Most Romanian workers log on to their computers each morning oblivious of the fact their bosses can not only monitor what websites they visit, but measure exactly how much time they spend working or surfing the net.
Of greater concern, hardly anyone realises their employer can, with the right software, intercept private emails sent from personal accounts such as Gmail or Yahoo!
"Employees should be aware that the content of their emails could be read," says LF, an executive at Netsec Interactive Solutions, a Bucharest-based IT security consultancy, who asked not to be named.
"Sadly, although initially designed to be used constructively, IT monitoring tools are used by some employers for personal rather than professional goals. We are talking about blackmailing or even harassment."
Netsec estimates more than 40 per cent of multinationals and large companies operating in Romania use specialist software to routinely intercept and track all information flow – including what an employee might write in an email or download onto a memory stick.
Secret surveillance of workers, banned under EU law, has been hugely controversial in other European states too, particularly Germany, where companies have been forced to pay multi-million euro fines and lawmakers are debating new workplace privacy legislation.
In Romania, many allege that bosses not only collected information about them by illegal, covert means, but then used it against them.
Blackmailed by the boss
No Romanian employees would talk openly to BIRN about their experiences of illegal workplace monitoring, fearing speaking out would jeopardise their new positions and mark them out as troublemakers.
One woman claims she was forced to resign after her boss accessed private emails she had sent to a friend, in which she criticised her line manager.
After being called into the boss’s office, she was shown printouts of her private emails and told it would be best for her to leave. She accepted a small payout after her employers threatened they would make sure she couldn’t get work anywhere else.
Another, a married man, claims he was blackmailed by his boss after she discovered he was having an affair with a colleague. The manager found out after accessing conversations between the two on Yahoo! Messenger that were recorded by computer surveillance software.
He claims the boss forced him to perform tasks he did not want to under threat she would tell his wife he had been unfaithful. When he finally refused and left his post, the boss rang his wife and told her about the affair.
Both say their employers never once informed them that their communications, both private and official, would be subject to surveillance.
While it is legal for employers to monitor their workforce and use computer software to do so, they are obliged by EU and national law to inform workers. In turn, employees must officially consent to the surveillance. In practice, this rarely happens.
Officially, not a single company in Romania subjects its workforce to surveillance. Employers are also obliged by the law to inform the Romanian Data Protection Agency (ANSPDCP) if they are monitoring staff, but not one has registered to date.
Software sales boom
This appears to be rather at odds with estimates on surveillance software sales in Romania, where IT companies say business is booming.
The surveillance software market was worth an estimated one million euro in Romania in 2010 alone, according to Amplusnet, another software manufacturer, who emphasise that it is a rapidly expanding business.
The Romanian constitution stipulates that all correspondence is confidential but does not differentiate between private or official work-related communications.
Alina Savoiu, head of communications at ANSPDCP, says: "It is a violation of correspondence, which is a criminal act. All companies that are involved in such practices are infringing the law."
The software manufactured by companies like Netsec tracks every activity on workers’ computers, not just their correspondence, private or otherwise.
The boss can see exactly which websites you visit, what content you view, and compare how much time you spend surfing the net rather than using Excel, Word or other office tools.
Lawyers who represent employers argue they need to ensure their workers are putting in their full hours and are not engaged in unproductive or unlawful activities – such as accessing porn sites or downloading illegal content.
Gay worker ‘asked to leave’
But, as LF from Netsec says, bosses can use tools developed for lawful monitoring to gain information they can then abuse. Even the pages employees visit can reveal or suggest they may have personal problems, such as health issues, addictions or complex private lives.
Mihai Russu is a Bucharest-based lawyer who has represented companies involved in disputes with employees about privacy. He recently represented a medical firm that had secretly monitored its employees and in doing so discovered one of the directors, who was married, had been browsing gay dating sites. The director was asked to leave his job.
He initially refused, claiming the request was discriminatory. In the end, he gave up because he feared his family would discover he was gay.
Russu insists his sexual orientation was irrelevant and that he was asked to leave because "he was not working his eight hours".
However, Russu acknowledges the company did break the law because it secretly monitored workers.
Savoiu says the ANSPDCP has not received any complaints about covert surveillance, but insists they would investigate if they did and seize equipment, including computers, if deemed necessary.
However, she admits they employ just one qualified IT expert who can track monitoring software.
Bosses own the evidence
Proving you have been the subject of unlawful workplace surveillance is no easy task, not least because the bosses own the evidence.
If the ANSPDCP is unable to investigate, employees can go to the civil courts themselves, but they cannot seize the bosses’ equipment.
"Can an employee bring to court all the servers and evidence on the employee’s computer that shows he was supervised? No. The state would only have the authority to seize this type of evidence, backed up by appropriate experts, in criminal cases," says Cristian Driga, a lawyer specialising in IT crime.
"In civil cases, employees have to bear the cost alone… added to that, there is an acute shortage of certified computer experts available in the field," he says.
