Key takeaways
- Unfair or unlawful evidence may now be admitted by the employment tribunal where it is indispensable and proportionate to the right to adduce evidence.
- Such admissibility does not preclude a separate risk of sanction or regulatory scrutiny by the CNIL under the GDPR.
- Employee monitoring arrangements remain subject to strict constraints (prior information, proportionality, lawful basis).
- In practice, the GDPR is more frequently relied upon as a lever through a CNIL complaint than through a compensatory claim.
- Employers must anticipate this cross-cutting risk and secure their practices before relying on sensitive evidence.
It is a well-established principle that the monitoring of employees and their activities is a prerogative of the employer, flowing mechanically from its managerial authority. However, in a democracy, and even within the “enlightened dictatorship” that an undertaking may represent, such monitoring is regulated. The right to privacy requires that any monitoring measures implemented be proportionate to the aim pursued and justified by the tasks entrusted to employees.
Accordingly, an employer may not rely on video surveillance to justify a dismissal where its declaratory obligations have not been complied with (prior individual information, information of the works council, etc.) (Soc., 10 November 2021, no. 20-12.263; Soc., 8 October 2014, no. 13-14.991; Soc., 3 November 2011, no. 10-18.036; Soc., 19 December 2018, no. 17-14.631).
This then raises, for either party as the case may be, the question of the lawfulness of evidence obtained outside the statutory framework referred to above. It is increasingly apparent from decisions of the Cour de cassation (France’s highest court in civil and criminal matters) that unlawfulness does not require the evidence to be excluded ipso facto (Soc., 25 November 2020, no. 17-19.523).
However, the legal analysis should not stop there. At a second stage, consideration must be given to whether the admissibility of such evidence before the civil courts could be undermined by data protection law. In this respect, a decision of the Austrian data protection authority, the Datenschutzbehörde, clearly illustrates the issue that employers in France may soon face. Following a complaint by two former employees, the “Austrian CNIL” fined a restaurant owner €20,000 for having unlawfully installed a video surveillance system filming the kitchens. [1] The investigation revealed further breaches, including the absence of a record of processing activities (Article 30 GDPR) and a failure to comply with the accountability principle (Article 5(2) GDPR).
The evolution towards the admissibility of unfair evidence before the employment tribunal
Today, a vast amount of information can be exchanged on social networks: publicly, within a circle one assumes, or hopes, to be restricted, or via private messaging. It is this latter situation that the Cour de cassation examined, delivering in the process a clarifying decision on the issue of judicial evidence (Cass. soc., 4 October 2023, nos 21-25.452 F-D and 22-18.217 F-D).
In the case at hand, an employer had produced in court photographs exchanged by employees within a Messenger group (to which the employer was clearly not a party and which, by its nature, had no professional purpose). The facts were sensitive. Nurses were dismissed for gross misconduct for having repeatedly brought alcohol into the hospital and consumed it on the premises, organised festivities during working time, which had resulted in the mistreatment of patients, and for having taken part in a photo shoot in swimwear, during working hours and at the workplace.
To establish the seriousness of the misconduct, the hospital relied on several witness statements (including an anonymous alert), findings following the opening of staff lockers, and photographs and messages exchanged on Messenger. Shocked to find themselves pictured in swimwear in the context of employment tribunal proceedings, the nurses challenged the admissibility of the photographs taken from a private social network, arguing that they infringed their right to privacy. It should be noted that the employer had received the images from an employee who was a member of the Messenger group.
The court of appeal held that there was no impediment to their production: since the photographs had been taken at the workplace and sent to a former colleague, they fell within the professional sphere. Moreover, they revealed conduct that was, at the very least, contrary to the employees’ professional obligations.
When the matter came before it, the Cour de cassation held that the production of the disputed photographs did infringe the nurses’ right to privacy (without specifying whether this was due to their content or simply to their origin), but nonetheless upheld their admissibility.
The Court returned to first principles, namely the mechanism of the right to evidence (Articles 6 and 8 of the European Convention on Human Rights): the unlawfulness of a means of proof does not automatically require its exclusion from the proceedings. The judge must assess whether the use of that evidence has undermined the overall fairness of the proceedings, by weighing the employee’s right to respect for private life against the right to evidence. The latter may justify the production of material infringing an employee’s private life, provided that such production is indispensable to the exercise of that right and that the interference is strictly proportionate to the aim pursued (Cass. soc., 8 March 2023, nos 21-20.798 FS-D, 21-17.802 FS-B and 21-20.848 FS-B).
