The Employee's Right to Privacy and Management of Personal Information

By Bennett-Alexander, D.D., Hartman, L.P.

Edited by Paul Ducham

PRIVACY POLICY

Privacy is a surprisingly vague and disputed value in contemporary society. With the tremendous increase in computer technology in recent decades, calls for greater protection of privacy have increased. Yet, there is widespread confusion concerning the nature, extent, and value of privacy. Philosophers have argued that our society cannot maintain its core values without simultaneously guaranteeing the privacy of the individual. Edward Bloustein writes that “an individual deprived of privacy merges with the mass. His opinions, being public, tend never to be different; his aspirations, being known, tend always to be conventionally accepted ones; his feelings, being openly exhibited, tend to lose their quality of unique personal warmth and to become the feelings of every man. Such a being, although sentient, is fungible; he is not an individual.” 

Recent inventions and business methods call attention to the next step that must be taken for the protection of the person and for securing to the individual what Judge Cooley calls the right “to be let alone.” Instantaneous photographs and newspaper enterprises have invaded the sacred precincts of private and domestic life, and numerous mechanical devices threaten to make good the prediction that “what is whispered in the closet shall be proclaimed from the house-tops.”

The concept of privacy as a fundamental right is certainly not limited to the United States or even Western culture. Privacy is protected in the Qur’an and was recognized by Mohammed. Ancient Greece already had laws protecting privacy, and the Jewish Talmud considers privacy an aspect of one’s sanctity, providing rules for protecting one’s home. In fact, the Talmud contains reference to “harm caused by seeing” ( hezeq re’iyyah) when one intrudes upon another.

But do employees actually have a “fundamental right to privacy” as many believe? The answer to this question is not as easy as one might presume, given the wide recognition of employee rights in the workplace. The right to privacy may not be as fundamental as employees generally believe it to be, which makes it all the more important in these days of advancing information technology. Computer technology, though largely beneficial, can have a negative effect on employees if the easily obtained information is misused, incorrect, or misleading. Employers now have a greater capacity to invade an employee’s privacy than ever before. Among other devices, there are chairs that can sense and record the time an employee spends at his or her desk, computer programs that measure employees’ computer keystrokes to ensure they are as productive as they should be, phones that monitor employees’ phone calls, and policies related to workplace communication to make sure all communications are work-related. Monitoring is only increasing in power, ability, and frequency. Sales of computer monitoring and surveillance software have increased almost 500 percent to $622 million in 2006. But perhaps there is presently a greater employer need for seemingly private information, with more than 75 percent of 14.8 million drug users in the United States employed. Drug use in American industry costs employers approximately $82 billion per year in overall productivity due to absenteeism and attrition; theft of employer property by employees is estimated at $10 billion per year; and failure to perform an intensive reference and background check of an applicant may cost the employer enormous amounts in litigation fees defending claims of negligent hiring, easily outweighing the cost of a drug test, usually less than $50. In this time of increased competition in the global marketplace, each employee becomes all the more crucial to the workings of the company. An employer has a justified basis for attempting to choose the most appropriate and qualified person for the job; the means by which the employer obtains that information, however, may be suspect.

The right to privacy is not only balanced with the arguably legitimate interests of the employer but also with the employer’s responsibility to protect the employees’ personal information. A 2007 study of more than 800 North American privacy and security professionals reported that there is a strong likelihood of a security breach relating to personally identifiable information. In fact, 85 percent of those responding had experienced or observed a security breach within the past 12 months and 63 percent had experienced multiple breaches during that time—between 6 and 20 occurrences.

Since erosion of at-will employment was the dominant issue of the 1980s, scholars have predicted that privacy will be the main theme for the 1990s and beyond. This article will address the employee’s rights regarding personal information and the employer’s responsibilities regarding that information, as well as the employer’s right to find out both job-related and nonrelated personal information about its employees. This article will not address issues relating to consumer privacy since they fall outside the scope of the article’s primary focus.

Background

There are three ways in which privacy may be legally protected: by the Constitution (federal or state), by federal and/or state statutes, and by the common law. The U.S. Constitution does not actually speak of privacy, but privacy has been inferred as a necessary adjunct of other constitutional rights we hold. The right to privacy was first recognized by the Supreme Court in Griswold v. Connecticut, when the Court held that a Connecticut statute restricting a married couple’s use of birth control devices unconstitutionally infringed on the right to marital privacy.

The Court held a constitutional guarantee of various zones of privacy as a part of the fundamental rights guaranteed by the Constitution, such as the right to free speech and the right to be free from unreasonable searches and seizures. The latter right is that on which many claims for privacy rights are based; the Court has held that under certain circumstances the required disclosure of certain types of personal information should be considered an unreasonable search. It has protected against the mandatory disclosure of personal papers, and it decided in favor of the right to make procreation decisions privately.

