Despite the fact that public and private employers have a similar legitimate need for information about applicants and employees to make informed decisions about hiring, promotion, security, discipline, and termination, privacy rights in the private sector of employment are limited; an employee who is arbitrarily treated but who is without a union or contract is generally left with fewer rights in the private-sector environment.
The distinction between the treatment of employees in the private and public sectors is one that is created by the constitutional requirement of state action as precedent to its application. The Constitution is a limitation made to curb government excesses.
Whether or not there should be a right to privacy in both the public and the private sectors, employers suggest that the employee has three choices when faced with objectionable intrusions by employers: quit, comply, or object and risk termination. Employees argue that they are defenseless because of their economic condition and that their privacy in the private sector is subject to greater abuse precisely because there are no protections and the option to quit is unrealistic.
One explanation offered for the difference between public- and private-sector privacy protections is compliance-related costs. The implementation of the Privacy Act throughout its agencies costs the government relatively little because it is conducting self-regulation.
By contrast, ensuring compliance within the private sector requires administration of the compliance and adjudication of violations. The Privacy Protection Study Commission found that requiring an employer to change its manner of maintaining and using records can drastically increase the cost of operation.
These costs include the costs of changing employment record-keeping practices, removing relevant information from employment decisions, and implementing a social policy of employee privacy protection. These costs are not necessarily “burdensome” to the employer, however. One study found that protecting the rights of employees on a computer system could cost as little as $4 per person. Employers’ concern for compliance costs may well be an unrealistic barrier to the development of regulations for privacy rights of private-sector employees.
A second distinction between public- and private-sector employers offered to justify different privacy standards is that more stringent regulation is needed for government employees because it is common for federal agencies to be over-zealous in surveillance and information gathering. Private-sector employers, in contrast, do not generally have similar resources and, therefore, are unable to duplicate these invasive activities.
Bases for Right to Privacy in the Private Sector
Private-sector employers are not bound by constitutional structures. On a state-by-state basis, however, private-sector employees may be afforded protection either by the common law or by statute. All but two states provide common-law tort claims to protect individual privacy, such as intrusion into seclusion. Various torts described below have developed to protect individual solitude, the publication of private information, and publications that present personal information in a false light. (See Exhibit 13.3, “U.S. Companies with Operations in Europe Must Comply with Data Protection Laws,” for the manner in which privacy protection is handled somewhat differently in the European context.)
State legislatures have responded to the issue of private-sector employee privacy in one of four ways:
1. Enacting legislation mirroring federal law regarding the compilation and dissemination of information.
2. Recognizing a constitutional right to privacy under their state constitutions, as in California, Illinois, and Arizona. For example, California appellate courts have found that employees terminated for refusing to submit to drug tests were wrongfully discharged in violation of the state’s constitutional guarantee of a right to privacy, which requires employers to demonstrate a compelling interest in invading an employee’s privacy. In Pennsylvania, a court held that a drug test violates that state’s policy against invasions of privacy where the methods used do not give due regard to the employee’s privacy or if the test results disclose medical information beyond what is necessary. Other states that provide constitutional recognition and protection of privacy rights include Alabama, Florida, Hawaii, Louisiana, Montana, South Carolina, and Washington. However, in all states except California, application of this provision to private-sector organizations is limited, uncertain, or not included at all.
3. Protecting employees only in certain areas of employment, such as personnel records or the use of credit information.
4. Leaving private-sector employees to fend for themselves while the federal laws and the Constitution afford protection to federal employees and those subject to state action.
Tort Law Protections/Common Law
As mentioned above, courts in almost all states have developed case law, the “common law,” which identifies certain torts in connection with private-sector invasion of privacy. Georgia was the first jurisdiction whose courts recognized a common-law right to privacy. As the court explained in Pavesich v. New England Life Ins. Co., “a right of privacy is derived from natural law, recognized by municipal law, and its existence can be inferred from expressions used by commentators and writers on the law as well as judges in decided cases. The right of privacy is embraced within the absolute rights of personal security and personal liberty.” Though some states rely on statutory protections rather than common law, only two states—North Dakota and Wyoming—fail to recognize any of the four privacy torts discussed here. A tort is a legal wrong, for which the law offers a remedy. The torts of particular interest in this article include intrusion into solitude or seclusion, the publication of private information, and publication that places another in a false light. Defamation also will be discussed.
Publication as used in these torts means not only publishing the information in a newspaper or other mass media but generally “bringing it to light” or disseminating the information. In addition, the concept of publication is defined slightly differently depending on the tort. Truth and absence of malice are generally not acceptable defenses by an employer sued for invasion of an employee’s privacy. They are acceptable, however, in connection with claims of defamation.
Intrusion into Seclusion
To state a prima facie case for the tort of intrusion into seclusion, the plaintiff employee must show that
• The defendant employer intentionally intruded into a private area.
• The plaintiff was entitled to privacy in that area.
• The intrusion would be objectionable to a person of reasonable sensitivity.
The intrusion may occur in any number of ways. An employer may
• Verbally request information as a condition of employment.