The Court therefore reiterated that the production of photographs taken from a Messenger account infringed the employees’ right to privacy, but was nonetheless indispensable to the exercise of the right to evidence and proportionate to the aim pursued, namely the defence of the employer’s legitimate interest in protecting patients entrusted to the care of nurses employed by the hospital. As regards alcohol consumption, this was in any event sufficiently established by the search of the lockers and the witness statements produced (the official statements corroborating the anonymous alert, thereby conferring evidential weight upon it). It is, however, unlikely to be incidental that the unlawful evidence was upheld by the Cour de cassation in a context involving misconduct within a hospital.
Two months later, in two separate cases, the Full Court of the Cour de cassation pursued this line of reasoning and affirmed that judges may now take into account evidence obtained by unfair means (Cass. ass. plén., 22 December 2023, no. 20-20.648 BR, Sté Abaque Bâtiment Services v B.; Cass. ass. plén., 22 December 2023, no. 21-11.330 BR, Sté Rexel Développement v B.).
In reality, through these decisions, the Cour de cassation merely aligned itself with European case law.
In the first case, a senior key accounts sales manager challenged his dismissal for gross misconduct, arguing in particular that the employer had relied on clandestine recordings to establish that he had expressly refused to provide reports on his commercial activity. The lower courts upheld his claim. The employer then lodged an appeal on points of law, arguing that “an audio recording, even if obtained without the employee’s knowledge, is admissible and may be produced and relied upon in court provided that it does not infringe the employee’s rights, that it is indispensable to the right to evidence and to the protection of the employer’s interests, and that it has been open to adversarial debate in the context of a fair trial”.
The Cour de cassation was therefore required to rule not on the fact that the evidence was unfair, which it unquestionably was, given that it consisted of an audio recording made without the individual’s knowledge, but on whether it could be used in judicial proceedings.
Until then, the principle had been clear: the judge could not take account of evidence obtained by unfair means (“gathered without a person’s knowledge, through a manoeuvre or stratagem”) (Cass. ass. plén., 7 January 2011, nos 09-14.316 and 09-14.667 PBRI: RJDA 7/11 no. 653).
This is where alignment with the case law of the European Court of Human Rights occurred. That court does not treat unfair evidence as inadmissible as a matter of principle, taking the view that “it is for the judge to weigh the various rights and interests at stake”.
The Cour de cassation then referred to criminal case law, according to which “no statutory provision allows the criminal court to exclude evidence produced by private individuals solely on the ground that it was obtained unlawfully or unfairly” (Cass. crim., 11 June 2002, no. 01-85.559 P). Finally, the Full Court proposed “an abandonment of the principle of the inadmissibility of evidence regarded as unfair”.
Accordingly, from now on: “in civil proceedings, the unlawfulness or unfairness in the obtaining or production of a means of proof does not necessarily lead to its exclusion from the debate. Where requested, the judge must assess whether such evidence undermines the overall fairness of the proceedings, by weighing the right to evidence against the competing rights at stake. The right to evidence may justify the production of material infringing other rights, provided that such production is indispensable to its exercise and that the infringement is strictly proportionate to the aim pursued.” As explained by the Cour de cassation in its press release, this approach responds to “the need not to deprive a litigant of the possibility of proving their rights where the only available evidence necessarily entails, in order to be obtained, an infringement of the opposing party’s rights”.
There is, however, no cause for complacency. The solution is nuanced, and while unfair evidence is no longer automatically inadmissible, the conditions for relying upon it remain restrictive. In particular, the judge must consider whether the employer could not have achieved the same result by using other means that were more respectful of the employee’s private life, and must ultimately assess whether the interference with private life was proportionate in light of the aim pursued (Cass. soc., 8 March 2023, nos 21-20.798 FS-D, 21-17.802 FS-B and 21-20.848 FS-B: RJS 5/23 no. 235).
The second case provides a direct illustration of this approach. An employee who was absent from work had left his Facebook account open, which was then accessed by a replacement employee. On that occasion, the latter discovered that his colleague was insinuating, in inelegant and inappropriate terms, that the promotion granted to the agency worker was linked to his sexual orientation and that of his line manager. The agency worker forwarded the exchange to the employer, which resulted in the employee’s dismissal for gross misconduct.