While baseless or unjustified intrusions, at first blush, may appear to be completely abhorrent in our society, proponents of the argument that employers can ask whatever they please argue that if an employee does not want to offer a piece of information, there is something the employee is trying to hide. For example, why would an employee refuse to submit to a drug test if that employee is not abusing drugs? Do private-sector employers have the right to ask their employees any question they choose and take adverse employment actions against the employee if she or he refuses to answer since they are not necessarily constrained by constitutional protections? (See Exhibit 13.1 , “Myths about Employee Privacy Rights.”)

Additionally, employees are concerned about the type of information gathered in the course of applying for and holding a job. Who has access to that information? What information may be deemed “confidential,” and what does that mean to the employee? Evidently, employers perceive challenging issues among these and others with regard to privacy; as of 2004, there were more than 2,000 chief privacy officers (CPOs) in businesses around the world, more than 10 times the estimate three years ago.

Exhibit 13.1 MYTHS about Employee Privacy Rights

1. Employees have an absolute right to privacy in their workplace.

2. It is a breach of an employee’s right to privacy for an employer to ask with whom the employee lives.

3. In the private sector, the Constitution protects employees’ right to be free from unreasonable searches and seizures.

4. Without constitutional protection, employees in the private sector are left with no protection against invasions of privacy.

5. Once an employee gives information to an employer, the employer may use it for whatever purpose it desires.

5TH AMENDMENT AND THE PUBLIC SECTOR

With regard to the public sector, the Constitution protects individuals from wrongful invasions by the state or by anyone acting on behalf of the government. The personal privacy of federal, state, and local employees is therefore protected from governmental intrusion and excess. As we will see later, private-sector employees are subject to different—and often fewer—protections.

Constitutional Protection

The Fourth Amendment and Its Exceptions

For the Fourth Amendment’s protection against unreasonable search and seizure to be applicable to a given situation, there must first exist a “search or seizure.” The Supreme Court has liberally interpreted “search” to include a wide variety of activities such as the retrieval of blood samples and other bodily invasions, including urinalyses, as well as the collection of other personal information. One might imagine how this umbrella gets wider as technology advances.

For the search to violate the Fourth Amendment, that search must be deemed unreasonable, unjustified at its inception, and impermissible in scope. You will read in the seminal Supreme Court case, O’Connor v. Ortega, included in the end, that a search is justified “at its inception” where the employer has reasonable grounds for suspecting that the search will turn up evidence that the employee is guilty of work-related misconduct, or where the search is necessary for a noninvestigatory work-related purpose such as to retrieve a file.

It is critical to review the O’Connor case to understand both the fundamental basis of public-sector search and seizure law as it applies to the workplace as well as much of current case law today. The Court held that a search is permissible in scope where “the measures adopted are reasonably related to the objectives of the search and not excessively intrusive in light of . . . the nature of the misconduct being investigated.”

Generally, all searches that are conducted without a judicially issued warrant based on a finding of reasonable cause are held to be per se unreasonable. But there are several exceptions to this rule, including searches that happen as part of an arrest, some automobile searches, pat-down searches with probable cause to believe the subject is armed, and administrative searches of certain regulated industries.

One example of an exception occurred in Shoemaker v. Handel where the Supreme Court held that a drug-related urine test of jockeys without a warrant was acceptable because it satisfied the court’s two-pronged test. The Court held that (1) where there is a strong state interest in conducting the unannounced warrantless search and (2) where the pervasive regulation of the industry reduces the expectation of privacy, the search does not violate the Fourth Amendment. Similarly, in Skinner v. Railway Labor Executives Association, decided three years after Shoemaker, the Court again addressed the question of whether certain forms of drug and alcohol testing violate the Fourth Amendment. While this case is discussed in this text in connection with testing, it is relevant here for the Court’s analysis of the privacy right challenged. In Skinner, the defendant justified testing railway workers based on safety concerns: “to prevent accidents and casualties in railroad operations that result from impairment of employees by alcohol or drugs.” The Court held that “ the Government’s interest in regulating the conduct of railroad employees to ensure safety, like its supervision of probationers or regulated industries, or its operation of a government office, school, or prison, likewise presents ‘special needs’ beyond normal law enforcement that may justify departures from the usual warrant and probable-cause requirements.”

