Monitoring private messages

In 2016 the case of Bărbulescu v Romania was dubbed a “snooper’s charter”. The European Court of Human Rights (ECtHR) ruled that the dismissal of an employee for using electronic communications for personal purposes was not a breach of Article 8 of the European Convention of Human Rights (respect for private and family life, home and correspondence). Mr Bărbulescu appealed to the Grand Chamber of the ECtHR, and the decision has now been reversed. What does this mean for employers who monitor workers’ communications?

Bărbulescu v Romania

Mr Bărbulescu was an engineer who was dismissed when his employers found that his electronic accounts had been used for personal purposes, contrary to company rules. A Yahoo Messenger account had been created by Mr Bărbulescu at his employer’s request, using his employer’s systems, to reply to clients’ enquiries – but he also used it to send personal messages during work hours. However, the employer had made clear to all staff that they were not allowed to use the IT systems for personal purposes. A colleague had recently been dismissed for using IT systems for personal purposes, and staff had been warned their activity was under surveillance.

When challenged by the employer, Mr Bărbulescu said he had used the Yahoo account only for professional purposes. The employer accessed the content of the account and presented him with a transcript of his communications, which included very personal messages. The Romanian courts accepted that this was the only way the employer could challenge Mr Bărbulescu’s assertion. They found the employer had the right to check how professional tasks were completed and monitor for breaches of company policy.

On appeal, the ECtHR ruled that although Article 8 applied, the employer’s interference with the right to respect for private life and correspondence was justified. The courts had struck a fair balance between Mr Bărbulescu’s rights and the employer’s right to act within the context of its disciplinary powers. The employer accessed the account when it was told by Mr Bărbulescu that it contained only business communications, and had disregarded the actual content when dismissing him.

Grand Chamber Appeal

Mr Bărbulescu successfully appealed to the Grand Chamber of the ECtHR, with 6 out of 17 judges dissenting. It ruled that Mr Bărbulescu’s rights had been infringed and that the courts had failed to strike a balance between the competing interests. The terms “private life” and “correspondence” should be construed broadly, including activities taking place in a professional context.

It considered whether employees have a reasonable expectation of privacy. Although prohibiting personal use, and referring to monitoring the employee’s work, the employer’s policies contained no reference to monitoring or intercepting the content of employee communications. Nor had Mr Bărbulescu been informed in advance of the nature and extent of monitoring. The Grand Chamber noted that an employer cannot eliminate private social life through its policies – respect for private life and correspondence continued to exist.

It also ruled that member states should ensure monitoring of correspondence has appropriate safeguards. This means:

• Unequivocal notice in advance, including the extent of the monitoring and the degree of intrusion – distinguishing between monitoring the flow of communications and their actual content.
• Whether monitoring content could actually be justified.
• Whether less intrusive methods could be used.
• The possible consequence of monitoring (e.g. dismissal).

UK law

The UK essentially already has such safeguards under:

• Regulation of Investigatory Powers Act 2000, which prohibit interception of electronic communications without express consent, and subject to the Telecommunications (Lawful Business Practice) (Interception of Communications) Regulations 2000. These allow interception of business communications for e.g. investigating/ detecting the unauthorised use of a telecommunication system (e.g. breach of company rules) or viruses etc;
• Data Protection Act 1998 (soon to be replaced by the GDPR and a new Act). The Employment Practices Data Protection Code makes clear that it will usually be intrusive to monitor workers, who have a legitimate expectation of privacy. Employers must undertake an impact assessment, identifying clear purposes for monitoring, benefits, alternatives (such as automated blocking), and judging whether monitoring is justified. If it is, staff should be clearly informed of the nature, extent and reason for monitoring (unless, exceptionally, covert monitoring is justified).

Policies should follow these limitations and make crystal clear in advance what employees can expect regarding personal communications on business systems (outside or during work time).

Key Points

• In Bărbulescu v Romania, the Grand Chamber reversed the ECtHR’s decision and ruled the employee’s right to private life and correspondence had been infringed;
• Monitoring requires an impact assessment to ensure it is justified and goes no further than is necessary; its scope must be clearly explained to staff;
• Employers should be aware of forthcoming changes under the General Data Protection Regulation and must clearly communicate any rules regarding personal use of IT systems.

This article was published in the October 2017 Issue of Reward Strategy Magazine.