This time, the attempt failed. The Full Court refused to allow the employer to rely on this item of evidence in support of the dismissal. The outcome was logical: “a ground derived from the employee’s personal life cannot, in principle, justify a disciplinary dismissal, unless it constitutes a breach by the employee of an obligation arising from the contract of employment”. This was clearly not the case here, since “a private conversation not intended to be made public cannot constitute a breach of the employee’s contractual obligations, with the result that the dismissal, pronounced on disciplinary grounds, cannot be justified”.
Accordingly, while the case law relating to evidentiary means has become considerably more flexible, not all evidence will suffice, and it remains for the judge to assess, in concreto, the relevance and admissibility of the material produced by the parties.
GDPR: an obstacle to the right to evidence, or a means of circumvention?
The futile strategy of Article 82 as a compensatory fallback
Article 82 GDPR allows “any person who has suffered material or non-material damage as a result of an infringement of this Regulation (…) to receive compensation from the controller or processor for the damage suffered”. It thus establishes an autonomous fault-based liability regime, directly applicable under national law (OLG Hamm, 20 January 2023, no. 11 U 88/22), without any requirement to first refer the matter to the competent data protection authority (Administrative Court of Luxembourg, 21 April 2023, no. 45716). French litigants have already made use of this mechanism (CA Pau, Social Chamber, 1 June 2023, no. 21-02773; CA Paris, Division 4 – Chamber 10, 25 May 2023, no. 19-08637), albeit with less success than before German and Dutch courts (LAG Düsseldorf, 26 April 2023, no. 12 Sa 18/23). These setbacks in France do not, however, rule out the prospect of systematic subsidiary claims based on this mechanism in employment tribunal litigation.
Where unfair evidence is relied upon in support of a dismissal, an employee could therefore invoke several types of GDPR infringements. The principles of lawfulness, fairness and transparency could offer two potentially effective grounds. Lawfulness requires, first, that the processing method comply with national and European law, and, second, that a valid “legal basis” exists for the processing. While the case law of the Cour de cassation addresses the first requirement, no legal basis would appear to be available for the second. Consent and contract are excluded by definition: no one would consent to the collection of unfair evidence, and contractual arrangements in this respect would have no purpose other than to neutralise such evidence through settlement. As for legal obligation or the performance of a task carried out in the public interest, both must derive from a normative text and would, by their very nature, exclude any element of unfairness. [2]
The only remaining possibility would therefore be reliance on legitimate interest. It is here that a significant divergence is likely to emerge between the civil case law referred to above and the approach taken by data protection authorities. The assessment of legitimate interest requires proof of the legitimacy of the employer’s interests, the necessity of the processing, and, above all, the proportionality of the means employed in relation to the employee’s rights [3] (CJEU, 4 May 2017, R?gas satiksme, C-13/16; Conseil d’État, 10 December 2020, CDiscount, no. 429571). An employer unable to demonstrate that this three-part test was satisfied prior to implementing the processing would inevitably be found to have infringed the GDPR (NAIH, 28 April 2023, no. NAIH/4410-1/2023; GPDP, 11 January 2023, Commify Italia, no. 9864063; Circuit Court, 11 July 2023, no. 2019/04546). It should also be noted that, even where this test has been carried out, European data protection authorities remain reluctant to accept legitimate interest as a valid legal basis.
Even if the employer’s legitimate interest were accepted, the duty to inform – the operational transposition of the transparency principle in the context of unfair evidence – would likely have been breached. In such cases, European authorities generally take the view that the processing is unlawful (GPDP, 13 April 2023, City of Bologna, no. 9896808; CNPD, 21 September 2023, no. 13FR/2023). Illustrating the tension between administrative authorities and the courts, the latter tend to align with the position of the Cour de cassation by holding that an infringement of the duty to inform does not render the processing unlawful (BVwG, 6 October 2023, no. W176 2265088-1).
The data minimisation principle also requires the scope of surveillance measures, such as video surveillance systems, to be limited. An employee able to show that they are subject to constant filming could therefore invoke a breach of this fundamental GDPR principle (Belgian DPA, 23 November 2023, no. 154/2023; NAIH, 6 February 2023, no. NAIH-2732-2-2023). Another employee could challenge the proportionality of any audio recording in addition to video surveillance (AEPD, no. PS-00389-2022).
