Decision 2 BvR 902/06 of the German Constitutional Court: the end of email screening in the workplace?

Article by Dr. Michael Schmidl, LL.M. Eur. (Rechtsanwalt/Maître en Droit), published by BNA International in World Data Protection Report 08/09, p. 15 - 21.

According to the prevailing opinion in Germany, an employer allowing or tolerating the private use of the company’s e-mail system is treated as provider of telecommunication services. In this capacity the employer is inter alia obliged to respect the secrecy (cf. Sec. 88 German Telecommunication Act) and integrity of telecommunication with regard to his employees’ private e-mails. Non-compliance with these obligations can even be subject to criminal sanctions according to Sec. 206 German Criminal Code.

At the same time, the employer (to be understood as the company’s management) as part of his management obligations has to make sure that the company’s IT-infrastructure is run in an efficient and secure manner. Different opinions and strategies as to how to achieve these targets can be adopted. Putting an e-mail filtering system into place defending the company’s networks against viruses, Trojans and other malware, however, can be regarded as an absolute standard. Although not dangerous as such (seen apart from mail-bombs, i.e. cases where the sheer size poses the threat etc.) also unsolicited commercial e-mail messages or ‘spam’ in the workplace are a time-consuming nuisance, which not only wastes resources but can also lead to legitimate messages being overlooked or deleted. Therefore a spam-filtering solution can also be regarded as part of an efficient and secure IT-infrastructure.

Eventually it is perceivable that certain incidents within a company may trigger the need to carry out an internal investigation within a company, including the screening of the employees’ e-mail accounts for certain key-words or certain forms of content. Examples of such incidents include the suspicion that company secrets have been betrayed to competitors, that corruptive measures have been undertaken or that the company’s e-mail system has been used to distribute illegal content to interested recipients inside and outside the company.

For implementing virus and spam protection solutions it has been clear for quite some time that telecommunication secrecy and Sec. 206 German Criminal Code need to be taken into consideration. As regards e-mail screening the situation was less clear. E-mail screening usually takes place with regard to data, for which, at least from a technical standpoint, the process of telecommunication could be considered as already being over. Based on this technical view, a frequent conclusion was that in the absence of an ongoing telecommunication process telecommunication secrecy was no longer an issue.

In its decision dated June 16, 2009 the German Constitutional Court (judging on a constitutional complaint) inter alia decided, however, that the protection of e-mails by telecommunication secrecy does not end at the point of time of the e-mails’ arrival on the provider’s mail servers. It is quite likely that this decision, although as such unrelated to the employment environment, is to be applied to the employer as provider of telecommunication services.

This article outlines the consequences of allowing private use of the e-mail system by the employees of a company (I), describes the main contents of the German Constitutional Court’s decision 2 BvR 902/06 (II) and analyses on which of the measures described above, i.e. virus as well as spam filtering and e-mail screening, this decision might have an impact (III).

I. Private use of e-mail and resulting conflicts for employers

Although it is doubtful whether the private use of e-mail and Internet may be deemed to be ‘socially adequate’ (as it was expressed in a decision by the Labour Court of Rheinland Pfalz on July 12 in 2004 (LAG Rheinland-Pfalz, Az. 7 Sa 1243/03), it is legally permissible and normally granted in the working environment of modern companies (1). As a consequence the employer, often unknowingly, becomes a provider of telecommunications services within the meaning of the German Telecommunications Act on the one hand, while remaining committed to IT security and entrepreneurial efficiency on the other hand (2).

1. Employees and the Private Use of E-Mail

Almost every modern workstation has access to e-mail. Employees generally expect to be allowed to use e-mail for private purposes (to a reasonable extent) and many companies either expressly allow use in this way or have (unconsciously) adopted a corresponding ‘internal practice’ (or ‘betriebliche Übung’, which has the same effect as allowing private e-mail use) either by tolerating the contravention against an existing prohibition of private use or by tolerating private e-mail use in the absence of regulations dealing with the question of non-work related use. It is impossible to determine at which point this toleration turns into an internal practice; time periods of between three and 12 months are cited in this context. It is not even necessary that the employer actually intends to establish an internal practice. It will be sufficient that he consciously permits private use or consciously fails to implement controls thus accepting the possibility that e-mail is used for private purposes.

