Summary

The German federal court for labour law matters, the Bundesarbeitsgericht (the ‘BAG’), has held that evidence cannot be used in a dismissal lawsuit if the employer has obtained it from long-term surveillance using keylogger-software. Employers must not keep their employees under constant surveillance and must therefore expect their legal position to be weak if they try to dismiss an employee based on findings from such monitoring. The court ruling preceded the ECtHR Barbulescu ruling of 5 September 2017 (featured in EELC 2017/4) in a similar case.

Facts

The plaintiff was a web developer employed at a German IT firm, which was the defendant in this case.

The defendant did not allow private use of its IT systems. In particular, the private use of the internet was not allowed. In April 2015, the defendant informed its employees by email, that it would log and save all internet traffic. The defendant asked the employees to object if they disagreed with this measure. No employee objected.

The defendant installed so-called ‘keylogger’ software onto the plaintiff’s workplace computer. This recorded every time the employee touched the keyboard and created desktop-screenshots on a regular basis. As a result, the defendant found out that the plaintiff very often used the internet for private reasons: he programmed and played a sci-fi computer game and dealt with email correspondence for his father’s firm. The plaintiff admitted that he used the internet for some private matters, but only to a limited extent, and not enough to justify dismissal. He claimed that he had spent a maximum of three hours on the game over several months, and that he had spent a maximum of 10 minutes a day on emails for his father’s firm – and in each case, only during breaks and other times that he was not required to work. However, the defendant had obtained proof through the keylogger data that the plaintiff had used the internet privately much more than he said.

The defendant dismissed the plaintiff. The plaintiff took legal action against the dismissal and won in all instances, including at the BAG.

Judgment

The BAG held that long-term surveillance via keylogger software violated German data protection law, and that the employer could not use the information derived from this surveillance as evidence in court. Therefore, the defendant could not substantiate the reasons for the termination. As a result, the termination was declared invalid and the plaintiff was reinstated. The BAG founded its judgment on the following reasons.

It is established case law in Germany that evidence cannot be used in court if it violates a party’s privacy rights. This fundamental right follows (implicitly) from the German Constitution and this has, essentially, the same content as Article 8(1) ECHR (on the right to privacy and family life).

The BAG repeated its established case law that German data protection law (Bundesdatenschutzgesetz¹, the ‘BDSG’) sets out the details of the fundamental right to privacy and hence applies to the question of whether evidence can be used in court – even though there are no explicit rules on court evidence in the BDSG.

The BDSG prohibits the collection of personal data unless there is a legal justification. Consequently, the BAG dealt with possible justifications. First, the BAG looked at the first ground of justification: that the affected person gave his or her consent, and held that the defendant did not obtain the plaintiff’s consent. Although the defendant had informed its employees about the surveillance, it had not said that every key they used would be logged and saved and it had in fact downplayed the extent of the surveillance it would use. The BAG noted that the absence of any objection does not count as consent. Last, the BAG hinted that the surveillance measures taken in this case would not have been allowed even with the employee’s consent.

Secondly, the BAG dealt with the legal justifications for data use in employment situations. The BDSG stipulates that collecting personal data about employees is only allowed if, either it is necessary for the employment relationship, or there is a documented suspicion that the employee has committed a crime whilst employed. As there was no suspicion of a crime, the only question was whether the surveillance measures were necessary.

The BDSG does not explicitly contain an explanation of this term, so the court interpreted it in the light of the underlying basic principles: i.e. the general right of privacy versus the interests of the employer. The BAG concluded that, in the case at hand, the plaintiff’s right to privacy outweighed his employer’s interests. Surveillance using keylogger software was not a slight, but severe interference with the plaintiff’s rights, comparable to constant video surveillance. The BAG held that such significant surveillance measures could only be justified as in the interests of the employer if there was hard evidence to suggest the employee was in serious breach of his contractual obligations, which was not the case in this case. Ultimately, the BAG held that the defendant could not use the keylogger evidence in court.

The BAG emphasized that surveillance measures are not prohibited in every case. Whether they are permissible might depend on how draconian they are. For example, there is a difference between just saving the browser history and accessing the content of the employee’s internet use. The BAG was of the view that even if there was no prior documented suspicion, the rights of employees would not be infringed if only the browser history were monitored.

Commentary

There are two important aspects to the BAG’s judgment:

• Strict surveillance measures without evidence to support a suspicion are unlawful and evidence obtained from such measures is inadmissible in court.

• Lesser surveillance measures, such as saving browser history without actual site-content can be justifiable based on the interests of the employer.

Comments from other jurisdictions

Austria (Birgit Vogt-Majarek, Kunz Schima Wallentin Rechtsanwälte): Based on the facts of the case and taking into account Austrian legislation and jurisprudence, the Austrian Supreme Court would probably decide as follows:

The BAG ruled that the collecting of personal data of employees was not allowed in the case at hand as there were no documented reasons to assume the employee violated his contractual obligations in a considerable way (and no suspicion of crime either). The ECtHR ruled that the employee has to know beforehand about data controlling measures to be taken.