• Require that its employees provide information in other ways such as through polygraphs, drug tests, or psychological tests.
• Require an annual medical examination.
• Ask others for personal information about its employees.
• Go into private places belonging to the employee.
Any of these methods may constitute a wrongful invasion where it so invades the employee’s private sphere that it would be objectionable to a reasonable person. On the other hand, if the employer can articulate a justifying business purpose for the inquiry/invasion, the conduct is more likely to be deemed acceptable.
In Rogers v. Loews L’Enfant Plaza Hotel, an employee was continually sexually harassed by her supervisor, including bothersome telephone calls to her home, during which he made lewd comments to her about her personal sex life. The sexual harassment evolved into harassment in the workplace, where the supervisor verbally abused her in front of her co-workers, kept important business-related information from her, and refused to include her in meetings. Her employer, refusing to take formal action, suggested that she change positions. The court determined that the telephone calls were not of a benign nature but, instead, were unreasonably intrusive and not normally expected. Further, the harassment constituted an intrusion into a sphere from which the employee could reasonably exclude the defendant. On these bases, the court found in favor of the employee.
In connection with opening scenario 1, Aravinda’s decision in connection with the HIV tests may be governed in part by the law relating to employment testing and in part by the law relating to disability discrimination (since HIV is considered a disability under the Americans with Disabilities Act). On the other hand, the law relating to intrusion into seclusion also would have application here in terms of disclosure of the test results. If Aravinda discloses the results to anyone or, through her actions, leads someone to a belief about the employee’s HIV status, she might be liable under this tort. In addition, it is important to consider that it is highly unlikely that Aravinda has any right to know any employee’s HIV status as it is unlikely that the information would be job-related. (Can you imagine what employment position might warrant this type of information? Is HIV status ever considered job-related?) Consider the application of the prima facie case for intrusion into seclusion as you review Michael A. Smyth v. The Pillsbury Company, included at the end. The court in that case considers the nature of a reasonable expectation of privacy, as well as why an employer might wish to intercept e-mails.
Public Disclosure of Private Facts
To state a prima facie case for the tort of public disclosure of private facts, the plaintiff employee must show that
• There was an intentional or negligent public disclosure
• Of private matters, and
• Such disclosure would be objectionable to a reasonable person of ordinary sensitivities.
The information disclosed must not already be publicized in any way, nor can it be information the plaintiff has consented to publish. Therefore, in Pemberton v. Bethlehem Steel Corp., publication of an employee’s criminal record did not constitute public disclosure of private facts because the criminal record did not contain private facts; it was information that was already accessible by the public.
As you shall see at the end, in the Yoder v. Ingersoll-Rand Company a.k.a. ARO case, the publication also must be made public, which involves more than mere disclosure to a single third party. The public disclosure must be communication either to the public at large or to so many people that the matter must be regarded as substantially certain to become one of public knowledge or one of knowledge to a particular public whose knowledge of the private facts would be embarrassing to the employee. Therefore, publication to all of the employees in a company may be sufficient, while disclosure to a limited number of supervisors may not.
Several states have enacted legislation codifying this common-law doctrine under the rubric of “breach of confidentiality.” Connecticut, for instance, has passed legislation requiring employers to maintain employee medical records separate from other personnel records. Other states have limited an employer’s ability to disclose personnel-related information or allowed a cause of action where, through the employer’s negligent maintenance of personnel files, inaccurate employee information is communicated to a third party.
Publication in a False Light
The prima facie case of publication in a false light requires that there was a public disclosure of facts that place the employee in a false light before the public if the false light would be highly offensive to a reasonable person and the person providing the information had knowledge of or recklessly disregarded the falsity or false light of the publication.
Voluntary consent to publication of the information constitutes an absolute bar to a false-light action. This type of tort differs from defamation, where disclosure to even one other person than the employer or employee satisfies the requirements. The tort of publicizing someone in a false light requires that the general public be given a false image of the employee. In a false-light action, the damage for which the employee is compensated is the inability to be left alone, with injury to one’s emotions and mental suffering, while defamation compensates the employee for injury to his or her reputation in the public’s perception.
Note that any of the above claims may be waived by the employee if the employee also publishes the information or willingly or knowingly permits it to be published. For example, in Cummings v. Walsh Construction Co., the employee complained of public disclosure of embarrassing private facts, consisting of information relating to a sexual relationship in which she was engaged with her supervisor. The court held that, where the employee had informed others of her actions, she waived her right not to have her supervisor disclose the nature of their relationship.
As with defamation, an exception to this waiver exists in the form of compelled self-publication, where an employer provides the employee with a false reason as the basis for termination and the employee is compelled to restate this reason when asked by a future employer the basis of departure from the previous job. Therefore, where the employer intentionally misstates the basis for the discharge, that employer may be subject to liability for libel because it is aware that the employee will be forced to repeat (or “publish”) that reason to others.
Breach of Contract
An employee also may contest an invasion of privacy by her or his employer on the basis of a breach of contract. The contract may be an actual employment contract, collective bargaining agreement, or one found to exist because of promises in an employment handbook or a policy manual.