It was clear to the Court that the governmental interest in ensuring the safety of the traveling public and of the employees themselves “plainly justifies prohibiting covered employees from using alcohol or drugs on duty, or while subject to being called for duty.” The issue then for the Court was whether the means by which the defendant monitored compliance with this prohibition justified the privacy intrusion absent a warrant or individualized suspicion. In reviewing the justification, the Court focused on the fact that permission to dispense with warrants is strongest where “the burden of obtaining a warrant is likely to frustrate the governmental purpose behind the search,” and recognized that “alcohol and other drugs are eliminated from the bloodstream at a constant rate and blood and breath samples taken to measure whether these substances were in the blood-stream when a triggering event occurred must be obtained as soon as possible.” In addition, the Court noted that the railway workers’ expectations of privacy in this industry are diminished given its high scrutiny through regulation to ensure safety. The Court therefore concluded that the railway’s compelling interests outweigh privacy concerns since the proposed testing “is not an undue infringement on the justifiable expectations of privacy of covered employees.” Consider the possible implications of this and related decisions on genetic testing in governmental workplaces or in employment in heavily regulated industries such as that involved in Skinner.

Finally, the employer may wish to conduct a search of employee lockers. Would this be acceptable? Under what circumstances is an employer allowed to conduct searches? A search may constitute an invasion of privacy, depending on the nature of the employer and the purpose of the search. The unreasonableness of a search is determined by balancing the extent of the invasion and the extent to which the employee should expect to have privacy in this area against the employer’s interest in the security of its workplace, the productivity of its workers, and other job-related concerns.

Prior to any search of employer-owned property, such as desks or lockers, employees should be given formal written notice of the intent to search without their consent. Where the employer intends to search personal effects such as purses or wallets, employees should be forewarned, consent should be obtained prior to the search, and employees should be made well aware of the procedures involved. Consent is recommended under these circumstances because an employee has a greater expectation of privacy in those personal areas. These rights are significantly diminished where the employer is not restrained by constitutional protections.

In an interesting combination of private/public workplace rights, the Ninth Circuit addressed these issues in the 2007 case, United States v. Ziegler. In that case, Ziegler worked for a private company that had a clear policy in technology use. It explained that equipment and software were company-owned, to be used for business purposes only, and that employees’ e-mails would be constantly monitored. The FBI received a complaint from the firm’s Internet provider that Ziegler had accessed child pornography from a company computer and requested access to his computer. The employer consented to the request. The court held that the employer had the right to consent to the search because the computer was workplace property and the contents of Ziegler’s hard drive were work-related items that contained business information and that were provided to, or created by, the employee in the context of a business relationship. Ziegler’s downloading of personal items (pornography) did not destroy the employer’s common authority over the computer given the company’s policies that informed employees that electronic devices were company-owned and subject to monitoring—two key components necessary to the reasonable expectation element in any employment context.

When an employee is detained during a search, the employer may have a claim for false imprisonment, which is defined as a total restraint on freedom to move against the employee’s will, such as keeping an employee in one area of an office. The employee need not be “locked” into the confinement to be restrained; but when the employee remains free to leave at any time, there is no false imprisonment.

The Fifth and Fourteenth Amendments

The Fifth and Fourteenth Amendments also protect a government employee’s right to privacy in that the state may not restrict one’s rights unless it is justified. For instance, the Supreme Court has consistently held that everyone has a fundamental right to travel, free of government intervention. Where the state attempts to infringe on anything that has been determined to be a fundamental right, that infringement or restriction is subject to the strict scrutiny of the courts. For the restriction to be allowed, the state must show that the restriction is justified by a compelling state interest. Moreover, the restriction must be the least intrusive alternative available.

On the other hand, for those interests not deemed by the courts to constitute fundamental rights, a state may impose any restrictions that can be shown to be rationally related to a valid state interest, a much more lenient test.

To determine whether the state may restrict or intrude on an employee’s privacy rights, it must first be determined whether the claimed right is fundamental. Two tests are used to make this determination. First, the court may look to whether the right is “implicit in the concept of ordered liberty, such that neither liberty nor justice would exist if [the rights] were sacrificed.” Second is whether the right is “deeply rooted in this Nation’s history and tradition.”

While conception, child rearing, education, and marriage have been held to be within the area of privacy protected by the Constitution, other issues have not yet been addressed or determined by the Court, including the right to be free from mandatory pre-employment medical tests. Moreover, the Court has found no general right of the individual to be left alone.

The Privacy Act of 1974

Governmental intrusion into the lives of federal employees is also restricted by The Privacy Act of 1974. Much of the discussion in the area of employee pri vacy is framed by governmental response to the issue, both because of limitations imposed on the government regarding privacy and because of the potential for abuse. The Privacy Act of 1974 regulates the release of personal information about federal employees by federal agencies. Specifically, but for 11 stated exceptions, no federal agency may release information about an employee that contains the means for identifying that employee without the employee’s prior written consent. (See Exhibit 13.2 , “Privacy Act of 1974.”) There are four basic principles that underlie the Privacy Act:

1. Employees should have access to their own personnel files, and there should be some way for them to find out the purposes for which the files are being used.

