Thursday, May 21, 2009

Your Friends Are My Friends

Joe is disgruntled with his boss, and more generally with his company. He needs to vent, and he finds a social network site an easy medium to share his private frustrations with his online friends. Joe actually has hundreds of "friends" on Facebook, many of whom have not communicated much more than a click or two. While at his work computer, during paid hours, Joe shares with his Facebook friends in "private" postings (postings visible only to his "friends") that the company's ethics policy is a joke, that his boss is a major kiss ass, that employee morale is in the pits, and that the product stinks.

Should Joe's boss have the authority to require Joe to allow him access to see what Joe is posting about him and the company? Of course, there is a legal answer, a political answer, an ethical answer, a logical answer, an economic answer, and the kind of evasive cautious answer that often characterizes legal opinions. I serve up the latter. But I will try to be direct, simple, and clear.

Decades ago I wrote a published law review article on privacy rights. Old principles never die, they just fade away. The basic principle of privacy is the idea of "being left alone", that is, to be free of intrusion. I like that: it states a good basic working definition of a personal boundary. Other than doing that, however, it's worthless to answer the FaceBook question first posed. More principles are needed.

Here is the way I believe a California Court would frame the ultimate question: Is the activity one traditionally viewed by our culture as "private", and what is the employer's interest in acquiring the "private information"? California's Constitution has a privacy protection, and unlike the federal constitution, the protection is not limited to government intrusion, but includes individuals.

Well, as you can see, we're now into the fuzzy logic of legal opinions. Maybe some extreme examples will aid in seeing why "fuzzy" applies to most situations. Nearly everything in the way of a personal right can be knowingly, freely, and unconditionally waived. Let's suppose the employer presents the employee with a written waiver of privacy rights, stating that employment is conditional on signing the waiver. Let's suppose the employee is in two distinct situations: a) applying for employment and b) currently in the employment, at the time the waiver is presented. Let's also suppose the waivers concern the following three situations:

1) otherwise private bedroom activity at home is subject to being videotaped and monitored;

2) bathroom use at work is being videotaped and monitored;

3) emails of all types to all persons either sent or received at work on company computers, whether relying on company servers or private servers, will be subject to monitoring.

Now, the two categories of situation will be a) 1,2, or 3, and b) 1, 2, or 3.

I believe, based on years of experience, that a Supreme Court would ask: is there a fundamental, well-established, and important public policy that is so compromised by the waiver that we as a society will declare the waiver invalid as a matter of law, irrespective of the employee's willingness to sign the waiver? Whew, that's a long-winded question, but just the kind of question Court's are logically going to ask. So, bear with me.

The hypothetical questions aren't such a stretch. A U.S. Supreme Court case many years ago held in Griswold v. Connecticut that a state could not enforce a law prohibiting contraceptives because enforcement would put the government in a couple's bedroom. Here in California, there was a major trial verdict upheld on appeal awarding an employee megabucks against a company whose manager placed a secret camera in the women's restroom. Likewise, email that is sent over a private email server (such as Gmail or Yahoo) is considered "private" even if sent from work on working time.

I believe a court is more likely to uphold a denial of employment for refusal to sign a waiver of privacy rights at the time of application, but less likely to uphold a termination of an existing employment because of failure to sign such a waiver. The basic reasoning is that an employee can turn away from the prospective job, and find another opportunity if the privacy waiver is unacceptable. [Like all principles or logical premises, this statement has its exceptions, especially in the present economy, but some courts have ruled just this way]. On the other hand, a current employee who took the job expecting one level of privacy should not be required to release that privacy level in fear of losing his or her job. In effect, I think a court would view this situation as one of the employer changing the rules of the game.

As for the 6 hypothetical examples (3 in each category) stated above: I predict that in both the "pre-employment" and "post employment" situations, a court would invalidate the waivers in situations 1 and 2. The reason is that even if a "pre-employment" applicant were to "voluntarily and knowingly" waive a fundamental privacy right, society itself has an interest in restricting waivers for the broader public good. That is, the court will indulge a presumption that no reasonable person would sign such a waiver or be required to sign consent to such an extreme invasion having no discernible relation to the employer's legitimate business. By analogy, courts do this all the time in the field of contract law. For example, courts will not enforce contracts that have a criminal purpose or outcome, such as prostitution or drug dealing.

