Is AI Reading My Work Emails? What Employers Can and Cannot Do
Microsoft Copilot, Google Workspace AI, and other enterprise AI tools have access to your emails and messages by default. What your employer can see, what they are allowed to do with it, and what your rights are.
Key Takeaways
Enterprise AI tools like Microsoft 365 Copilot and Google Workspace AI are trained on or have access to your work emails, calendar, and documents by default — your employer can use these tools in ways that effectively analyse your communications.
Your employer owns work email systems and can generally access work emails — but in Australia and the EU, accessing employee communications requires disclosure and must be proportionate to a legitimate business purpose.
AI-powered email analysis for productivity, sentiment monitoring, or compliance scanning must be disclosed to employees — covert AI analysis of employee communications is unlawful in most jurisdictions.
Personal emails sent on work systems occupy a grey area — your employer generally should not access truly personal messages, but the legal protection is limited if you use a work email account for personal communication.
Practical advice: treat work email as potentially visible to your employer and to AI systems. Use personal email accounts for personal communications. Raise any concerns about undisclosed monitoring in writing.
"For informational purposes only. This article does not constitute legal, regulatory, financial or professional advice. For specific advice, consult a qualified professional."
What enterprise AI tools can access
When your employer deploys AI tools across your organisation — Microsoft 365 Copilot, Google Workspace AI, Slack AI, or similar — those tools have access to everything those platforms contain. For Microsoft Copilot, that means your emails, Teams messages, calendar, documents, SharePoint, and meeting recordings. The AI can summarise your conversations, surface information from your emails in responses to colleagues, and analyse patterns across your communications. This access is by design — it is what makes these tools useful. But it means the data you previously thought of as "your" emails is now potentially being processed by AI in ways you may not have expected.
The legal question is not whether the AI can access this data — it is whether it is lawful for your employer to process it in this way, and what your rights are if you have concerns.
What the law says in different jurisdictions
In the UK, the ICO's Employment Practices: Monitoring at Work guidance requires employers to inform employees about monitoring, have a legitimate basis for it, and ensure it is proportionate. UK GDPR requires a DPIA before deploying monitoring technology that significantly affects employees. Covert monitoring — monitoring employees without telling them — is only lawful in very limited circumstances involving specific suspected criminal activity. Routine AI analysis of work emails without telling employees it is happening is likely unlawful under UK GDPR.
In the EU, GDPR Article 88 allows member states to adopt specific rules on data processing in the employment context, including monitoring. Most EU member states impose stricter requirements than the baseline GDPR. Germany requires works council consultation before introducing employee monitoring technology. France's CNIL has issued guidance requiring employers to inform employees before AI-assisted monitoring. The general principle across the EU is that email monitoring must be necessary, proportionate, and transparent.
In Australia, the Privacy Act applies to the handling of personal information by employers covered by the Act (>$3M turnover). The APPs require open and transparent management of personal information (APP 1) and restrict use and disclosure to the purpose of collection (APP 6). The Telecommunications (Interception and Access) Act 1979 applies to interception of communications, but includes a workplace exemption that generally allows employers to monitor communications on employer systems where employees have been informed. State and territory surveillance laws (such as the Workplace Surveillance Act 2005 in NSW) add a further layer — covert computer monitoring in NSW requires a court order.
In the United States, federal law (ECPA) has a broad employer exception that allows monitoring of employer-owned systems with employee notice. Several states require written notice before electronic monitoring — Connecticut, Delaware, New York, and others. New York's Electronic Monitoring Law (effective 2022) requires employers to notify new employees of monitoring at hiring and post notice in the workplace. There is no federal law prohibiting AI analysis of work emails — but the monitoring must not be used to identify employees engaged in union activity or protected concerted activity under the NLRA.
What your employer can legitimately do
In most jurisdictions, your employer can lawfully: monitor email communications on employer systems where you have been informed this may happen; use AI tools to analyse emails for business purposes (compliance, security, customer service quality) provided this is disclosed; retain records of work communications for business and legal purposes; and use AI email monitoring as part of a legitimate investigation into misconduct where there is a specific reason.
What your employer generally cannot do
In most jurisdictions: conduct covert monitoring without informing you; monitor personal email accounts accessed on employer systems without specific consent; use monitoring to identify employees engaged in protected union or concerted activity; retain communications data longer than necessary; or share monitoring data with third parties without an appropriate basis. AI analysis of personal messages — WhatsApp, personal Gmail, personal social media accessed on employer devices — is generally not lawful without explicit consent even in permissive jurisdictions.
Practical steps if you have concerns
Read your employment contract, staff handbook, and any IT acceptable use policy. These should disclose what monitoring occurs. Check your employer's privacy notice — if your employer is subject to GDPR, UK GDPR, or the Australian Privacy Act, they should have provided a privacy notice explaining how your data is handled. If AI monitoring is not disclosed, you may be able to raise this as a concern. Ask your employer's HR or Data Protection Officer for clarification. If you believe monitoring has been used unlawfully — for example, to identify protected union activity or to discriminate — seek legal advice. Maintain awareness of what you communicate on employer systems. Work emails on employer systems are not private in most employment relationships, regardless of AI. Treat them accordingly.