2. There should be some mechanism by which an employee may correct or amend an inaccurate record.

3. The employee should be able to prevent information from being inappropriately revealed or used without her or his consent, unless such disclosure is required by law.

4. The person who is in charge of maintaining the information must ensure that the files are not falling into the wrong hands and that the information contained within the files is accurate, reliable, and used for the correct reasons.

By affording the employee with these rights, Congress has effectively put the right of disclosure of personal information in the hands of the employee, at least when none of the 11 specified exceptions applies.

When one of the Privacy Act exceptions applies, the act dismisses the employee consent requirement, which gives the agency total control over the use of the file. The right to privacy is not absolute; the extent of protection varies with the extent of the intrusion, and the interests of the employee are balanced against the interests of the employer. Basically, the information requested under either the Privacy Act or the Freedom of Information Act is subject to a balancing test weighing the need to know the information against the employee’s privacy interest.

The Ninth Circuit Court of Appeals has developed guidelines to assist in this balancing test. The court directs that the following four factors be looked to in reaching a conclusion relating to disclosure:

1. The individual’s interest in disclosure of the information sought.

2. The public interest in disclosure.

3. The degree of invasion of personal privacy.

4. Whether there are alternative means of getting the information.

Critics of the act suggest that it is enormously weakened as a result of one particular exemption that allows disclosure for “routine use” compatible with the reason the information was originally collected. In addition, certain specific agencies are exempted. For instance, in March 2003, the Department of Justice exempted the National Crime Information Center, which is a resource for 80,000 law enforcement agencies.

The Privacy Act grants employees two options for relief: criminal penalties and civil remedies, including damages and injunctive relief. The act also allows employees who are adversely affected by an agency’s noncompliance to bring a civil suit against the agency in federal court.

Privacy Protection Study Commission

The Privacy Protection Study Commission was formed by Congress with the purpose of studying the possibility of extending the Privacy Act to the private sector. In 1977, the commission concluded that the Privacy Act should not be extended to private employers but that private-sector employees should be given many new privacy protections. The suggested protections required a determination of current information-gathering practices and their reasons, a limitation on the information that may be collected to what is relevant, a requirement that the employer inform its employees to ensure accuracy, and a limitation on the usage of the information gathered both internally and externally.

The commission further found that certain issues demanded federal intervention and, for this reason, recommended that (1) the use of polygraph tests in employment-related issues be prohibited; (2) pretext interviews be prohibited; (3) the use of arrest or criminal records in employment decisions be prohibited except where otherwise allowed or required by law; (4) employers be required to use reasonable care in selection of their investigating agencies; and (5) the Federal Fair Credit Reporting Act provisions be strengthened. These recommendations have yet to be implemented by Congress, primarily due to private employers’ vocal rejection of such an extension of federal law due to the cost of the implementation of the recommendations.

The commission has since established three general policy goals: (1) to attempt to create a balance between what an employee will divulge to the recordkeeping department and what that employee seeks in return for his or her information; (2) to find a manner by which to ensure fairness to all employees, in that the information that has been processed will not be used against them; and (3) to create and define rules regarding the type of information that may be disclosed and those to whom the information may be given.

Many large corporations have embraced privacy protection programs on their own in accordance with recommendations from the Privacy Commission and in anticipation of federal regulation. In light of this advance implementation, the Privacy Commission recommends that any program guarantee five basic employee procedural rights. The list includes

• Notice

• Authorization

• Access

• Correction

• Confidentiality

Though the list seems rather specific, the problem lies within the depth and scope of each component.

Federal Wiretapping—Title III

Title III, as amended (particularly by the Electronic Communications Privacy Act of 1986, discussed below), is codified at 18 U.S.C. §§ 2510–2521. These statutes provide privacy protection for and govern the interception of oral, wire, and electronic communications. Title III covers all telephone communications regardless of the medium, except that it does not cover the radio portion of a cordless telephone communication that is transmitted between the handset and base unit. The law authorizes the interception of oral, wire, and electronic communications by investigative and law enforcement officers conducting criminal investigations pertaining to serious criminal offenses, or felonies, following the issuance of a court order by a judge. The Title III law authorizes the interception of particular criminal communications related to particular criminal offenses. In short, it authorizes the acquisition of evidence of crime. It does not authorize noncriminal intelligence gathering, nor does it authorize interceptions related to social or political views.

Thirty-seven states have statutes permitting interceptions by state and local law enforcement officers for certain types of criminal investigations. All of the state statutes are based upon Title III, from which they derive. These statutes must be at least as restrictive as Title III, and in fact most are more restrictive in their requirements. In describing the legal requirements, we will focus on those of Title III since they define the baseline for all wiretaps performed by federal, state, and local law enforcement agencies. In recent years, state statutes have been modified to keep pace with rapid technological advances in telecommunications. For example, New Jersey amended its electronic surveillance statute in 1993 to include cellular telephones, cordless telephones, digital display beepers, fax transmissions, computer-to-computer communications, and traces obtained through caller-ID.

