The Fight on Corruption versus Data Protection and Employment Law: A Balancing Act - International Law Office

Introduction
Investigations and Controls: Duties and Liability Risks
Restrictions on Internal Control Measures
Comment


Introduction

In recent years, the commercial world has become increasingly aware of the requirements that must be met in order to fight crime. If a business or its management fails to meet these requirements, it runs the risk of being held liable or penalized. Therefore, many businesses have implemented detailed compliance and anti-fraud programmes. However, new legislation has now been introduced – most recently on July 3 2009 in the form of a new law – that further restricts the permissible use of employee data.

Against this background, it is becoming increasingly difficult for a business to ensure that its staff members are complying with the law and with company policy. The implementation of many controls and measures to monitor staff involves a risk of infringing the provisions of either data protection law or employment law. This update describes the limits set by data protection and employment law to restrict the ways in which a business can conduct investigations and impose control mechanisms in order to ensure compliance with its duty to fight fraud and corruption.

Investigations and Controls: Duties and Liability Risks

In view of the recent, mostly negative media reportage regarding control mechanisms and investigations by businesses (ie, the so-called 'snitcher scandal'), managers may be tempted to suspend such activities, at least temporarily, in order to avoid negative publicity. However, this approach could also attract negative publicity (since it would create the impression that little was being done to prevent fraud), and may involve major liability risks for both the business and its management. Business enterprises have a legal duty to prevent any crime or regulatory offence from being committed by the business or its staff to the detriment of any third party (ie, compliance management), and by the business's staff or any third party to the detriment of the business (ie, fraud prevention).

Both the business and its management may be held liable for non-compliance with these legal duties. In particular, such non-compliance may result in:

• adverse legal consequences under civil law – a manager may, for example lose his or her job and be held liable for damages by the business or by third parties, or the business may be held liable for damages by customers, employees, suppliers or competitors;
• the imposition of severe penalties under criminal and regulatory offences law – for example, managers risk criminal proceedings or regulatory fines for failure to intervene to prevent offences being committed by employees in the context of their work or by third parties to the detriment of the business, while corporate entities run the risk of corporate regulatory fines or forfeiture orders; and
• negative consequences under regulatory law – for example, a bank manager may lose his or her qualification to run a bank or a bank may lose its banking licence.

For these and other reasons, the obligation to prevent criminal or regulatory offences should be taken seriously. Effective investigation and control measures should not be dispensed with, provided that they can be made to comply with the limits set by data protection and employment law.

Restrictions on Internal Control Measures

Internal control measures are restricted by both data protection law and employment law.

Data protection law
Data protection law stipulates a number of important boundaries for internal control measures. Any form of collecting, processing or using personal data is permissible under the Federal Data Protection Act only (i) if and to the extent that this is expressly permitted under the act or any other appropriate legislation, or (ii) if and to the extent that the data subject has given his or her consent.

Obtaining the consent of employees is the safest way of ensuring compliance with data protection law. In order to be legally effective, any such statement of consent must be detailed, clear and purely voluntary. Whether consent given in the employment contract is voluntary is arguable, given that employees may fear that a refusal could result in prejudicial consequences.

In the absence of a legally valid statement of consent, personal data of employees may be collected, processed or used for purposes relating to their employment only if the conditions laid down in the amended version of Section 32 of the act, which came into effect on September 1 2009, are met.

The first sentence of Section 32(1) of the act stipulates that employers may collect, process or use employee's personal data for purposes relating to the employment relationship only if (i) this is required in order to decide whether to employ a particular individual, or (ii) to implement or terminate a previously signed employment contract (including the winding-up of the employment relationship). This is deemed to be the case if and to the extent there is no other way to safeguard the legitimate interests of the business. For the purposes of this provision, the legitimate interests of a business include not only compliance with its legal obligations (eg, salary administration and personnel management), but also the exercise of its rights (eg, the right to give instructions or to monitor the performance and conduct of employees).

If personal data is to be collected, processed or used by employers in connection with investigations concerning criminal offences, the second sentence of Section 32(1) of the act requires that:

• concrete evidence exist to suggest that a criminal offence has been committed (ie, vague suspicions are insufficient);
• such evidence be documented;
• the employee's interests in his or her personal data not being collected or used not prevail; and
• the nature and extent of the data collection be proportionate to the nature and the seriousness of the offence and level of suspicion.

Employment law: co-determination of works council
In addition to data protection law, due consideration must be given to the co-determination rights of the works council. Almost all investigations and control measures relating to the fight against fraud and corruption require the consent of the works council. Most of these measures either fall within the scope of "regulating the procedures within the business or the conduct of employees", or involve the "introduction and use of new technical facilities for monitoring the conduct or performance of employees", both of which are subject to co-determination by the works council. The requirement to obtain the works council's approval may be fulfilled by means of either a works agreement or a special accord for a specific measure. If the works council rejects any proposed measures of this kind, the employer has the option to bring the matter before the conciliation board, which has the power to overrule the works council's refusal. However, this option is often not practical because the procedure can take several weeks or even months.

Penalties and probative value
Violations of the Federal Data Protection Act may lead to the imposition of regulatory fines or, in extreme cases, a criminal fine and prison sentence. Moreover, employees may hold the employer liable for damages and possibly even demand compensation for immaterial damage.

Furthermore, under certain circumstances, evidence obtained in violation of data protection law may not be used in court (eg, unfair dismissal proceedings). However, the courts have ruled that there is no ban on the use of such evidence if the company is acting in self defence or under similar circumstances.

In situations in which the works council is not consulted but it is mandatory to do so, the works council may file for injunctive relief. Failure to consult the works council does not, by itself, justify a ban on the use of the relevant evidence in subsequent court proceedings.

