On September 5, the European Court of Human Rights (ECHR) issued a ruling in the case of Bărbulescu v. Romania that affirms employees’ right to privacy in the use of communications tools in the workplace. Although the ruling is strict, it aligns with the positions taken by the national courts of certain European Union Member States (e.g., Germany) and guidance issued by data protection authorities. And the criteria that the ECHR adopts for assessing the lawfulness of monitoring generally aligns with the requirements under the General Data Protection Regulation (GDPR), which takes full effect on May 25, 2018. In this post, we summarize the ruling and identify key takeaways for companies that monitor workforce use of information systems and tools in the EU.
In 2007, a Romanian company fired an employee for violating a company policy prohibiting the personal use of computer systems. To support the action, the employer produced a 45-page transcript of personal Yahoo Messenger communications between the employee, his fiancée, and his brother that the employee had exchanged while using company computers. After his firing, the employee sued the company for violating Article 8 of the Convention for the Protection of Human Rights and Fundamental Freedoms (the Convention), which protects the “Right to respect for private and family life.” The employee claimed that the company’s monitoring of his personal communications violated Article 8’s protection of his “private life” and his “correspondence,” despite the fact that he had consented to the employer’s policy prohibiting personal use of company equipment. The Bucharest County Court and Court of Appeal dismissed the claims, and the employee brought suit against Romania in the ECHR, claiming that the Romanian courts had failed to comply with their obligation to protect his rights under Article 8. On September 5, the Grand Chamber of the ECHR voted 11-6 that there had been a violation of Article 8 of the Convention.
Article 8’s Protections Can Apply to Communications Sent via Company Systems
The ECHR noted that Article 8 “guarantees a right to ‘private life’ in the broad sense, including the right to lead a ‘private social life.’” In determining whether Article 8 applied to the employee’s use of company systems to send personal communications, the ECHR considered whether the communications were subject to a reasonable expectation of privacy and whether the employee’s use of the instant messaging tool was an element of his private social life. Although the court noted that the employee had received notice of the employer’s ban on personal communications, the ECHR held that Article 8 applied based on the following considerations:
- It was not clear that the employee was informed of the employer’s monitoring of communications before the monitoring began;
- The employee did not receive notice of the “extent and nature of his employer’s monitoring activities, or of the possibility that the employer might have access to the actual contents of his communications;” and
- Instant messaging services are one of the tools that employees can use to lead a private social life.
Employee Monitoring Programs Must Be Subject to Adequate and Sufficient Safeguards
The ECHR directed domestic authorities to consider the following when assessing the safeguards for employee monitoring programs:
- Have employers provided employees with clear notice about the nature and scope of monitoring activities?
- How intrusive is the monitoring?
- Has the employer provided legitimate justifications that support monitoring activities?
- Would less intrusive monitoring measures (e.g., monitoring metadata rather than contents of communications) effectively achieve the same purposes?
- What are the consequences for employees, and has the employer limited use of the monitoring measures to what is needed to achieve the specified purposes for monitoring?
- Has the employer taken steps to reduce the potential impact of monitoring (e.g., accessing contents of communications only if employees have been provided with prior notice that this may happen)?
In evaluating the case before the court, the ECHR noted that the Romanian courts had failed to adequately consider: (1) whether the employee received notice of the nature and extent of monitoring before his communications were monitored; (2) the employer’s specific justifications for the monitoring (though the ECHR did note that protecting company assets from damage and cyber threats may serve as justifications for monitoring programs); and (3) the serious consequences of the monitoring. As a result, the ECHR held that Romania’s domestic authorities violated Article 8 because they “did not afford adequate protection of the applicant’s right to respect for his private life and correspondence and [ ] they consequently failed to strike a fair balance between the interests at stake.”
The ECHR’s decision places employee monitoring practices under greater scrutiny. Companies should consider the following steps to reduce the risk that their employee monitoring practices run afoul of EU law:
- Provide Clear Monitoring Notices: Employers should provide employees with clear information about monitoring activities prior to monitoring employee communications. Notices should disclose the possibility that employee communications will be monitored and describe the nature and the extent of the monitoring, including whether monitoring collects metadata only or if it records the contents of communications.
- Issue Clear IT Acceptable Use Policies: Companies should establish clear rules for use of company systems, provide employees with notice of the rules, and prohibit personal use where possible. If personal use is allowed, limit the expectation of privacy and tell employees: “If you do not want the company to access information, please do not store it on our systems.”
- Document Justifications for Data Processing: Employers must be able to demonstrate that monitoring has a lawful basis. This generally requires establishing that monitoring supports employers’ legitimate interests. The evaluation of these interests will be informed by other relevant areas of European law, such as Articles 6, 9, and 88 of the GDPR.
- Consider Data Minimization: Employers should consider whether less intrusive monitoring practices can achieve the same goals. If less intrusive measures, such as monitoring metadata rather than content, would effectively address risk, data protection authorities will expect companies to deploy them.
- Consider Relevant GDPR Requirements: Employers should consider relevant requirements (including forthcoming GDPR requirements) when developing employee monitoring programs, such as conducting data protection impact assessments, providing transparent notices, securing data, addressing data transfer restrictions, and complying with data subject requests to access, delete, or correct information.
As companies go forward with their GDPR implementation plans, they should confirm that the criteria set forth by the ECHR are addressed in regard to employee monitoring activities.
Ryan Woo, in our Washington, D.C. office, contributed to this post.