned that if he uses someone else’s domain name and corporate email for other than its intended purpose (i.e. not for work purposes), nobody will be able to guarantee him privacy of such correspondence, and the entire official correspondence is the employer’s property, because it verifies the employee’s performance of his job duties, for which the employer, incidentally, pays the salary, so one cannot speak of any violation of constitutional rights.

Of course, it cannot be ruled out that such wordings might also be declared to be not in compliance with the RF Constitution. In that case, in the absence of the employee’s consent, his correspondence using the corporate email and company domain will remain an undisclosed secret even after the employee’s dismissal. Such an understanding of the law is far from observing the principle of balance of interests, and provides good soil for abuse of rights by employees, while at the same time putting the company in a position where it cannot avoid violating the law under the principle “the main thing is that the employee not know…” But given such an approach, the result of monitoring will not even allow the employer to undertake a disciplinary investigation, because the company will have to declare that it read the employee’s corporate email without his consent.

It remains to be hoped that in the near future, the courts will not extend by analogy the principle of freedom of movement to corporate transportation. Returning to current realities, and summing up everything said above, one wants to note that in any event, the existence of a developed local normative act regulating the rules for using the corporate email with which the employees will be made familiar will not be superfluous in any company.

Baker & McKenzie