Specific control measures
Screening (data reconciliation)
There are many ways of screening existing data (eg, data on employees, customers or suppliers) in order to obtain clues that may suggest irregularities. For example, a comparison of data on suppliers (eg, addresses and bank details) and employees may reveal evidence of criminal activity.

Hitherto, such mass screenings have often been implemented as routine and without concrete evidence. According to the new Section 32, a business may conduct such screening only if there is evidence of criminal offences having been committed. Without such probable cause, mass screenings are permissible only if anonymized employee data is used. If the result of such screening or other facts suggest that criminal offences may have been committed, the company concerned will then be legally authorized to investigate the matter further.

The computer programmes needed to carry out data screening may not be installed and used without the consent of the works council. However, this is the case only if individual employees are identifiable. The works council has no co-determination rights in this regard if the screening is performed using anonymized data.

Telephone, internet and email surveillance
The supervision of telephone, internet and email use involves processing personal data and, therefore, must comply with the requirements of Section 32. If such supervision is in the context of investigating criminal offences, there must be documented concrete evidence suggesting that a criminal offence has been committed, the business enterprise's interests must prevail and the principle of proportionality must be met.

An important point regarding the supervision of telephone, internet and email use is whether the company allows its staff to use these media for private purposes. Silence on this point on the part of the employer cannot automatically be construed as authorization of such use. Seen purely from the perspective of surveillance, it is advantageous for the employer to ban any private use of these means of work communication. This allows the employer to assume that any correspondence and other communications of an employee are work related. The employer may therefore access the relevant data (call detail records, emails, internet use logs) relatively freely (ie, in a manner comparable to normal written business correspondence). However, certain restrictions also exist in this regard and full surveillance is not permissible. Furthermore, an employer is not allowed to make any further use of an allegedly business-related email which, when checked, turns out to be of an entirely private nature.

If an employer has authorized the private use of these means of communication, it is more difficult for it to monitor the business-related email correspondence of its staff. Any kind of control during the transmission process is ruled out. An employee's saved emails should not be checked without the prior (preferably written) permission of the concerned individual and in any case only to the extent that it is clear (eg, from the filing structure) that the emails which are being checked are business-related (and thus not private).

It holds true for telephone, internet and email surveillance that the risk of violating data protection law can be minimized by keeping the number of employees concerned as small as possible and that this risk declines in inverse proportion to the growth and strength of the suspicion of a criminal offence. Great caution should be exercised with regard to any concealed surveillance, which could even render the employer criminally liable in certain cases.

Video surveillance and movement profiles
Video surveillance of freely accessible premises is permissible only in order to exercise house rights or safeguard legitimate interests for specific purposes. In either case, the rights of those who are subject to such surveillance must not prevail.

However, most workplaces are located in premises that are not freely accessible. Overt video surveillance of such premises may be permissible in certain cases, provided that it serves a legitimate purpose and is not intended merely to harass or pressurize employees. Furthermore, such surveillance must be reasonable and the co-determination rights of the works council must be respected.

Covert video surveillance constitutes severe interference with the rights of those who are being observed and is consequently permissible only if the requirements of Section 32 of the act are met (ie, in particular, if there is a strong suspicion of criminal behaviour or other serious misconduct on the part of the employee concerned.) Moreover, covert video surveillance may be undertaken only as a last resort and with the approval of the works council.

The same holds true for the preparation and use of movement profiles by technologies such as Global Positioning System, radio-frequency identification, cellular radio location data or magnetic cards. Except in some special cases, complete supervision (whether overt or otherwise) is not permissible. Any covert surveillance is possible only as a last resort, if at all.

Whistleblowing
Many companies have set up whistleblowing hotlines which employees may use to report any irregular conduct by other employees. In particular, in serious cases and especially if criminal offences are concerned, employees are subject to a legal duty under their employment contract to report such conduct to their employer.

Generally speaking, it is permissible to store caller data provided that the caller is aware that this is being done and that the storage of such data facilitates the investigation of the allegations made. Storing data regarding an employee of whom irregular conduct is suspected is justifiable only if the requirements laid down in the second sentence of Section 32(1) of the act are met (ie, there is documented evidence of a criminal offence, the interests of the employer outweigh those of the employee and such storage complies with the principle of proportionality).

Particular caution is always required if data is collected and stored outside the European Union or the European Economic Area.

The setting up of whistleblowing hotlines falls within the scope of the co-determination rights of the works council.

Comment

Businesses not only have a legitimate interest in preventing and pursuing fraud and corruption, but also are legally obliged to do so. This often leads to businesses entering into legal grey areas. In some cases, it may be necessary to investigate very thoroughly whether any contemplated measures comply with data protection and employment law. Generally, control measures are permissible provided that:

• they are based on a reasonable suspicion of a criminal offence;
• they affect only employees who may be involved in a suspected criminal offence;
• they do not violate employees' privacy;
• there is no a practicable, less onerous alternative; and
• they are taken after consultation with the works council.

Particular caution should be exercised when undertaking covert supervision measures.

The new Section 32 of the Federal Data Protection Act failed to draw a clear line between what constitutes permissible anti-fraud measures and what is considered impermissible interference with employees' personal rights. At least until a new act is passed on the protection of employee data, uncertainty surrounding how to ensure the legality of internal investigation and control measures will remain.

For further information on this topic please contact Heiner Hugger, Florian Schmitz or Stefan Simon at Clifford Chance LLP by telephone (+49 69 7199 01), fax (+49 69 7199 4000) or email (heiner.hugger@cliffordchance.com, florian.schmitz@cliffordchance.com or stefan.simon@cliffordchance.com).