A recent case before the European Court of Human Rights Barbulescu v Romania has set the cat amongst the pigeons on the perennial hot topic of employees’ entitlement to privacy in the workplace.

Widespread media reports in the UK in particular would give employers to believe that unfettered monitoring of employee emails and internet use is now acceptable and that engaging in personal email or messaging during working hours is legitimate grounds for dismissal. However, this is simply not the case, and employers must beware. An employer who engages in this type of monitoring and imposes disciplinary sanctions as a consequence can, in fact, expect to find themselves in hot water in many jurisdictions. Employers must, as a minimum, have comprehensive, and bespoke, IT and internet policies in place, clearly setting out the rights and obligations of employees, how monitoring is conducted and how data is processed and used. The policies must also be effectively communicated to employees, accompanied by appropriate training and consistently enforced.

The case

The claimant, Mr Barbulescu, was an engineer in charge of sales. In July 2007, he was asked by his employer to set up a Yahoo Messenger account for the purpose of responding to clients’ enquiries. The employer gave notice to its employees at the beginning of July that internet use would be monitored (although this was disputed by Mr Barbulescu). In the period 5-13 July, the employer monitored Mr Barbulescu’s Yahoo communications. This identified that Mr Barbulescu had been using the internet for personal purposes, contrary to the company’s rules which prevented personal internet use.  The rules stated: “It is strictly forbidden to disturb order and discipline within the company’s premises and especially…to use computers, photocopiers, telephones, telex and fax machines for personal purposes“.

Mr Barbulescu initially denied any personal use, but the employer’s produced a transcript of his communications. Mr Barbulescu sought to argue that his employer had violated the Criminal Code and the Romanian Constitution by violating his correspondence and brought a claim in the Bucharest County Court.

The court dismissed his claim, finding that the employer had complied with the relevant disciplinary proceedings and that Mr Barbulescu had been informed about the employer’s rules on personal internet use. Mr Barbulescu appealed the court’s decision, claiming that emails are protected by Article 8 of the Convention relating to respect for private life and correspondence. The Court of Appeal dismissed Mr Barbulescu’s appeal, ruling that the employer’s conduct had been reasonable and that monitoring his communications was the only method of establishing the disciplinary breach.

Mr Barbulescu took his case to the European Court of Human Rights (ECHR). The ECHR identified that, on the face of it, telephone calls from business premises are covered by the notions of ‘private life’ and ‘correspondence’ for the purposes of Article 8, and that emails, and information derived from monitoring employee usage, would be similarly protected. The ECHR also relied on previously established case law that in the absence of notice about monitoring, employees would have a reasonable expectation as to the privacy of their calls and emails.

The ECHR said that it therefore needed to examine whether a fair balance had been struck between Mr Barbulescu’s right to respect for his private life and correspondence, and his employer’s interests. It found that there had, and that therefore Mr Barbulescu’s claim should fail (although one judge dissented in strong terms). It relied on the following findings:

  • Mr Barbulescu had been able to raise his arguments before the domestic courts and they had found that the employer had acted within its disciplinary powers;
  • The domestic courts had also found that Mr Barbulescu had used the company’s computer for personal use during working hours, and that there had therefore been a disciplinary breach of the employer’s rules;
  • The employer had only accessed Mr Barbulescu’s account on the basis that the information in question was assumed to relate to Mr Barbulescu’s professional activities given the clear rule against personal use and Mr Barbulescu’s statement that he had not made personal use of the account; it had not accessed any other documents or data on Mr Barbulescu’s computer and its monitoring was therefore limited in scope and proportionate;
  • The domestic courts had not placed any weight on the contents of the specific messages; it had only considered activity on that account to the extent it proved the breach of company rules;
  • It was not unreasonable for an employer to want to verify that employees are completing their professional tasks during working hours; and
  • Mr Barbulescu had failed to convincingly explain why he had used the Yahoo account for personal purposes.

Implications

On the face of it, this case does appear to give employers some confidence about their ability to monitor employee emails and internet use. However, the outcome was heavily dependent on the facts; in particular the ECHR was willing to find that a blanket ban on personal internet use was sufficient in this case to weigh the employer’s interests evenly against the claimant’s right to private life and protection of correspondence. This was so, even though it was in dispute whether the employee had been properly notified that monitoring would take place.

However, while in a few jurisdictions it is considered good practice to prohibit all personal use (e.g. Germany and Spain), in the majority of workplaces enforcing a blanket ban on personal use of communications systems is unworkable. In some jurisdictions a total ban on personal use may potentially be challenged as unlawful, particularly given the importance of the role of the internet in freedom of expression or right of assembly. In practice most employers will allow employees to use the company’s internet and email/messaging systems for reasonable personal use; others will allow employees to use their own equipment for work-related matters, and some employers will permit both. In that context, as the dissenting judge identified in his judgment, strict limits apply to an employer’s surveillance of employees’ communications.

The key issues to consider are:

  • Employees have a reasonable expectation of privacy;
  • Expectations of privacy may be displaced in most jurisdictions by a bespoke policy with specific rules on email, instant messaging, social networks, internet surfing etc and a comprehensive policy on employee monitoring that explains what is monitored and how. In some jurisdictions, however, any policy allowing employees to reasonable personal internet use will make it impossible for the employer to access / monitor e-mails without each time obtaining the employee’s specific consent;
  • Employees must be aware of the employer’s policies, both in terms of the rules which apply during working hours, and outside working hours, and in terms of any restrictions on the use of company equipment. Employees should preferably give their explicit consent to these policies. It some jurisdictions it may be necessary to obtain local works council’s consent before implementing such policies;
  • The enforcement of an employer’s internet policies should be guided by the principles of necessity and proportionality. For example, monitoring for systems protection should use filters only. Before carrying out any substantive monitoring, employers should consider whether the benefits of that measure outweigh the adverse impact on the employee’s right to privacy. Continuous monitoring of internet use or emails will not be permissible;
  • Local employment laws and collective agreements will also impact on the lawfulness of policies on email and internet use and monitoring. Any processing of personal data for the purposes of the employment relationship, including staff management, and termination of employment, by way of an electronic device must be regulated by contract or collective agreement in line with data protection laws and principles. Specific forms of data processing like internet and email use are likely to warrant detailed rules and procedures.