In employment tribunal proceedings involving an issue of unfair evidence, establishing a GDPR infringement would likely not be difficult where the disputed material was disclosed by the employer. It would, however, be almost impossible where the evidence was produced by a third party, particularly a non-professional. [4]
Moreover, the requirement for the employee to demonstrate that the alleged infringement caused direct and certain damage would be difficult to satisfy. This is precisely the point on which French claimants’ applications have failed to date (CA Pau, Social Chamber, 1 June 2023, no. 21-02773; CA Paris, Division 4 – Chamber 10, 25 May 2023, no. 19-08637). While the CJEU has excluded the application of any de minimis threshold (CJEU, 4 May 2023, Österreichische Post AG, C-300/21; CJEU, 14 December 2023, C-456/22), in the scenario considered here, where the unfair evidence establishes employee misconduct, it would be difficult for the employee to claim compensable damage. It is a settled principle of liability law that only lawful damage is capable of compensation (P. Brun, Responsabilité civile extracontractuelle, LexisNexis, 3rd ed., 2014, no. 195, p. 130). There is nothing to preclude this principle from applying in the context of Article 82 GDPR, particularly as contributory fault on the part of the victim has already been recognised as a justificatory factor (LG Bielefeld, 10 March 2023, no. 19 O 147/22).
Finally, a counterclaim based on Article 82 GDPR could be resisted by the employer on the ground of abuse of rights. German courts and the “Austrian CNIL” no longer hesitate to dismiss claims brought under this provision where its purpose is distorted (LG Baden-Baden, 16 January 2023, no. 3 O 277/22; LG Munich, 30 March 2023, no. 4 O 13063/22; DSB, 21 February 2023, no. 2023-0.137.735). Demonstrating that the counterclaim merely seeks to circumvent the lack of merit in the principal challenge to the genuine and serious nature of the dismissal could therefore prove an effective counter-strategy.
Unlawful evidence, even where directly collected by the employer rather than merely received from a third party, would therefore be unlikely to expose the employer to any significant additional risk.
A complaint to the CNIL as a tactical lever
An employee dismissed on the basis of unfair evidence could therefore use the GDPR as leverage against their (former) employer. Article 77 GDPR grants any data subject affected by processing, even if unlawful and/or unfair, the right to lodge a complaint with the data protection authority.
This remedy is easier to deploy. It is not subject to any formal requirements [5] or to the existence of damage (CJEU, 7 December 2023, Schufa Holding), and may relate to any type of GDPR non-compliance (VGH München, 30 May 2023, no. 5 BV 20.2104).
Once such a complaint is lodged, the authority is in principle required to examine it, carry out investigations and inform the data subject of the outcome. Where appropriate, it must rule on the lawfulness of the processing at issue before deciding on the complaint (Personvernnemnda, 7 November 2023, no. 2023-14 (21-01067)). Admittedly, the CNIL enjoys a quasi-discretionary power [6] when determining the action to be taken following a complaint (Personvernnemnda, 7 November 2023, no. 2023-14 (21-01067); Conseil d’État, 21 June 2018, Louni, no. 416505). Nevertheless, there is no guarantee for an employer that the Commission will not decide to entertain an employee’s complaint, or even subsequently initiate a broader inspection. [7]
The leverage effect would then be based on an expected-value calculation: the probability that the CNIL will take action [8], directly or indirectly, on a complaint, together with the attendant risk of sanctions. While the theoretical maximum fine is realistically conceivable only for large multinational groups, the average level of sanctions imposed by the CNIL amounts to several tens of thousands of euros, including for small businesses and sole traders.
In this context, the employer must take into account the fundamental distinction between the compensatory action provided for under Article 82 GDPR and the administrative control and sanction mechanisms under Article 77. In the latter framework, traditional exonerating factors, such as the act of a third party or contributory fault on the part of the victim, assuming they are even transposable to this field, do not apply. In light of the accountability principle, a controller reported for unlawful and/or unfair processing would only be able to avoid a sanction by establishing full compliance of the processing underlying the contested evidence (EDPB – Guidelines 07/2020 on the concepts of controller and processor in the GDPR).
The admissibility of unfair evidence before the civil courts therefore does not necessarily preclude the risk of an administrative sanction for the same facts, or even a full CNIL inspection, which could reveal additional compliance failures.
