The Grand Chamber of the European Court of Human Rights (ECHR) issued its ruling on September 5 2017 in the Bărbulescu v. Romania case, whereby reversing an earlier decision by the Fourth Section of the ECHR, and finding a violation of Article 8 of the European Convention on Human Rights (ECoHR).
The case concerns an employee (Bãrbulescu) whose employment contract was terminated after his employer discovered that Bãrbulescu had been utilizing company resources, such as Yahoo Messenger, for personal purposes. The discovery was made by the employer through monitoring the employees internet communications. Since utilizing company resources for personal purposes was in breach with their company policy, the Romanian employment tribunal confirmed the termination of contract.
The Fourth Section of the ECHR found that the national courts had struck the right balance between upholding Bărbulescu’s right to respect for his private life and correspondence on one hand (Article 8 ECoHR), and protecting the interests of the employer on the other. The case was referred to the Grand Chamber of the ECHR upon the request of Bărbulescu.
The ECHR found that the national courts had failed to protect Bãrbulescu’s right to private life and correspondence on the grounds that it should have been considered:
- Whether prior and clear notification was given to Bãrbulescu with regard to the possibility that monitoring could take place - Whether Bãrbulescu had been informed about the degree of intrusion of the measures - Whether the employer had legitimate reasons to justify the monitoring and accessing the private content - Whether less intrusive methods would have sufficed as well - What consequences the monitoring would have for the employee
Whilst it does not follow from this ruling that such employee monitoring should always be considered as prohibited, it does establish a higher threshold for lawfully allowing it. It therefore also challenges the approach for blanket monitoring to prevent malicious attacks for example. Moreover, in light of the GDPR, which will enter into force coming May 2018, such monitoring is likely to be considered as a processing activity that inflicts a high risk to individuals. It is therefore likely that such activities require to be preceded by a careful, risk-based and privacy-friendly assessments (Data Protection Impact Assessment).
The full text of the ruling can be found here.