The ban on monitoring in the Norwegian e-mail regulation
Norway has a separate regulation that regulates an employer’s access to employees’ electronic mailboxes and other electronically stored material (the e-mail regulation).
When a user interacts with M365 Copilot, data about these interactions are stored containing the user’s prompts and M365 Copilot’s answers, including references to source material (the interaction log). The interaction log is stored in a hidden folder in the user’s ‘mailbox’. Such hidden folders are not designed to be directly accessible to users or administrators, but can be searched by compliance administrators using ‘eDiscovery tools’.
Deletion of the log
Whether and when the interaction log is permanently deleted depends on the organisation’s storage policy. A user may have the opportunity to delete the interaction log themselves as an option in the M365 Copilot settings, but it is unclear to NTNU whether a user deleting their own log also entails deleting the log that the administrator can see. Microsoft itself states that ‘Messages visible in Copilot are not an accurate reflection of whether they are retained or permanently deleted for compliance requirements’. The interaction log will first be moved to the SubstrateHolds folder. The interaction log will not be permanently deleted until the storage period set by the organisation expires.
The e-mail regulation encompasses electronic mailboxes, personal areas in the organisation’s computer network and other electronic equipment that an employer has placed at the employee’s disposal for use in their work for the organisation. The regulation also applies to data that have been deleted, if they are found on backup copies or similar. It is clear that the interaction log falls within the scope of the regulation.
The e-mail regulation contains, firstly, conditions as to when the employer may, in an individual case, access information stored in the above-mentioned area. Secondly, Section 2 of the e-mail regulation contains a ban on monitoring the employee’s use of electronic equipment, unless the purpose of monitoring is
- to manage the organisation’s computer network or
- to detect or resolve security breaches in the network
The Norwegian Data Protection Authority’s guidelines state that the ban applies if: (1) the measure concerns monitoring, (2) the monitoring is aimed at employees’ use of electronic equipment and (3) the employer has access to the information.
Is the interaction log monitoring?
The interaction log will show the history of an employee’s use of electronic equipment. The question is therefore whether the interaction log is to be regarded as monitoring pursuant to the e-mail regulation. The interaction log can be considered monitoring, even if this is not the intention of the employer. Relevant factors in the assessment include the type and amount of information in the log, how long the information is stored and how much of the workday can be traced.
The interaction log can reveal a lot about someone’s behaviour and workday. M365 Copilot is built into all the tools the employees use on a daily basis, such as Word, Excel, PowerPoint and Teams. The extensive mapping that takes place when employees use M365 Copilot indicates that the interaction log should be regarded as monitoring.
Log access
If only the employee had access to the log, the ban would not apply. As described above, the ban applies if the employer has access to the data.
NTNU found that the employer has access to the interaction log using eDiscovery and Purview. There is also a function that causes a user’s prompts to be sent for control if certain criteria are met – in other words, an ‘alarm’ is triggered. NTNU can change these criteria itself. However, it is unclear how much of the interaction log is sent for control, to whom and for what purpose.
Overall, we consider it likely that the interaction log could fall under the prohibition on monitoring employees’ use of electronic equipment as set out in Section 2 second paragraph of the e-mail regulation. In order for the interaction log to be created lawfully, the purposes of the interaction log must fall under one of the exemptions.
Exemptions from the prohibition
One exemption applies if the purpose is to ‘manage the organisation’s computer network’. This is to be understood as all practical and technical measures necessary for the functioning of systems, networks, equipment and software. We understand that the main purpose of the interaction log is to ensure that the quality of the service is as it should be. By reviewing the user’s prompts and M365 Copilot’s answers, NTNU can identify weaknesses and improvement potential in the system. Potential systematic wrong answers can be detected and corrected. That purpose may fall under the exemption that applies to managing the organisation’s computer network.
The second exemption may apply if the purpose of the interaction log is to ‘detect or resolve security breaches in the network’. We consider that what is meant by security breach is a breach of information security in general. This is generally said to be about ensuring that information does not become known to unauthorised persons (confidentiality), is not changed unintentionally or by unauthorised persons (integrity) and is available when necessary (availability). Whether this exemption applies must be assessed specifically in light of the purpose of the interaction log.
For both exemptions, NTNU must be aware of the principles of data minimisation and purpose limitation.