An employer seeking to rely on such evidence must therefore anticipate a legal counter-attack which, even if tinged with a degree of abuse, would not be without effect.
Conclusion
Nevertheless, no employer should refrain from relying on unfair evidence solely because of the risk of a CNIL inspection following disciplinary proceedings against an employee.
There are several reasons for this. Statistically, the CNIL generally sets itself a target of around 300 inspections per year. When compared with the approximately one million businesses created each year in France, such enforcement activity is necessarily confined to the most serious situations and the most clear-cut infringements. Even then, this figure alone does not allow for a rigorous assessment of risk. Indeed, CNIL publications relating to administrative sanctions suggest that its restricted committee proceeds to impose penalties in fewer than 20% of cases.
Secondly, it must be noted that the conditions laid down by the Full Court of the Cour de cassation tend to reduce an employer’s exposure to administrative sanctions. The assessment of the balance between the employer’s right to evidence and the employee’s rights to privacy and data protection makes it possible, indirectly, to anticipate the outcome of any complaint lodged with the CNIL. A manifest lack of proportionality would correspond to a maximum level of risk, whereas a balanced assessment, or ideally one tipping in favour of the employer, would allow for the prospect of a minimal sanction, a simple formal notice, or even the dismissal of the complaint.
A final factor, and not the least significant, is the authority of res judicata. Where it proceeds to impose a sanction, and notwithstanding its own assertions to the contrary (Decision SAN-2019-001; Decision of the Restricted Committee no. SAN-2021-023 of 31 December 2021 concerning GOOGLE LLC and GOOGLE IRELAND LIMITED), despite an explicit position adopted by the Conseil d’État on the matter (Conseil d’État, interim order, 19 February 2008, Profil France, no. 311974), the French data protection authority acts as a specialised administrative court. The Conseil d’État has recognised that the scope of res judicata extends beyond the operative part of a decision and, above all, that it is absolute in matters falling exclusively within the jurisdiction of the civil courts (Conseil d’État, 4 October 1972, Leclerc-Charron, nos 80866 and 81278). The CNIL, whose founding text states in its fourth recital that the right to data protection must be balanced against other rights, could therefore be bound by the employment tribunal’s assessment of the admissibility of evidence and be required to refrain from imposing a sanction on that point.
In this context, the role of the legal adviser is pivotal. Beyond determining whether disciplinary proceedings or a dismissal are justified, they must take account of other branches of law in order to anticipate cross-cutting risks that are, for the time being, often overlooked. Short of becoming a specialist in Bayesian statistics, such issues are best addressed through a multidisciplinary approach.
Notes and references:
[1] DSB, 7 December 2023, No. 2023-0.583.644
https://www.ris.bka.gv.at
[2] By way of example, this includes the use of mystery shoppers or the recent power granted to tax authorities to create “pseudonymised” accounts on social networks in order to investigate cases of tax fraud.
[3] https://www.cnil.fr/fr/linteret-legitime-comment-fonder-un-traitement-sur-cette-base-legale
[4] By way of illustration: Dismissed because of a photograph, a cleaning operative employed by the City of Paris challenges the decision before the employment tribunal, France Bleu, 14 January 2020.
[5] A simple email may therefore be characterised as a complaint (VG Ansbach, 3 August 2023, No. AN 14 K 19.01313).
[6] It is only where a complaint is rejected that the data subject may refer the matter to the Conseil d’État; in such cases, limited judicial review applies as a matter of principle (Conseil d’État, 21 June 2023, Mousse, No. 452850). Full judicial review applies solely to those aspects of the complaint relating to an infringement of the data subject’s rights (Conseil d’État, 21 October 2022, No. 459254).
[7] This was indeed the case in the DSB decision referred to in the introduction.
[8] The likelihood of the risk has increased following the introduction of a simplified sanctioning procedure: Article 22-1 of Law No. 78-17 of 6 January 1978.
Disclaimer
The opinions, presentations, figures and estimates set forth on the website including in the blog are for informational purposes only and should not be construed as legal advice. For legal advice you should contact a legal professional in your jurisdiction.
The use of any content on this website, including in this blog, for any commercial purposes, including resale, is prohibited, unless permission is first obtained from Evidency. Request for permission should state the purpose and the extent of the reproduction. For non-commercial purposes, all material in this publication may be freely quoted or reprinted, but acknowledgement is required, together with a link to this website.
