Business that monitored employee's personal communications breached his rights to privacy, rules ECHR

Out-Law News | 05 Sep 2017 | 3:54 pm | 4 min. read

A business that monitored an employee's personal communications during work time breached his rights to privacy, the Grand Chamber at the European Court of Human Rights (ECHR) has ruled.

Romanian engineer Bogdan Bărbulescu was dismissed from his job in 2007 for breaching the terms of his employment contract after his employer showed that he had been using a messaging service for personal communications during work time, against company policy.

During disciplinary proceedings, the employer presented Bărbulescu with a copy of personal emails he had exchanged with his brother and fiancée via Yahoo Messenger as evidence that he had breached company policy. Bărbulescu had been requested to set up a Yahoo Messenger account by the employer to enable him to handle enquiries from clients.

Bărbulescu claimed that his right to secrecy of correspondence under Romanian law had been breached by his employer's monitoring.

The Romanian Court of Appeal previously ruled that the monitoring was justified under EU data protection laws. However, the Grand Chamber said the Romanian court had not properly examined "the scope of the monitoring and the degree of intrusion into [Bărbulescu's] privacy" when it had examined the case. Nor did it appear the court "carried out a sufficient assessment of whether there were legitimate reasons to justify monitoring [Bărbulescu's] communications", it said.

As a result, the Romanian court "did not afford adequate protection of [Bărbulescu's] right to respect for his private life and correspondence and … consequently failed to strike a fair balance between the interests at stake", the Grand Chamber said.

The split decision, backed by 11 of the 17 sitting judges in the Grand Chamber, overturned a 2016 ruling issued by a Chamber of the ECHR in the case.

Data protection law expert Kathryn Wynn of Pinsent Masons, the law firm behind, said the judgment served to highlight new responsibilities that employers seeking to deploying employee monitoring technology will have under the new General Data Protection Regulation (GDPR), while Paris-based employment law expert Coline Bied-Charreton, also of Pinsent Masons, said the ruling shed new light on employers' responsibilities under French law.

According to the new judgment, while businesses are entitled to set out internal policies that restrict the rights of staff to use the internet for personal purposes, "an employer’s instructions cannot reduce private social life in the workplace to zero".

The employee's rights to privacy in their communications "continues to exist, even if these may be restricted in so far as necessary", it said.

The Grand Chamber concluded Bărbulescu's rights to privacy under article 8 of the European Convention on Human Rights had been violated after assessing whether his employer had informed him in advance of the true extent and nature of communications monitoring it would engage in under its policy, and whether the monitoring activity was carried out in the pursuit of legitimate interests that justified the intrusion of privacy.

According to the judgment, Bărbulescu was aware of his employer's policy on internet use and had signed a copy of it in 2006. His employer had also reiterated the policy in an email to staff in June 2007, which referred to the dismissal of another member of staff for breach of the policy, it said.

Bărbulescu's awareness of the possibility of monitoring had been raised when he had been "warned that he should not use company resources for personal purpose" and when he received the email regarding his colleague's dismissal, which came shortly before disciplinary proceedings were opened against him, the court said.

However, the Grand Chamber said that it did not appear the employer had given Bărbulescu sufficient advanced notice of "the extent and nature of [their] monitoring activities, or of the possibility that [it] might have access to the actual content of his messages". It said this had only become clear to Bărbulescu when he was presented with a copy of the communications he had exchanged with his fiancé and brother during his disciplinary hearing.

"To qualify as prior notice, the warning from the employer must be given before the monitoring activities are initiated, especially where they also entail accessing the contents of employees’ communications," the Grand Chamber said. "International and European standards point in this direction, requiring the data subject to be informed before any monitoring activities are carried out."

The Grand Chamber also said that the Romanian courts had also "failed to determine, firstly, the specific reasons justifying the introduction of the monitoring measures; secondly, whether the employer could have used measures entailing less intrusion into [Bărbulescu's] private life and correspondence; and thirdly, whether the communications might have been accessed without his knowledge".

"The ruling should serve to remind firms that it is no longer sufficient just to establish an employee monitoring policy and get employees to sign it," said Kathryn Wynn of Pinsent Masons. "Employers should carry out a privacy impact assessment before deploying communications monitoring technology to satisfy themselves that the software is not too intrusive and that its use is proportionate to the objectives they are pursuing and that there are not other ways to achieve those objectives that are less intrusive. Many organisations will be obliged to carry out these privacy impact assessments under the new General Data Protection Regulation (GDPR)."

"In some cases, employers may wish to engage in enhanced monitoring of employees' personal communications if, for example, they believe that it is affecting performance or productivity. However, businesses should in most cases be able to demonstrate an overuse of personal communications during work hours by reference to the type of communications tool being used and/or the address of recipients, and avoid having to read the content of communications to reach that conclusion. At each stage that monitoring of an employee is cranked up, employers should carry out a mini privacy impact assessment to ensure the activity is justified," Wynn said.

Coline Bied-Charreton of Pinsent Masons said: "Until now, according to French employment case law, employers have been able to access any messaging system used by employees for work purposes, provided the messages are not tagged as 'private' by the employee," Bied-Charreton said.

"A communication is deemed 'private' if it is made on a private device or private messaging system, or it is made on a professional device or company messaging system and is badged as 'private' in the message title. As a consequence, all communications sent or received on a professional device that are not denoted 'private' are considered as professional and non-private communications," she said.

"However, this ruling by the Grand Chamber of the ECHR suggests that even where employees' communications are not marked as 'private', employers are not able to open those emails unless they have provided those employees with prior information that explains that this type of monitoring might take place. The judgment imposes a strong prior obligation of information on employers which has, until now, not been mandated in French case law," Bied-Charreton said.