Bulletins | January 27, 2016

Employee privacy – does it still exist?

A recent European Court of Human Rights (ECHR) case [1] has attracted much publicity in the UK press as giving employers the green light to read employees’ private emails. This is wrong. The decision actually confirms that employers may only review employees’ e-mails in limited circumstances.

Background

Mr Barbulescu was employed as an engineer in charge of sales. His employer had a strict policy of not permitting private use by employees of its computer and telecommunications systems. Mr Barbulescu was asked by his employer to set up a Yahoo Messenger account, so he could communicate with customers.

The employer notified Mr Barbulescu that it had been monitoring his account and it believed he had been using it for private communications. Mr Barbulescu denied this, and the employer presented him with a 45 page transcript of all his Yahoo Messenger communications, including private communications with his fiancée and brother. Mr Barbulescu was dismissed for breaching the employer’s telecommunications policy.

Mr Barbulescu subsequently brought employment claims in the Romanian courts alleging that his dismissal was void since the employer had breached his right to privacy by accessing his private communications. Mr Barbulescu was unsuccessful before the Romanian courts, but the case was referred to the ECHR. The argument was that Romania had failed to protect his Article 8 right to respect for his private and family life.

The ECHR’s decision

The ECHR confirmed that Article 8 protects employees who use their employer’s telecommunications systems for private purposes. In other words, employees have a reasonable expectation of privacy at work. Nonetheless, this right is not absolute. The question in this case was whether Romania had struck the right balance between protecting the right of Mr Barbulescu to privacy at work with that of his employer to manage its resources effectively.

The ECHR found against Mr Barbulescu in this regard. It noted that:

  • The employer had a clear policy regarding the private use of the employer’s telecommunications systems;
  • It was reasonable for the employer to check its employees were working during office hours;
  • Monitoring was the only practical way to check the computers were being used for work-related purposes;
  • When the employer accessed the Yahoo Messenger account, it “believed” it would only contain work-related messages, because the account was set up for client communications; and
  • The employer had not reviewed any other documents or data on his computer.

What does this mean for employers in the UK?

Contrary to some of the more lurid headlines in the press, this case does not mean employers have an unrestricted right to read their employees’ private emails. Instead, the decision clarifies that employees do have a right of privacy at work, subject to limited exceptions, and any monitoring must be a proportionate response to the issues involved.

The decision also reiterates the importance of issuing clear guidelines to employees around internet usage and monitoring. The ECHR focused on the fact that the employer had a specific policy, which banned the use of work computers for personal purposes.  This is unusual – the reality is that few workplaces ban all personal use of computers, email accounts etc.  The ECHR also placed importance on the fact that the employer had accessed the Yahoo Messenger account in the belief that it contained only work-related messages.  This type of access was, according to the ECHR, reasonable and not excessive.  This is surprising when you consider the fact that the employer allowed the private message transcripts into the hands of Mr Barbulescu’s colleagues, who then discussed them at work.  The ECHR did not mention this. Had this been a Data Protection Directive complaint to the Court of Justice of the European Union (CJEU), the CJEU would likely have said the disclosure breached data protection principles, including individual privacy rights.

If monitoring is to take place:

  • Have a policy and explicitly say what is and is not permitted.  Make sure your employees are aware of and familiar with your policy and remind them of it regularly;
  • Include a right to monitor usage but bear in mind that any monitoring should be reasonable, proportionate and not excessive;
  • Only monitor if you think it is reasonable and proportionate in all of the circumstances;
  • Do not access anything which is clearly marked personal unless you have reason to do so;
  • Limit the number of people who may undertake monitoring and ensure they know when and how it can take place;
  • Act proportionately – if your concern is, for example, the high number of personal emails being sent, it is probably not necessary to read them to establish the point.

 


[1] The European Court of Human Rights case of Barbulescu v Romania -61496/08 [2016] ECHR 61 is available at http://www.bailii.org/eu/cases/ECHR/2016/61.html.