To print: Click here or Select File and then Print from your browser's menu

This story was printed from silicon.com, located at http://www.silicon.com/

Story URL: http://comment.silicon.com/0,39024711,11014995,00.htm

Ask the lawyer @ Silicon.com
In the first week of every month, Silicon.com solves your IT law problems. Just send your questions to askthelawyer@silicon.com. This month, Alastair Breward of UK firm Taylor Joynson Garrett responds to your queries

By Alastair Breward

Published: Tuesday 11 January 2000

Q. What are a company's liabilities concerning the content of emails sent by employees, or concerning their visiting "inappropriate" Web sites and downloading material from these? Is an employer responsible, and if so, is it possible to counter potential legal actions?

A. In most cases, an employer will be liable for the acts of its employees carried out in the course of their employment. Sending email, visiting inappropriate Web sites or downloading material from them each raise different issues. Let's look at each in turn.

Email: Presents the problem of unwanted contracts. Email exchanges can create binding agreements without there being any formal signed document. The key test is whether an employee appears to have the authority to conclude the contract - a tea boy cannot commit you to buying a nuclear reactor. If this is so, the company may be bound - subject to any qualifications in the email. The speed and convenience of email means people often pay too little attention to the risk that contracts will be formed unintentionally.

Second, IP rights can be infringed by email. For example, an email sent to customers with an attachment of information gathered from a third party's Web site could breach the copyright of that third party - the downloading itself might well infringe, but the circulation is what gets you caught. Employees should always read the on-line licence to find what they can do.

Thirdly, great care should be taken to avoid defamation. Even an internal email regarding a third party, the content of which is false and damaging, could constitute sufficient grounds for that party to found a claim against the company.

Fourthly, the law protects people (whether or not employees) from discrimination and similar detriment. An employer will be liable for employees who send intimidating, hostile or humiliating email which might contain offensive material. The liability will depend on the severity of the case and the particular context. However, an employer's lack of knowledge of the offending correspondence is not a defence. It can only defend itself by demonstrating that reasonably practicable steps were taken to prevent the employee from carrying out the detrimental act or acts of that description.

Lastly, we should mention pornography, which is supposedly tightly regulated in the UK. It is a criminal offence to publish (eg, by email or posting in a publicly accessible Web space, but not simply by viewing) "obscene material" (i.e. that which "tends to deprave and corrupt" those who are likely to read it). There is no clear definition of what constitutes obscene material, and juries are generally reluctant to convict. Even if an employee were to contravene the law the employer could still escape vicarious liability by showing that reasonable steps were taken to prevent this.

Browsing & Downloading: Where an employee views material on a Web site, it will probably be copied onto the cache of the company's server, so browsing usually amounts to downloading. It should be noted that browsing "inappropriate" Web sites and downloading from them are generally not offences so long as the "inappropriate" material is not sent to others. Of course, it is still an inappropriate use of company time and resources, and as such is a valid target for control by corporate employment policy. Also, if the material is child pornography, the mere downloading of the material from the Internet will constitute a criminal offence. Here though, the employer cannot usually be held vicariously liable.

In relation to all the matters we have looked at above, a comprehensive, published and properly implemented email and Internet policy (see Ask the Lawyer 6th September 1999) is invaluable. It should address inappropriate email and Internet access in the workplace, stating that employees must not commit offences and outlining the penalties if they do so.

An important part the policy is for the employer to put in place a system to supervise the use of email and the Internet, and to deal with problems once they have come to the attention of management. This is particularly relevant where an employer wishes to defend itself against vicarious liability for the discriminatory acts of its employees. Also, training employees so that they appreciate the dangers of unwanted contracts is the best way of avoiding unnecessary costs further down the line.

Q2. I work for an Internet company, launching a new UK based Internet advertising platform. We track all banner impressions that we serve onto member sites. We then collate all assimilated data and publish any notable activity or trend within the members' area of the site. This information is general in nature and does not identify any individual sites. We are anxious to assure future members that information gathered from their sites or campaigns will not be directly linked to them when published in the members' area, and that we will not supply any information to any other source about any member. Will a small privacy policy statement saying we gather information but do not sell the information be sufficient for data protection purposes?

A2. A privacy policy statement is not sufficient for Data Protection purposes if you are an established European Union company. Throughout the EU there is a statutory Data Protection regime which requires that users of personal data file a registration and then comply with that registration and with eight so-called Principles. These Principles state that data must be obtained and processed fairly and lawfully, or that it can be held no longer than is necessary for the purpose for which it is held. They also cover security, subject access and correction.

Registration is simple and inexpensive, through the Data Protection Registry which can be contacted on 01625 545 700. They will ask some questions to identify the kind of business being registered, provide a provisional registration and send a half completed form for you to complete and return. The Registry's Web site is at www.dataprotection.gov.uk.

Data Protection requirements in Europe contrast with the situation in the US where there is no governmental legislation so individual privacy statements with contractual force are commonly used. As a result of US influence, this practice has become popular in the UK and elsewhere.

Although not sufficient for Data Protection purposes, such statements are useful because they enable customers to be fully informed about a company's intended use of their information and the safeguards it intends to follow.

It must be stressed, however, that privacy policies or statements do not dispense with the need to register properly, and failure for European Union established companies to register properly is, technically, a criminal offence.

** Network Multimedia Television Ltd/Silicon.com give no warranties as to the accuracy of the information and advice contained herein and can take no responsibility for any acts or omissions resulting from reliance upon the information provided. Commentary is intended only as general guidance on legal issues arising from the circumstances described, and specific legal advice based on all relevant facts should always be sought.