In contrast to questions regarding the private use of telephone and postal services there is still no conclusive case law on the private use of e-mail, in particular regarding the specific content of an internal practice. There is no Supreme Court decision on whether, in how far and to what extent private use is permissible in the workplace, in particular in cases where no explicit regulations exist on the issue.

It has been determined, however, that there shall be no general claim to e-mail access in the workplace and thus no claim to the private use of such facilities, either. It is at the sole discretion of the employer to make this decision, including the prohibition of private use in general. The works council has no codetermination right in this respect. Employees who violate an effective prohibition may eventually (after a warning) be dismissed. However, as private e-mail use is almost generally permitted, such dismissals are rare.

2. Resulting Conflicts for Employers

It is at the employer’s discretion to allow or prohibit the private use of e-mail. In light of the difficulties of implementing measures to oversee compliance with such a prohibition and the negative impact on the work climate such measures would have, private e-mail use is permitted in the vast majority of cases. Permitting non-work related use of e-mail either expressly or by acquiescence has significant consequences for the employer.

The employer becomes a provider of telecommunications services within the meaning of the German Telecommunications Act. According to Sec. 3 no. 6 Telecommunication Act, a service provider is a person who, on a wholly or partly commercial basis, provides telecommunications services. Any activity that does not exclusively serve purposes subject to German federal law or private purposes will meet this requirement. The activity does not necessarily have to be carried out for profit, which means that the obligations will arise even if the employer does not charge his employees for the privilege of private e-mail use. As provider of telecommunications services as regards his employees’ private e-mails the employer is bound by telecommunication secrecy in accordance with Art. 88 Telecommunication Act:

“Section 88. Privacy of Telecommunications. (1) The content and detailed circumstances of telecommunications, in particular the fact of whether or not a person is or was engaged in a telecommunications activity, shall be subject to telecommunications privacy. Privacy shall also cover the detailed circumstances surrounding unsuccessful call attempts.

(2) Every service provider shall be obliged to maintain telecommunications privacy. The obligation to maintain privacy also applies after the end of the activity through which such commitment arose.

(3) All persons with obligations according to subsection (2) shall be prohibited from procuring, for themselves or for other parties, any information regarding the content or detailed circumstances of telecommunications beyond that which is necessary for the commercial provision of their telecommunications services, including the protection of their technical systems. Knowledge of facts which are subject to telecommunications privacy may be used solely for the purpose referred to in sentence 1. Use of such knowledge for other purposes, in particular, passing it on to other parties, shall be permitted only insofar as provided for by this Act or any other legal provision and reference is made expressly to telecommunications activities. The reporting requirement according to section 138 of the Penal Code shall have priority. […]”

Contraventions against the obligations contained in Sec. 88 Telecommunication Act are inter alia sanctioned by Sec. 206 (1) German Criminal Code:

“Section 206. Violation of the Postal or Telecommunications Confidentiality.(1) Whoever, without authorization, makes a communication to another person about facts which are subject to postal or telecommunications confidentiality and which became known to him as the owner or employee of an enterprise in the business of providing postal or telecommunications services, shall be punished with imprisonment for not more than five years or a fine. […]”

Furthermore there is a specific criminal sanction for interference with the telecommunication process by delaying the arrival of an e-mail, for example by means of a pre-delivery screening or by deleting a private e-mail. The pre-delivery screening would potentially also violate Sec. 206 (1) German Criminal Code whereas the mere delaying or deleting of an e-mail without taking notice of its content would solely be covered by Sec. 206 (2) no. 2 German Criminal Code:

“(2) Whoever, as an owner or employee of an enterprise indicated in subsection (1) and without authorization: […] 2. suppresses a piece of mail entrusted to such an enterprise for transmission; or 3. permits or encourages one of the acts indicated in subsection (1) or in numbers 1 or 2, shall be similarly punished. […]”

In addition to Sec. 206, Sec. 303a German Criminal Code could be applicable, where private e-mails are detained without the recipient’s approval. For the purpose of Sec. 303a German Criminal Code it is irrelevant whether or not the employer is a provider of telecommunications services. Offences as defined under Sec. 303a German Criminal Code shall be punishable irrespective of whether or not the company has permitted private e-mail and Internet use by employees. Any form of ‘suppressing’ a message may meet the requirements for the application of Sec. 303a German Criminal Code. Subject to protection is the recipient’s right to dispose of his messages. A short detention of a private e-mail will therefore, unlike under Sec. 206 German Criminal Code, not fulfil Sec. 303a German Criminal Code. In contrast to Sec. 206 (2) no. 2 German Criminal Code, Sec. 303a German Criminal Code solely protects the recipient and his right to dispose of the telecommunication. Unlike for Sec. 206 (2) no. 2 German Criminal Code, the consent of the recipient alone regarding the deletion of a private e-mail will suffice to exclude consequences under penal law.

