So, does a company have the right or even a responsibility to capture employee data that is generally personal, only incidentally used for business purposes, is not part of a normal business process or has other intended uses? Ostensibly, the business might have a legitimate business concern, such as preventing the leakage of confidential information or to capture data that would be necessary to respond to eDiscovery requests should they occur.
Now this my personal opinion, but I suspect that businesses would be on very shaky legal ground if they captured such information. Yes, a worker may do things that are inappropriate or illegal related to the company, but if they do so on their own time and through private communication channels that is and remains their responsibility. The process of eDiscovery for ESI for businesses relates only to normal business processes. If a company suspects that an employee is using company data, such as revealing trade secrets, outside those normal business processes, the company should turn to law enforcement authorities to help address the issue rather than attempting a broad, surreptitious sweep of information where only a small portion of communications could conceivably be of importance and a number of individuals could risk having their private communications exposed.
Does that mean that a business could not sometimes collect that data reasonably and legally? No. For example, the company could ask employees to allow them to collect that data. Union and public sector employees could probably tell them no, but "at will" employees might feel that their jobs are at stake and consent only because of that threat. Whether such coercion is legal, I don't know. However, say that a third party had a confidentiality arrangement with the employee for private matters totally unrelated to the employer, such as health-related matters, and the employer revealed that information. Once again, this is only my opinion, but the third-party employee might have a very good case to receive damages from the employer. The bottom line is that businesses probably should collect private communications only as an unavoidable byproduct of their normal business processes. When they stray from that, they may be taking on unnecessary and unexpected risks which far exceed any benefits they might gain from capturing that information.
As a non-attorney and one more or less unfamiliar with constitutional law, including the precedents, I cannot pretend to understand in depth the complex reasoning that goes on in any Supreme Court decision. People tend to like or dislike particular decisions based upon their political perspectives without fully comprehending the legal issues surrounding the conflict between two principles where only one can prevail. However, as an industry analyst familiar with the technologies of ESI and with a strong business background, I have tried to frame the issues from at least a business perspective. The key points are:
- Collecting personal communications in a central business storage repository can very well be an unavoidable byproduct of normal business processes where a particular electronic device is used for the creation of both personal and business communications.
- The difficulty of determining what is truly personal means that the business may inadvertently visually scan and read what were meant to be strictly personal communications.
- Denying an organization this ability could prove to be technically infeasible and could conceivably expose it to both business and legal risk.
- Even if the data can be separated (such as through the use of virtualization) and a business wants to take a laissez faire stance respectful of employee privacy, is the business still at risk for not having done enough?
- Can businesses thus decide to try and collect personal business communications that are not part of a normal business process? One risk is in not doing enough and the other risk is in trying to do too much.
While the Supreme Court may choose to rule very narrowly, and only on some of what is contained in the first point, a broader ruling would help businesses explicitly understand what is and what is not permissible, which would have the laudable effect of reducing future litigation. In any event, the upcoming case and eventual ruling may be under the radar for most businesses but needs to be watched quite closely. Depending on the Court's ruling, some businesses may want to take a more proactive stance to avoid significant negative consequences.
