Abusive Internet Connections and Cyber Protection: Jurisprudence and Employer Recommendations

It is understood that all internet and other connections made by an employee while using a company computer to perform his or her job are presumed to be of a professional nature so that:

Abusive Internet Connections: The Issue of Evidence

Two Courts of Appeal (cf. CA Aix-en-Provence, 08/07/2016, n° 14/11313 and CA Nîmes, 26/07/2016, n° 15/04114) censured dismissals in cases of abusive internet connections where the employees had denied being the author and the employer had been unable to prove it:

  • Judgment of the Court of Appeal in Nîmes: the computer from which the employee had connected to pornographic sites was open access, not protected by a password, and located in a room to which all employees had access.
  • Decision of the Court of Appeal in Aix-en-Provence: the access codes of the company's computers consisted only of the initials of their usual users, and duplicates of the keys to all the offices were accessible to all, so that any employee could have accessed the computer workstation of the person concerned.

How to avoid abusive Internet connections in business?

Securing access to work computers

To avoid this pitfall, companies must secure access to each computer made available to an employee to perform his or her tasks.

However, proof is not the only reason for this security: it is also an obligation, because the company manager is responsible for the processing of employees' personal data and for its confidentiality.

What are the recommendations of the CNIL?

  • Each employee must have an individual password sufficiently complex not to be easily guessed: at least 8 characters of different types (uppercase, lowercase, numbers, special characters).
  • Passwords should be changed regularly, about every 3 months.
  • Other possible precautions: software that automatically locks workstations after a short period of inactivity, and prohibiting employees from disclosing their usernames and passwords to their co-workers, via the internal rules, a computer charter or a memorandum attached to the Rules and Procedures.

Cybersurveillance: Is spyware allowed?

The installation of "spyware" by either the company or its employees is, in principle, prohibited.

  • As regards the company, it is forbidden to set up spyware known as "keyloggers", which allow constant and permanent monitoring not only of the employees' activity but also of their residual personal activity (CNIL, 20/03/2013). Such software monitors both e-mails and instant messaging conversations, as well as sensitive personal information such as credit card numbers or the passwords with which employees access their personal e-mail during their break periods. The use of such software can be justified only in the presence of a strong security imperative (for example, protection of industrial secrets) and subject to the following requirements: prior declaration to the CNIL, notification of employees, and consultation with the works councils.
  • Employees are also forbidden to set up, on their own initiative, spyware on the computer made available to them by the company for the purposes of their work.

The IT Charter is recommended for companies

It is therefore in the employer's interest to regulate the use of the computer equipment that it makes available to its employees by means of an IT charter. This charter enables the company not only to regulate the conditions of use of the equipment made available, but also to set the security rules with which employees must comply, such as the prohibition on installing, copying, modifying or destroying company software without authorization.