In the week of 11 January 2016, the European Court of Human Rights ("the Court) delivered a landmark decision regarding the inappropriate use of social media messaging platform, Yahoo Messenger ("Messenger"), by an employee in Romania. The employee had been using the service for private messages at work and the account had been accessed and read by his employer. He was dismissed for contravening the company's computer policy by participating in personal correspondence during working hours. The employee alleged that his right to privacy had been breached by the company's surveillance of his Messenger account.
Briefly the facts of the case are that the employee, an engineer in charge of the sales of a private company in Romania, had been directed by his employer to set up a Messenger account for the purposes of responding to client queries. A while thereafter, the employee was informed by the company that his Messenger account had been under surveillance and that the records indicated that he had been using the service for private messages during working hours and that this was a contravention of the company's internal procedures. The employee stated that he had only used Messenger for professional purposes. A printed transcript of his account showed that this was clearly untrue and he was dismissed for using company property for personal purposes.
Issues of the employee's right to privacy and the processing of personal data were at the forefront of the Court's decision in this matter. The protection of personal data is a long established requirement and legal practice in Europe. South Africa has recently passed the Protection of Personal Information Act ("POPI") which is closely based on the principles enunciated in the European codes. Therefore, guidance from the European Courts shall be significant in implementing POPI in South Africa. This recent decision is binding on all signatories of the European Convention on Human Rights, which includes the United Kingdom.
Significantly, the Court stated that an employee's right to privacy does not mean that every activity that he or she engages in is protected from scrutiny. Although employees could have a reasonable expectation as to the privacy of telephone calls, emails and internet access at the workplace in the absence of explicit policies governing such matters, it was not a blanket protection. Thus, if a company has an unambiguous policy prohibiting the use of its facilities for private communications, then there can be no expectation of privacy for those communications. The Court held in this case that the employer had a clear prohibition against private communication and that the employer was entitled to ensure and verify that the employee was completing his "professional tasks during working hours". The Court also found that the processing of the employee's personal information had been "limited in scope and (was) proportionate" to the purpose the employer was trying to achieve.
This judgment is incredibly far-reaching in its consequences for employees in Europe. Whether this approach would be able to pass muster in South Africa remains to be seen. What this judgment does show, is that statutes such as POPI may not mean that an employee is immune from surveillance by their employer when using company IT equipment during working hours. Furthermore, it also shows that the Europeans do not regard strict IT policies as encroaching on an individual's right to privacy or protection of personal information.
Consequently, employers would be well advised, with the proper and necessary legal assistance, to revise their IT policies and procedures regarding personal communications during working hours.