Defamation
Libel refers to defamation in a written document, while slander consists of defamation in an oral statement. Either may occur during the course of a reference process. And, while the prima facie case of defamation requires a false statement, even a vague statement that casts doubt on the reputation of an individual by inference can cause difficulties for an employer if it cannot be substantiated.
The elements of a claim for defamation include
• False and defamatory words concerning employee,
• Negligently or intentionally communicated to a third party without the employee’s consent (publication), and
• Resulting harm to the employee defamed.
One cautious solution to this problem area is to request that all employees fill out an exit interview form that asks, “Do you authorize us to give a reference?” If the applicant answers yes, she or he should be asked to sign a release of liability for the company.
Ordinarily defamation arises from someone other than the defamed employee making defamatory statements about an employee; but one interesting form of defamation has evolved over the past decade where an employee is given a false or defamatory reason for her or his discharge. In that case, the employee is the one who is forced to publicize it to prospective employers when asked for the reason for her or his discharge. These circumstances give rise to a cause of action for defamation, termed compelled self-disclosure, because the employee is left with no choice but to tell the prospective employer the defamatory reasons for her or his discharge. Barring this result, the employee would be forced to fabricate reasons different from those given by the former employer and run the risk of being reprimanded or terminated for not telling the truth. This cause of action has been recognized, however, only in Colorado, Iowa, Minnesota, Connecticut, and California.
An employer may defend against an employee’s claim of defamation by establishing the truth of the information communicated. While truth is a complete defense to defamation, it can be difficult to prove without complex paper management.
Employers also may be immune from liability for certain types of statements because of court-recognized privileges in connection with them. For example, in some states, an employer is privileged to make statements, even if defamatory, where the statement is made in the course of a judicial proceeding or where the statement is made in good faith by one who has a legitimate business purpose in making the communication (e.g., ex-employer) to one who has a business interest in learning the information (e.g., a prospective employer). This privilege would apply where a former employer offers a good-faith reference to an employee’s prospective employer. “Good faith” means that the employer’s statement, though defamatory, is not made with malice or ill will toward the employee.
Exhibit 13.3 U.S. Companies with Operations in Europe Must Comply with Data Protection Laws
The European Union’s approach to data privacy is completely alien to American companies. But, as a recent decision from CNIL (Commission Nationale de l’Informatique et des Libertés, the French Data Protection Authority) makes clear, an American company with operations in Europe that does not learn how to play by European rules runs a serious risk of getting slapped with a hefty fine.
The European Union’s Directive governing the protection of individuals’ personal data and the processing of such data mandates that the member nations adopt laws that cover all “processing” (defined to include even collection and storage) of data about personally-identifiable individuals. The EU Directive includes provisions addressing, among other things, limitations on the use of date [sic], data accuracy, and data destruction requirements. The Directive is not limited to electronic or computerized data, and therefore reaches written, Internet, and even oral communications.
The EU Directive offers a blueprint for data privacy laws across Europe but, in any given situation, the Directive itself is not legally binding. As to each specific data privacy issue arising within Europe, the relevant country’s local statue [sic] that adopts (“transposes”) the Directive will determine data privacy rights an[d] responsibilities.
The Extraterritorial Reach of the EU’s Data Privacy Directive Means That Any Company with Operations in Europe Must Comply; Cross-Border Data Transfer Is Particularly Thorny
An important aspect of the Directive for businesses headquartered outside of Europe, such as in the U.S., is the Directive’s extraterritorial reach. The Directive specifically prohibits sending personal data to any country without a “level of [data] protection” considered “adequate” by EU standards. Significantly, the EU has ruled that the United States, with its patchwork of privacy laws, does not possess an adequate level of data protection.
The directive authorizes a number of exceptions, legally permitting transmission of personal data outside of Europe even to a “third country” that fails to offer an “adequate level of protection.”
Exceptions Permitting Cross-Border Transfers of Personal Data
The EU recognizes three “transborder data flow vehicles”: (i) a company can self-certify with the U.S. Department of Commerce that it adheres to specified data protection principles (known as the “safe harbor” system); (ii) a company can enter into “model contracts” with its European subsidiaries, agreeing to abide by mandatory data protection provisions; or (iii) a company can develop a set of “binding corporate rules”—company-drafted data protection regulations that apply throughout the company, which must be ratified by each EU member state’s data protection authority. Failure to implement at least one of these methods could result in significant liability.
Obtaining the data subject’s free, unambiguous consent to transmit his or her data overseas is theoretically another permissible way in which to transfer data to a country outside the EU—even to a country without comparable data protection law—provided that the consent specifically lists the categories of data and the purposes for the processing outside the EU. Practically speaking, however, obtaining consent to legitimize a transfer overseas is often not an available alternative for employers; in the employment context, because of the imbalance in bargaining power between employer and employee, consents may be presumed not to have been freely given.
Also, of course, there is no prohibition against transmitting genuinely anonymized data out of the EU. Where the identity of the data subject is impossible to determine, the data transmission falls outside the scope of the directive.