The Keylogger Decision of the Federal Labour Court – Exclusion of Evidence Due to Data Protection Violation

Bernd Schmidt Employee Data Protection Leave a Comment

The Federal Labour Court (Bundesarbeitsgericht) had to decide on the effectiveness of the termination of a web developer who used substantial parts of his working time for private activities. The employer had gained this insight by using a keylogger, without any concrete suspicion of a criminal offence or serious breaches of duty by the employee. (Judgment as of 27.07.2017, BAG 2 AZR 681/16).

1. The Case

The employee, a web developer, had used his working time to a considerable amount for private activities. In particular for programming and playing a spaceship PC game, working for his father’s logistics company and programming an IT tool for his father’s company. The employer gained knowledge thereof via log files of a key logger program, logging any activity of the employee in connection with his work PC, including screenshots and keyboard entries.

Before deploying the keylogger to any of its employees’ PCs, the employer had informed them via e-mail and requested the employees to express objection within one week in case they would not agree. The concerned employee did not reply to said email.

Upon written request and opposed to the results of the employer’s logfile analysis, the employee stated this private activity only had limited extend and mostly took place during his breaks. The employer, who, according to the logfiles could assume that the employee had done a considerable amount of private work in his working time, terminated the employment contract without notice. The employee successfully filed dismissal protection suit. The Federal Labour Court upheld the rulings of the employment courts of first and second instance.

2. Legal Reasons for the Ruling

The employee’s private activities in his working times as such clearly would justify terminating his employment relationship. Where termination is appealed, the employer must prove the employee’s violation of employment contractual obligations. In order to establish prove, the employer could only provide information directly acquired from the keylogging. The keylogging as such was rather clear in breach of data protection law, which according to the Federal Labour Court results in respective evidence being excluded from consideration in court.

2.1 Data Protection Requirements

Little surprising, the German Federal Labour Court held deployment of the keylogger as being in breach of data protection law here. Following its press release,

the use of a keylogger, which records all keystrokes on a business computer for covert monitoring and control of the employee is inadmissible according to § 32 (1) German Data Protection Act (BDSG) if there is no suspicion of a criminal offence or other serious breach of duty related to the employee, based on concrete facts.

German data protection law contains rather restrictive justifications for processing employee data. Under Section 32 (1) German Data Protection Act (BDSG)

personal data of an employee may be collected […] for the purposes of the employment relationship, if this is necessary for […] carrying out an employment relationship […]. In order to disclose criminal offences, personal data of an employee may only be collected […] if the factual evidence to be documented justifies the suspicion that the person concerned has committed a criminal offence in the employment relationship, that the collection […] is necessary for detection and that the employee’s legitimate interest in excluding the collection […] is not overruling the employer’s interests […].

Here, deployment of a keylogger was clearly not necessary for carrying out the employment relationship. Further, the employer did not have any suspicion of a criminal offence or severe violation of the employment agreement. Rather, the keylogger deployment was made randomly “into the blue”. Such general and extensive monitoring of employee behaviour is considered a clear breach of their privacy rights.

The employer’s information on deployment of the keylogger and the possibility to express objection could also not serve as data protection justification. One could argue whether or not such opt-out invitation would qualify as expression of consent. Regardless, the merits of consent are limited in an employment context and not given here. It has long been disputed whether or not employees could at all express valid consent in an employment context given their subordinate role. The Federal Labour Court in its judgment as of 27.07.2017 (BAG 2 AZR 681/16) held, this was in principle possible where the employee could act fully free of any pressure and possible consequences connected to his or her action. This could not be assumed here.

2.2 Data Protection Violation and Consideration of Evidence in Court

Any civil court including the employment courts are obliged to consider the parties’ evidence including the question as to whether or not is was obtained lawfully. While not any breach must result in excluding evidence, the court must assess the seriousness of the breach by weighing up the interest in the exploitation and functional efficiency of the administration of justice and the breach itself. Here the German Federal Labour Court considered the breach too serious to consider evidence gained from it in court.

Following its press release,

The knowledge about the plaintiff’s private activities gained by the keylogger may not be used in court proceedings. The defendant violated the plaintiff’s right to informational self-determination guaranteed as part of the general right of personality (Art. 2 (1) and Art. 1 (1) German Constitution). The acquisition of information was not permitted in accordance with Section 32 (1) BDSG. The defendant did not have any factual suspicion of a criminal offence or other serious breach of duty against the plaintiff when using the software. The measure taken “into the blue” was therefore disproportionate.

3. Conclusion

The Federal Labour Court’s ruling clearly strengthens employees’ privacy rights vis-à-vis their employers and upholds restrictions for using evidence gained in breach of data protection law. It does, however, neither permit deployment of keyloggers per se, nor use of respective data in court proceedings. Following the judgement, employers are well advised to careful consider data protection requirements prior to any investigation. Where keylogger or other monitoring measures are intended to disclose employees’ breach of employment obligations or criminal offences, Section 32 (1) German Data Protection Act (BDSG) requires a justified suspicion, documentation of said suspicion and consideration of the concerned employee’s privacy rights.

Leave a Reply

Your email address will not be published. Required fields are marked *