The European Court of Human Rights Rules that an Employer did not Breach its Employee’s Privacy Rights by Monitoring his Email Account
The European Court of Human Rights (“ECtHR”) ruled earlier this month that an employer’s monitoring of an employee’s personal emails in a work-related Yahoo account was not a breach of the employee’s Article 8 privacy rights (“the right to respect for private and family life, the home and correspondence”). The court’s ruling was not a general approval of employee monitoring, but was dependant on several critical facts, including the employer’s policy completely prohibiting personal communications on work accounts, and the limited nature of the monitoring into only the work account.
In the case of Barbulescu v Romania, Mr. Barbulescu was asked by his employer to create a Yahoo Messenger account to respond to email queries from clients. In July 2007, Mr. Barbulescu was notified by his employer that his usage of the Yahoo account, which had been set up for communicating with clients, had been monitored. Mr. Barbulescu asserted that the account had only been used for professional purposes and in response his employer disclosed a 45 page transcript showing personal email correspondence between Mr. Barbulescu and his brother and fiancée. Mr. Barbulescu was subsequently dismissed for breaching the company’s internal policy prohibiting personal use of company computers and resources.
Mr. Barbulescu appealed to the ECtHR on grounds that his Article 8 rights had been violated and that the domestic courts had failed to protect his rights in this respect. The ECtHR acknowledged that Article 8 was applicable and in turn, examined whether a fair balance had been struck between Mr. Barbulescu’s right to respect for his private life and correspondence and his employer’s interests. The ECtHR ruled (six votes to one) that there was no violation of Mr. Barbulescu’s Article 8 rights by his employer because the monitoring was:
- necessary to ensure that Mr. Barbulescu was not breaching the employer’s policy which strictly prohibited employees from using company computers and resources for personal purposes;
- fair as there was an assumption that the messages sent using the Yahoo account would be professional and not personal; and
- proportionate and limited in scope as although communications on Mr. Barbulescu’s Yahoo account were examined, no other data on his computer had been accessed.
It is important to note that the facts of this case are very specific and the examination of the balance between the interests of the employer and an employee will always need to be carried out on a case by case basis. In this case it was an important factor that the employer had a policy which had an outright ban on personal use, which is somewhat unusual for many businesses.
From a practical perspective, it is important for businesses to have policies which clearly set out the terms under which work systems may be used (often called Appropriate Use Policies”), and the circumstances in which monitoring of employer systems or work accounts may occur. The dissenting judge commented that mere communication to employees that their activity was under surveillance was manifestly insufficient and should have included the specific misconduct being monitored, the technical means of surveillance and the employee’s rights regarding the monitored materials. In addition, before carrying out any monitoring, the proportionality of the proposed surveillance should be considered such as through carrying out a privacy impact assessment.
Employee privacy and surveillance issues are likely to be increasingly tested with adoption of the EU’s proposed General Data Protection Regulation due to the increased rights of individuals, the greater level of enforcement and increased ability for complaints or claims to be brought on behalf of individuals. However, even once the proposed Regulation is implemented, national laws in EU Member States will need to be considered in similar cases due to the wide discretion given to Member States in the proposed Regulation over data protection in the employment context.