Lance Bellers - Fotolia

Monitoring employee communications: What do EU privacy laws say?

The European Court of Human Rights recently placed strict regulations on monitoring employee communications. Matt Pascucci compares EU privacy laws to the U.S.'s standards.

The European Court of Human Rights recently ruled that companies in the European Union (EU) have to notify employees ahead of time if they are going to monitor employee work accounts. Are there similar regulations for monitoring employee communications in the U.S., and if so, what are they?

According to the European Court of Human Rights, employers must inform their users if their business-related communications are being monitored while working for the organization. The court informed individuals that there must be a clear distinction of the type of monitoring, the timeframes, which content is monitored and the administrators that have access to the data.

The EU's privacy laws are head and shoulders above those in the United States. Just look at their General Data Protection Regulation (GDPR), which will go into effect soon.

The GDPR regulates the privacy of EU citizens in relation to user data being sent to third parties, breach notification requirements, data security restrictions and the right to be forgotten. GDPR also necessitates that companies perform privacy impact assessments, validate the existence of a data protection officer and review how data is transferred to other countries. Organizations that don't meet these stipulations will be fined. While these are just a few examples of how the EU is enforcing the regulation, it shows that it takes the privacy of its citizens' data extremely seriously.

When it comes time to review how monitoring employee communications should be handled within the workplace, it's not surprising to see that the EU is taking a similar privacy-based approach.

Personally, I have no problem with what they're doing, and I agree that people should be alerted when their communications are being monitored. I also don't have an issue with organizations monitoring employee communications from a business perspective -- in today's world, both of these options need to be in place. Organizations need to monitor communications to validate that attacks and insider threats aren't occurring, but users should be made aware of how and when this is occurring -- it should never come as a surprise.

When you start a company, you normally use some type of communication filtering system, such as for email or the web. In the United States, it's legal to monitor these communications as long as they're a part of the organization and not for the user's personal use. This means that if you're browsing personal websites on a business-related internet network or system, then it will be monitored.

Many organizations are aware that this is happening and whitelist filtering for particular categories, such as banking, so there's never a question if they're monitoring personal information that doesn't pose a risk to the organization. Just keep in mind that anything employer-owned can be monitored.

Furthermore, unlike the EU, the legal right to monitor and how far it can go in the U.S. is state-dependent. There are no federal guidelines on how monitoring employee communications should be handled, and it's completely left up to the local and state levels to decide.

Next Steps

Learn more about the EU's General Data Protection Regulation

Confused on bring-your-own-device policies? Explore user tips

Read more on preparing for the GDPR deadline

Dig Deeper on Security operations and management

Enterprise Desktop
Cloud Computing