Irrespective of his status as a provider of telecommunications services, the employer (to be understood as the company’s management) is legally obliged to take appropriate measures in order to safeguard IT-security. As a minimum requirement, the company’s data must be protected against viruses and unauthorised external access, use and manipulation. Should the company’s management fail to implement such measures it may be liable for damages e.g., to its shareholders. Sec. 9 Federal Data Protection Act provides for further obligations on the part of the company as regards technical protection measures.

In light of IT-security being a management obligation, the interests of the employer differ fundamentally from those of a ‘normal’ provider. Although both provide telecommunications services, the provider will usually rather be indifferent to the messages he transmits while for the employer, such messages will represent a part of the total sum of all e-mails, including the relevant work-related e-mails. There is a conflict between the employer’s function as

• carrier of the e-mail messages – as such he is subject to telecommunication secrecy and must respect the recipients’ rights with regard to their data on the one hand; and
• bearer of the responsibility to eliminate the threat to network security such e-mails pose – in this respect he must maintain the company’s functional efficiency on the other.

It is obvious that, in a situation like this, the employer will give priority to IT-security-related tasks and probably tend to implement as many IT safeguards as possible. The same most likely applies with regard to e-mails that, though unsolicited, are not dangerous as such, since the employer will generally be interested in optimising the work flow by avoiding the risks going along with the spam selection and deletion process carried out daily and manually by his employees.

II. Main contents of the decision 2 BvR 902/06

The facts of the case concern an investigation carried out by the general prosecutor against two individuals accused for fraud and embezzlement in the course of which the e-mails of another individual still stored on the provider’s servers had been made subject of confiscation, which this other individual by means of a constitutional complaint claimed as being a violation of his fundamental rights (1). The key message of the decision is that e-mails are protected by telecommunication secrecy according to Art. 10 (1) German Constitution until the addressee has received them and has stored them in his exclusive sphere of influence, the latter not being the case as long as the e-mails are stored on the provider’s mail server (2).

1. Simplified outline of the facts of case 2 BvR 902/06

The decision 2 BvR 902/06 was taken in the wake of an official investigation carried out against two individuals suspected of having committed the crimes of fraud and embezzlement. In the context of the investigation the competent court decided to issue a search warrant for the apartment of a further individual – the plaintiff – who was not accused of the investigated crimes. The search warrant allowed the confiscation of documents, data carriers and electronic files as well as the analysis of text files and e-mail communications to be found on confiscated data carriers. The plaintiff used his e-mail account without downloading the e-mail messages, i.e. for reading them an Internet connection needed to be established. The e-mails were then read online and then stayed on the password-protected space on the e-mail provider’s mail server. On the occasion of the search of his apartment, the plaintiff informed the investigators about this situation, established an Internet connection but then objected to the investigators having access to the e-mails, since their search warrant would not cover this. Thereafter the competent court decided to order the confiscation of the plaintiff’s e-mails on the provider’s mail server. One the same day, all of the plaintiff’s 2500 e-mails were copied on a data carrier at the provider and were handed over to the investigators. The plaintiff claimed that for confiscating e-mails on a provider’s mail server the investigators would have needed a legal justification from the Code of Criminal Procedure taking into account that e-mails on his provider’s mail server were still protected by Art. 10 (1) German Constitution (i.e. by telecommunication secrecy). The plaintiff argued that for such different legal justification the requirements had not been fulfilled and that the confiscation of his entire e-mail correspondence (including e-mails totally unrelated to the investigated matters) would violate the constitutional principle of proportionality, especially in light of him not being accused of the investigated crimes and would especially have detrimental consequences for his relationships with business partners in case they learned about the confiscation. The plaintiff’s appeals against the confiscation had no success. The involved courts based their decision especially on the arguments that

• for e-mails stored on a provider’s mail server the telecommunication process is terminated,
• it is the plaintiff’s decision whether to read, store or delete his e-mails,
• an unnoticed access by third parties could be excluded by using password protection for the e-mail account (therefore no special danger exists),
• and that it would not make a difference whether the e-mails were stored on the provider’s mail server or on hardware in the plaintiff’s possession.

The involved courts further held that the extension of the confiscation of all e-mails (including e-mails totally unrelated to the investigated matters) was justified because of the importance of the investigated crimes and because prior to the e-mail analysis it would not have been possible to decide which e-mails were relevant and which ones were not. By means of a constitutional complaint the plaintiff claimed that the final decision to reject his appeal against the legality of the confiscation violated his fundamental rights concerning the secrecy of telecommunication, informational self-determination and general freedom to act as contained in Arts. 10 (1), 2 (1) and 1 (1) German Constitution.

2. Simplified outline of the decision 2 BvR 902/06

The first reaction of the German Constitutional Court was to pass a preliminary injunction obliging the competent general prosecutor to hand certain data carriers, print-outs and documents to the competent court for safekeeping. The competent court was ordered to take these in custody and to seal them. The preliminary injunction was then repeated several times (for the last time on May 6, 2009) because of its limited duration.

On June 16, 2009 the final decision was taken. Although the constitutional complaint as such was rejected as unfounded, since the concerned court decisions had been considered legitimate, the German Constitutional Court made clear that the confiscation of e-mails on the provider’s mail server has to occur in accordance with the fundamental right to safeguard the secrecy of telecommunication according to Art. 10 (1) German Constitution. In its decision the German Constitutional Court explained its reasoning, including the differentiation between the secrecy of telecommunication and the right to informational self-determination, mainly as follows:

1. Telecommunication secrecy protects the transmission of non-embodied information (especially the content of a message but also the circumstances of the communication) to individual recipients by means of telecommunication, regardless of the form of transmission and of the type of message used, including internet-based communication services;
2. Telecommunication secrecy does not protect content and circumstances of a communication stored outside an ongoing telecommunication process in the exclusive sphere of influence of a party of the communication and the protection thus ends once an e-mail has arrived at the addressee and the transmission process is terminated;
3. The password-protected communications (i.e. e-mails) in an online e-mail inbox, which can only be visualised by establishing an Internet connection with the provider’s mail server, however, are protected by Art. 10 (1) German Constitution, since they are not stored in the user’s sphere of influence (e.g., on the user’s hardware) but in the provider’s sphere of influence, who can access or give them to third parties (and thus also the investigating authorities) despite security measures (e.g., passwords) adopted by the user;
4. It is this lack of control caused by technical circumstances that triggers the special need for protection by telecommunication secrecy, which exists regardless of whether an e-mail is finally saved on the provider’s mail server or only on a preliminary basis since the factual possibilities of the provider’s or third party’s influence is identical;
5. The protection by Art. 10 (1) German Constitution is not hindered by the fact that while ‘waiting’ on the provider’s mail server a telecommunication procedure in a dynamic sense does not occur. This is because Art. 10 (1) German Constitution protects the beneficiary of the fundamental right because of his need for protection as the consequence of using a third party for the communication process regardless of whether, technically speaking, a permanent telecommunication process takes place;
6. The protection by telecommunication secrecy for e-mails on the provider’s mail server does not change as a consequence of the user noticing or reading the messages, since the reach of the protection conveyed by Art. 10 (1) German Constitution does not necessarily end at the point of time of reading an e-mail’s content if the e-mail continues to be stored on the provider’s mail server and therefore is in a sphere that is administered by the provider in an ongoing fashion and that the user cannot control;
7. As a consequence of the e-mails being protected by Art. 10 (1) German Constitution as ‘lex specialis’ they are not covered by the general right of informational self-determination although, insofar as the contravention against telecommunication secrecy concerns the collection of data, the criteria for how to lawfully limit the Right of Informational Self-Determination, have to be applied accordingly to the more special guarantee contained in Art. 10 (1) German Constitution;
8. The confiscation of e-mails on the provider’s mail server does not fall into the scope of the IT-Fundamental Right (cf. Schmidl, WDPR 08/2008) which protects against infiltrations of technical systems only if the protection is not provided by other fundamental rights such as Art. 10 or 13 (Inviolability of the Home) German Constitution.
9. In light of the fact that Art. 10 (1) German Constitution aims at protecting the confidentiality of communication, the fundamental right is impaired by each act of taking access to, storing or processing communicative data without the concerned person’s consent and neither the storing of the e-mails on the provider’s mail server and thus outside the user’s sphere of influence nor the user’s decision to enter into the corresponding contract can be regarded as the user’s consent to third parties taking access to the contents of such communication.

III. Effects of decision 2 BvR 902/06 on filtering and screening of e-mail in the employment relationship

It is very likely that labour courts will apply the decision 2 BvR 902/06 to the employment relationship despite the differences between employers allowing the private use of their e-mail systems and normal providers of telecommunication services (1). Such analogy will impact the filtering of viruses and spam only to a minimal extent, since such measures usually take place during a period of time where the e-mail has not arrived at the addressee so that the enlarged scope of telecommunication secrecy does not come to bear (2). As regards the admissibility of e-mail screening, however, the decision 2 BvR 902/06 will most likely have a considerable impact (3).

1. Applying the decision 2 BvR 902/06 to the employment relationship

As laid out above, the employer who allows the private use of his e-mail system is qualified as a provider of telecommunication services. As a consequence the employer is bound by telecommunication secrecy concerning his employees’ private e-mails. The decision 2 BvR 902/06 is likely to be applied in the employment relationship for various reasons.

First of all the decision 2 BvR 902/06 ‘only’ deals with the scope of applicability of telecommunication secrecy on the time-line, especially by extending telecommunication secrecy to data, which from a technical standpoint have already ‘arrived’. It could therefore be argued that the main question whether or not the employer (allowing the private use of his e-mail system) can be qualified as provider of telecommunication services had already been ‘answered’ prior to the decision 2 BvR 902/06 and that the decision 2 BvR 902/06 ‘only’ details the scope of telecommunication secrecy. In other words: if the employer needs to respect telecommunication secrecy he needs to respect telecommunication secrecy in the manner defined by the courts.

Secondly, labour courts are likely to reason that the special need for protection of communication contents also exists in the employment relationship because of the employer (i.e. a third party) being involved in the storing of private e-mails permanently or at least until the addressee decides to delete the e-mails or move them to a private data carrier without leaving a copy behind.

Further reasons could be seen in the fact that the employee can only get access to his e-mails when connected with the employer’s mail server and that therefore there is special need for protection by telecommunication secrecy, which exists regardless of whether an e-mail is finally saved on the employer’s mail server or only on a preliminary basis since the factual possibility of the employer taking influence is identical.

Although in light of the aforementioned it seems quite likely that the decision 2 BvR 902/06 will be applied to the employment relationship, this might trigger considerable difficulties:

• The employer can hardly differentiate between business and private e-mails and treat them differently – ‘normal’ providers do not have this problem because they are obliged to respect telecommunication secrecy for all e-mails;
• There is the question of how to handle attachments to private e-mails if they are stored on the company’s servers, i.e. still not in the addressee’s exclusive sphere of influence;
• The private use of e-mail systems in the employment relationship as a rule ‘only’ constitutes a (in some cases unconscious) ‘favour’ by the employer and there are often no rules on how the e-mail system may be used as opposed to the ‘normal’ e-mail provider who requires the conclusion of a detailed contract on rules of use before opening an e-mail account for a new user;
• The business e-mail system has the determination to serve as the backbone of many companies’ internal and external communication, whereas the ‘normal’ providers’ e-mail system exclusively serves the users’ communication with third parties they have selected themselves;
• The employer has to safeguard the company’s IT-infrastructure and thus safety-oriented measures can easily come into conflict with telecommunication secrecy, especially since it might now also apply to e-mails on the employer’s servers.

2. Impact on virus and spam filtering

As regards the legal admissibility of e-mail filtering, a distinction must be made between infected and unsolicited e-mails.

Infected e-mails can be identified with little invasion by means of automatic virus controls. The admissibility of such controls is not in dispute, as long as the message content is not examined. In line with the legally recognised grounds of justification, even the deletion of individual e-mails may be justified and thus admissible. The filtering of e-mails infected with viruses, worms or Trojans is therefore admissible because such messages pose a threat to the company. In such cases it may be possible to delete attachments or even entire messages, if solely deleting the attachment does not eliminate the danger. There is no obligation to deliver potentially harmful e-mails. The employer is entitled to filter out and delete e-mails irrespective of whether he has permitted or merely tolerates the private use of his telecommunications facilities. As a provider of telecommunications services, the employer is legally obliged to implement appropriate technical safeguards. Such measures may therefore be carried out without the respective employee’s consent.

This reasoning, however, is not equally applicable for the filtering of spam, i.e., unsolicited e-mails. As a rule it is not individual e-mails but rather the sheer bulk of spam that threatens to cause business disruption and affect productivity. The recipient of a spam e-mail may in fact even be interested in its content. The examination necessary to identify and eliminate spam will consider typical spam parameters, such as mass postings of the same message to multiple recipients but mainly focus on content-related criteria. As regards the scope of the employer’s examination right it is questionable whether it is subject to the principles applicable to work-related mail or whether the provisions on official/work-related telecommunications are applicable. Official mail may be fully monitored while it is prohibited to examine the content of telephone calls. Due to the spontaneity of the communication, e-mail is generally comparable to correspondence via telephone. In case private use is permitted, the examination of incoming e-mails for keywords therefore represents a violation of telecommunication secrecy of both the recipient and the sender. Deleting e-mails identified as spam according to the employer’s criteria impairs the integrity of the telecommunication process. Both measures can trigger the employer’s criminal liability according to Sec. 206 and 303a German Criminal Code.

The decision 2 BvR 902/06 has almost no impact on virus and spam filtering, since both filtering measures usually take place prior to the addressee’s reception of the e-mails and therefore at a point of time where the telecommunication process has not ended even from a technical point of view. Decision 2 BvR 902/06 could only become relevant for virus and spam filtering measures if such measures took place after arrival of the e-mails in the addressee’s inbox, for example by deleting an infected and/or unsolicited private e-mail in the addresse’s inbox. As regards virus infected e-mails the situation does not change – although telecommunication secrecy still applies the employer still has the right to recur to general grounds of justification and is not obliged to allow the infected e-mail to discharge its potentially harmful effects. As regards spam having arrived in the addressee’s inbox, however, the deletion might be qualified as interference with the telecommunication process, whereas prior to decision 2 BvR 902/06 it could have been argued that the telecommunication process is already over and therefore an interference would not be possible. This argument could only be invalidated by extending the scope of protection of telecommunication secrecy to private e-mails on the employer’s mail server but by limiting the applicability of the crime of interference with the telecommunication process to an interference prior to the arrival of the e-mail in the addressee’s inbox. It remains to be seen whether such differentiation will be made by the competent courts. The importance of the question as to whether the e-mails are still protected by telecommunication secrecy and whether the telecommunication process is over or not is due to the respective sanctions. The criminal sanctions for deleting private e-mails in the course of telecommunication according to Sec. 206 (2) no. 2 German Criminal Code are stricter than for the deletion of ‘normal’ private data of a third party (i.e. the employee) according to Sec. 303a German Criminal Code.

3. Impact on e-mail screening

Whereas the impact of decision 2 BvR 902/06 on virus and spam filtering is relatively low – seen apart from the special problem of deleting arrived e-mails – it might change the legal framework for e-mail screening quite considerably. Prior to decision 2 BvR 902/06 it was not unusual to get data protection authorities’ approval for carrying out an e-mail screening on the basis of applying Sec. 28 (1) 1st no. 2 Federal Data Protection Act. The screening of e-mails in employees’ inboxes was, in other words, dealt with as the investigation of ‘normal’ data. This practice had developed on the basis of a decision of the German Constitutional Court on March 2, 2006 (2 BvR 2099/04), which dealt with e-mail data on data carriers that had been confiscated and which declared such confiscation as having to be in line with informational self-determination, i.e. data protection law (e.g. by respecting Sec. 28 Federal Data Protection Act), and not with telecommunication secrecy, in light of the telecommunication process having ended prior to the confiscation with the act of storing the e-mails on a data carrier in the exclusive sphere of influence of the concerned individual.

