Every employer wants to be sure that its employees perform their work duly, without wasting their working time on things not related to their job. While employers may use technical means, such as video surveillance or GPS-tracking, to ensure the physical presence of employees at their workplaces, it still remains difficult for them to lawfully dig into employees’ computers to ensure they do not waste their working time surfing the Internet. The right to use the Internet overlaps with the right to respect for private and family life and the right to freedom of expression prescribed by Articles 8 and 10 of the European Convention on Human Rights (the “ECHR”) respectively. The right “to seek … information through the Internet”1 also frequently involves personal data issues, since our personal data is usually processed while we enter and use websites. The European Court of Human Rights (the “ECtHR”) adjudicated on several occasions in cases dealing with issues of employee monitoring (email correspondence and telephone tapping) in the context of the right to respect for private and family life. On January 12 this year, the ECtHR delivered its judgment in the case ofBărbulescu v. Romania, no. 61496/08, § …, 12 January 2016. This case related to the personal use of the Internet by an employee using their employer’s equipment and the right of employers to monitor such use.
Article 8 of the ECHR and the Employee Monitoring Jurisprudence of the ECtHR
Article 8 of the ECHR states that “Everyone has the right to respect for his private and family life, his home and his correspondence.” Until the decision in Bărbulescu, the leading cases concerning employee monitoring were Halford v. the United Kingdom (1997) and Copland v. the United Kingdom (2007). In Halford, the applicant was a policewoman who sued her employer on the grounds of sex discrimination. She had her own office with telephones that were allowed for private use.2 However, in course of discrimination case hearings she found out that her private internal phone calls were intercepted and further used as an evidence. This led to her bringing a case against the employer before the Interception of Communications Tribunal, which she lost. The ECtHR considered that “[s]he would … have had a reasonable expectation of privacy for such calls.”3 This concept of the “reasonable expectation of privacy” can be further traced in other employee monitoring cases of the ECtHR. While considering Article 8 of the ECHR, the ECtHR concluded that the interference was not “in accordance with the law”, since the domestic legislation did not contain provisions on interception of internal communications.
In Copland, the applicant’s email correspondence, phone calls and Internet use were monitored by her boss. The ECtHR’s ruling that the employer had violated Article 8 of the ECHR concluded as follows: “The applicant in the present case had been given no warning that her calls would be liable to monitoring, therefore she had a reasonable expectation as to the privacy.”4 In Halford the employee was expressly allowed to use the telephone for private purposes. On the other hand, in Copland it was not expressly allowed, but there was no warning as to the prohibition of such use. Therefore, such private use was at least tolerated by the employer.
Facts of Bărbulescu
The facts in Bărbulescu are different from the cases described above. Unlike in Halford or Copland, in Bărbulescu the employer imposed a complete ban on any private use of its equipment (including the use of the Internet).
The applicant, Mr. Bogdan Mihai Bărbulescu, worked at a private Romanian company as an engineer responsible for sales. Upon the request of his employer, he created a Yahoo messenger account for texting clients and responding to their requests. Mr. Bărbulescu also used this account for his private purposes, including sending messages to his brother and fiancée. His employer suspected him of personal use of the Internet. The employer informed the applicant that his Internet use had been monitored for eight days and that the records proved that part of his communications had been personal. Mr. Bărbulescu rejected these allegations in a written statement. The employer then produced 45 pages of the applicant’s private correspondence via the Yahoo messenger account. Following this, the employer dismissed Mr. Bărbulescu for breach of its internal rules.5
Mr. Bărbulescu challenged this decision in Romanian courts claiming that the employer violated his right to respect for privacy of correspondence. The decision of the court of first instance upheld by the Bucharest Court of Appeal rejected his claims relying on the fact that violation of the privacy of correspondence was the only manner to achieve the employer’s legitimate interest to supervise the functioning of its business. The Court of Appeal had also relied on EU Directive 95/46/EC relating to data protection. The judgment of the Bucharest Court of Appeal held that the employer’s conduct was reasonable and that the monitoring of Mr. Bărbulescu’s correspondence was the only way to establish if there was a disciplinary violation.6
Judgment of January 12, 2016
In balancing the applicant’s right to respect for private and family life, and the employer’s interest of establishing a disciplinary breach, the ECtHR found that the employer’s access to the Yahoo messenger account was legitimate, since it was exercised within the employer’s disciplinary powers. The ECtHR concluded that the employer monitored the applicant’s use of Internet with a belief that it contained only professional correspondence, as it was stated by the applicant himself.
As to the “reasonable expectation of privacy” or whether the applicant could have expected that his private communications would remain undisclosed even after notification of an absolute ban of personal use of the Internet, the ECtHR in its assessment frankly noted that “the elements in the file do not easily allow a straightforward answer”. Notwithstanding that, the ECtHR concluded that Mr. Bărbulescu could not have relied on the reasonable expectation of privacy, since he was notified of the ban on personal use and the employer’s monitoring was limited in scope and proportionate. Therefore, the ECtHR concluded that the Romanian authorities did not violate the applicant’s rights under Article 8 of the ECHR, but they did stroke a fair balance between the applicant’s right to respect for private life and correspondence and the employer’s interests, where the latter prevailed. The ECtHR remained silent on the issue of personal data and its sensitivity. We understand that the ECtHR does not have jurisdiction to adjudicate on EU law matters.
The majority judgment was criticized by Judge Pinto de Albuquerque in his dissenting judgment. In particular, he criticized the lack of any guidance on the possible surveillance of employees’ Internet usage. Judge de Albuquerque stated that the mere fact of imposing a ban on personal use of the Internet is inadmissible to automatically allow monitoring and personal data processing. Judge de Albuquerque came to the conclusion that “the employer accessed the content of this communication and made transcripts of it against the applicant’s explicit will and without a court order.”7
While not reversing the previous judgments in Halford or Copland, the judgment in Bărbulescu has raised even more questions as to the rules of employee surveillance. It did not indicate a point of a fair balance between the employee’s rights under Article 8 of the ECHR and the employer’s interests of working process organization. Furthermore, it remains unclear whether the mere prohibition to use the Internet for personal purposes may automatically allow the employer to interfere into employee’s private life and correspondence. Does it mean that since the employer introduces a ban on personal use of the Internet in its internal rules, it can easily monitor the web history or even communications of its employees?
We believe that the answer is “no”, since the processing of personal data is built on the principle of the data subject’s consent (in both, the effective EU Directive 95/46/EC and the upcoming General Data Protection Regulation (EU) 2016/679). It is doubtful whether the breach of an employer’s internal rules automatically means that the employee gives his/her consent for personal data processing. Answers to these questions may soon come from the Grand Chamber of the ECtHR that has recently agreed to review the judgment in Bărbulescu.8 Finally, for employers, this judgment means that their internal rules and policies regarding personal data, use of technical means and, in particular, the Internet should be written in detail describing what is allowed and what is not, and what could be the consequences of any breach.
Published by: TerraLex Connections, August, 23, 2016