HL Chronicle of Data Protection Privacy & Information Security News & Trends
Posted in Employment Privacy

The European Court of Human Rights Decides that Accessing an Employee’s Work IM Account Did Not Breach His Privacy Rights

To what extent are the personal communications sent by an employee from their employer’s computer private? In Europe it has been accepted for some years that employees do not lose their right to privacy in the workplace. However, a recent decision from the European Court of Human Rights (ECHR) confirms the rights of the employer to restrict employees from any personal use of the employer’s computer equipment and, consequently, to rely on a contravention of the restriction (which is revealed through monitoring) as grounds for dismissal.

What were the facts?

The claimant in Barbulescu v Romania worked for a private company in Romania as a sales engineer. At his employer’s request, he set up a Yahoo Messenger account so that he could respond to clients’ enquiries. Company rules made it clear that using company computers for personal purposes was not permitted – effectively personal use was forbidden.

About three years later, and following another incident involving another employee using the Internet at work for private purposes, the employer asked the claimant whether he used the Yahoo Messenger account for only professional purposes (i.e. in line with the company rules). The claimant confirmed that he only used the account for professional purposes. A few days later, the employer told him that his Yahoo Messenger account had been monitored for a period of just over a week and that the records showed that he had used it for personal purposes on the company’s computer during working hours, in direct contradiction to what the claimant had confirmed. When the claimant challenged this, he was presented with a 45-page transcript of messages he had exchanged with his fiancée and brother (some of which were very personal). Accordingly, he was dismissed for breach of the company’s regulations.

Right to private life?

The claimant contested the dismissal in his national courts arguing that it was void because access to his communications had violated his right to correspondence protected by the Romanian Constitution and Criminal Code. The courts in Romania decided that there had been no breach of Romanian law.  In their view, the employer’s conduct had been reasonable and monitoring had been the only way of establishing if there had been a disciplinary breach i.e. breach of the company rules.  They referred to the fact that not long before the incident employees (including the claimant) had been warned by notice that their activity would be monitored. The employer argued that this communication had put the claimant on notice that his communications would be monitored.

The claimant then applied to the ECHR for a ruling on whether his right to respect for private and family life and “home correspondence”, under Article 8 of the European Convention on Human Rights, had been infringed.

European Court rejects claim

The ECHR agreed that Article 8 applied to these circumstances. A key issue before the court was whether the claimant retained a reasonable expectation that his communications would not be monitored. The company argued that it had provided prior notice of the monitoring but the claimant disputed this. Indeed, the judgment does not satisfactorily clear up the issue of whether prior notice was effectively given to the claimant since no signed copy (signed by the claimant) of the employer’s notice was provided to the ECHR.

However, in the end, the majority of the ECHR decided that there was no violation of Article 8 and that Romanian law had struck a fair balance between employees’ rights and employers’ interests. In their view it was not unreasonable for an employer to verify that employees were completing their professional tasks during working hours and the employer had accessed the IM account thinking that it contained client-related communications only. Although the account had contained very personal and sensitive content, viewing this content had not been the focus of the monitoring. The issue was – did the claimant use the Yahoo Messenger account for personal use in direct contravention of the company rules?

The employer had examined the content only in response to the employee’s denial that he used the account for personal use, and the employer did not look at anything else on his computer. Consequently, in the eyes of the ECHR, this satisfied the requirement for proportionality. The fact that the employer suffered no actual damage was irrelevant. The fact that the claimant had lied to his employer about his personal use of the Yahoo account, and had not convincingly explained to the ECHR why he had used the account for personal purposes, also appeared to influence the ECHR’s position.

But a few issues remain…

Although this presents as a clear-cut case, there are several issues that the majority of the ECHR did not tackle fully. This led to one of the judges issuing a strong dissenting opinion. These issues are:

  1. As a result of technological changes in recent years, the line between work and private life has become increasingly blurred and the ECHR’s judgment failed to fully allow for that.
  2. Consequently, employers are no longer justified in taking “unfettered control” of employees’ Internet use. Indeed, a wholesale prohibition on employees using company computers and Internet access for personal use does not appear realistic or fair (and is contrary to guidance provided by the Article 29 Working Party in the past).
  3. It was not convincingly proven that effective notice of monitoring had been given to the claimant. The dissenting judge set out his belief that every company must adopt a comprehensive Internet usage policy to explain to employees the rules around use of the company equipment and how they could be monitored. In this case, the prohibition in the company rules on personal use of company equipment set out the limitations of use but did not explain that monitoring would occur. The wording of the notice to employees about monitoring that had been subsequently given was insufficient in the eyes of the dissenting judge (even if it had been effectively provided to the claimant).
  4. The access of very sensitive data (i.e. about the claimant’s sex life) required higher standards of protection which were arguably lacking in this instance particularly given that the claimant’s messages had been circulated to his colleagues and not restricted only to use in disciplinary proceedings.
  5. The employer also accessed the claimant’s private Yahoo Messenger account but there was no criticism of this intrusion from the ECHR.

Regardless of the findings, it is still important to emphasise that this recent decision by the ECHR does not say that employees have no right to privacy in the workplace.

Same result in the UK?

In the UK, courts and tribunals have to interpret legislation in line with the Human Rights Act 1998, which includes the Article 8 right. This means an examination of Article 8 is relevant to unfair dismissal, for example. A dismissal should be found to be unfair if there has been unjustified interference with an employee’s Article 8 right. But, as the Court of Appeal made clear in a decision (X v Y) in 2004, what is “private life” depends on the circumstances, such as whether the conduct is on private premises and, if not, whether it happens in circumstances in which there is a “reasonable expectation of privacy of that kind”.

The UK’s Employment Appeal Tribunal (EAT) examined a case (Atkinson v Community Gateway Association) in 2014 with facts not dissimilar to Barbulescu. The EAT decided that intimate emails (not flagged as private or personal) that had been discovered during the employer’s disciplinary investigations did not amount to an unjustified interference with the employee’s private life. On the facts, the employee did not have a reasonable expectation of privacy. The email policy (which, ironically, the employee had been responsible for drafting) specified that personal emails had to be marked as such.

Lawful employee monitoring

Any EU employer seeking to monitor employees should always carefully consider at least the following compliance issues in order to ensure lawful monitoring:

  1. Transparency – providing proper and comprehensive notice to employees about when and why monitoring will take place and their rights in relation to the monitoring
  2. Fairness – ensuring that the intrusion into an employee’s privacy is fair
  3. Necessity – demonstrating that the employer is not able to establish the truth of matters through a less intrusive means so that monitoring is the only way forward
  4. Proportionality – that the employer only accesses the information that is relevant and necessary in order to achieve the purpose of the monitoring
  5. Security – that the monitoring takes place in a secure environment with those responsible for access subject to confidentiality obligations and the information obtained only used for the purpose of monitoring and not shared more widely