Hypothetical situation number 3 above is closer to a "real world" situation. Applying the same principles, the questions would be a) what is the generally accepted level of privacy accorded to private-server email use at work and b) what is the level of an employer's legitimate interest in monitoring that class of email? For example, could an employer convince a trial court to enforce a subpoena directed to the employee and that was focused on content concerning the employer's business? I conclude that a court would uphold the pre-employment waiver for situation number 3, and would invalidate it in the "post-hire" situation unless the waiver was clearly limited to subject matter directly related to legitimate business interests. [Sorry reader, these terms beg the point, I know]. One way to think of the "waiver" in the "post-hire" situation is to compare it to a "confidentiality agreement" concerning the company's trade secrets, processes, and marketing. These agreements are ubiquitous, and often upheld. Steps taken to monitor compliance with the "confidentiality agreement" if not unduly restrictive, will be upheld.

Answering the two guiding questions, there is a fairly high and well-established general privacy expectation that private server email will be private, but there is also a reasonable employer restriction of that privacy expectation insofar as it concerns confidential company subjects. I conclude that a court would enforce a company waiver of private server email privacy if the waiver was limited to subjects of company business. I believe a court would also enforce a subpoena served on the employee [as opposed to the ISP] if the subpoena was highly focused and limited to identify company trade secrets or proprietary information.

One additional consideration often weighed by courts is whether the consent and waiver of privacy is limited to the use of the company's network and computers to access or create the private information. Likewise, a court may consider if the employee posted the "private" information while being paid on company time.

The answer will likely depend on how clearly and frequently the employer communicates its policy that such information is not private, and must be made fully accessible to the employer on request. For example, if an employee is using the company's computer systems to access his or her Facebook account, and if the company has a policy stating nothing going over its systems is to be considered "private", a court is more likely to uphold the privacy waiver. In contrast, an employee using his private cell phone account (that is, the phone and the bill are entirely the employee's, with no employer subsidy), to post negative information about the employer on Twitter, MySpace,Facebook or other networks, the waiver is less likely to be legally valid. The exception may be if the employer has a clearly communicated policy acknowledged by the employee that postings to social networks during company paid time will be deemed the property of the employer, and subject to full access by the employer upon request.

Now, back to Joe. Joe uses Facebook, and has slandered his employer and its product with numerous "private" posts. He has given a new meaning to "viral marketing". He claims he can do so with impunity because of his freedom of speech and privacy rights. He claims his password requirement is itself evidence of the "private" nature of his communications. Of course, Joe could have a totally public site accessible to anyone registering with Facebook. That is hardly a "private" communication when visible to virtually the world. But Joe says he limits the postings to viewing by his friends and their friends.

An employee communicating to 50 or 500 "friends" may still have a privacy expectation if those "friends" are part of a limited group allowed access only by invitation and consent, similar to a "private" club. The size of the group is not as significant as the selectivity and exclusivity of the group. Why? Persons outside the group are not privy to the communications inside the group, and so any person in the group can plausibly argue that he or she expected privacy.

The matter is complicated when an employer has the consent of one participant to the group to enter the group, but not the others, and the others' private communications are inevitably discovered by the employer as well. It is easy to envision multiple firings of co-employees who "trusted" the confidentiality of the password protected membership. Could those co-employees successfully assert that one member's waiver of privacy did not operate to waive their privacy, or did they "assume the risk" that any one member could violate the privacy expectations of all? My actual experience with the free flow of members in and out of groups, with few barriers to entry except a "click" requesting "friend" status, often freely given, indicates a court would likely hold that all participants voluntarily assumed the risk that their communications would be viewed by a third party (such as an employer) they would rather have excluded.

In summary, employees should not assume privacy of social network communications simply because they register and use a password. An employer can enhance the chances of a court upholding a privacy waiver if the employer presents a clear, and fully articulated company policy that identifies social network communications as subject to monitoring if those communications occur on company paid time, and/or with the use of company owned Internet or computer systems. Even then however, employers will have to demonstrate the scope of their monitoring was limited to social network communications impacting the company's legitimate business interests, such as company morale, insubordination, confidentiality, marketing, or public relations.

This article is unusual for many legal articles because it attempts to predict what cases will hold, instead of explaining the implications of cases already decided. Still, this degree of speculation can be helpful as the social networking phenomenon is eventually tested by litigation by employees claiming invasion of privacy and wrongful termination of employment.

As for our disgruntled "friend" Joe mentioned at the beginning of this article, his posting will be deemed "private" if the employer has no policy in place stating such postings are subject to employer access and monitoring, and that Joe or others will be potentially fired if they refuse to grant employer access on request. On the other hand, if Joe accepted employment, and at that time, signed an acknowledgment of the privacy waiver policy as a condition of employment, Joe will likely not have a legally enforceable privacy expectation to the postings. If Joe is requested to sign a privacy waiver after commencing employment, and to comply with a new policy of waiver and consent, that policy will likely be enforceable if it is limited to future communications only, and Joe is given reasonable notice of the date the policy is to take affect.

"If the pink slip doesn't fit,
get redressed!"
Click to see my wardrobe of remedies.


No comments: