Social Media in the Workplace: Employer Protections versus Employee Privacy

Vol. 41 No. 4


J. Mark Poerio ( is a partner in the Employment Law Department in the Washington, D.C., office of Paul Hastings. He focuses his practice on executive compensation and employee benefit matters. Laura E. Bain (, a law student at William and Mary Law School, was a summer associate in the firm this year. The authors gratefully acknowledge contributions from Carolina Benedet Barreiros Spada and Ana Paula Mesquita Barros (Brazil), Rhonda Shirreff (Canada), Jeremie Gicquel (France), Bernd Weller (Germany), Lara Vivas and Laia Mollar (Spain), Ueli Sommer (Switzerland), and Suzanne Horne and Andreas White (United Kingdom).


Although social media have been steadily integrating into business relationships and strategies, serious conflicts have erupted in the past year. The rallying cry traces back to a Maryland employee who was reportedly “mortified” when his employer requested and received his Facebook username and password. “Mortified” may well describe the reaction of employees and lawmakers worldwide.

Our survey of various world regions, outlined below, confirms that more than blustery talk has transpired. So far in 2012, Canada, Germany, the U.S. Congress, and at least 11 U.S. states have passed or proposed legislation directly aimed at forestalling employers’ access to personal accounts of employees. Many European countries already have well-developed laws protecting employee privacy that are now being applied to resolve work-related social media issues.

Despite concerns for employee privacy, employers are discovering that they need to address work-related social networking risks ranging from the theft of trade secrets and client records to overt client solicitation and defamation. All of this raises new questions: Who owns the contacts? What is private? Can “friending” and “linking” activities be considered solicitation? And how far can employers go to protect their legitimate interests? Because the answers vary by region and country, employers should proceed thoughtfully when they seek to protect key business interests at risk from employee social-media use. The following outlines legislative and judicial responses to the issue around the world.


Many Western European countries have already implemented laws that restrict an employer’s regulation of social media in the workplace.



No specific French employment law provisions currently address issues raised by employees’ social media use. However, the access and processing by an employer of an employee’s or applicant’s personal information via a social media site is strictly limited by general legal provisions. These provisions prevent employers from asking applicants or employees for information unrelated to the job or their qualifications. Any monitoring of the employee’s activity at work requires prior information and consultation of the employee representatives and approval from the French data privacy agency as to the employee’s information.

French case law may even prevent employers from firing employees who have posted negative comments on social networks, as recent cases indicate that privacy settings may determine when employee-posted negative comments about an employer will constitute valid justification for dismissal. In 2011, a Rouen court of appeal held that such a dismissal was unfair because the employee’s account had privacy settings that kept the information from being publicly available. On the other hand, a Paris criminal court recently found an employee liable for publicly insulting his employer on Facebook because of the absence of appropriate privacy settings on his Facebook account.



German employment law only permits employers to ask for an applicant’s personal information if it is relevant to the specific job; therefore, it is unlikely that an employer can legally obtain impermissible information via a social media site. Nor does German law allow employers to ask employees to disclose their social media account details. Germany has drafted, but not yet adopted, a law that would prohibit employers from using personal social networking sites to vet or screen applicants, but it would allow use of business-focused networks such as LinkedIn.

If employers in Germany decide to monitor employee social media, they must use third parties or obtain employee permission by, for example, becoming the employee’s online “friend.” Additionally, German courts have generally upheld employer decisions to terminate employees who violate noncompete agreements via social media.



Article 18 of the Spanish Constitution grants a right to privacy. In the social media context, courts have found that an employer’s request to access an employee’s social media account infringes upon the employee’s privacy right. However, privacy protection does not extend to publicly available data, such as blog posts. Whether an employer may access employee Facebook information via a Facebook friend remains debatable, as these data are partially public. Despite the privacy right, Spanish courts also recognize employers’ rights to conduct their businesses. Current case law allows employers to terminate employees for insulting the company on social media sites when the insult is clearly offensive. Additionally, Spanish courts generally will not find the monitoring of employees’ Internet use to constitute privacy infringement when the employer has provided written policies in advance.



In the social media context, Switzerland authorizes employers to monitor employee accounts to a greater extent than does the United Kingdom (as discussed below), but it offers weaker solicitation and defamation protection to employers. Swiss law does not address whether employers may request access to employee social media accounts but, rather, generally limits permissible employment interview questions to those related to the job’s requirements. Switzerland also allows employers to monitor employee social media and Internet use at work if a clear written policy is in place.

However, the Working Act forbids continuous monitoring, so employers should limit their policies and practices to random or suspicion-based monitoring. In contrast, although employers may discipline employees for disclosing trade secrets or company confidential information via social media, they may only do so if a confidentiality agreement is in place and the breach either was substantial or it repeatedly damaged the employer’s reputation.


United Kingdom

The United Kingdom’s Data Protection Act requires employers to obtain consent before they can collect an applicant’s or an employee’s online data. Hacking into an employee’s account is a criminal offense. This presents a challenge when employers need to investigate employee misconduct because employees might not authorize access to their social media sites if they engaged in misconduct there. Although employers can investigate employee social media without prior consent when their interest outweighs the employee’s privacy interest, they risk sanction if a court finds an employer’s interest insufficient. As for accessing applicant accounts, the Information Commissioner’s Office has issued guidelines recommending that employers only view applicant social media profiles when the employer faces particular risks and has notified the applicant. These guidelines are not legally binding. However, courts may refer to them in breach of Data Protection Act cases.

Interestingly, UK law also protects employer interests in social media and confidential data. In 2008, the High Court in Hays Specialist Recruitment Ltd. v. Mark Ions ordered a former employee to disclose all his LinkedIn contacts established during his former employment. The case involved a former employee who signed a nonsolicitation agreement but sent LinkedIn invitations to his employer’s clients before quitting. The case suggests UK courts will strictly enforce nonsolicitation agreements in the social media context. UK employers should nevertheless proceed cautiously in viewing employee social network pages, but they likely can protect their confidential business information with restrictive covenants.


North America

North American countries have recently begun to regulate employer controls over social media in the employment context.



Nova Scotia so far is the only Canadian province to amend its Labour Standards Code to prohibit employers from demanding passwords, account information, or access to employee and applicant social media accounts. Although many provincial agencies have advised employers not to ask for social media passwords, these do not carry force of law (see Lisa Stam’s blog, Employment and Human Rights Law in Canada, Employers should nevertheless proceed cautiously, as courts could apply privacy and human rights legislation to the social media context. Likewise, employers may monitor employee social media use at work, but monitoring must meet the courts’ reasonableness requirement.

Canadian arbitrators have protected employer confidentiality and reputation interests. In Chatham-Kent v. National Automobile, Aerospace, Transportation & General Workers Union, the arbitrator upheld a nursing home’s termination of an employee who published confidential information about residents and insults about supervisors on a public blog. The arbitrator found that these public blog posts breached the employee’s confidentiality agreement. Whether courts or arbitrators will also enforce nonsolicitation agreements in the social networking context remains unclear.


United States

In April 2012, the Social Networking Online Protection Act was introduced in the House of Representatives. Federal legislation seems likely to pass, given indications of support in the Senate. One month later, Maryland enacted a law prohibiting employers from requesting that employees or applicants disclose their usernames, passwords, or other personal account information for social networking sites. Maryland’s law does permit employers to access employee personal electronic accounts to ensure employee use complies with securities or financial law and to investigate allegations of unauthorized downloading of the employer’s data. Other states are considering similar legislation (see generally “Employer Access to Social Media Usernames and Passwords,” a list maintained by the National Conference of State Legislatures, at Despite this legislative trend, not all information that employees post on social networking sites will necessarily be protected. Unprotected information could, for example, include items posted on a coworker’s Facebook page when the employer is also that coworker’s Facebook friend (see Sumien v. CareFlite, 2012 WL 2579525 (Tex. App. July 5, 2012)).

U.S. employers are not without judicial protection. Two U.S. district courts, one in Colorado and the other in California, have held that employers’ social media accounts can constitute trade secrets and that an ex-employee’s continued use or theft of them can constitute misappropriation (see Christou v. Beatport, LLC,  2011 U.S. Dist. LEXIS 19055 (D. Colo. Feb. 10, 2011), and PhoneDog v. Kravitz, 2011 WL 5415612 (N.D. Cal. Nov. 8, 2011), respectively). Further, in Amway Global v. Woodward, 744 F. Supp. 657 (E.D. Mich. 2010), the U.S. District Court for the Eastern District of Michigan enforced an arbitration award against an ex-employee for breach of a nonsolicitation agreement through blog postings. The court deferred to the arbitrator’s conclusion that the employee engaged in mass solicitation by posting his reasons for joining a competitor on a blog with 100,000 viewers.


Other Regions


Article 7 of China’s 1996 Regulations on Safeguarding Computer Information Systems prohibits any person or entity from using computer information systems to endanger “legitimate interests of citizens” such as freedom of communication privacy. Although this article could be applied to ban employer monitoring of employee online communications, the government has rarely enforced it. Since 2005, China has been drafting the Personal Information Protection Act, which could allow employers to access employee Internet information. Until this law is passed and enforced, an employer’s ability to regulate employee social media use remains uncertain. Meanwhile, some provinces, such as Jiangsu, have issued data protection regulations requiring the employee’s consent before the employer can access data.



Brazil’s Federal Constitution grants citizens, including applicants and employees, the right to privacy. An employer may not conduct business activities in a way that unreasonably infringes upon an employee’s or applicant’s privacy right. For example, an employer may request past employment information to determine if an applicant is qualified, but the employer cannot request social media passwords. Courts will likely deem such a request to constitute discrimination and a violation of the constitutional privacy right. On the other hand, employees’ rights to privacy in their social media use do not protect them from discipline when they publicly post offensive opinions about their employer on social media sites. Brazilian courts consider whether the employer’s right to conduct business outweighs the employee’s right to privacy on a case-by-case basis.


South Africa

The South African Parliament is scheduled to consider the data protection bill that was drafted in 2009. The proposed law would require employers to obtain employees’ consent before collecting electronically stored information. Additionally, employers generally may not process information protected by the Employment Equity Act, that is, information about race, sex, pregnancy, health, and religion. Nevertheless, employers can protect themselves against online defamation by employees. South Africa’s Commission for Conciliation, Mediation and Arbitration has allowed employers to terminate employees for posting negative comments about the employer on social networks (Gareth Vorster, SA Law Protects Against Employer Facebook Prying, Bus. Tech. News, May 7, 2012).


Employer Alternatives Going Forward

If employees will be using social media for work-related purposes, employers should vigilantly position themselves to protect their interests in their website and related social media accounts. For example, a concerned employer should consider:


·         establishing sole ownership of its business-related social media accounts, websites, blogs, and other protectable interests (e.g., trade secrets and customer lists);

·         controlling the password for employer media accounts and changing it when key employees depart;

·         establishing “use policies” to designate which employees have authority to access the employer media and what they may do once access is gained;

·         requiring that key employees execute written agreements acknowledging that, in the United States for instance, for purposes of the 1976 Copyright Act, the content within employer media is “work for hire” and owned by the employer; and

·         addressing, also in written agreements, the obligations of a departing employee, both as to employer media and other business-oriented contacts such as those made through LinkedIn.


Given the global trend toward protecting personal electronic media accounts, employers should weigh the risks and benefits before accessing an employee’s or applicant’s password-protected account. Nevertheless, employers often have critical business interests at stake. The smartest employers will act aggressively to protect their trade secrets and key relationships. They will, however, stay alert both to public sensitivities and to potential liabilities for pushing beyond the boundaries for proper employer protections.



Fall 2017 Spring Meeting
2017 Eurpoe Forum
2017 Fall Meeting



  • Call for Articles

  • Contact Us

  • International Law News


  • Editor-in-Chief

  • Deputy Editors

  • Sample Issues