Update on the protection of private correspondence against employers’ right of interference following the European Court of Human Rights’ 5 September 2017 decision

The debate concerning the applicability and respect of privacy rights in the workplace is an ongoing one and has yet to reach a congregating conclusion.

The use of new technologies at work and the secret of employees’ correspondence are two things that, due to their complexity, continue to fuel national and European case law.

On 20 March 2014, the Luxembourgish criminal court took a contradictory stance to the traditional case law position on such matter. In that decision, the court admitted that an employer could read the private emails of its employees. However, this decision was partially reformed by the criminal chamber of the court of appeal on 28 April 2015 (see our previous newsletter). Surprisingly, the criminal chamber of the court of appeal considered that the term “private” in the email’s title did not evidence the private nature of the electronic correspondence. The court of appeal actually argued that it was the “confidential” mention which established the private nature of this email. However, one must point out that confidentiality is an integral part of the business world and does not necessarily imply privacy.

Later on, two judgments of the European Court of Human Rights (“ECHR”) clarified the conditions for the employers to validly interfere in their employees’ right to private life.

Bᾰrbulescu v. Romania

Initially, the ECHR had upheld the right of employers to intrude into their employees’ privacy at work by ruling in favour of a Romanian employer who had exerted surveillance and recorded communications made by his employee through a professional yahoo messenger account, which included details surrounding the employee’s health and sex life, and that this did not disproportionally violate the employee’s privacy rights1.

The ECHR had concluded that:

  • it was not unreasonable for an employer to wish to verify that his employees are completing their professional tasks during working hours;
  • the employee should have expected his communications to be potentially monitored, since the internal regulations of the company did prohibit the use of all electronic devices for private ends;
  • the Yahoo Messenger account had been created on the request of the employer for professional purposes;
  • the employee’s denial that he had used this account for personal reasons has left the employer with no choice but to analyse his communications; and
  • the employer did not access other documents on the desktop of the employee, but limited himself to the Yahoo messages, whilst presuming those were of professional nature.

From these conclusions, the ECHR ruled that the national jurisdiction had preserved a just balance between the right to private life and correspondence of the claimant and the legitimate interests of the employer. Accordingly, the ECHR ruled that the national jurisdiction rightfully excluded any breach of Article 8 of the European Convention on Human Rights (the “Convention”).

Since then, this decision has been revoked by the Grand Chamber of the ECHR through its 5 September 2017 judgment2. The Grand Chamber ruled that Romanian national law “did not afford adequate protection of the applicant’s right to respect for his private life and correspondence”. It further ruled that Romania ”failed to strike a fair balance between the interests at stake”. The Grand Chamber justified its decision by bringing forward the following points:

  • Whether communications are conducted in the workplace or in the home of the employee, they are not excluded from the scope of Article 8’s notions of private life and correspondence3.
  • Whilst the internal regulations of the company did have provisions that prohibited the employee from using company means for his personal ends, “an employer’s instructions cannot reduce private social life in the workplace to zero4”. Accordingly, even though rights to private life and correspondence at the workplace can be limited or monitored under certain conditions, those rights certainly continue to apply.
  • Even though the employer “has a legitimate interest in ensuring the smooth running of the company, and that this can be done by establishing mechanisms for checking that its employees are performing their professional duties adequately and with the necessary diligence5”, it still has to balance its activities of surveillance with the rights to private life and correspondence of his employees.
  • In the case at hand, whilst the employee was aware of the restriction of the use of electronic devices for personal matters, it has yet to be proven that he was made aware of the said surveillance, of its starting point, its nature or its extent (i.e. that employer would delve into correspondences).
  • Finally, insufficient control was operated by the previous judgment on the motives raised by the employer to justify the surveillance. The employer maintains that the purpose of the monitoring was “to avoid the company’s IT systems being damaged, liability being incurred by the company in the event of illegal activities in cyberspace, and the company’s trade secrets being disclosed6”, however since no material allegations were made as to why that particular employee was exposing the company to such risks, the thorough surveillance exerted by the employer was illegitimate and disproportional.

For these reasons, and considering the 95/46/EC directive, the court concluded that there was a breach of Article 8 of the Convention in the case at hand.

At this point, it might be of interest to reiterate the guiding principles of the 95/46/EC directive, a piece of legislation to which the Court referred and which aims to provide for a just balance between the right of an employer to monitor its employees and the privacy rights of the latter:

  • Necessity principle: the surveillance must be necessary to attain a pre-established goal.
  • Finality principle: the data has to be collected for a specific, legitimate and explicit purpose.
  • Transparency principle: the employer has to provide all the data relative to the surveillance exerted on demand of the employee.
  • Legitimacy principle: the data treatment operations must only be executed with a legitimate end.
  • Proportionality principle: all the personal data collected through the treatment/surveillance have to be adequate and relevant for the purpose indicated.
  • Security principle: the employer is required to take all reasonable security measures to ensure that the data collected is not accessible to third parties.

