A ruling last week from the European Court of Human Rights (ECHR) in the case of Barbulescu v Romania, has been the hot topic of conversation at water coolers (and, somewhat ironically, on social media) all over Europe in relation to whether employers may be entitled to trample employees' privacy rights and access personal employee messages sent while employees are at work. The ECHR has held that an employer has, in certain circumstances, the right to read and access information that is sent by an employee during their working hours.

Irish employees can be assured, however, that this case does not set a precedent for unlimited access by employers to personal messages sent by employees during office hours.

What happened? 

The claimant engineer set up a Yahoo messaging account at the request of his employer for communicating with clients. The claimant was informed that his account had been monitored over several days and provided with a 45 page transcript including several communications to his fiancée and brother concerning sensitive issues such as his health, sex life, etc. Significantly, the employer's internal regulations (i.e. employment handbook) expressly stated the company’s computers could only be used for business purposes. The claimant was subsequently dismissed for breach of the internal regulations and he unsuccessfully challenged this decision in Bucharest's domestic courts before taking a claim to the ECHR for breach of his right to privacy contrary to Article 8 of ECHR.

What arguments were made?

The claimant argued that his right to privacy under Article 8 had been breached by his employer and that the domestic courts had failed to protect this right. He argued that this breach could not be justified under one of the exceptions under Article 8 and that his employer’s response had not been proportionate.

The State, on the other hand, argued that they had met their obligations under Article 8 and that there was no European consensus on the use of personal information in the workplace. The State also alleged that a different balancing act might have been engaged if the claimant hadn’t initially denied that he had been using the account for personal purposes. It was also submitted that a ban on using company property for personal information was expressly contained in company’s employment handbook and both the use and breach of same was well known to all employees, with a different employee having been dismissed.

What did the ECHR decide?

The ECHR looked at the meaning of Article 8 and found that it contains both positive and negative obligations. The precise scope of the boundary between these obligations cannot be defined. The test which the court had to apply was whether a fair balance had been struck between the employee’s expectation of a right to privacy and the employer’s interests in protecting the operations of their business.

The ECHR was influenced by the fact that the reason the company had accessed the messages was because the employee had claimed he had used the account solely for business purposes. The employer had acted within the remit of its own disciplinary process as it had therefore assumed that any information it accessed on Yahoo messenger was related to business purposes and, consequently, such access was legitimate.

Significantly, while no allegation was made that the employee caused damage to the employer’s business, the court found that it was not unreasonable that an employer would want to ensure that an employee is completing their work tasks during working hours.

The court also found that, as it hadn’t accessed any other information of the employee, the employer’s response was proportionate.

Comment

The outcome of the case is not entirely surprising.  The ECHR was heavily influenced by the company’s general prohibition on using company property for personal purposes and noted that all employees had been advised that surveillance of these messaging accounts would take place.

The issue of workplace privacy is becoming an increasingly tricky subject for employers to navigate as ever evolving forms of communication mean the lines between work and home life are increasingly blurred.  The only dissenting judge raised some interesting questions about the future of work and technology in the workplace when he said that workers do not abandon their right to privacy and data protection when they arrive at the workplace every morning. He called for comprehensive internet usage policies to be put in place which should include “specific rules on the use of email, instant messaging, social networks, blogging and web surfing. Although policy may be tailor-made to the needs of each corporation as a whole and each sector of the corporation infrastructure in particular, the rights and obligations of employees should be set out clearly, with transparent rules on how the Internet may be used, how monitoring is conducted, how data is secured, used and destroyed, and who has access to it.”

Will Irish courts be bound by an ECHR decision?

Ireland is a signatory to the Convention and, while not bound by the decisions of the ECHR, they are of persuasive influence and likely to be borne in mind by the courts in future decisions.

What does the decision mean for Irish employers?

  • This case serves as a reminder of the importance of having a well drafted internet usage/employee monitoring policy in place which is communicated to employees and strictly adhered to by employers.
  • Employers should regularly review and update these policies to ensure that they take account of new means of communication (wearable devices, etc.) and that the appropriate checks and balances are in place.
  • If employers decide to monitor or audit employees’ online activity they should do so cautiously as it can cultivate a culture of mistrust and hostility in the workplace.
  • This case does not give a carte blanche to employers to monitor employees' personal online activities. The employee in this case was using a company computer (not a personal smartphone or even a BYOD device) to send personal messages while at work, in direct contravention of a well-advertised and well-known company policy. Use by employees of purely personal mobile devices appears to be generally safe from employer scrutiny…for now.