> "Compare that to our email, where I can go into anyone's messages immediately if need-be. This is all very standard corporate IT stuff that you need for HR and legal reasons."
I was under the impression it WAS legal in Europe as well after being litigated to the Court of Human Rights[1]. The requirement is simply that they inform you ahead of time that they can (and will) monitor your email.
In the US there is usually a form you sign at your hiring that says you understand the company may monitor your email. It is couched in terms like "to ensure compliance with laws and company policy" but the actionable part is that they assert the right to monitor it and you agree to that (or you don't work for them).
Note that the ECHR has jurisdiction over the European Convention on Human Rights, which is attached to the Council of Europe, which is a pan-European organization that provides the "lower end" of protection in Europe. Even Russia is a member of the COE.
The EU, on top of requiring COE/ECHR membership provides additional protections under the EU Charter of Fundamental Rights. The highest court for EU law is the European Court of Justice, not the ECHR.
Then on top of that, a number of EU/EEA countries have much stricter rules, some are outlined in the article.
So it's technically right in that it is legal in signatories to the ECHR provided they are not covered by other, stricter rules via one of the other routes, and many are.
We're US based, and it's very explicit that we can and will do this if necessary. We state clearly to all employees that the computers and accounts we give them are not theirs and are subject to monitoring. Thankfully, it's almost never necessary.
Certainly illegal in Norway. Hell, I've heard stories of corporate networks up here that MITM all their computers for security monitoring, and where the admins routinely see evidence of searches for sketchy pornography, but can't legally do anything because this kind of surveillance of your employees is illegal.
This isn't exactly true. Employees do have a higher right of privacy even when using company resources than they do in the US, but monitoring is allowed within certain parameters, and that can include searching email or other "private" storage spaces.
Companies must still be able to comply with eDiscovery and data preservation requests from various police agencies (such as Økokrim), and these may be performed without informing individuals that it is happening.
>Compare that to our email, where I can go into anyone's messages immediately if need-be
The only opening for reading employees' communications that I can find by some quick googling, are (1) if there is good reason to believe that information contained there is required to keep the concern going or (2) if there is suspicion of serious dereliction of duties. And even then, there is a significant checklist required in order to do it legally. (Obviously, legal police requests can be fulfilled without necessarily alerting the owner).
My point being, this is a far cry from legally being able to go into anyone's communications immediately if need-be.
Are you aware of further openings than this, apart from the obvious in the case of a court-ordered request? I am basing this on the statement from Datatilsynet at https://www.datatilsynet.no/rettigheter-og-plikter/personver.... General monitoring would seem like a big no-no.
Datatilsynet's statement actually does give quite a bit of leeway, but I do agree that you can't just monitor without reasonable suspicion that the employee is acting improperly.
In the UK they're allowed to monitor work email[0]. I'm not sure how that compares to the rest of Europe.
In financial services they monitor all kind of chat rooms, especially after the LIBOR scandal. Every chat I open gives me a disclaimer saying that chats will be monitored.
Really? I like to consider myself much more privacy-minded than most, but I would expect an email assigned to an employee to be used for official business purposes should definitely have a paper trail that higher-ups can audit if necessary.
I don't think so. The employer has all the rights to look at company emails, there is no right to privacy when using the company's email addresses. There are quite recent verdicts in Germany IIRC, considering if it was unlawful termination if your employer uses information gathered from your emails as reason for the firing. Looking at the emails in the first place was totally lawful, IIRC.
Please state the relevant law that it'd be breaking, I'm genuinely curious. Compliance tools are built into most cloud and enterprise offerings that allow this. Do you not have experience of enterprise/cloud email offerings?
At least in Switzerland and Germany, I thought they can record, and, in case of legal case, also read your emails provided that it is expected to give strong supporting material for the case.
Well...most work contracts I've signed said something like "working here is not mandatory and we may need access to the mailbox (which we're providing to you for your work duties), such access cases are logged and externally audited. Sign here to agree, take that door to disagree." As long as this is agreed beforehand, I'm not aware of a European state banning it - this is somewhat different from "let's go digging around the computers out of curiosity". (I am in GMT+1, for the reference)
I've seen a situation where this was invoked - employee was fired for an unrelated issue, only kept some documentation in their inbox for whatever reason. Without such a provision, our options would have been a) legally questionable, b) up shit creek sans paddle.
In most of Europe what the employment contract says must be compared to local law - it varies greatly how many rights you are able to contract away in an employment contract.
E.g. while employment contracts in the UK are often fairly long, employment contracts in Norway can be as short as a couple of paragraphs, as almost all the terms are regulated and are costly and/or difficult to deviate from for most roles and most additional terms you might add will be null and void.
Europe consists of plenty of countries, all of them different. It seems like statements on HN about how it is "in Europe" is usually Americans writing fan fiction about some never-never land.
> Europe consists of plenty of countries, all of them different. It seems like statements on HN about how it is "in Europe" is usually Americans writing fan fiction about some never-never land.
Yes, this is a common trope on HN (and the Internet in general). People have selective memories, and it's easy for people - unintentionally - to remember the most favorable laws from individual countries, stitch the together in their minds, and then form perceptions on the composite image. It's generally not conscious, but it happens pretty frequently.
And in some cases - such as this one - people are just flat-out misinformed about the situation in Europe. (As pointed out in other comments, this is legal in the EU, subject to comparable restrictions as it is subject to in the US). It's not surprising that a feature Slack is marketing specifically to business users is, in fact, legal for businesses to use in one of their largest markets.
To wit: “Today’s ruling is fairly clear in how it outlines the parameters of monitoring employees,” said Stephen Ravenscroft, a London-based partner specializing in employment law at White & Case, a law firm. “It won’t be sufficient for employers to have a general policy permitting monitoring — the policy will need to be much more detailed, outlining why, how and where employees may be monitored and explaining how any information gathered through monitoring may be used.”
> In an 11 to 6 ruling, [the ECHR] found that Mr. Barbulescu’s privacy rights had been violated [after he had been fired for sending personal messages using his corporate account].
and
> Furthermore, the chamber found, Romanian courts did not sufficiently examine the company’s need to read the entirety of Mr. Barbulescu’s messages, or the seriousness of the consequences of the monitoring, which resulted in dismissal.
and
> The chamber ruled that countries should ensure that companies’ efforts to monitor employees’ communications are “accompanied by adequate and sufficient safeguards against abuse.”
So at least it's a more nuanced view than "I can go into anyone's messages immediately if need-be".
Wow, THAT is highly illegal in Europe.