Tag Archive: internet use

ECHR confirms that employers do not have green light to monitor employee emails

Further to our Be Aware post of 1 February 2016 on 5 September 2017  the Grand Chamber of the European Court of Human Rights overturned the Lower Chamber’s judgment in Barbulescu v Romania and held the dismissal of an employee after his employer monitored his Yahoo Messenger communications and discovered that he had used the internet for personal purposes had breached his Article 8 of the Convention on Human Rights right to respect for his private life and correspondence. This decision makes it clear that employers need well-drafted, well-communicated policies which  clearly explain what internet and social media usage is prohibited in the workplace and what measures the employer will take to monitor and control such usage.

The employer’s internal regulations prohibited personal use of computers  but did not contain any reference to the possibility that employees’ communications would be monitored. The employer undertook monitoring of Mr Barbulescu’s Yahoo Messenger account, including both the frequency and content of personal communications. Mr Barbulescu unsuccessfully challenged his dismissal in the Romanian courts, arguing that the employer had breached his Article 8 right to respect for his private life and correspondence. He then brought a claim in the ECHR, arguing that the domestic courts had failed to protect his Article 8 right. In 2016 the Lower Chamber dismissed his claim, holding that Mr Barbulescu had no reasonable expectation of privacy in his communications at work. The national authorities had struck a fair balance between his right to respect for his private life and the employer’s interests. Mr Barbulescu then took his case to the Grand Chamber, who disagreed with the Lower Chamber.  The Court considered that it was clear that Mr Barbulescu had been informed of the ban on personal internet use, but not so clear that he had been informed about the monitoring before it took place, particularly about the possibility that the employer might have access to the content of communications. The Court considered that when domestic courts are considering the proportionality of employer monitoring of communications, the following factors should be taken into account:

  • Whether the employee has been notified of the possibility that the employer might take measures to monitor correspondence;
  • The extent of the monitoring and the degree of intrusion into the employee’s privacy. A distinction should be made between the flow of communications and their content;
  • Whether the employer has provided legitimate reasons to justify monitoring the communications and accessing content
  • Whether it would have been possible to establish monitoring based on less intrusive methods;
  • The consequences of the monitoring; and
  • Whether the employee has been provided with adequate safeguards.

In this case, the Grand Chamber found that the court’s conclusion that a fair balance had been struck between the employee’s rights and the employer’s interests questionable. The Grand Chamber considered that the Romanian courts did not protect Mr Barbulescu’s Article 8 rights.

This decision makes it clear that if employers want to monitor and restrict personal use of the internet and other communications at work, the policy must make it clear what is or is not permitted and must inform employees of any monitoring which will take place. Restrictions and monitoring should be proportionate; the Grand Chamber noted that an employer’s instructions cannot reduce private social life in the workplace to nothing.

 

 

Permanent link to this article: http://www.dlapiperbeaware.co.uk/echr-confirms-that-employers-do-not-have-green-light-to-monitor-employee-emails/

Employers do not have green light to monitor employee emails, despite ECHR judgment

A recent case before the European Court of Human Rights has set the cat amongst the pigeons on the perennial hot topic of employees’ entitlement to privacy and data protection in the workplace.

Widespread media reports would give employers to believe that unfettered monitoring of employee emails and internet use is now acceptable and that engaging in personal correspondence during working hours is legitimate grounds for dismissal. However, this is simply not the case, and employers must beware. An employer who engages in this type of monitoring, and imposes disciplinary sanctions as a consequence, can, in fact, expect to find themselves in hot water.  Employers must, as a minimum, have comprehensive, and bespoke, internet policies in place, clearly setting out the rights and obligations of employees, how monitoring is conducted and how data is processed and used.  The policies must also be effectively communicated to employees, accompanied by appropriate training and consistently enforced.

The case

Barbulescu v Romania

The claimant, Mr Barbulescu, was an engineer in charge of sales who was employed from August 2004 – August 2007. In July 2007, Mr Barbulescu was asked by his employer to set up a Yahoo Messenger account for the purpose of responding to clients’ enquiries. The employer gave notice to its employees at the beginning of July that internet use would be monitored (although this was disputed by Mr Barbulescu). In the period 5-13 July, the employer monitored Mr Barbulesco’s Yahoo communications.  This identified that Mr Barbulescu had been using the internet for personal purposes, contrary to the company’s rules which prevented personal internet use.  The rules stated, “It is strictly forbidden to disturb order and discipline within the company’s premises and especially…to use computers, photocopiers, telephones, telex and fax machines for personal purposes“.

