The Court of Cassation’s ruling of June 26, 2023, No. 18168, upheld the finding that dismissal of an employee was unlawful because the employer read the employee’s email indiscriminately and without time limits. The court confirmed that the principles of proportionality, minimization, relevance, and not exceeding the purpose in the regulation for such activities, commonly known as “defensive control,” applied. The salient points of the ruling are listed below.
The case concerns an employer that dismissed an employee after checking the employee’s email (performing “digital forensics”) because the employer suspected that the employee had engaged in unlawful conduct, including contact and dealings with competing business entities and false statements regarding sick leave. However, reading of the employee’s email—which the court characterized as defensive control—had been performed indiscriminately and without time limits.
The court analyzed the legitimacy of the judgment on the merits that found the dismissal unlawful and in doing so clarified that “defensive control” is oversight designed to ascertain specific unlawful conduct attributable to employees based on concrete evidence. According to the court, such control may be conducted through technological means—as in this case, where the employer used “digital forensics”—but certain aspects must be guaranteed:
- The control must be targeted, i.e., it must not take the form of general monitoring of employees’ work activity, but must focus on ascertaining unlawful conduct not pertaining to the mere non-fulfillment of obligations that are part of job performance.
- Monitoring must be ex post, that is, it must take place after unlawful conduct or when an employer has reasonable suspicion of the same. The employer bears the burden of first alleging and then proving the specific circumstances—including the timeframe—that led to undertaking control.
- As for the type of control, a proper balance must be struck between the need to protect corporate interests and assets and respect for the dignity and confidentiality of the employee. According to the court, the basic principles of privacy protection, including those of minimization, proportionality, transparency, and non-excessiveness with regard to the lawful purpose, apply in this case. Accordingly, the employer, should (i) inform the employee of the possibility of monitoring measures, reassuring the employee about the degree of invasiveness of these measures; (ii) assess whether the purpose justifying the monitoring could be pursued in less invasive ways.
Once the principles of law were affirmed, the court upheld the interpretation on the merits that declared the dismissal unlawful. Indeed, the court confirmed that the company had neither inferred nor proved its reasons for monitoring the employee’s emails. Moreover, according to the court, all communications on the company PC had been monitored indiscriminately and without time limits, resulting in an invasive, massive, indiscriminate, and unjustified investigation. The employer also did not previously inform the employee of the possibility that communications on the company PC could be monitored, let alone the scope and level of invasiveness of the monitoring.