In a decision rendered last January 12, 2016, the European Court of Human Rights (“ECHR”) held that the dismissal of an employee for having used his professional email account for personal purposes during working hours did not violate Article 8 of the European Convention on Human Rights1.

The applicant, a Romanian national, was employed by a private company from 2004 to 2007 as an engineer in charge of sales. At the employer’s request, he created a Yahoo Messenger account to respond to client enquiries. In July 2007, the employee was informed by his employer that his Yahoo Messenger account had been monitored for a week and the records showed that he had used the device for personal purpose, whereas the company internal regulations expressly prohibited the use of company device (e.g., computers, telephones) for personal purposes. Dismissed on this ground, the employee challenged his dismissal first before the national Romanian courts, which rejected his claim, and then before the ECHR.

The ECHR considered that by using his professional account on the company computer during working hours with disregard to company internal regulations, the employee committed a disciplinary fault. The ECHR observed that the employer had accessed the employee’s professional account on the assumption that it contained professional messages. Moreover, the monitoring showed only the list of extra-professional communications and the content of the messages, nor its recipients had not been disclosed during the litigation. Such surveillance was therefore considered as reasonable and not viewed as a violation of Article 8 of the European Convention. In this regard, the Court noted that it is not unreasonable for an employer to want to verify that his employees are completing their professional tasks during working hours. Here, the employer had acted within its disciplinary powers provided for by the Romanian Labor Code when it dismissed the employee.

This decision is in line with ECHR case-law on the principles of private life and confidentiality of correspondence. The ECHR considers that personal telephone calls from business premises are prima facie covered by the notions of “private life” and “correspondence” pursuant to Article 8 of the European Convention (ECHR, June 25, 1997, Halford v. UK, No. 20605/92). Likewise, e-mails sent from work must be similarly protected by Article 8 (ECHR, April 3, 2007, Copland v. UK, No. 62617/00). The ECHR considers generally that employees must have a reasonable expectation of privacy for personal calls, e-mails and internet usage they make at work. In the January 12, 2016 decision, the applicant could not have such expectation of privacy since the company internal regulations expressly prohibited the use of company devices for personal purposes and the employer’s surveillance had been reasonable.

How Will This Decision Affect EU Jurisdictions?

France

The solution retained by the ECHR is transposable for France, bearing in mind that a reasonable private use of company professional tools during working hours is generally tolerated. French law also imposes certain limits on an employer’s right to monitor the use of company IT tools by employees. The existence of a surveillance system must have been brought to the employees’ attention prior to its use and also requires prior consultation of the works council, as well as the filing of a notification with the French Data Protection Authority (CNIL) in the event of collection of personal data. The employer’s monitoring must further be proportionate to its objective and must be conducted in a non-discriminatory manner.

Germany

The ECHR decision reflects the current legal situation in Germany. It is permissible to ban private use of company devices during working hours. Depending on the case at hand, time-consuming private use of the internet or of an employee’s professional email account during working hours may qualify for a termination. However, in practice, transparent prohibitive rules often lack so that terminations issued have often been considered disproportionate by German labor courts. Employer monitoring of internet use and in doing so potentially accessing employee private data has been found to infringe basic self-determination rights with regard to the handling of such information. Access would only be legitimate if it occurs under the justified assumption that the information in question only relates to professional activities. Thus, it is recommended to prohibit any private use of professional email accounts or devices. Moreover, Besides, employers need to check if any co-determination rights of the works council may be triggered before considering any monitoring of internet use and professional email accounts.

UK

The UK position on electronic forms of workplace surveillance is regulated by the UK Data Protection Act 1998 (the "DPA") and the Employment Practices Data Protection Code (the "Data Code") which recognise such monitoring as involving the processing of personal data. 

Under the DPA and the Data Code, personal data must be processed fairly and lawfully, and should only be obtained and processed for lawful purposes and with either the data subject's consent or where deemed "necessary" under the DPA. Employers should implement an impact assessment when deciding whether monitoring is "necessary" which will involve identifying clearly the purpose behind the monitoring arrangement and the benefits it is likely to deliver, identifying any likely adverse impact of the monitoring arrangement, considering alternatives to monitoring or different ways in which it might be carried out, taking into account the obligations that arise from monitoring, and judging whether the monitoring is justified. This will generally not justify monitoring private communications as a matter of routine.

Accordingly, it is unlikely that the ECHR’s decision in the Barbulescu case will have any practical impact on UK law. The employer in that case would still be expected to justify the monitoring as necessary.

Italy

Notwithstanding the ECHR’s decision, in Italy, employer control of employees’ private data and activities using professional tools during working hours is possible if provided in the company’s policy and proportionate and adequate to the aim sought(i.e., need to prove inefficiency on the job). Moreover, the employer must inform employees on the conditions of use of professional tools, possible controls that may be done for a legitimate aim, and potential disciplinary sanctions in case of violation of the company’s policy. Moreover, the principles of necessity, legitimacy, fairness and proportionality must be complied with.