In Austria, it is undisputed that the introduction of control measures and technical systems for the control of employees – insofar as these measures (systems) affect human dignity- is subject to the necessary co-determination of the works council by means of an appropriate works agreement (“Betriebsvereinbarung”). If there is no works council, the aforementioned control measures can be established in accordance with § 10 AVRAG provided that the consent of each individual employee has been given. Measures that violate human dignity are inadmissible and cannot be permitted to the employer neither by the competent works council nor by the individual employee.

In the cases underlying the current decisions of the BAG and the ECtHR, according to the information available, neither the introduction of the “Keylogger” program (BAG decision) nor the monitoring and saving of the whole communication (ECtHR decision) by the employer were based on a works agreement nor operated with the consent of the individual employee. Hence, the introduction of the systems would have been inadmissible according to Austrian law as well since both of the aforementioned measures at least affect human dignity. The works council or the affected employee(s) would be entitled to an injunctive relief as well as to claims for damages.

In the BAG decision the court stated that evidence which has been obtained in the aforementioned illegal way is excluded from the court proceeding.

Different from Germany there is no explicit provision in the Austrian Civil Procedure Code (ZPO) that generally prohibits the exploitation of unlawfully obtained evidence.² Hence, an infringement of the “ban on taking evidence” generally remains unpunished insofar as even a “forbidden” taking of evidence does not fulfil the elements of essential procedural deficiency nor for procedural deficiency nor for nullity; therefore there is no specific right of appeal.³

According to parts of the Austrian doctrine⁴ the exclusion of evidence unlawfully obtained is supported if it violates the core area of fundamental rights and freedoms of the person affected (like e.g. the torture convention, which is not relevant in the aforementioned cases). The predominant doctrine argues that a ban on the exploitation of evidence would require the judge to omit essential results of evidence and would therefore lead to an incorrect judgement⁵; exceptions are only supported in cases in which the evidence is the result of intolerable investigative measures.⁶

According to a decision of the Austrian Supreme Court (OGH 19.10.1999 GZ 4 Ob 247/99y) an unlawfully obtained tape recording may be used in exceptional cases (here: in case of obstacles to proof of evidence) and only after appropriate consideration of interests of the parties.⁷

To sum up, based on the facts in the case report, the Austrian Supreme Court would most probably decide that there is no general prohibition of the exploitation of unlawfully obtained evidence. As and insofar as the evidence in the cases underlying the decisions of the BAG and the ECtHR have not been obtained in breach of core areas of fundamental rights, even though the introduction of the controlling systems would be unlawful according to Austrian Law, the evidence unlawfully gathered could still be lawfully used and exploited in court.

Italy (Caterina Rucci, Fieldfisher): Under Italian law this scouting programme would have been equally considered as illegal. Italy, in fact, had a provision against remote control already in 1970, and this was an even criminally sanctioned provision.

More recently, some devices linked to work instruments, have been declared as admissible, and the data collected thought such devices can be used for “any employment purpose”, although an explicit reference is made by the new law also to Italian Data Protection law, and therefore this will further change once GPDR will be fully applicable.

What is quite interesting is that there is an almost equal Italian case, where a similar system, called “Super Scout” was declared unlawful in 2005 by the Court of Appeal of Milan, which confirmed the 1st instance Tribunal decision, and established that the data collected by such device could therefore not be used in in order to justify a termination.

The situation might be different now, after the changes introduced by the Jobs Act, but still an instrument enabling a continuous remote control on the websites visited by employees, would not be allowed.

Subject: Unfair dismissal, right to privacy
Parties: unknown
Court: Bundesarbeitsgericht (Federal Labour Court of Germany)
Date: 27 July 2017
Case number: 2 AZR 681/16
Hard copy publication: NJW 2017, pg. 3258
Internet publication: http://www.bag-urteil.com/27-07-2017-2-azr-681-16/

Notes:

1 Germany was one of the first countries to have a data protection law. It has existed since 1978 and is relatively strict by international standards.
2 cf Graf/ Schöberl, ZAS 2004/30,172.
3 cf G. Kodek, ÖJZ 2001,345; OGH 20.11.1997,2 Ob 272/97g; Rechberger in Fasching/Konecny2 Vor § 266 ZPO para 70 (status 30.04.2004, rdb. at).
4 cf Fasching, Zivilprozessrecht 2 para 936.
5 cf Rechberger in Rechberger, ZPO, para 24 Vor § 266; G. Kodek, Rechtswidrig erlangte Beweismittel im Zivilprozeß, 136 ff.
6 cf Rechberger in Rechberger, ZPO para 24 Vor § 266.
7 See G. Kodek, Die Verwertung rechtswidriger Tonbandaufnahmen und Abhörergebnisse im Zivilverfahren, ÖJZ 2001,334, who supports the subsidiarity of illegally obtained evidence.