When Mr. Bogdan Bărbelsecu created a Yahoo instant messenger (IM) account at his employer’s request to respond to inquiries from customers, he probably had no idea it would spark such a storm or lead to litigation that would reach the European Court of Human Rights (ECtHR). However, it has, and by doing so, it has provided us with a significant ruling regarding the privacy of workers in the workplace, particularly in light of the upcoming
What’s the big deal?
Mr. Bărbulescu’s employer issued a notice to all employees in July 2007 prohibiting personal internet use while at work. Employees were also informed that their work would be monitored in the notice. Mr. Bărbulescu claims that while he was aware that he was not permitted to use his work computer for personal purposes, he was unaware that his communications would be monitored until after the notice was distributed.
Not long after the notification was sent, Mr Bărbulescu’s boss started to screen his Web use, including how and when he utilized the IM account he had made. Mr. Bărbulescu’s employer later gave him 45 pages of private IM messages he had sent using his work account. Thusly, he was excused.
Mr. Bărbulescu claimed that his work-related telephone, email, and instant messaging communications were protected by his right to privacy and correspondence under Article 8 of the European Convention on Human Rights. This dismissal led to the litigation that reached the ECtHR.
What implications does this have for workers and employers?
When in doubt, to decide if Article 8 has been locked in, the court included would think about whether the individual had a sensible assumption for protection. For instance, the policy of an employer might specify to an employee whether or not they have a right to privacy and what that right entails.
The ECtHR’s decision, on the other hand, has “thrown the cat among the pigeons.” The following is what the court said when it concluded that Mr. Bărbulescu’s employer had violated his Article 8 rights: It is impossible for an employer’s instructions to eliminate private social life in the workplace. Even though these may be restricted as necessary, respect for private life and correspondence privacy persists. As a result, the European Court of Human Rights has made a clear statement for the first time, stating that regardless of what an employer says, employees have an absolute right to their private social life while they are at work. In the end, this may well lead to more lawsuits based on Article 8 claims.
However, the ruling in no way implies that employers are now prohibited from monitoring employees at work. In contrast, employers have a legitimate, albeit limited, right to monitor the communications of their employees. Therefore, the test of proportionality must be used to strike a balance when there is a conflict between an employee’s right to privacy and the employer’s right to ensure the smooth operation of the business by monitoring employee communications and/or internet use.
In the end, the domestic court will have to weigh the effects on the employee and the employer of the monitoring process if the measures are challenged. The court outlined the factors domestic courts should take into account when attempting to strike this balance. In her excellent analysis of the decision that appeared in November’s Counsel magazine, Siân McKinley distilled the guidance provided by the court, the relevant provisions of the Information Commissioner’s Office (ICO) Employment Practices Code 2011, and Article 35 GDPR impact assessment (which will be discussed in greater detail below), into five very useful “practical steps for employers” that I wholeheartedly agree with. Employers can defend their monitoring of employee communications against Article 8 challenges by taking these steps:
The manner in which an employer may monitor employees’ communications should be made clear to them in advance. The monitoring’s “nature” must also be made clear. Therefore, employees must be informed in advance if an employer wishes to monitor the content of communications.
Employers ought to conduct an assessment of the extent of the monitoring they intend to carry out and the degree to which it will violate the privacy of their employees prior to initiating it. When doing so, they ought to think about the following issues:
- Can they monitor only the flow of communications, or must content be monitored as well?
- Is it necessary to monitor all communications, or will monitoring some communications suffice?
- Is there a time limit on the monitoring?
- Can physical restrictions be placed on monitoring?
- Could the quantity of individuals who at any point approach the consequences of the observing be restricted?
The flow of communications must be monitored for legitimate reasons. The content monitoring will necessitate even more specific justifications because of its intrusive nature.
Businesses ought to evaluate whether a less nosy observing framework could be set up. The employer must determine whether they can meet the legitimate reasons (see point 3) for content monitoring without directly accessing the entire communication(s).
The employer should review the monitoring process on a regular basis, looking at how the results of the operation are used, the effects on employees, and whether the results meet the “legitimate reasons” that were identified.
The ECtHR decision is largely in line with the ICO’s Employment Practices Code of 2011 and, at least in some cases, with the requirements of the GDPR, which will be implemented soon. Therefore, employers’ monitoring procedures ought to already conform to the ECtHR’s finding, subject to the Court’s finding that employers cannot access the content of communications unless employees have been informed in advance that this may occur.
Article 35(9) of the General Data Protection Regulation (GDPR) stipulates that data controllers must, if necessary, consult with data subjects or representatives regarding the processing.