Feb 12016

The European Court of Human Rights Rules that an Employer did not Breach its Employee’s Privacy Rights by Monitoring his Email Account

William RM Long and Francesca Blythe
, , , ,

The European Court of Human Rights (“ECtHR”)  ruled earlier this month that an employer’s monitoring of an employee’s personal emails in a work-related Yahoo account was not a breach of the employee’s Article 8 privacy rights (“the right to respect for private and family life, the home and correspondence”).  The court’s ruling was not a general approval of employee monitoring, but was dependant on several critical facts, including the employer’s policy completely prohibiting personal communications on work accounts, and the limited nature of the monitoring into only the work account.

In the case of Barbulescu v Romania, Mr. Barbulescu was asked by his employer to create a Yahoo Messenger account to respond to email queries from clients. In  July 2007, Mr. Barbulescu was notified by his employer that his usage of the Yahoo account, which had been set up for communicating with clients, had been monitored. Mr. Barbulescu asserted that the account had only been used for professional purposes and in response his employer disclosed a 45 page transcript showing personal email correspondence  between Mr. Barbulescu and his brother and fiancée. Mr. Barbulescu was subsequently dismissed for breaching the company’s internal policy prohibiting personal use of company computers and resources.

Mr. Barbulescu appealed to the ECtHR on grounds that his Article 8 rights had been violated and that the domestic courts had failed to protect his rights in this respect. The ECtHR acknowledged that Article 8 was applicable and in turn, examined whether a fair balance had been struck between Mr. Barbulescu’s right to respect for his private life and correspondence and his employer’s interests. The ECtHR ruled (six votes to one) that there was no violation of Mr. Barbulescu’s Article 8 rights by his employer because the monitoring was:

  • necessary to ensure that Mr. Barbulescu was not breaching the employer’s policy which strictly prohibited employees from using company computers and resources for personal purposes;
  • fair as there was an assumption that the messages sent using the Yahoo account would be professional and not personal; and
  • proportionate and limited in scope as although communications on Mr. Barbulescu’s Yahoo account were examined, no other data on his computer had been accessed.

It is important to note that the facts of this case are very specific and the examination of the balance between the interests of the employer and an employee will always need to be carried out on a case by case basis. In this case it was an important factor that the employer had a policy which had an outright ban on personal use, which is somewhat unusual for many businesses.

From a practical perspective, it is important for businesses to have policies which clearly set out the terms under which work systems may be used (often called Appropriate Use Policies”), and the circumstances in which monitoring of employer systems or work accounts may occur. The dissenting judge commented that mere communication to employees that their activity was under surveillance was manifestly insufficient and should have included the specific misconduct being monitored, the technical means of surveillance and the employee’s rights regarding the monitored materials. In addition, before carrying out any monitoring, the proportionality of the proposed surveillance should be considered such as through carrying out  a privacy impact assessment.

Employee privacy and surveillance issues are likely to be increasingly tested with adoption of the EU’s proposed General Data Protection Regulation due to the increased rights of individuals, the greater level of enforcement and increased ability for complaints or claims to be brought on behalf of individuals. However, even once the proposed Regulation is implemented, national laws in EU Member States will need to be considered in similar cases due to the wide discretion given to Member States in the proposed Regulation over data protection in the employment context.

William RM Long

London

wlong@sidley.com

Francesca Blythe

London

fblythe@sidley.com

You might also like
UK’s New Pro-innovation Approach to Regulating Digital Technologies

On 15 March 2023, the UK Government published, alongside its Spring Budget, a report on the Pro-innovation Regulation of Technologies Review (the “Report”). The Report was led by the government’s Chief Scientific Advisor and National Technology Officer, Sir Patrick Vallance, who was tasked with “bringing together the best minds to advise how the UK can better regulate emerging technologies, enabling their rapid and safe introduction.” In response, the UK Government has accepted all of the Report’s recommendations, and set out some next steps for their implementation.

Substantial Changes to Hong Kong’s Privacy Laws Coming

In a briefing to the Legislative Council (Hong Kong’s legislative body) on February 20, 2023, the Privacy Commissioner (“the Commissioner”) announced that substantive amendments to the Personal Data (Privacy) Ordinance (“PDPO”) will take place.

Illinois Supreme Court Clarifies Accrual for Illinois Biometric Privacy Act Claims

For the second time in two weeks, the Illinois Supreme Court clarified the scope of the Illinois Biometric Privacy Act (BIPA) — this time in Cothron v. White Castle. The court, in a 4–3 decision, held that BIPA claims accrue each time biometric data is collected or transmitted, and not just the first time.1