In a surprising decision, the Grand Chamber of the European Court of Human Rights has overturned a previous judgement of its own lower Chamber and found that in failing to protect an employee from his employer’s e-mail monitoring, the Romanian government had violated his right to privacy under Article 8 of the European Convention on Human Rights (‘ECHR’).
Facts of the case
Barbulescu v Romania
Mr Barbulescu was an engineer for a heating company. At his employer's request, he set up a Yahoo Messenger account to deal with client enquiries.
In 2007, the employer informed Mr Barbulescu that it had monitored his Yahoo Messenger account and found that he had used it to exchange personal e-mails in contravention of the employer's strict policy prohibiting any personal use whatsoever of the company's computers, internet or telephones.
Mr Barbulescu replied in writing denying this and saying that he had only used it for work purposes. His employer then produced a 45-page transcript of his communications, which included the text of e-mail messages he had exchanged with his brother and his fiancé, some of which contained intimate personal information about his health and sex life. The employer subsequently dismissed Mr Barbulescu for unauthorised personal use of the internet.
Following unsuccessful complaints to the Romanian labour courts, which found that his dismissal was lawful, Mr Barbulescu brought a claim against the Romanian government in the European Court of Human Rights (‘ECtHR’) arguing that it had failed to protect his rights to privacy and correspondence under Article 8 ECHR.
The original decision of the lower Chamber of the ECtHR in January 2016 found that the Romanian national courts had been entitled to conclude that Mr Barbulescu’s employer had acted reasonably in accessing his emails. Given the employer’s strict policy of restricting person use of work resources, it had been entitled to ‘assume’ that all information on Mr Barbulescu’s work account would be work-related.
The judges of the Grand Chamber have now reversed this original decision, finding (by a majority) that the Romanian national courts had failed to strike a 'fair balance' between Mr Barbulescu’s right to a private life and his employer’s right to ensure its work rules were enforced and upheld. Key to the decision was the fact that Mr Barbulescu had not been expressly informed in advance that his e-mails and their content would be monitored.
The latest ECtHR judgement contains a statement by the Grand Chamber confirming that 'an employer’s instructions cannot reduce private social life in the workplace to zero. Respect for private life and for the privacy of correspondence continues to exist, even if these may be restricted in so far as necessary.'
UK courts and tribunals have grappled for some time with the conflict between the right to privacy and employers’ requirements to uphold internal discipline. UK judges are required to take ECtHR rulings into account and, whilst in some workplaces it may be necessary for email correspondence to be monitored, the factors identified in Barbulescu are equally relevant to UK employers in assessing whether and to what extent it is appropriate, and legal, to monitor employee communications at work. In particular, the following factors must be considered:
- Whether there is a legitimate reason to justify any intended monitoring
- The degree of intrusion the intended monitoring might involve
- The potential consequence of monitoring for employees
- Whether a less intrusive form of monitoring would be more appropriate to achieve the identified legitimate aim
- Whether an employee has been given clear advance notification of the possibility that their correspondence/communications might be monitored
- Whether sufficient safeguards are in place for those who might be subjected to monitoring
Of course, the ECHR is not the only legislation impacting on privacy and monitoring issues in the workplace. In particular, increased employer obligations and strengthened individual rights contained in the General Data Protection Regulation (GDPR), which comes into effect in the UK on 25 May 2018, provide a further pressing reason for employers to look again at any current (or proposed) employee monitoring activities. What is the reason for such activity and are your current practices, policies and safeguards adequate in this new era of data privacy?
How EEF can help
EEF is running a national seminar programme - GDPR and Data Protection for HR: On the Road to Major Changes – in order to help HR understand their new legal obligations under the GDPR, and how they can prepare to apply these in their day-to-day HR practice and procedures. To book a place, or find out more, click here.