Mr Bărbulescu v Romania
Some of you might recall the case of Mr Bărbulescuv Romania in 2016, which involved an employee (Mr Bărbulescu), who sent private emails through his personal Yahoo account from an office computer. Some messages were innocent exchanges with his brother, and some were of a more salacious nature with his fiancée. His account was monitored by his employer in accordance with company policy, which said that no private communications were to be sent from workplace devices. Mr Bărbulescu was fired for breaching the company's policy. He sued his employer, arguing that their decision to terminate his employment was void and argued that his private messages were protected by Article 8 of the European Convention on Human Rights (ECHR) (which is the right to private and family life, the home and correspondence).
The Chamber of the European Court of Human Rights (ECtHR) (not to be confused with the separate, European Court of Justice) held that such monitoring did not violate Mr Bărbulescu's right to private life because it was not unreasonable that an employer might want to verify that its employee was actually working during working hours. They noted that the employer had only accessed Mr Bărbulescu's accounts in the belief that it contained work-related client emails. At the time, this judgment met with heavy opposition, with critics claiming that the right to privacy at work was over.
However, this case was appealed to the Grand Chamber of the ECtHR, and the controversial decision has been reversed.
The Grand Chamber found in favor of the employee, based on the specific facts in this case. The Grand Chamber first questioned whether Mr Bărbulescu had a reasonable expectation of privacy, as he knew there was a policy that prohibited him from accessing his personal emails from a work computer. At the same time, the judgment also made clear that an employer's IT policy could not reduce workers' private and social life in the office to zero. The right to private life and the right to privacy of correspondence continues to exist in the workplace. Employers may restrict these rights in so far as is necessary, but any restriction has to be reasonable.
Crucially, the Grand Chamber decided that Mr Bărbulescu had not been expressly informed that the content of his personal communications on work equipment was being monitored. It was this failure to notify the employee which was one of the key factors influencing the Grand Chamber's decision.
Technology and the age of “smarter working” makes employee monitoring a tricky area for employers. Smart phones and almost universal internet access facilitates remote working, which is fast becoming the new norm. However, this flexibility comes at a price; it blurs the temporal and spatial boundaries of work and play. Beginning next year, under the new General Data Protection Regulations (GDPR), employers will have to carry out a privacy impact assessment to demonstrate that they have achieved the correct balance between protecting employees' privacy and the interests of the business. In particular, employers will need to review their HR policies on data protection and ensure they are GDPR compliant. Some of the factors that will need to be included are informing your employees of their particular rights under the GDPR, such as the right:
- to be informed about what personal data is collected about them and how long it is stored;
- of access to any personal data the organization holds about them;
- to request any stored incorrect personal data is corrected; and
- to complete erasure of their personal data by the organization to the point where it cannot be recovered.
In addition, if the organization has more than 250 employees, you must maintain additional detailed internal records about how you process, that is use in any manner, your employees' personal data.