Watching your workers

July 29, 2009

Chinese law includes regulations on internet and email privacy protection. Employers should watch out for the possibility of disputes when they monitor employees' online activities.

Two key sets of regulations set forth fundamental rights and rules relating to privacy protection in internet environments. Although these regulations – along with others regarding information technology – provide clear instruction for email service providers regarding privacy protection, many employers lack guidance regarding the circumstances under which they may legally monitor employees' online activities.

It is important for employers and their counsel to develop strategies for managing employees' work-related internet activities while curtailing legal disputes.


Relevant legal provisions

Article 7 of the 1994 Regulations on Safety and Protection of Computer Information Systems (Regulations) provides: “No organisation or individual may utilise computer information systems to endanger … the lawful rights of citizens.”

Article 7 of the 1997 Administration Rules on Safety and Protection of International Connection by Computer Information Networks (Administration Rules) further elaborates citizens' lawful rights in the following terms:


The communication freedom and communication privacy of the user [of computer information networks] are subject to legal protection. No entity or individual may use the internet in a way that violates the law to harm communication freedom and communication privacy.


A recent amendment to the PRC Criminal Law includes a provision that imposes criminal liability for misappropriation of personal information. The amendment can make a company or an individual (“management personnel with direct responsibility”) liable for such misappropriations conducted by the company. Possible penalties include imprisonment for less than three years, a fine or detention.

China's Constitution guarantees freedom and privacy of correspondence. Given a systemic lack of judicial interpretation beyond the provisions of the Regulations and the Constitution, an employer's ability to monitor employee online activity is thus dubious.


Legitimacy of internet monitoring

The pro-employer camp of China's legal community contends that monitoring employee online communications is an appropriate means to exercise corporate management. They argue that, during work hours, a business' computers and employees' online communications are owned by the business. Those who advocate freedom of correspondence contend that any monitoring of employee online activity constitutes a fundamental legal infringement upon their privacy. Both camps generally converge, however, in agreement that disputes might be avoided or reduced if an employer notifies employees of its legitimate intent to monitor and its relevant policy.

The agreed model is for employers to develop relevant rules and policies for internet monitoring that reasonably convey the scope of use for online activity (company IT equipment, personal email, instant messaging (IM), etc.) and explain the purpose and method of monitoring. There remains disagreement as to how broad work-related monitoring can be; for example, whether an employer can monitor employees' email or instant messaging activities outside of the corporate email system.


Striking a balance

Some specialists on Chinese privacy law suggest the following approach:

An employer may formulate an IT policy for inclusion in its employee manual, specifying that personal online activity not related to work is prohibited during work hours (and/or on company IT equipment). Such a policy should specifically prescribe activities for which use of the company email system is deemed appropriate (if applicable). The employer may require its staff to read the employee manual carefully and acknowledge, in writing, having done so before being formally hired. Simply having such policies posted on the company intranet may not be sufficient.

Some experts also suggest that an employer may apply one of several strategies, or a combination thereof, to manage its employees' internet, email and IM activity at work:


• Employers can utilise software that prevents employees' access to personal email, IM or other programs. Use of such blocking software would negate the employer's need to monitor employees' personal email and IM communications, and could be implemented regardless of whether a relevant IT policy, as described above, has been effected;

• Where the employer's relevant IT policy has been acknowledged in writing by the concerned employees, the employer may request employees or supervisors to notify management if they are aware of an employee using personal email, IM, or other programs not related to work (or company IT equipment for personal use). The business could then demand that the violating employee cease such personal activity, rather than directly monitor the employee's online communications; and/or

• Where the employer's relevant IT policy has been acknowledged in writing by the concerned employees, if an employee uses personal email or IM and saves records of such personal online activity on a company-owned computer, the employee can then be deemed to have granted consent for access to the saved content (which could otherwise be deemed private information). The employer may then access and read such saved activity, as company IT equipment is the property of the employer. However, under such a circumstance, it is important that the employer not disseminate personal communications.

• Likewise, where the employer's relevant IT policy has been acknowledged in writing by the concerned employees, if an employee uses the company email system for personal use, he/she can then be deemed to have relinquished his/her right to privacy of such personal email content. Where the employer owns the company email system, and if communications on the system are routed through a server owned by the employer, the employer may access and read such communications, but still should not disseminate the personal communications.


Working with uncertainties

Employers in China face uncertainties when it comes to monitoring employee online activities. To conform with current provisions under the Regulations, the Administration Rules, and the Criminal Law and Constitution, employers should be careful when handling employee online privacy issues.

China's lawmakers have been drafting a privacy protection law (the Personal Information Protection Act) since 2005. During a recent meeting of the National People's Congress, deputies called for the law's finalisation. This Act, when promulgated, will likely provide more certainty for employers.


By Jojo Bai, Kevin Moore and Vincent Wang, Davis Wright Tremaine
