Recently in Privacy Category
The Wall Street Journal recently reported on an interesting group of cases that may signal a shift in how workplace privacy is viewed. Employee communication (e.g., e-mail, texting) is the context, and the discussion in the article provides some indication that employees may be gaining more privacy rights.
One case discussed in the article involved an employee of a New Jersey home health care company who sent out e-mail messages to her attorney on her own web-based account. Because the employee accessed the account using a company computer, the company claimed the right to read the messages. Although a lower court agreed, a New Jersey appellate court overturned the verdict, finding that an employee has an expectation of privacy in his or her own private email account. The decision was supported in part by a lack of clarity in the employer's e-mail policies. But it also rested on the social negatives of adopting a rule that unilaterally granted broad search powers to employers for any act carried out on a workplace computer.
Many of my former students will note that this ruling seems directly contrary to the famous Smyth v. Pillsbury case, in which a Pennsylvania employee was fired for writing inappropriate remarks on a company e-mail account. In this case, the court shockingly found that, despite the employer's promise that employee e-mail was private, the employer retained the right to break that promise and access the e-mail at any time. Because it was a work account, any expectation of privacy was misplaced. This case had a great impact nationwide and remains one of the most prominent examples used to advise employees that anything done at work should be presumed to be visible to one's employer.
You could reconcile Pillsbury with this new trend -- if it is one -- by noting that the recent cases involve the use of web-based or third-party accounts. Two other cases cited in the WSJ article (one related to e-mail, one related to text messages) involve outside accounts. Perhaps there is a more reasonable basis for applying privacy principles when one purposely avoids workplace e-mail accounts to send private messages. Still, even this distinction would represent a shift from the common belief that employers have an almost unlimited amount of power to peer into the actions of their employees at work and act on their findings (absent discriminatory intent).
How does this impact the employer-employee relationship going forward? Maybe not that much. Regardless of any shift in privacy law, I believe that courts will continue to place a great deal of weight on the content of workplace policies. When an employer defines what aspects of the job will be monitored, it is very hard to argue later that a reasonable expectation of privacy nonetheless existed. In view of these recent cases, employers are smart to assume that their powers to monitor employees are not limitless, and they should work harder to draft and communicate clear, reasonable policies.
Facebook has agreed to revise several of its privacy policies in response to an investigation by the Canadian government's Privacy Commissioner. Several news sources (e.g., NYT, Ottawa Citizen) report that the Commissioner and Facebook reached an agreement in which Facebook will provide more disclosure about what it does with personal information and how users may control that use. Interestingly, the Canadian government's inquiry was initiated by the University of Ottawa's Canadian Internet Policy and Public Interest Clinic's (CIPPIC) complaint about Facebook's privacy practices.
There continues to be a robust debate about how much government intervention is necessary to ensure the security of private information on the web (see, e.g., the recent FTC Report on the self-regulation of online behavioral advertising). Some favor less regulation and suggest that consumer choice should be the most important question -- a market-based approach, essentially. Notably, my spouse, who has expertise in college students' use of web resources, including social networking sites, has explained that more computer-savvy users are actually pretty good at protecting their private information. But she is quick to add that this is true when users are aware of how information is being used.
That last point is probably what makes a more market-based approach difficult in a case like this. Consumers cannot make rational choices if they don't have all of the information. While some may argue that users who ignore privacy policies and never read click-wrap contracts deserve any negative consequences they incur, when the information is not reasonably available, government intervention may be the only way to level the playing field.
As an aside, I would argue that there appears to be a growing tension between divergent privacy needs at different phases of one's life. For example, my students tell me that they often make informed choices about disclosing a great amount of information to their online peer groups. This seems appropriate in college, when creating relationships and discovering one's identity is a big part of the experience. But these students are occasionally caught by surprise when the business community expects them to historically conform to different privacy and personal behavior norms (which seem to be progressively more conservative). In particular, one of my upper-level business law students told me that he was required to produce his Facebook profile in the course of interviewing for a job. It hadn't occurred to him that this information would be shared in a business environment. It seems that a more open social networking environment is clashing with a more conservative business climate. In view of this, better disclosure of how web sites use private information is even more important.
Of course, rules that limit Facebook won't provide protection to those who migrate to other sites.
The NYT carried an article yesterday commenting on how difficult it is to remove one's identity from Facebook. In short, it's extremely difficult -- perhaps impossible -- to remove all vestiges of one's participation. Apparently, people are surprised by this. The truth is, the permanency of one's on-line presence has been a fact of life for quite some time. For example, a fascinating site known as the "Wayback Machine" on the "Internet Archive" has silently logged the web for years (try searching for a page you posted years ago, but thought was removed or permanently changed -- it's startling in its comprehensiveness).
Permanency may be the new reality, but I would imagine that most of us are not prepared to face it. There's a duplicity in our Internet interactions. We engage in ever more prolific posting, with the notion that some unwritten code of ethics will prevent it from surfacing in an unexpected context in the future. But most would have no qualms about running a Google search on an acquaintance or prospective employee, perusing all that appears, personal or not. It has been argued that this is a temporary problem because younger people are entirely accustomed to having embarrassing information on the Internet. Perhaps it will become so commonplace as to be ignored. I'm not so sure. When America's youth graduates to positions of power, I believe concerns about corporate image and personal judgment pose the same issues no matter what one's age or experience. Maybe there will be some increased flexibility on what is acceptable, but it is obviously better to be cautious.
About the Author
Dan Cahoy is Associate Professor of Business Law at Penn State's Smeal College of Business and Affiliate Professor of Law at the Dickinson School of Law. He is also a registered patent attorney. For more information, take a look at Dan's CV, Web bio or Research Page.
