In Finland, work emails are protected under correspondence privacy laws, meaning that employers are entitled to access and review an employee’s emails under only limited circumstances. Failure to observe these strict requirements for accessing an employee’s emails may result in fines or even imprisonment.
Privacy of correspondence
The Constitution prohibits violating secrecy protections around confidential communication. Protections in this regard extend to modern means of communication, such as emails, text messages or web-based messaging platforms.
The authorities have taken the view that an email is deemed personal if it is addressed to a named person. This rule applies equally to private email addresses and email addresses that are provided by employers (eg, firstname.lastname@example.org). The only exception is general corporate email addresses (eg, email@example.com), which are regarded as the property of the company.
An email address that has been given to a named person, whether work-related or private, is subject to privacy of correspondence rules – the main rule of which is that only the person who is named in the email address has access to that account.
Emails may be read with employee’s consent
In order to avoid situations where emails cannot be read or accessed due to an employee being absent or unreachable, the employer may ask an employee to authorise another employee to access their account. However, as the privacy of correspondence is guaranteed as a fundamental right that is recognised in the Constitution, an employee may not irrevocably give up their right to privacy of correspondence. In practice, this means that an employee may at any time revoke their authorisation for others to access their email account.
Accessing emails without employee’s authorisation
Legislators have recognised that employers may need to access employee email accounts in circumstances where it is not possible to obtain the employee’s consent (eg, due to time constraints). If consent cannot be obtained, an employer has the right to access an employee’s email with the assistance of the system administrator and under specific circumstances.
In order to have the right to access an employee’s emails, the employer must have implemented one of the below measures, the aim of which is to decrease the need for an employer to access an employee’s emails during their absence:
- requiring the use of an automated out of office message that states their absence and provides an alternative contact;
- setting up a system that automatically forwards emails that have been sent to an employee to another member of the company; or
- requesting the employee to give another employee the right to access the employee’s emails during the employee’s absence.
Employers may freely choose which of the above options to offer their employees. If the employee refuses to adopt the offered measure,, the employer is still regarded to have implemented the necessary steps to avoid the need to access an employee’s email during their absence and, therefore, has the right to access an employee’s emails with the assistance of the system administrator if it is deemed necessary.
Accessing the employee’s emails without the employee’s consent should always be the last option and before accessing the employee’s email the employer shall always try to receive consent from the employee. The employer may access the account without consent only if the employee in question cannot be reached within a reasonable time and the employer reasonably suspects that emails have arrived in the employee’s absence which need to be handled.
When accessing an absent employee’s email account, as described above, an employer cannot freely read through all the employee’s emails. An employer may only open emails that can be identified as urgent business-related messages based on their subject, sender and recipients. The employer is also obliged to document the actions taken whenever the employer accesses an absent employee’s email account. The report prepared by the employer must specify:
- who has had access to the employee’s emails;
- which emails have been accessed and why; and
- the exact time and date when this took place.
The report must be given the absent employee as soon as possible.
Email accounts must be closed when employment ends
Due to the personal nature of employee email accounts, employers have no legal basis to keep an employee’s email account active after their employment has ended. Even if an employee has not explicitly requested their email account to be closed, the employer may only keep it active after employment has ended if both parties have agreed to this.
Failure to comply with the regulation relating to the access and retrieval of employee emails may result in severe penalties. The Supreme Court recently sentenced a manager to fines after they had had kept an ex-employee’s email account open (without the employee’s consent) and instructed other employees to monitor the emails. In the case at hand, the employee had actually consented to the employer reviewing his emails during his absence, but as the consent did not expressly cover the time after their employment ended, the Court ruled that the employer did not have the right to keep the employee’s email account open and access its contents. The maximum penalty for violating the regulation on the privacy of correspondence would have been two years of imprisonment. In most cases, like in the case in hand, the penalty is fines, which can total a maximum of two months’ net income.
This article was first published by The International Law Office (ILO), 6 July 2022.