Wiretaps are limited to the crimes specified in Title III and state statutes. Most wiretaps are large undertakings, requiring a substantial use of resources. In 1992, the average cost of installing intercept devices and monitoring communications was $46,492. Despite budget constraints and personnel shortages, law enforcement conducts wiretaps as necessary, but obviously, because of staffing and costs, judiciously.

Electronic Communications Privacy Act (ECPA)

At first, Title III was created to combat invasion of the government for eavesdropping in large part due to the Watergate scandal in the 1970s. Originally the federal statutes targeted government eavesdropping on telephone discussion without the consent of the speakers. The federal statute required the government agents to obtain a warrant before they could intercept any oral discussions (though in 2003 no wiretap applications were denied). In late 1986, Congress increased the coverage by broadening the range of electronic communications, resulting in the ECPA.

The ECPA covers all forms of digital communications, including transmissions of text and digitalized images, in addition to voice communications on the telephone. The law also prohibits unauthorized eavesdropping by all persons and businesses, not only the government. However, courts have ruled that “interception” applies only to messages in transit and not to messages that have actually reached company computers. Therefore, the impact of the EPCA is to punish electronic monitoring only by third parties and not by employers. Moreover, the ECPA allows interception where consent has been granted. Therefore, a firm that secures employee consent to monitoring at the time of hire is immune from ECPA liability. Therefore, an employer does not violate the ECPA when it opens and reads employee e-mails on its own system.

Exhibit 13.2 Privacy Act of 1974

PRIVACY ACT OF 1974

No Agency shall disclose any record which is contained in a system of records by any means of communication to any person, or to another agency, except pursuant to a written request by, or with the prior written consent of, the individual to whom the record pertains, unless disclosure of the record would be

1. To those officers and employees of the agency which maintains the record who have a need for the record in the performance of their duties.

2. Required under section 552 of this title; (the Freedom of Information Act). (Note that this act does not apply to “personnel, medical, and similar files the disclosure of which would constitute a clearly unwarranted invasion of personal privacy.”)

3. Or a routine use as defined in subsection (a)(7) of this section and described under subsection (e)(4)(D) of this section; (a purpose that is specifically compatible with the purpose for which the information was gathered).

4. To the Bureau of the Census for purposes of planning or carrying out a census or survey or related activity. . . .

5. To a recipient who has provided the agency with advance adequate written assurance that the record will be used solely as a statistical research or reporting record, and the record is to be transferred in a form that is not individually identifiable.

6. To the National Archives of the United States as a record which has sufficient historical or other value to warrant its continued preservation by the United States Government, or for evaluation by the Administrator of General Services or his designee to determine whether the record has such value.

7. To another federal agency or to an instrumentality of any government jurisdiction within or under the control of the United States for a civil or criminal law enforcement activity if the activity is authorized by law, and if the head of the agency or instrumentality has made a written request to the agency which maintains the record specifying the particular portion desired and the law enforcement activity for which the record is sought.

8. To a person pursuant to a showing of compelling circumstances affecting the health or safety of an individual if upon such disclosure notification is transmitted to the last known address of such individual.

9. To either House of Congress, or, to the extent of matter within its jurisdiction, any committee or subcommittee thereof, any joint committee or subcommittee of any such joint committee.

10. To the Comptroller General, or any of his authorized representatives, in the course of the performance of the duties of the General Accounting Office.

11. Pursuant to the order of a court of competent jurisdiction.

5TH AMENDMENT AND THE PRIVATE SECTOR

Despite the fact that public and private employers have a similar legitimate need for information about applicants and employees to make informed decisions about hiring, promotion, security, discipline, and termination, privacy rights in the private sector of employment are limited; an employee who is arbitrarily treated, but who is without a union or contract is generally left with fewer rights in the private sector environment.

The distinction between the treatment of employees in the private and public sectors is one that is created by the constitutional requirement of state action as precedent to its application. The Constitution is a limitation made to curb government excesses.

Whether there should be a right to privacy in both the public and the private sectors, employers suggest that the employee has three choices when faced with objectionable intrusions by employers: quit, comply, or object and risk termination. Employees argue that they are defenseless because of their economic condition and that their privacy in the private sector is subject to greater abuse precisely because there are no protections and the option to quit is unrealistic.

One explanation offered for the difference between public- and private-sector privacy protections is compliance-related costs. The implementation of the Privacy Act throughout its agencies costs the government relatively little because it is conducting self-regulation.

