The high cost of hidden chats: Regulators crack down on employee messaging

By Clare-Alice Vertue, partner; Karl Blom, partner; Siya Ngcamu, senior associate; and Sidrah Suliman, associate at Webber Wentzel
Clare-Alice Vertue, partner, Karl Blom, partner, Sidrah Suliman, associate and Siya Ngcamu, senior associate, Webber Wentzel.
Clare-Alice Vertue, partner, Karl Blom, partner, Sidrah Suliman, associate and Siya Ngcamu, senior associate, Webber Wentzel.

The European Commission recently fined a European company after a senior employee deleted private WhatsApp messages during a dawn raid pertaining to a competition law violation. The WhatsApp chat in question was with a competitor and contained business-related information. This fine illustrates the growing scrutiny on digital communication channels as employees increasingly rely on platforms like WhatsApp for personal and professional interactions. Regulators are recognising the need to adapt their enforcement strategies.

The use of messaging platforms such as WhatsApp and Snapchat, which offer ephemeral or disappearing message features, likely provides a false sense of privacy to employees and managers. Employees may feel more comfortable sharing information or discussing sensitive topics that they might not want to address in a more permanent format, like e-mail. Similarly, when the regulator is at the door, employees who are hesitant to switch on the shredder can quickly reach into their pocket and hit delete on communications they don’t think their employer will want the regulator to see. As the European Commission’s fine illustrates, the consequences can still be borne by the company. Financial institutions globally have faced regulatory scrutiny over the use of messaging apps by employees to discuss sensitive matters. There has been a move away from the use of third-party messaging apps on the work mobile phones of employees, a trend we have not yet seen in South Africa.

In South Africa, a number of regulators and public bodies are empowered to conduct dawn raids. For example, dawn raids may be conducted by:

  • The South African Police Service.
  • The South African Revenue Services.
  • The Competition Commission.
  • The Information Regulator.

While each authority is subject to different laws governing the powers granted to them, as a general principle, they may enter a firm's premises, seize and/or make copies of documents and collect electronic data that form part of the investigation. In Webber Wentzel’s experience, a significant focus of dawn raids is accessing electronic documents such as those on servers and devices. If a company fails to comply with its legal obligations during a dawn raid, significant fines and/or criminal penalties may be imposed. As dawn raids have proven to be effective investigatory tools, we anticipate that regulators and law enforcement will continue to conduct dawn raids in South Africa (and that their frequency will likely increase).

The best defence is having an effective document management and communication policy that is well known and understood. The hallmarks of a dawn raid-ready company are the following:

  1. Employees have clear reporting guidelines, indicating who they must contact in the event of a dawn raid.
  2. Employees are aware that they cannot delete, destroy, hide or falsify any documents or information during the dawn raid, as this may result in criminal liability not only against the employer but also against the employee. This includes information stored on mobile phones or computers, which relate to the business of the employer.
  3. Employees are provided with training on their rights and obligations during a dawn raid, as well as the manner in which they must act to protect the confidential and legally privileged information of their employer within the confines of the law.
  4. Employees are aware that any dawn raid must be conducted with due regard to their dignity as well as their right not to answer questions that may be incriminating, particularly without the assistance of a legal representative. This being said, employees must co-operate with the investigators and answer questions truthfully and to the best of their ability.
  5. Employers should implement procedures for the disclosure of confidential information. This may include a process that requires employees to disclose to the employer any information that they have been required to disclose by law to enable the employer to take steps to mitigate any harm to its business and/or its clients.
  6. Employees are aware that they cannot discuss the dawn raid with other employees or third parties unless they have been authorised by their employer to do so.

Employers must take measures to protect the confidentiality, availability and integrity of communications pertaining to their business and may face difficulties if employees routinely utilise messaging apps to conduct business. Some applications make provision for encrypted messaging, and communication data is typically kept 'in the cloud', to which employers do not have access. Companies should understand the extent to which employees are using third-party applications in conducting business and appropriately adjust their policies and procedures.

Share