Libert v. France

On 22 February 2018, the ECHR ruled again on an issue related to the protection of privacy at work. The Court actually waited for the outcome of the Bᾰrbulescu v. Romania case before making its ruling. Unlike Bᾰrbulescu v. Romania, this case dealt with the interference by a French public employer in the private life of one of its employees. The employee had stored 1,532 pornographic files on the hard drive of his professional computer. He had renamed his entire personal disk “D:/ personal data” and had recorded the controversial files under a folder entitled “laughs”. His employer had opened his personal files in his absence.

The ECHR had concluded that7:

There is a legal basis for the employer’s interference’ right within the meaning of Article 8 (2) of the Convention, since French law sufficiently details in which circumstances and under which conditions a public authority may take measures compromising the citizen’s right to private life;

  • The interference was intended to guarantee the protection of the rights of the employer since employers “may legitimately wish to ensure that their employees were using the computer facilities which they had placed at their disposal in line with their contractual obligations and the applicable regulations”.
  • French law has a legislative system in place to guarantee the protection of privacy. Employers cannot open files contained in the hard drive of their employees’ computers which are clearly identified as personal “unless there is a particular risk or event”. In such a case, these personal files must be opened in the employee’s presence or after the employee has been duly called, as specified by the French Court of Cassation. These principles have actually been applied by the French courts, which are responsible for interpreting domestic law. It is therefore not up to the ECHR to substitute its interpretation.

The domestic courts have thus rightly concluded that the files could have been opened by the employer because they had not been duly identified as private. Although “the employee renamed his entire internal hard drive to “D:/ personal data” “ and the controversial files were stored in a folder called “laughs”, the public employer was entitled to access them because:

the IT policy of the employer provides that personal data must be stored on the computer’s hard drive under a file entitled “private” (and not “personal” or “laughs”), which the applicant clearly did not do; and - the applicant could not use his entire professional hard drive for private purposes, whereas the IT policy states that “occasional use” of computer tools for personal use is tolerated. Unlike the Bᾰrbulescu v. Romania case, the interference of the employer in the private life of the applicant has been ruled compatible with Article 8 (2) of the Convention. Both judgments highlighted the importance of complying with the legislation in force and demonstrated the value of implementing a clear and precise IT policy on the use of professional tools and on the labelling of private correspondence. Hence, any employer who contemplates surveillance of employees’ correspondence must make sure to comply with the legal requirements, namely: (i) the law of 11 August 1982 relative to the protection of private life; (ii) the modified law of 2 August 2002 relative to the protection of persons against the treatment of personal data8; and (iii) the modified law of the 27 February 2011 relative to networks and electronic communications services.

Additionally, employers shall abide by the following best practices:

  • Implement an IT policy In order to limit possible cases of interference and justify them where appropriate, it is useful to provide a clear framework for the use of professional resources, by specifying the use that can be made of them, as well as indications on how to classify employees’ private data in their workplace and the proportion that is tolerated in the workplace.
  • Have concrete and legitimate reasons justifying the setting-up of surveillance measures Theoretical and general reasons are not sufficient. Under Luxembourgish law, Article L.261-1 of the labour code sets the conditions under which such surveillance can be realised (health and safety of employees, protection of company goods, control of machine efficiency in the production process, monitoring of working hours and/or task realisation of employees when it is the only way to determine their exact salary, and finally for purposes of organisation in companies with flexible schedule policies).
  • Check if there are less intrusive measures that can be taken to protect the rights to private life and correspondence of employees that would still achieve the intended outcome

Prior to putting the surveillance measure in motion, it is good practice to verify if the goal pursued can be reached by any other means than direct and integral access to the employee’s communications.

Consequently, the employer must favour the use of programs which can directly target suspect pieces of mail, so as to reduce unnecessary intrusion from the employer in the private life of its employees. Accordingly, the surveillance of electronic mail should, at first, focus on metadata (i.e. volume, frequency, size, nature of attachments). Preferably, this information would also be collected without identifying the person concerned. Only if the employer notices irregularities, may it, consequently, proceed to the identification of the concerned person.

The national commission for data protection (CNPD) has posited that, upon leaving the company, the employer must offer to its employee the possibility of copying private messages and other private documents onto a private electronic device, before their removal from company servers.

  • Obtain the CNPD’s approval
  • Before any surveillance is exerted, a request for approval must be sent to the CNPD.
  • Inform the employees of the possibility that their communications may be monitored prior to the start of the surveillance The notification must be straightforward as to the nature of the monitoring, and must come prior to the start of the measure. We recommend that the company adopts an internal regulation concerning the use of electronic devices by employees (professional and/or/without personal use), and that all employees sign the document upon arrival at the firm. This regulation must include information about the potential surveillance of correspondence.
  • Make sure the employee understands the nature and extent of the surveillance and reduce intrusion into his privacy to a minimum It is necessary to specify to the employee if the surveillance will concern the flux of communications or their content, if it concerns the integrality of communications or specific types, if it is time prescribed and who will have access to it. All this information can be included in an internal regulation that would have to be signed upon arrival at the company.
  • Consider the consequences of the surveillance exerted for the concerned employee

The surveillance exerted and the data extracted through it must only serve to the attainment of the declared goal, excluding any other use that can be made of it. In case a sanction is taken against the employee, the sanction must always remain legitimate and proportionate.