By contrast, ensuring compliance within the private sector requires administration of the compliance and adjudication of violations. The Privacy Protection Study Commission found that requiring an employer to change its manner of maintaining and using records can drastically increase the cost of operation.

These costs include the costs of changing employment record-keeping practices, removing relevant information from employment decisions, and implementing a social policy of employee privacy protection. These costs are not necessarily “burdensome” to the employer, however. One study found that protecting the rights of employees on a computer system could cost as little as $4 per person. Employers’ concern for compliance costs may well be an unrealistic barrier to the development of regulations for privacy rights of private-sector employees.

A second distinction between public- and private-sector employers offered to justify different privacy standards is that more stringent regulation is needed for government employees because it is common for federal agencies to be over-zealous in surveillance and information gathering. Private-sector employers, in contrast, do not generally have similar resources and, therefore, are unable to duplicate these invasive activities.

Bases for Right to Privacy in the Private Sector

Private-sector employers are not bound by constitutional structures. On a state- by-state basis, however, private-sector employees may be afforded protection either by the common law or by statute. All but two states provide common-law tort claims to protect individual privacy, such as intrusion into seclusion. Various torts described below have developed to protect individual solitude, the publication of private information, and publications that present personal information in a false light. (See Exhibit 13.3 , “U.S. Companies with Operations in Europe Must Comply with Data Protection Laws,” for the manner in which privacy protection is handled somewhat differently in the European context.)

Statutory Claims

State legislatures have responded to the issue of private-sector employee privacy in one of four ways:

1. Enacting legislation mirroring federal law regarding the compilation and dissemination of information.

2. Recognizing a constitutional right to privacy under their state constitutions, as in California, Illinois, and Arizona. For example, California appellate courts have found that employees terminated for refusing to submit to drug tests were wrongfully discharged in violation of the state’s constitutional guarantee of a right to privacy, which requires employers to demonstrate a compelling interest in invading an employee’s privacy. In Pennsylvania, a court held that a drug test violates that state’s policy against invasions of privacy where the methods used do not give due regard to the employee’s privacy or if the test results disclose medical information beyond what is necessary. Other states that provide constitutional recognition and protection of privacy rights include Alabama, Florida, Hawaii, Louisiana, Montana, South Carolina, and Washington. However, in all states except California, application of this provision to private-sector organizations is limited, uncertain, or not included at all.

3. Protecting employees only in certain areas of employment, such as personnel records or the use of credit information.

4. Leaving private-sector employees to fend for themselves while the federal laws and the Constitution afford protection to federal employees and those subject to state action.

Tort Law Protections/Common Law

As mentioned above, courts in almost all states have developed case law, the “common law,” which identifies certain torts in connection with private-sector invasion of privacy. Georgia was the first jurisdiction whose courts recognized a common-law right to privacy. As the court explained in Pavesich v. New England Life Ins. Co., “a right of privacy is derived from natural law, recognized by municipal law, and its existence can be inferred from expressions used by commentators and writers on the law as well as judges in decided cases. The right of privacy is embraced within the absolute rights of personal security and personal liberty.” Though some states rely on statutory protections rather than common law, only two states—North Dakota and Wyoming—fail to recognize any of the four privacy torts discussed here. A tort is a legal wrong, for which the law offers a remedy. The torts of particular interest in this article include intrusion into solitude or seclusion, the publication of private information, and publication that places another in a false light. Defamation also will be discussed.

Publication as used in these torts means not only publishing the information in a newspaper or other mass media but generally “bringing it to light” or disseminating the information. In addition, the concept of publication is defined slightly differently depending on the tort. Truth and absence of malice are generally not acceptable defenses by an employer sued for invasion of an employee’s privacy. They are acceptable, however, in connection with claims of defamation.

Intrusion into Seclusion To state a prima facie case for the tort of intrusion into seclusion, the plaintiff employee must show that

• The defendant employer intentionally intruded into a private area.

• The plaintiff was entitled to privacy in that area.

• The intrusion would be objectionable to a person of reasonable sensitivity. The intrusion may occur in any number of ways. An employer may

• Verbally request information as a condition of employment.

• Require that its employees provide information in other ways such as through polygraphs, drug tests, or psychological tests.

• Require an annual medical examination.

• Ask others personal information about its employees.

• Go into private places belonging to the employee. '

Any of these methods may constitute a wrongful invasion where it so invades the employee’s private sphere that it would be objectionable to a reasonable person. On the other hand, if the employer can articulate a justifying business purpose for the inquiry/invasion, the conduct is more likely to be deemed acceptable.

