Privacy & Data Management Blog

Employers sometimes discover evidence that a former employee may be or have been in breach of their obligations to the employer. Sometimes the employee’s own direct messages on social media accounts corroborate wrongdoing. Is it a privacy breach if an employer accesses the social media direct messages, and can the employee sue them for breach of privacy?

A recent decision decision from the New Brunswick Court of King’s Bench, the Plaintiff a former Director of Computer Program Development, left his position claiming that he had been constructively dismissed. Ten months after the Plaintiff’s departure, the employer was working at the Plaintiff’s former workstation when his Facebook messages “popped up” on the screen. This was not the first time the employer had accessed the Plaintiff’s former workstation, but it was the first time that Facebook messages had appeared. The Employer was worried about some sort of security breach, and investigated the messages further.

The messages revealed that the Plaintiff had exchanged messages with current and former employees, and some implied that the Plaintiff had breached the terms of his non-compete and non-disclosure agreements. The Employer sought an injunction against the Plaintiff to restrain him from disclosing confidential information by way of summary trial. The Plaintiff counter-claimed for breach of privacy based on the tort of intrusion upon seclusion, and argued that he had a reasonable expectation that his Facebook communications would be private.

The Court did not allow the Employee’s claim for breach of privacy.  The Court made note of the following:

• The Facebook messenger application had never popped up before, even though the computer had been accessed many times. This was distinguishable from the scenario in Jones v Tsige, 2012 ONCA 32, where the Defendant deliberately and surreptitiously accessed the Plaintiff’s information;
• The information was stored on, or at least accessed via a company computer;
• The Plaintiff was an experienced IT professional;
• A co-worker had reminded the Plaintiff to ensure that he logged off his Facebook account on his work computer so that the Employer could not read his messages;
• The Plaintiff failed to log off of Facebook or remove the application from his work computer; and
• The Plaintiff gave his workstation password to the Employer.

Key Takeaways

Every case is different, and it may be no surprise that the Court did not grant judgment for breach of privacy in the circumstances. However, employers need to take care before accessing any of their employees’ private messages or social media accounts. Although privacy laws may allow employers to collect information in some circumstances without consent, such as for investigations, they may be challenged.  Privacy torts are evolving across the country, including provinces with statutory privacy torts.  For example, the BC Court of Appeal left open the possibility of the existence of common law privacy torts earlier this year in a class action against Google.

We recommend establishing a clear privacy policy and device/systems use policy to provide appropriate notice and set expectations with employees.

If your organization has any questions about privacy, conducting investigations, device/systems use policies or data privacy generally, we would be pleased to help you. Please contact a member of our Privacy & Data Management Group.