On the other hand, employers argue they must monitor their staff to protect commercially sensitive information and safeguard their brand.
Russu quotes one case where an advertising firm he represented discovered, by means of covert surveillance, that one worker was copying confidential client databases that could have been financially damaging to the company.
She resigned after being challenged by the bosses and went on to set up a competitor firm of her own. The dispute is ongoing with the firm yet to decide whether to prosecute the worker.
Bogdan Manolea, a lawyer specialising in internet law, believes the Romanian government has failed to properly implement data protection laws and has not ensured the public is properly aware of their rights and responsibilities.
"The authorities did not do their job properly; they did not explain why it is important. People have a paranoid reaction – yes, we are all intercepted – but when you ask them what they are doing about it, they don’t know or don’t act. There are many who complain and few who act," he says.
Asked if the ANSPDCP has done enough to inform bosses and workers about the rules, Savoiu says it has published the Romanian data protection law on its website.
The ANSPDCP site does not, however, carry an accessible summary or guide to good practice on monitoring that could be of use to both employers and employees.
Balkan communist legacy
Yet there seems to be little appetite among Romanians and Serbians alike to take on their bosses or the authorities – a legacy, in part, of communist rule.
An unwillingness to confront employers is also evident in neighbouring Serbia, an aspirant EU member that, in 2008, adopted European data protection laws.
Implementation has been slow and Serbians seem equally unaware of, and uninterested in, privacy-at-work issues.
Aleksandar Resanovic, Serbia’s deputy information commissioner, believes people do not properly understand the concept of privacy after so many years of communism.
"We do not have complaints. People say 'who cares if they monitor me?’ But it is not a question of whether you have something to hide or not. Privacy is something that belongs to you and you decide whether you disclose it [information] or not," he says.
Together with the Partners for Serbia NGO, the commissioner is trying to make sure that at least employees responsible for processing personal data at large firms are aware of the law.
Serbia: Who monitors the monitors?
Blazo Nedic, president of Partners for Serbia, launched a campaign this year to raise awareness but remains concerned the law does not adequately check the people responsible for monitoring.
And there have been some eye-catching incidents that have made it to the press, including the posting on YouTube of Serbian police CCTV footage that captured a couple having sex in a car park.
Since then, the Serbian police have been required to follow new, strict procedures when collecting and processing CCTV data.
But confusion as to what remains private at work is certainly not confined to Belgrade and Bucharest; there have been numerous cases and campaigns across European countries.
The European Directive 95/46/EC does not spell out the limits of lawful employee monitoring but it does enshrine employees’ right to be informed that they will be subject to surveillance, grants access to the data and allows for workers to oppose data collection by the bosses.
Britons trust the authorities
Like their Romanian and Serbian counterparts, the British do not appear overly-concerned about surveillance either in or outside the workplace.
The reason why, however, might surprise Balkan readers who lived under communist rule.
"We never had a police state like Romania. In a sense, we trust our authorities more than most nations do and if something goes wrong, we have a very good legal system," says Nicholas Lakeland, a partner and employment law specialist at London law firm Silverman Sherliker LLP.
But he warns workers should be aware of the sort of personal information bosses can collect and how it could be used.
"We had a case where the employer found out one employee had HIV. In the construction industry, employees using heavy machinery may be breathalysed... in that particular case they also found he had been using drugs which helped him with the HIV… the employer did nothing… but it was a [potentially difficult] situation," says Lakeland.
However, some British employees have taken privacy cases all the way to the European Court of Human Rights (ECHR), as demonstrated by the Halford and Copland cases.
In 1990, Alison Halford, a police officer in Wirral, accused her superiors of intercepting her phone, and Lynette Copland, a secretary at a college in Wales, found out that her phone and office email had been intercepted over a six-month period.
The ECHR ordered the British state, which employed both, to pay damages on the grounds that they were entitled to privacy at their workplace.
However, despite the ECHR rulings, little changed in Britain.
"A lot of employers do that [monitoring] without thinking. An employer comes to me and says 'I find all these interesting things by looking in employees' emails'. And I say 'You did not tell them, there is no legitimate reason why you are doing it. You are just snooping, so stop it and destroy all the data you have’.
"There are a lot of small offices where employers are doing that, they don't really know the law, people are curious and want to know what other people do. It is human nature but it is not legal," says Lakeland.
This trust in the authorities will have been undoubtedly dented by the News of the World illegal phone hacking scandal that threw suspicion not only on unscrupulous journalists but also law enforcement and politicians.
Germans keep state in check
Germans are acutely aware of the importance of privacy and the need to keep state control in check.
They share a deep-seated distrust of authority figures with their eastern European counterparts – an unease informed by recent history including the Nazi era and the Stasi in what was East Germany.
Germany has had data protection laws on its statute books since 1970 and, although their legislation on monitoring does not differ from the rest of the EU, they have set down additional rules.
