On 15 July 2011 the Belgian Commission for the Protection of Privacy (Commissie voor de bescherming van de persoonlijke levenssfeer/Commission de la protection de la vie privée - the "Privacy Commission") launched a public consultation on cyber surveillance. The Privacy Commission wants to clarify the rules governing the monitoring of employees' internet and e-mail use. The public consultation is based on a number of documents made available on the Privacy Commission's website, including a report published on 6 July 2011 (the "Report") and a recommendation to employers (the "Recommendation"). The Privacy Commission maintains that the current legal framework does not prevent employers from recording and accessing professional communications of their employees. However, the legitimate interests of the employer must be balanced against the need to protect the privacy of the employees.
In its Report, the Privacy Commission analyses the legal framework applicable to the monitoring of employees' electronic communications in Belgium. This includes the Law on the protection of privacy in relation to the processing of personal data of 8 December 1992 (Wet tot bescherming van de persoonlijke levenssfeer ten opzichte van de verwerking van persoonsgegevens/Loi relative à la protection de la vie privée à l'égard des traitements de données à caractère personnel - the "Data Protection Law"), the Electronic Communications Law of 13 June 2005 (Wet betreffende de elektronische communicatie/Loi relative aux communications électroniques - the "Law on Electronic Communication") and Collective Bargaining Agreement No. 81 concerning the monitoring of electronic communications of employees of 26 April 2002 (Collectieve arbeidsovereenkomst 81 tot bescherming van de persoonlijke levenssfeer van de werknemers ten opzichte van de controle op de elektronische on-linecommunicatiegegevens/ Convention collective de travail n° 81 relative à la protection de la vie privée des travailleurs à l'égard du contrôle des données de communication électroniques en réseau - "CBA 81").
The Report explains that the employees' right to privacy must be balanced against the rights and legitimate interests of the employers. This balancing exercise should also take account of the legitimate expectations of the employees.
In addition, the Report sets out the various specific exceptions to the confidentiality of electronic communication contained in Article 124 of the Law on Electronic Communication. These include the processing necessary to ensure the proper functioning of a communications network, the possibility for companies to store business communications and the exception for call centres. Each of these exceptions is subject to strict conditions.
The Privacy Commission also points out that the confidentiality of electronic communications does not apply if the law imposes or permits to interfere. For instance, the Privacy Commission explains that employers can interfere with electronic communications if an employee abuses the system to cause damage to a third party. In addition, the Report states that the employment relationship permits the employer to monitor employees' professional activities in accordance with normal business practices.
Moreover, the Report clarifies that the employer always has the right to access e-mail correspondence which an employee sent in the context of his or her employment and on behalf of the company, provided the professional nature of the correspondence is clear to the employee and the recipient of the correspondence.
Furthermore, the Report underlines the importance of the three basic principles of the Data Protection Law: (i) the purpose limitation requirement (i.e., employers may only process personal data for specific, well defined and legitimate purposes); (ii) the proportionality requirement (i.e., the processing must be adequate, relevant and not excessive in view of the specified purpose); and (iii) the transparency requirement (i.e., the data subjects must be informed about the processing of their personal data, for instance, through the employment agreement, the work rules or internal policies).
Finally, the Report clarifies the scope of CBA 81. It explains that CBA 81 sets out the procedure for monitoring Internet and e-mail use of employees for private purposes. Under CBA 81, employers can monitor such electronic correspondence at a general level (without identifying the data subjects). Except in exceptional circumstances, the employer is not allowed to access the content of private messages.
The Report and the Recommendation provide a welcome clarification of the scope of CBA 81 and the Law on Electronic Communication.
The Privacy Commission's report also reflects the evolution in Belgian case law concerning the inadmissibility of evidence obtained in breach of data protection and privacy rules (See, for instance, Van Bael & Bellis on Belgian Business Law, Volume 2010, No. 8, p. 7).
Together with the Report, the Privacy Commission issued a number of recommendations to ensure compliance with applicable rules. For instance, the Privacy Commission recommends employers to establish in the employment agreement, work rules or in an internal policy, that employees cannot use their professional e-mail address to send private e-mails. According to the Privacy Commission, this prohibition creates a clear presumption that all e-mail correspondence sent using the employer's e-mail system is professional in nature. This, in turn, facilitates monitoring by the employer and diminishes the risk of interference with the private life of the employee.
The Privacy Commission has invited all stakeholders to provide comments or questions in relation to the published documents before 30 November 2011. More information on the public consultation can be found at http://www.privacycommission.be/nl/new/topic/publieke-consultatieronde-cybersurveillance.html (in Dutch) or at http://www.privacycommission.be/fr/new/topic/publieke-consultatieronde-cybersurveillance.html (in French).