The Future of Defensive Investigations and Remote Monitoring in Italy

One of the most significant implications of the COVID-19 pandemic has been a massive spread of agile work. Under an agile work agreement, which is governed by Law No 81/2017 in Italy, employees are entitled to choose where and when to render their services – without any constraints. In other words, agile work has introduced a new way of managing the employment relationship, in which employees are only expected to take into account the “phases, cycles and objectives” set by the employer – rather than simply complying with working hours at the workplace.

A further implication of the spread of agile work is the increasing need to monitor performance remotely using technological tools. This becomes particularly important when the employer intends to verify whether the agile worker has engaged in disciplinary misconduct or even criminal offences.

To this end, according to Italian law, companies are not entitled to conduct this type of investigation directly. Instead, they must rely on external specialised providers to carry out a lawful digital forensic probe. In any case, digital forensics may focus exclusively on employees’ professional activity or on potential behaviour that could trigger criminal liability.

As a result, such an investigation cannot be indiscriminate, as the employer’s interests must be balanced with the employee’s rights to privacy and dignity. For this reason, depending on the scope and breadth of the investigation, digital forensics may be subject to limits set forth by supranational law (namely, Section 8 of the ECHR) and national law (under Section 4 of Law No 300/1970) – as outlined by recent case law on the subject.

According to Section 8 of the ECHR, each person is entitled to the protection of their private and family life ‒ as well as their domicile and correspondence ‒ from interference by any public authority. Such interference may be considered lawful only when it is allowed by applicable law to protect the following public and individual interests:

• national and public security;
• the country’s economic well-being;
• public order and crime prevention;
• health and morals; or
• third parties’ rights and freedoms.

The same reasoning applies to employment relationships, where the employer’s interests and employee’s rights are at stake.

Italian legal constraints and case law

In terms of national law, the relevant rules and limits are set forth by Section 4 of Italian Law No 300/1970 (as amended by Legislative Decree No 151/2015) ‒ according to which, employers are entitled to install software or hardware tools that could imply remote monitoring of employees only upon entering into a bargaining agreement with trade unions or, in the absence of work councils, upon authorisation from the relevant labour inspection authority. In any case, no tool can be used for any sort of direct control over the employees’ performance. Any tool potentially implying remote monitoring of employees, even indirectly, can be justified only by the following reasons:

• organisational and productive reasons;
• safety of work; and
• protection of company assets.

However, pursuant to Section 4 of Italian Law No 300/1970, the aforementioned limits do not apply to tools that are needed by employees strictly to perform their working activities (nor to those tools aimed at registering the employees’ access to the workplace). Moreover, according to the same piece of legislation, the data collected with such tools can be used for all employment-related purposes (including for disciplinary reasons) ‒ subject to the condition that employees are provided with adequate information on how to use the tools themselves, how the controls are carried out, and how their personal data are protected (in compliance with the EU’s General Data Protection Regulation (GDPR)).

Within this legal context, there is a debate in Italian case law over:

• whether “defensive investigations”, used in order to protect company assets, come under the scope of Section 4 of Italian Law No 300/1970; and
• whether such controls are compatible with the cited legal provisions.

The application of Section 4 of Italian Law No 300/1970 to defensive investigations depends on whether they concern the whole workforce or a specific employee. On the one hand, when defensive systems concern the whole workforce (or a group of employees) in the performance of their working activities, such systems fall under the scope of Section 4 of Italian Law No 300/1970 ‒ meaning all the requirements set out therein must be complied with in order to carry out lawful investigations. On the other hand, the legal provisions under Section 4 of Italian Law No 300/1970 do not apply to defensive systems aimed at investigating any illicit misconduct that could be traced to a single employee and that constituted a threat to the company’s interests and assets.

Nevertheless, as the balance between the protection of company interests and property and the employee’s privacy and dignity is at stake, the following conditions are required in order to carry out a lawful investigation into a single employee’s suspected illicit misconduct.

There must be a grounded suspicion of illicit misconduct, justified by material concrete evidence.

The investigation should be carried out only in response to grounded suspicion of an employee’s illicit misconduct (ex post and not ex ante).

The investigation should be focused only on the suspected illicit misconduct (and not on the employee’s overall working performance).

