A recent case before the European Court of Human Rights has set the cat amongst the pigeons on the perennial hot topic of employees’ entitlement to privacy and data protection in the workplace.

Widespread media reports would lead employers to believe that unfettered monitoring of employee emails and internet use is now acceptable and that engaging in personal correspondence during working hours is legitimate grounds for dismissal. However, this is simply not the case, and employers must beware. An employer who engages in this type of monitoring, and imposes disciplinary sanctions as a consequence, can, in fact, expect to find themselves in hot water. Employers must, as a minimum, have comprehensive, and bespoke, internet policies in place, clearly setting out the rights and obligations of employees, how monitoring is conducted and how data is processed and used. The policies must also be effectively communicated to employees, accompanied by appropriate training and consistently enforced.

The case

Barbulescu v Romania

The claimant, Mr Barbulescu, was an engineer in charge of sales who was employed from August 2004 to August 2007. In July 2007, Mr Barbulescu was asked by his employer to set up a Yahoo Messenger account for the purpose of responding to clients’ enquiries. The employer gave notice to its employees at the beginning of July that internet use would be monitored (although this was disputed by Mr Barbulescu). In the period 5-13 July, the employer monitored Mr Barbulescu’s Yahoo communications. This identified that Mr Barbulescu had been using the internet for personal purposes, contrary to the company’s rules, which prevented personal internet use. The rules stated, “It is strictly forbidden to disturb order and discipline within the company’s premises and especially…to use computers, photocopiers, telephones, telex and fax machines for personal purposes”.

Mr Barbulescu initially denied any personal use, but the employer’s findings were backed up by a transcript of his communications. Mr Barbulescu sought to argue that his employer had violated the Criminal Code and the Romanian Constitution by violating his correspondence and brought a claim in the Bucharest County Court. The court dismissed his claim, finding that the employer had complied with the relevant disciplinary proceedings and that Mr Barbulescu had been informed about the employer’s rules on personal internet use.  The court said that as Mr Barbulescu had denied using the internet for personal use, the employer had no option but to check the content of his Yahoo communications, and that monitoring employees’ use of company computers was within the broad scope of the employer’s right to check the manner in which professional tasks were being completed.

Mr Barbulescu appealed the court’s decision, claiming that emails are protected by Article 8 of the Convention relating to respect for private life and correspondence. The Court of Appeal dismissed Mr Barbulescu’s appeal, ruling that the employer’s conduct had been reasonable and that monitoring his communications was the only method of establishing the disciplinary breach.

Mr Barbulescu therefore took his case to the European Court of Human Rights (ECHR). The ECHR identified that, on the face of it, telephone calls from business premises are covered by the notions of ‘private life’ and ‘correspondence’ for the purposes of Article 8, and that emails, and information derived from monitoring employee usage, would be similarly protected. The ECHR also found that in the absence of notice about monitoring, employees would have a reasonable expectation as to privacy of their calls and emails.

The ECHR said that it therefore needed to examine whether a fair balance had been struck between Mr Barbulescu’s right to respect for his private life and correspondence, and his employer’s interests. It found that it had, and that Mr Barbulescu’s claim should therefore fail (although one judge dissented in strong terms). It relied on the following findings:

  • Mr Barbulescu had been able to raise his arguments before the domestic courts and they had found that the employer had acted within its disciplinary powers;
  • The domestic courts had also found that Mr Barbulescu had used the company’s computer for personal use during working hours, and that there had therefore been a disciplinary breach of the employer’s rules;
  • The employer had only accessed Mr Barbulescu’s account on the basis that the information in question was assumed to relate to Mr Barbulescu’s professional activities; it had not accessed any other documents or data on Mr Barbulescu’s computer and its monitoring was therefore limited in scope and proportionate;
  • The domestic courts had not placed any weight on the contents of the Yahoo account; they had only considered activity on that account to the extent it proved the breach of company rules;
  • It was not unreasonable for an employer to want to verify that employees are completing their professional tasks during working hours; and
  • Mr Barbulescu had failed to convincingly explain why he had used the Yahoo account for personal purposes.

Implications

On the face of it, this case does appear to give employers some confidence about their ability to monitor employee emails and internet use. The ECHR was willing to find that a blanket ban on personal internet use was sufficient in this case to weigh the employer’s interests evenly against the claimant’s right to private life and protection of correspondence. This was so, even though it was in dispute whether the employee had been properly notified that monitoring would take place.

However, employers must still exercise significant caution. The UK has a raft of legislation and guidance governing employee monitoring and data protection, and in many workplaces, the lines are unlikely to be as clearly drawn as in this case. Further, in many cases, a blanket ban on personal internet and email use may be impractical. As identified by the dissenting judge, some employers will allow employees to use the company’s internet and email/messaging systems for personal use; others will allow employees to use their own equipment for work-related matters, and some employers will permit both. The dissenting judge was at pains to make clear that an employer’s right to monitor an employee’s communications is not unrestricted or at its discretion. The key issues to consider are:

  • Employees have a reasonable expectation of privacy;
  • Expectations of privacy may, in certain circumstances, be displaced by a bespoke internet policy with specific rules on email, instant messaging, social networks, internet surfing etc and a comprehensive policy on employee monitoring. Automatic or continuous monitoring of internet use is unlikely to be permissible;
  • Employees must be aware of the employer’s policies, both in terms of the rules which apply during working hours, and outside working hours, and in terms of any restrictions on the use of company equipment. Employees should give their explicit consent to the policies;
  • The enforcement of an employer’s internet policies should be guided by the principles of necessity and proportionality. For example, before carrying out any monitoring, employers should consider whether the benefits of that measure outweigh the adverse impact on the employees’ right to privacy;
  • Sanctions for a breach of the employer’s internet rules should normally start with a verbal warning, before moving to a written warning, and ultimately dismissal. Relevant considerations for the appropriate sanction are likely to include whether damage has been caused to the employer and/or whether there has been a pattern of behaviour over a sustained period of time;
  • Any processing of personal data for the purposes of the employment relationship, including staff management, and termination of employment, must be regulated by contract or collective agreement in line with data protection laws and principles. Specific forms of data processing like internet and email use are likely to warrant detailed rules and procedures.