Given the fact that e-mail screening usually concerns e-mails having already arrived in the addressee’s inbox it does normally not lead to the blocking or deletion of private e-mails. An interference with the telecommunication process is therefore hardly possible. Only if the e-mail screening took place prior to the arrival of the e-mail and would delay the normal course of delivery can the screening lead to the criminally relevant act of the blocking of private e-mails. This is because Sec. 206 (2) no. 2 German Criminal Code treats both the delaying of the delivery of a private e-mail and its deletion as two forms of blocking.

As a consequence of (or in a less dramatic wording, as underlined by) decision 2 BvR 902/06 the screening process concerning e-mails in the addressees’ inboxes must potentially be qualified as a violation of telecommunication secrecy. According to Sec. 206(1) German Criminal Code whoever, without authorisation, makes a communication to another person about facts which are subject to postal or telecommunications confidentiality and which became known to him as the owner or employee of an enterprise in the business of providing postal or telecommunications services shall be punished with imprisonment for not more than five years or a fine. The decisive question is whether the crime-elements of making “a communication to another person” about facts protected by telecommunication secrecy “which became known to him as the owner or employee of an enterprise in the business of providing postal or telecommunications services” can be fulfilled by an e-mail screening. This question cannot be thoroughly discussed in this article. It should be noted, however, that when applying Sec. 206 (1) German Criminal Code, the prevailing opinion examines whether the “communication” of telecommunication secrecy protected facts to another person was required as part of the normal delivery process or not. Any communication going beyond what is required for the normal telecommunication delivery process is regarded as fulfilling the crime-element of “a communication to another person”. Commentary literature therefore expressly includes intra-company communications of telecommunication-secrecy protected facts (e.g. the IT-administrator who carries out the e-mail screening reports to his management) as fulfilling the crime-element of “a communication to another person”. As shown above, the crime-element of “facts which are subject to telecommunications confidentiality” is fulfilled by a private e-mail even after arrival in the addressee’s inbox. Eventually, the crime-element that the protected fact must have become known to the employer as “the owner or employee of an enterprise in the business of providing telecommunications services” is constituted by the employer being treated as provider of telecommunication services to the extent he allows the private use of the company’s e-mail system.

Outlook and summary

To some extent the decision 2 BvR 902/06 of the German Constitutional Court was a surprise: e-mails on the mail server of a provider are protected by telecommunication secrecy even after having arrived in the addressee’s inbox on the provider’s mail server until such e-mails have been stored in the exclusive sphere of influence of the addressee.

Only a few months before the decision was taken, on March 31, 2009 the German Supreme Court had decided that the confiscation of e-mails in the online-inbox of a suspect, i.e. getting access required the establishment of an Internet connection where the e-mails were stored on the provider’s mail server, did not need to take telecommunication secrecy into consideration since the telecommunication process was over at the very moment of storing the e-mails on the provider’s mail server.

Despite all criticism concerning the qualification of an employer (consciously or unconsciously) allowing the private use of the company’s e-mail system as provider of telecommunication services it is likely that the decision 2 BvR 902/06 will be applied in the employment relationship. It could be regarded as the logical next step to do so because of the alleged parallels between the employer and a ‘normal’ provider of telecommunication services. Or in other words: if an employer needs to respect telecommunication secrecy he needs to respect it in the way it is defined and understood by the competent courts. The extension of telecommunication secrecy beyond the point of time of arrival of private e-mails on the employer’s mail server, however, causes a difficult situation for the employer. Unlike ‘normal’ providers he would then be obliged to differentiate how to treat e-mails even once they have arrived in the respective addressees’ inboxes. Other open questions, as to how to treat file attachments, which are stored on the company’s servers and not in the exclusive sphere of influence of the addressee or the exact relation between IT-security obligations and limitations resulting from telecommunication secrecy, will still have to be answered.

The decision 2 BvR 902/06 will only have little impact on virus and spam filtering. Most likely it will, however, have considerable impact on the admissibility of e-mail screening, which as a rule takes place after the concerned e-mails arrived in the addressees’ inboxes. Sec. 206 (1) German Criminal Code could insofar turn out to become the limiting factor for e-mail screening since it sanctions the communication of telecommunication secrecy-protected facts, such as private e-mails in the employment relationship to third parties (including recipients inside a company) if such communication goes beyond what is required for the normal telecommunication process.