The Grand Chamber of the European Court of Human Rights’ (ECtHR) ruling in Barbulescu v Romania (61496/08) is a timely reminder of the limits of employers’ ability to monitor their employees’ private activity on work IT systems.
The case concerned an employee’s personal use of a Yahoo Messenger account set up at the employer’s request to be used purely for work messages, and in contravention of an absolute rule prohibiting personal use. The Romanian court found the employee’s dismissal for breach of workplace rules to be fair, concluding that the employer was entitled to check whether its workplace rules had been breached. The Grand Chamber ruled that, in so doing, the Romanian court had violated the employee’s right to privacy under Article 8 of the European Convention of Human Rights by failing to strike a fair balance between his rights and those of his employer to supervise its employees at work. The court had failed to give due consideration to relevant factors, in particular the employer’s failure to give adequate notice of the nature of the monitoring.
The ruling highlights the broad interpretation that the ECtHR gives to the term “private life” when applying Article 8 to communications. The fact that a platform is explicitly reserved by an employer for professional communications only does not mean that private communications made on it lose their private status. An employer’s instructions “cannot reduce private social life in the workplace to zero” and accessing such communications is a potential breach of employees’ human rights. This was held to be so even when the employee insisted that he had only engaged in professional communications on the employer’s system.
The ECtHR’s guidance to domestic courts determining whether monitoring breaches Article 8 is also instructive for employers. The ECtHR emphasised that, without clear and advance notice warning of the operation of monitoring and detailing its extent and nature, the monitoring is likely to be unlawful. The guidance also indicates that extreme caution should be used when accessing and using the content of employees’ private communications, and that it should be avoided if at all possible.
Despite the media’s portrayal of the case, Barbulescu has not substantially changed the position on monitoring of communications under UK law (largely contained in the UK Information Commissioner’s Code of Practice on workplace monitoring).
Employers cannot rely on their prohibition of private use of technology alone to justify monitoring employees’ private communications.
If employers feel that they may need to monitor employees’ communications, this must be clearly communicated in advance with full details of what such monitoring entails; in the absence of such notice, monitoring is likely to be unlawful. Even in cases where employees have been notified of a monitoring program, the implementation of such a program must be considered carefully. Monitoring should occur only when strictly necessary and to a proportionate extent. Accessing the content of communications is more intrusive than mere monitoring of flow, and the test for whether this is lawful is commensurately stricter.
In addition to complying with data protection and interception laws, these steps will be important to avoid an employee claiming constructive unfair dismissal on the ground that the employer’s monitoring breached the implied duty of trust and confidence. They will also maximise the prospects of the employer being able to adduce the evidence obtained from monitoring at tribunal should a claim be brought.
See our Litigation blog post here for a more detailed discussion of the ruling.