In China, the 1994 Regulations on Safety and Protection of Computer Information Systems (the “Regulations”) and the 1997 Administration Rules on Safety and Protection of International Connection by Computer Information Networks (the “Administration Rules”) set forth fundamental rights and rules relating to privacy protection in Internet environments. The Regulations and the Administration Rules, together with other regulations regarding information technology (IT), provide clear instruction for e-mail service providers regarding privacy protection.
Yet, employers lack guidance regarding the circumstances under which they may legally monitor employee online activities. This advisory: (1) expounds relevant legal provisions; (2) highlights accord on the legitimacy of Internet monitoring; and (3) presents observations about strategies for managing employees' work-related Internet activities while curtailing legal disputes.
Relevant legal provisions and their relationship: the Regulations, the Administration Rules, the Criminal Law and the Constitution
Article 7 of the Regulations provides that:
“No organization or individual may utilize computer information systems to endanger … the lawful rights of citizens.”
Article 7 of the Administration Rules further elaborates citizens' lawful rights in the following terms:
“The communication freedom and communication privacy of the user [of computer information networks] are subject to legal protection. No entity or individual may use the Internet in a way that violates the law to harm communication freedom and communication privacy.”
A recent amendment to China's Criminal Law includes a provision imposing criminal liability for misappropriation of personal in formation. The amendment can make a company or an individual (“management personnel with direct responsibility”) liable for such misappropriations conducted by the company. Possible penalties include imprisonment for less than three years, fine or detention.
China's Constitution guarantees freedom and privacy of correspondence. Given a systemic lack of judicial interpretation beyond the provisions of the Measures and the Constitution, an employer's ability to monitor employee online activity is thus dubious.
Accord on the legitimacy of Internet monitoring
The pro-employer camp of China's legal community contends that monitoring employee online communications is an appropriate means to exercise corporate management. They argue that, during work hours, a business' computers and employees' online communications are owned by the business. Those who advocate freedom of correspondence contend that any monitoring of employee online activity constitutes a fundamental legal infringement upon their privacy. Both camps generally converge, however, in agreement that disputes might be avoided or reduced if an employer notifies employees of its legitimate intent to monitor and its policy thereto.
The accorded model is that employers develop relevant rules and policies for Internet monitoring, to reasonably convey the scope of use for online activity (company IT equipment, personal e-mail, instant messaging (IM), etc.) and to explain the purpose and method of monitoring. There remains disagreement as to how broad work-related monitoring can be; for example, whether an employer can monitor employees' e-mail or IM activities outside of the corporate e-mail system.
Effecting a balance
Some experts on Chinese privacy law suggest the following approach:
An employer may formulate an IT policy for inclusion in its employee manual, specifying that personal online activity not related to work is prohibited during work hours (and/or on company IT equipment). Such a policy should specifically prescribe activities for which use of the company e-mail system is deemed appropriate (if applicable). The employer may require its staff to read the employee manual carefully and acknowledge, in writing, having done so before being formally hired. Simply having such policies posted on the company intranet may not be sufficient.
Some experts also suggest that an employer may apply one of several strategies, or a combination thereof, to manage their employees' Internet, e-mail and IM activity at work:
- Employers can utilize software that prevents employees' access to personal e-mail, IM or other programs. Use of such blocking software would negate the employer's need to monitor employees' personal e-mail and IM communications, and could be implemented regardless of whether a relevant IT policy, as described above, has been effected;
- Where the employer's relevant IT policy has been acknowledged in writing by the concerned employees, the employer may request employees or supervisors to notify management if they are aware of an employee using personal e-mail, IM, or other programs not related to work (or company IT equipment for personal use). The business could then demand that the violating employee cease such personal activity, rather than directly monitor the employee's online communications; and/or
- Where the employer's relevant IT policy has been acknowledged in writing by the concerned employees, if an employee uses personal e-mail or IM and saves records of such personal online activity on a company-owned computer, the employee can then be deemed to have granted consent for access to the saved content (which could otherwise be deemed private information). The employer may then access and read such saved activity, as company IT equipment is the property of the employer. However, under such a circumstance, it is important that the employer not disseminate personal communications.
- Likewise, where the employer's relevant IT policy has been acknowledged in writing by the concerned employees, if an employee uses the company e-mail system for personal use, he/she can then be deemed to have relinquished his/her right to privacy of such personal e-mail content. Where the employer owns the company e-mail system, and if communications on the system are routed through a server owned by the employer, the employer may access and read such communications, but still should not disseminate the personal communications.
Conclusion
Employers in China face uncertainties when it comes to monitoring employee online activities. To conform with current provisions under the Measures, the Administration Rules, and China's Criminal Law and Constitution, employers should be careful when handling employee online privacy issues. China's lawmakers have been drafting a privacy protection law, called the Personal Information Protection Act, since 2005. During a recent meeting of the National People's Congress, deputies called for the law's finalization. This Act, when promulgated, will likely provide more certainty for employers.
For more information on China's ever changing employment laws, please see these recent Davis Wright Tremaine advisories: "Producing an Effective Employment Handbook in China," "Sick Leave in China: Employers' Obligations," "Dismissing Underperforming Employees in Compliance with Chinese Labor Law," "Retrenchment in China: Labor-Reduction Measures in Trying Economic Times" and "Procedures and Requirements to Obtain Chinese Work Visas for Expatriate Employees."