Mr Barbulescu initially denied any personal use, but the employer’s findings were backed up by a transcript of his communications. Mr Barbulescu sought to argue that his employer had violated the Criminal Code and the Romanian Constitution by violating his correspondence and brought a claim in the Bucharest County Court. The court dismissed his claim, finding that the employer had complied with the relevant disciplinary proceedings and that Mr Barbulescu had been informed about the employer’s rules on personal internet use.  The court said that as Mr Barbulescu had denied using the internet for personal use, the employer had no option but to check the content of his Yahoo communications, and that monitoring employees’ use of company computers was within the broad scope of the employer’s right to check the manner in which professional tasks were being completed.

Mr Barbulescu appealed the court’s decision, claiming that emails are protected by Article 8 of the Convention relating to respect for private life and correspondence. The Court of Appeal dismissed Mr Barbulescu’s appeal, ruling that the employer’s conduct had been reasonable and that monitoring his communications was the only method of establishing the disciplinary breach.

Mr Barbulescu therefore took his case to the European Court of Human Rights (ECHR). The ECHR identified that, on the face of it, telephone calls from business premises are covered by the notions of ‘private life’ and  ‘correspondence’ for the purposes of Article 8, and that emails, and information derived from monitoring employee usage, would be similarly protected. The ECHR also found that in the absence of notice about monitoring, employees would have a reasonable expectation as to privacy of their calls and emails.

The ECHR said that it therefore needed to examine whether a fair balance had been struck between Mr Barbulescu’s right to respect for his private life and correspondence, and his employer’s interests. It found that there had, and that therefore Mr Barbulescu’s claim should fail (although one judge dissented in strong terms).  It relied on the following findings:

  • Mr Barbulescu had been able to raise his arguments before the domestic courts and they had found that the employer had acted within its disciplinary powers;
  • The domestic courts had also found that Mr Barbulescu had used the company’s computer for personal use during working hours, and that there had therefore been a disciplinary breach of the employer’s rules;
  • The employer had only accessed Mr Barbulescu’s account on the basis that the information in question was assumed to relate to Mr Barbulescu’s professional activities; it had not accessed any other documents or data on Mr Barbulescu’s computer and its monitoring was therefore limited in scope and proportionate;
  • The domestic courts had not placed any weight on the contents of the Yahoo account; they had only considered activity on that account to the extent it proved the breach of company rules;
  • It was not unreasonable for an employer to want to verify that employees are completing their professional tasks during working hours; and
  • Mr Barbulescu had failed to convincingly explain why he had used the Yahoo account for personal purposes

Implications

On the face of it, this case does appear to give employers some confidence about their ability to monitor employee emails and internet use. The ECHR was willing to find that a blanket ban on personal internet use was sufficient in this case to weigh the employer’s interests evenly against the claimant’s right to private life and protection of correspondence. This was so, even though it was in dispute whether the employee had been properly notified that monitoring would take place.

However, employers must still exercise significant caution. The UK has a raft of legislation and guidance governing employee monitoring and data protection, and in many workplaces, the lines are unlikely to be as clearly drawn as in this case. Further, in many cases, a blanket ban on personal internet and email use may be impractical. As identified by the dissenting judge, some employers will allow employees to use the company’s internet and email/messaging systems for personal use; others will allow employees to use their own equipment for work-related matters, and some employers will permit both. The dissenting judge was at pains to make clear that an employer’s right to monitor an employee’s communications is not unrestricted or at its discretion. The key issues to consider are:

  • Employees have a reasonable expectation of privacy;
  • Expectations of privacy may, in certain circumstances, be displaced by a bespoke internet policy with specific rules on email, instant messaging, social networks, internet surfing etc and a comprehensive policy on employee monitoring. Automatic or continuous monitoring of internet use is unlikely to be permissible;
  • Employees must be aware of the employer’s policies, both in terms of the rules which apply during working hours, and outside working hours, and in terms of any restrictions on the use of company equipment. Employees should give their explicit consent to the policies;
  • The enforcement of an employer’s internet policies should be guided by the principles of necessity and proportionality. For example, before carrying out any monitoring, employers should consider whether the benefits of that measure outweigh the adverse impact on the employees’ right to privacy;
  • Sanctions for a breach of the employer’s internet rules should normally start with a verbal warning, before moving to a written warning, and ultimately dismissal. Relevant considerations for the appropriate sanction are likely to include whether damage has been caused to the employer and/or whether there has been a pattern of behaviour over a sustained period of time;
  • Any processing of personal data for the purposes of the employment relationship, including staff management, and termination of employment, must be regulated by contract or collective agreement in line with data protection laws and principles. Specific forms of data processing like internet and email use are likely to warrant detailed rules and procedures.

Permanent link to this article: http://www.dlapiperbeaware.co.uk/employers-do-not-have-green-light-to-monitor-employees-emails-despite-echr-judgment/