In Rogers v. Loews L’Enfant Plaza Hotel, an employee was continually sexually harassed by her supervisor, including bothersome telephone calls to her home, during which he made lewd comments to her about her personal sex life. The sexual harassment evolved into harassment in the workplace, where the supervisor verbally abused her in front of her co-workers, kept important business-related information from her, and refused to include her in meetings. Her employer, refusing to take formal action, suggested that she change positions. The court determined that the telephone calls were not of a benign nature but, instead, were unreasonably intrusive and not normally expected. Further, the harassment constituted an intrusion into a sphere from which the employee could reasonably exclude the defendant. On these bases, the court found in favor of the employee.

In connection with opening scenario 1, Aravinda’s decision in connection with the HIV tests may be governed in part by the law relating to employment testing and in part by the law relating to disability discrimination (since HIV is considered a disability under the Americans with Disabilities Act). On the other hand, the law relating to intrusion into seclusion also would have application here in terms of disclosure of the test results. If Aravinda discloses the results to anyone or, through her actions, leads someone to a belief about the employee’s HIV status, she might be liable under this tort. In addition, it is important to consider that it is highly unlikely that Aravinda has any right to know any employee’s HIV status as it is unlikely that the information would be job-related. (Can you imagine what employment position might warrant this type of information? Is HIV status ever considered job-related?) Consider the application of the prima facie case for intrusion into seclusion as you review Michael A. Smyth v. The Pillsbury Company, included in the end. The court in that case considers the nature of a reasonable expectation of privacy, as well as why an employer might wish to intercept e-mails.

Public Disclosure of Private Facts  To state a prima facie case for the tort of public disclosure of private facts, the plaintiff employee must show that

• There was an intentional or negligent public disclosure

• Of private matters, and

• Such disclosure would be objectionable to a reasonable person of ordinary sensitivities.

The information disclosed must not already be publicized in any way, nor can it be information the plaintiff has consented to publish. Therefore, in Pemberton v. Bethlehem Steel Corp., publication of an employee’s criminal record did not constitute public disclosure of private facts because the criminal record did not contain private facts; it was information that was already accessible by the public.

As you shall see, in the end, in the Yoder v. Ingersoll-Rand Company a.k.a. ARO case, the publication also must be made public, which involves more than mere disclosure to a single third party. The public disclosure must be communication either to the public at large or to so many people that the matter must be regarded as substantially certain to become one of public knowledge or one of knowledge to a particular public whose knowledge of the private facts would be embarrassing to the employee. Therefore, publication to all of the employees in a company may be sufficient, while disclosure to a limited number of supervisors may not.

Several states have enacted legislation codifying this common-law doctrine under the rubric of “breach of confidentiality.” Connecticut, for instance, has passed legislation requiring employers to maintain employee medical records separate from other personnel records. Other states have limited an employer’s ability to disclose personnel-related information or allowed a cause of action where, through the employer’s negligent maintenance of personnel files, inaccurate employee information is communicated to a third party.

Publication in a False Light  The prima facie case of publication in a false light requires that there was a public disclosure of facts that place the employee in a false light before the public if the false light would be highly offensive to a reasonable person and the person providing the information had knowledge of or recklessly disregarded the falsity or false light of the publication.

Voluntary consent to publication of the information constitutes an absolute bar to a false-light action. This type of tort differs from defamation, where disclosure to even one other person than the employer or employee satisfies the requirements. The tort of publicizing someone in a false light requires that the general public be given a false image of the employee. In a false-light action, the damage for which the employee is compensated is the inability to be left alone, with injury to one’s emotions and mental suffering, while defamation compensates the employee for injury to his or her reputation in the public’s perception.

Note that any of the above claims may be waived by the employee if the employee also publishes the information or willingly or knowingly permits it to be published. For example, in Cummings v. Walsh Construction Co., the employee complained of public disclosure of embarrassing private facts, consisting of information relating to a sexual relationship in which she was engaged with her supervisor. The court held that, where the employee had informed others of her actions, she waived her right not to have her supervisor disclose the nature of their relationship.

As with defamation, an exception to this waiver exists in the form of compelled self-publication, where an employer provides the employee with a false reason as the basis for termination and the employee is compelled to restate this reason when asked by a future employer the basis of departure from the previous job. Therefore, where the employer intentionally misstates the basis for the discharge, that employer may be subject to liability for libel because it is aware that the employee will be forced to repeat (or “publish”) that reason to others.

Breach of Contract  An employee also may contest an invasion of privacy by her or his employer on the basis of a breach of contract. The contract may be an actual employment contract, collective bargaining agreement, or one found to exist because of promises in an employment handbook or a policy manual.

Defamation  Libel refers to defamation in a written document, while slander consists of defamation in an oral statement. Either may occur during the course of a reference process. And, while the prima facie case of defamation requires a false statement, even a vague statement that casts doubt on the reputation of an individual by inference can cause difficulties for an employer if it cannot be substantiated.