Unlike elsewhere, employers are forbidden from monitoring employees’ online activities if the company rules allow them to access private email accounts or surf the net for personal use from the firm’s computer.
Still there is unease about the scale of unlawful monitoring.
Bertran Raum, head of social services at Germany’s Federal Commission for Data Protection, quotes 2001 statistics suggesting that two out of three companies monitor their workforce.
"I think the number of employers who are monitoring their employees has risen since. I think that a lot of that monitoring would be illegal," he says.
Workers’ bank accounts accessed
There was public outrage when it became known that Deutsche Bahn, the state-owned national rail company, had been secretly monitoring its employees for a decade.
In a bid to root out corruption, the company routinely accessed employees’ private bank accounts and checked payments against their supplier list. In 2009, they were fined 1.2 million euro by the Berlin Data Protection Commissioner.
In 2008, the LIDL retail chain was fined a similar amount by the data commissioner of North Rhine-Westphalia for employing private investigators to monitor staff, including video surveillance.
There have been numerous other workplace privacy and surveillance scandals, involving high-profile companies, that have been covered in the German media.
Employees who suspected they were being illegally monitored talked to the press and the resulting coverage forced the authorities to take action on the issue.
Jan Jurczyk, press officer for Ver.di, the second largest German trade union, says that "we have more to thank journalists for than the authorities".
Alexander Dix, Berlin Information Commissioner, admits: "It takes a lot of courage in Germany to complain about an employer. You cannot rely on the German courts, as it takes several years… and sometimes you don't win."
More power for bosses?
After so many scandals, the German parliament is debating a new federal law to regulate workplace monitoring which they are expected to vote on by the end of 2011. No one is happy with the proposed changes.
Currently, companies have to seek permission both from the unions and the labour courts before installing surveillance equipment. Under the proposed new law, they would only have to ensure they notified employees and secured their consent.
"Now the judge keeps the balance between employees and employers, but in the new project, the employer is the one who decides when to monitor. He is the judge," thinks Sarah Thome, lawyer for the human rights NGO the Humanist Union.
She believes that the focus on consent is misleading, as the employee could agree to all types of monitoring out of fear that not doing so would prevent them from getting the job in the first place.
For their part, employers say the rules do not address their key concern: corruption.
Thomas Prinz, a lawyer at the Confederation of German Employers’ Association, believes there is no need for a new law, just because some companies illegally spied on their employees.
"The draft has no clear provisions for preventing corruption. This is the main point for any German company," he says.
Raf Jaspers, a Belgian lawyer and author of Big Brother in Europe, is convinced only public awareness and action will combat state and employer privacy intrusions.
"It will be a long struggle to convince the masses. Privacy is not like work or food, which you miss immediately if you don’t have them," he warns.
Back in Romania, IT specialist LF offers workers some simple advice: "Do not forget that when you switch on your computer you are no longer alone and no password, no matter how complex, can block monitoring software."
Workplace monitoring and public awareness
A survey by a Romanian monitoring software manufacturer suggests during an average working day, 20 per cent of employees spend between one and two hours playing computer games.
A 2008 Eurobarometer study looking at data protection and public awareness among EU citizens suggests:
- Only 28 per cent of respondents knew they had national data protection agencies;
- The level of trust in employers was low in Spain (34 per cent), Cyprus (47 per cent), Latvia (44 per cent), Lithuania (39 per cent) and Greece (37 per cent), where less than half of respondents showed confidence in employers handling their personal data appropriately;
- Austrian and German citizens were most concerned about how their personal data was handled, with 86 per cent stating they were concerned;
- In Bulgaria, the Netherlands and Finland, only one-third of respondents said they were concerned about data privacy (34 per cent, 32 per cent and 36 per cent, respectively);
- Around two-thirds of all respondents said they trusted banks and other financial institutions (66 per cent) and employers (63 per cent) to handle their personal data appropriately;
- The majority of respondents agreed it should be possible to monitor passenger flight details (82 per cent), telephone calls (72 per cent), internet and credit card usage (75 per cent and 69 per cent, respectively) when this served to combat terrorism.
European legislation: Employee privacy
Employees’ right to be informed about workplace surveillance is enshrined in Directives 95/46/EC, 2002/58/EC and 2006/24/EC.
Bosses should not intercept even work-related emails if the company hasn’t set down clear rules and they did not get the employees’ consent.
Across the EU, employers who suspect serious criminal activity among workers can ask the police to intervene, who are able to secretly monitor.
Employers are banned from storing sensitive data, such as religious beliefs, political opinions, sexual orientation and racial/ethnic origin, under Directive 95/46/EC.
Confusion over the law has led to scandals in Germany and a few privacy cases in the UK, some of which ended up at the ECHR in Strasbourg.
In ECHR cases Copland and Halford vs the UK, a precedent was established setting down that employees are entitled to privacy at work while using the company computer or phone.
Germany is the only EU country debating federal workplace monitoring laws.