Monitoring employees’ use of email and Internet in Italy after the “Jobs Act”: a decision by the Italian DPA
By its Decision no. 303 of 13 July 2016, the Italian Data Protection Authority (“Garante della privacy”) provided some cues on the interpretation of the current rules on the monitoring of the use of IT services by employees in the workplace, amended in late 2015. The Garante’s decision is not, on a strictly formal level, a binding interpretation; but the de facto authority that its rulings have in matters of data protection in Italian courts is well known.
Following a number of complaints from the personnel of an Italian university, the Garante opened an inquiry into the processing of personal data belonging to the University’s administrative staff, teachers, researchers and students. The inquiry revealed that the University’s governing body routinely recorded Internet traffic log files (in particular, MAC addresses and dynamic IPs) and other information relating to Internet and email usage from the workstations located on its premises, storing it for several years; and that it monitored, tracked and filtered Internet traffic.
Considering that the data concerned, although anonymous in origin, was “personal” in nature – as it related to identifiable individuals – the Garante found the processing to be in breach of personal data protection law on multiple grounds. Firstly, the individuals concerned had not been given prior, clear and complete information on the extent of the processing of their data. More importantly, to the extent that it involved the University’s employees’ data, the processing was in violation, among other things [1], of Article 4 of the Workers’ Statute (the main Italian body of law on workers’ rights), as amended in late 2015 by the so-called “Jobs Act”.
The Garante noted that the processing under review was carried out by means of devices, distinct and independent from the workstations themselves, and software systems, which allowed the monitoring of Internet and email traffic in the background, without being perceived by the worker or interfering with their activity.
Such devices, according to the Garante, were not included in the legal notion of “tools used by the worker to perform their duties”, which the amended Article 4, paragraph 2 of the Workers’ Statute uses to distinguish between monitoring tools that require prior approval by workers’ unions and tools that do not. Said notion, narrowing the focus to email and Internet services, in the Garante’s view only includes “services, software or applications strictly functional to work performance, including for safety purposes”. Among them, the Garante listed – apart from the very email service and Internet connection offered by employers to their employees – relevant safety measures such as email logging systems that only retain exterior data, anti-virus filters, and filters of web content irrelevant to the data controller’s purposes.
On the above grounds, the Garante issued an injunction against the University, prohibiting it from continuing the personal data processing reviewed, and ordered the case file to be sent to criminal authorities for the assessment of any criminal offence.
[1] The DPA noted that the processing was also inconsistent with the principles of necessity and proportionality “which prohibit massive, prolonged, continuous and indiscriminate, such as in this case, systematic registration of MAC address data and of data relating to the connection to network services.” The University had not been able to prove that the processing of traffic data was justified by the occurrence of specific circumstances (such as, for example, security breaches or ongoing criminal investigations).