The elements of a claim for defamation include

• False and defamatory words concerning employee,

• Negligently or intentionally communicated to a third party without the employee’s consent (publication), and

• Resulting harm to the employee defamed.

One cautious solution to this problem area is to request that all employees fill out an exit interview form that asks, “Do you authorize us to give a reference?” If the applicant answers yes, she or he should be asked to sign a release of liability for the company.

Ordinarily defamation arises from someone other than the defamed employee making defamatory statements about an employee; but one interesting form of defamation has evolved over the past decade where an employee is given a false or defamatory reason for her or his discharge. In that case, the employee is the one who is forced to publicize it to prospective employers when asked for the reason for her or his discharge. These circumstances give rise to a cause of action for defamation, termed compelled self-disclosure, because the employee is left with no choice but to tell the prospective employer the defamatory reasons for her or his discharge. Barring this result, the employee would be forced to fabricate reasons different from those given by the former employer and run the risk of being reprimanded or terminated for not telling the truth. This cause of action has been recognized, however, only in Colorado, Iowa, Minnesota, Connecticut, and California.

An employer may defend against an employee’s claim of defamation by establishing the truth of the information communicated. While truth is a complete defense to defamation, it can be difficult to prove without complex paper management.

Employers also may be immune from liability for certain types of statement because of court-recognized privileges in connection with them. For example, in some states, an employer is privileged to make statements, even if defamatory, where the statement is made in the course of a judicial proceeding or where the statement is made in good faith by one who has a legitimate business purpose in making the communication (e.g., ex-employer) to one who has a business interest in learning the information (e.g., a prospective employer). This privilege would apply where a former employer offers a good-faith reference to an employee’s prospective employer.  “Good faith” means that the employer’s statement, though defamatory, is not made with malice or ill will toward the employee.

Exhibit 13.3 U.S.  Companies with Operations in Europe Must Comply with Data Protection Laws

The European Union’s approach to data privacy is completely alien to American companies. But, as a recent decision from CNIL (Commission Nationale de l’Informatique et des Libertés, the French Data Protection Authority) makes clear, an American company with operations in Europe that does not learn how to play by European rules runs a serious risk of getting slapped with a hefty fine.

***

The European Union’s Directive governing the protection of individuals’ personal data and the processing of such data mandates that the member nations adopt laws that cover all “processing” (defined to include even collection and storage) of data about personally-identifiable individuals. The EU Directive includes provisions addressing, among other things, limitations on the use of date [sic], data accuracy, and data destruction requirements. The Directive is not limited to electronic or computerized data, and therefore reaches written, Internet, and even oral communications.

The EU Directive offers a blueprint for data privacy laws across Europe but, in any given situation, the Directive itself is not legally binding. As to each specific data privacy issue arising within Europe, the relevant country’s local statue [sic] that adopts (“transposes”) the Directive will determine data privacy rights an[d] responsibilities.

The Extraterritorial Reach of the EU’s Data Privacy Directive Means That Any Company with Operations in Europe Must Comply; Cross-Border Data Transfer Is Particularly Thorny

An important aspect of the Directive for businesses headquartered outside of Europe, such as in the U.S., is the Directive’s extraterritorial reach. The Directive specifically prohibits sending personal data to any country without a “level of [data] protection” considered “adequate” by EU standards. Significantly, the EU has ruled that the United States, with its patchwork of privacy laws, does not possess an adequate level of data protection.

The directive authorizes a number of exceptions, legally permitting transmission of personal data outside of Europe even to a “third country” that fails to offer an “adequate level of protection.”

Exceptions Permitting Cross-Border Transfers of Personal Data

The EU recognizes three “transborder data flow vehicles”: (i) a company can self-certify with the U.S. Department of Commerce that it adheres to specified data protection principles (known as the “safe harbor” system); (ii) a company can enter into “model contracts” with its European subsidiaries, agreeing to abide by mandatory data protection provisions; or (iii) a company can develop a set of “binding corporate rules”—company-drafted data protection regulations that apply throughout the company, which must be ratified by each EU member state’s data protection authority. Failure to implement at least one of these methods could result in significant liability.

Obtaining the data subject’s free, unambiguous consent to transmit his or her data overseas is theoretically another permissible way in which to transfer data to a country outside the EU—even to a country without comparable data protection law—provided that the consent specifically lists the categories of data and the purposes for the processing outside the EU. Practically speaking, however, obtaining consent to legitimize a transfer overseas is often not an available alternative for employers; in the employment context, because of the imbalance in bargaining power between employer and employee, consents may be presumed not to have been freely given.

Also, of course, there is no prohibition against transmitting genuinely anonymized data out of the EU. Where the identity of the data subject is impossible to determine, the data transmission falls outside the scope of the directive.