One of the fundamental rights protected under the European Convention on Human Rights is the right to respect for private and family life, home and correspondence, which is set out in Article 8.
In the case of Bărbulescu v Romania, the Grand Chamber of the European Court of Human Rights (ECtHR) was asked to consider whether the Romanian domestic courts had failed to protect an employee's Article 8 rights when they found that an employer been entitled to monitor instant messaging accounts of an employee, which led to his dismissal for breach of its IT policy.
With a majority ruling of 11 to 6, the Grand Chamber held that the employee's right to private life and correspondence had been breached by the employer's monitoring. Its conclusion was that the Romanian courts had failed to strike a fair balance between the opposing interests, in particular the employee's right to respect for his private life and correspondence and, on the other hand, the employer's right to take measures to ensure the smooth running of the company.
On the face of it the decision appears unhelpful to employers who want to ensure its employees are not using their IT systems in an inappropriate way or contrary to their policies. However, the decision does not mean that employers can no longer monitor its employees' correspondence under any circumstances. Instead, it means that employers should be thinking carefully about whether monitoring is required and, if it is, identifying what is the least intrusive way in which it can be carried out to meet the employer's objectives. Employers also need to be upfront with employees about the possibility that monitoring may occur and what any monitoring involves.
Mr Bărbulescu was dismissed by his employer on the grounds of a breach of the company's internal regulations, in particular breach of its policy on use of IT equipment.
His employer had a policy that prohibited any personal use of its IT equipment. On 3 July 2007, a notice was circulated reminding employees of its IT policy and reiterating that personal use of the internet, phone or fax machine was not permitted. The notice also informed employees that their work would be monitored and that misconduct would be monitored and punished.
Mr Bărbulescu had been asked by his employer to set up a Yahoo Messenger account for work purposes. He also had a personal Yahoo Messenger account.
In the days after the notice had been circulated, the employer monitored Mr Bărbulescu's Yahoo Messenger communications. On 13 July, he was informed that the company had monitored his Yahoo Messenger communications over the course of a week and that it considered he had been using it for personal purposes, contrary to its IT policy. Mr Bărbulescu replied saying that he had only used Yahoo Messenger for work purposes. The same day, the employer presented Mr Bărbulescu with a 45 page transcript of his Yahoo Messenger communications, including the text of communications he had exchanged with his brother and his fiancée relating to personal matters, some of which were of an intimate nature. The majority of the messages had been sent on his work Yahoo Messenger account but a few had been sent on his personal account.
Mr Bărbulescu was dismissed on 1 August 2007. He brought a claim in the Romanian courts challenging his dismissal. He was unsuccessful in his claim as the Romanian courts found that the employer was entitled to check his work and that he had been told about the company's position on personal use of IT equipment and monitoring of use of the equipment.
Having lost his claim in the Romanian courts, Mr Bărbulescu claimed in the ECtHR that his dismissal had been because of a breach of his Article 8 rights (i.e. right to respect for private life and correspondence) and, as such, the domestic courts had failed to protect his rights. The Grand Chamber overturned the decision of the lower Chamber of the ECtHR, finding that respect for private life and for the privacy of correspondence continues to exist at work, even if these may be restricted in so far as necessary.
Whilst the impact of the decision of the Grand Chamber is not as dramatic as some headlines suggest, employers should be mindful of the fact that the Grand Chamber has recognised the right to private life even at work and, where it seeks to restrict that, should have compelling reasons to do so.
Employers should use this decision as a prompt to revisit their 'Acceptable Use of IT' policies and their monitoring practices to ensure there are adequate safeguards against abuse of the right to respect for private life and correspondence. Some action points and practical tips include:
- Carrying out an assessment of the degree of intrusion into the employees' privacy. Monitoring the flow of communications rather than the actual content of communications and limiting the number of people who have access to the data that is collected will make the monitoring less intrusive.
- Considering why the monitoring is being carried out, what the employer is hoping to achieve and whether the objectives can be met through less intrusive means.
- Notifying employees of the possibility that monitoring may be carried out. Revisit existing policies, update where necessary and make sure employees are made aware of them. Notification should be given in advance of any monitoring taking place.
It will be difficult to apply a one-size fits all approach to monitoring and an analysis should be carried out when monitoring is proposed as to whether it is appropriate in the circumstances.
In addition to considering the impact of the decision in the Grand Chamber, employers in the UK should also be mindful of the fact that monitoring of emails is subject to the Regulation of Investigatory Powers Act 2000 (RIPA) which makes it unlawful to monitor electronic communications unless justified in accordance with RIPA. The Lawful Business Practices Regulations (which sit alongside RIPA) permit monitoring on certain grounds. (although note that these Regulations are also under review as part of the wider developments and implementation of the Investigatory Powers Act 2016) Helpful guidance on monitoring in the workplace generally and on the impact of the Lawful Business Practices Regulations have been produced by the Information Commissioner's Office and can be found at the following links: Employment Practices Code and Supplementary Guidance. This is also a topic that is firmly on the agenda of the Article 29 Working Party, with a recent Opinion having been published on Processing Data at Work which addresses monitoring in more detail (Opinion 2/2017) and so employers should be alert to these developments and other changes in this area in the future.