When the case is brought before the relevant court, the burden of proof regarding the existence of the aforementioned conditions lies on the employer ‒ given that digital forensics are often used in relation to employee dismissal. This party must persuade the court that the suspicion of the employee’s illicit misconduct was reasonable and based on material evidence (and not merely on a subjective belief).

It is important to point out that, subject to the above-mentioned requirements, even pieces of information obtained through defensive investigations that were initiated without prior agreement with the trade unions or authorisation from the labour inspection authority may be lawfully used before the court. In fact, the criminal judge may admit such pieces of information, provided that the use of defensive investigations was aimed at protecting the company’s property and assets and that they do not imply extensive monitoring of the employee’s performance.

Conversely, in the absence of a grounded suspicion, relevant pieces of information on an employee’s illicit misconduct that are obtained unlawfully cannot be used as evidence before the court. This is set forth by the regulations on privacy currently in force in Italy ‒ in particular, pursuant to the GDPR.

The protection of the employee’s privacy and dignity cannot disregard privacy regulations, especially those concerning the employer’s prior disclosure obligations towards the employee and the purpose of the data processing. In fact, pursuant to GDPR provisions, data processing is lawful when it is aimed at enforcing a right before a court of law ‒ provided that the data is processed for a limited period of time.

European case law

As the matter is also covered by supranational legislation and involves the application of Section 8 of ECHR, the European Court of Human Rights has also provided some case law on the topic. According to this court, use of defensive investigations is lawful when justified by a grounded suspicion of illicit misconduct and when the investigations are proportionate to the employer’s organisational interests (see, among others, the case of Lopez Ribalda et al v Spain in 2021 and the case of Gramaxo v Portugal in 2022).

European Court of Human Rights case law has identified some aspects that should be considered in the evaluation of the proper balance between the interests of employers and those of employees, focusing on proper disclosure to employees of any monitoring systems potentially used by the employer. Case law implies that the employer must:

• inform the employees of the possibility that monitoring systems will be used, prior to their usage, and of the extent of such monitoring activities;
• have grounded reasons to use monitoring systems;
• take into account whether such measures are proportionate to their scope and minimise as much as possible the impact on the employee’s privacy; and
• use the investigation’s results only for the stated purposes of the monitoring activities.

According to the above-mentioned requirements outlined by the European Court of Human Rights, there is a tendency for the Italian courts to deem as unlawful those defensive systems:

• used without a grounded reason and without prior disclosure to the employee regarding the use and extent of such defensive systems;
• that are able to monitor all correspondence on the computer provided by the company; and
• that do not comply with the company’s internal regulations on the use of electronic mail.

Recent developments

Owing to the current legal framework and case law practice, defensive investigations are subject to strict rules that do not only result from the application of Section 4 of Italian Law No 300/1970 (when they fall under the scope of that legislation). These rules also ensure the necessary balance between the interests of the employer and the employee, as well as compliance with privacy regulations.

The courts’ evaluation of the concrete circumstances in which defensive systems can be used tends to be quite restrictive, as an employer’s power to monitor employee working performance through technological tools may threaten employees’ rights to privacy and dignity. Nevertheless, the boundaries between lawful and unlawful investigations may be blurred, and it can be difficult to restrict investigations on illicit misconduct by employees without interfering with their performance evaluation.

Given the issues outlined here, and the increasing use of technological tools and monitoring systems in everyday employment relationships, European and Italian legislators have approached the topic with a certain sensitivity. In fact, the recent Italian Legislative Decree No 104/2022 (called the “Transparency Decree”) expressly sets forth specific disclosure obligations towards employees in the event that working performance is evaluated (totally or partially) by means of automated decision-making or monitoring systems (eg, those involving algorithms), save for the provision under Section 4 of Italian Law No 300/1970. This is a direct consequence of GDPR provisions concerning transparent data processing and disclosure obligations towards employees, and of the employee’s fundamental right to privacy.

Outlook

Agile working is likely to become more and more widespread in the near future, along with the use of defensive systems and the development of more pervasive technologies. As such, it is reasonable to expect that the courts will interpret the requirements for lawful investigations even more restrictively and that, in the coming years, there will be new interventions by the legislator. The aim is for both case law and legislative interventions to bring more clarity to a matter that has no clear boundaries and that involves conflicting and delicate interests, in the context of practices in an employment market subject to continuous evolution and challenges still to be addressed from a legal perspective.