This article was written by Aimee Ireland during her work experience placement with us.
The European Court of Human Rights (ECtHR) has ruled this week that a Romanian employee who sent personal messages via a workplace Yahoo! Messenger account should not have been dismissed from his job.
Bogdan Bărbulescu was dismissed in 2007 after surveillance software was used to monitor his workplace Yahoo! messaging account, which the employer intended to be used for business purposes only. Despite Mr Bărbulescu denying personal use, his employer was able to produce several transcripts of personal exchanges with his brother and his fiancée.
Following his dismissal, Mr Bărbulescu complained to the Romanian courts, claiming that the employer had violated his right to privacy under Article 8 of the European Convention of Human Rights (ECHR). However, the court found in the employer’s favour, stating that Mr Bărbulescu had been informed that personal use of the account was not authorised, and that usage of the account would be monitored.
First ECtHR decision
When the Romanian appeal court dismissed his appeal, Mr Bărbulescu filed a claim with the Chamber of the ECtHR, arguing that the Romanian courts had failed to protect his rights under Article 8 of the ECHR. The ECtHR once again sided with the employer, concluding that the monitoring of Mr Bărbulescu’s communications was reasonable in the context of disciplinary proceedings.
Final ECtHR decision
Not satisfied with the Chamber’s decision, Mr Bărbulescu appealed to the Grand Chamber of the ECtHR, which is composed of 17 judges instead of the Chamber’s seven judges. This time, the ECtHR decided in his favour, ruling that the Romanian courts had failed to determine whether the employer had given prior notice of its policy on monitoring staff communications or whether such monitoring was justified when balancing Mr Bărbulescu’s right to privacy against his employer’s right to enforce company regulations. Further, the court ruled that “an employer’s instructions could not reduce private social life in the workplace to zero”.
The ECtHR says that the ruling will not stop firms from using measures to monitor employee communications; however, it is necessary for these measures to be “accompanied by adequate and sufficient safeguards against abuse”. The court proposed six criteria that should be considered by the courts when assessing whether any measure is proportionate:
- Whether the employee was notified that monitoring might take place;
- The extent of the monitoring by the employer and degree of intrusion into the employee’s privacy;
- Whether the employer has provided legitimate reasons to justify monitoring;
- Whether the employer could have undertaken the monitoring by less intrusive means;
- The consequences of the monitoring for the employee concerned and use made by the employer of the results of the monitoring; and
- Whether the employee has been provided with adequate safeguards, especially where any monitoring is of an intrusive nature.
Senior Associate Ed Boal adds:
“Some employers may struggle with the outcome of this case: surely when transcripts of the personal messages were produced, Mr Bărbulescu was banged to rights? However, we have known for some time that employees have a legitimate expectation of privacy in the workplace and that employers must exercise considerable caution when doing anything that could compromise that right.
The guidelines set out by the ECtHR broadly reflect those contained in the ICO’s Employment Practices Code. The Code makes it clear that employee monitoring is a processing activity which requires a lawful basis in accordance with the Data Protection Act 1998 and that employers should undertake an impact assessment of the risks associated with such monitoring beforehand. The position on employee monitoring will not change under the GDPR; in fact, it could be argued that it will make employee monitoring much more difficult.”
If you require any advice regarding employee monitoring, please contact one of our Data Protection team. Working with our Employment specialists, they can assist with undertaking data protection impact assessments and reviewing policies and procedures.