Watching your workers
July 29, 2009 | BY
clpstaff &clp articles &Chinese law includes regulations on internet and email privacy protection. Employers should watch out for the possibility of disputes when they monitor employees' online activities
Two key sets of regulations set forth fundamental rights and rules relating to privacy protection in internet environments. Although these regulations – along with others regarding information technology – provide clear instruction for email service providers regarding privacy protection, many employers lack guidance regarding the circumstances under which they may legally monitor employees' online activities.
It is important for employers and their counsel to develop strategies for managing employees' work-related internet activities while curtailing legal disputes.
Relevant legal provisions
Article 7 of the 1994 Regulations on Safety and Protection of Computer Information Systems (Regulations) provides: “No organisation or individual may utilise computer information systems to endanger … the lawful rights of citizens.”
Article 7 of the 1997 Administration Rules on Safety and Protection of International Connection by Computer Information Networks (Administration Rules) further elaborates citizens' lawful rights in the following terms:
The communication freedom and communication privacy of the user [of computer information networks] are subject to legal protection. No entity or individual may use the internet in a way that violates the law to harm communication freedom and communication privacy.
A recent amendment to the PRC Criminal Law includes a provision that imposes criminal liability for misappropriation of personal information. The amendment can make a company or an individual (“management personnel with direct responsibility”) liable for such misappropriations conducted by the company. Possible penalties include imprisonment for less than three years, fine or detention.
China's Constitution guarantees freedom and privacy of correspondence. Given a systemic lack of judicial interpretation beyond the provisions of the Regulations and the Constitution, an employer's ability to monitor employee online activity is thus dubious.
Legitimacy of internet monitoring
The pro-employer camp of China's legal community contends that monitoring employee online communications is an appropriate means to exercise corporate management. They argue that, during work hours, a business' computers and employees' online communications are owned by the business. Those who advocate freedom of correspondence contend that any monitoring of employee online activity constitutes a fundamental legal infringement upon their privacy. Both camps generally converge, however, in agreement that disputes might be avoided or reduced if an employer notifies employees of its legitimate intent to monitor and its relevant policy.
The accorded model is that employers develop relevant rules and policies for internet monitoring, to reasonably convey the scope of use for online activity (company IT equipment, personal email, instant messaging (IM), etc.) and to explain the purpose and method of monitoring. There remains disagreement as to how broad work-related monitoring can be; for example, whether an employer can monitor employees' email or instant messaging activities outside of the corporate email system.
Striking a balance
Some specialists on Chinese privacy law suggest the following approach:
An employer may formulate an IT policy for inclusion in its employee manual, specifying that personal online activity not related to work is prohibited during work hours (and/or on company IT equipment). Such a policy should specifically prescribe activities for which use of the company email system is deemed appropriate (if applicable). The employer may require its staff to read the employee manual carefully and acknowledge, in writing, having done so before being formally hired. Simply having such policies posted on the company intranet may not be sufficient.
Some experts also suggest that an employer may apply one of several strategies, or a combination thereof, to manage their employees' internet, email and IM activity at work:
• Employers can utilise software that prevents employees' access to personal email, IM or other programs. Use of such blocking software would negate the employer's need to monitor employees' personal email and IM communications, and could be implemented regardless of whether a relevant IT policy, as described above, has been effected;
• Where the employer's relevant IT policy has been acknowledged in writing by the concerned employees, the employer may request employees or supervisors to notify management if they are aware of an employee using personal email, IM, or other programs not related to work (or company IT equipment for personal use). The business could then demand that the violating employee cease such personal activity, rather than directly monitor the employee's online communications; and/or
• Where the employer's relevant IT policy has been acknowledged in writing by the concerned employees, if an employee uses personal email or IM and saves records of such personal online activity on a company-owned computer, the employee can then be deemed to have granted consent for access to the saved content (which could otherwise be deemed private information). The employer may then access and read such saved activity, as company IT equipment is the property of the employer. However, under such a circumstance, it is important that the employer not disseminate personal communications.
• Likewise, where the employer's relevant IT policy has been acknowledged in writing by the concerned employees, if an employee uses the company email system for personal use, he/she can then be deemed to have relinquished his/her right to privacy of such personal email content. Where the employer owns the company email system, and if communications on the system are routed through a server owned by the employer, the employer may access and read such communications, but still should not disseminate the personal communications.
Working with uncertainties
Employers in China face uncertainties when it comes to monitoring employee online activities. To conform with current provisions under the Regulations, the Administration Rules, and the Criminal Law and Constitution, employers should be careful when handling employee online privacy issues.
China's lawmakers have been drafting a privacy protection law (the Personal Information Protection Act) since 2005. During a recent meeting of the National People's Congress, deputies called for the law's finalisation. This Act, when promulgated, will likely provide more certainty for employers.
By Jojo Bai, Kevin Moore and Vincent Wang, Davis Wright Tremaine
This premium content is reserved for
China Law & Practice Subscribers.
A Premium Subscription Provides:
- A database of over 3,000 essential documents including key PRC legislation translated into English
- A choice of newsletters to alert you to changes affecting your business including sector specific updates
- Premium access to the mobile optimized site for timely analysis that guides you through China's ever-changing business environment
Already a subscriber? Log In Now