A recent ruling by the European Court of Human Rights in Bărbulescu v. Romania, no. 61496/08 affirms the right of employers to monitor their employees’ online activities and electronic communications, subject to certain restrictions. The ruling is aligned with EU and member state law, including the General Data Protection Regulation, as well as guidance on the topic issued by the Article 29 Working Party. Companies operating in countries that have agreed to be bound by the Council of Europe’s European Convention on Human Rights must comply with the decision and should review and update their employee monitoring policies and practices as warranted. 

Background

The case involved a Romanian sales engineer who was fired for using his employer’s instant messenger account to send personal messages in violation of the company’s acceptable use policy. The account was created at the employer’s request for customer support and related business communications. The employer monitored and recorded the complainant’s communications in real time, discovered the offending messages and used their content in a subsequent disciplinary action.

The employee brought suit, alleging that the company’s monitoring and recording of his personal messages violated his right to respect for private life under Article 8 of the European Convention on Human Rights. He demanded 60,000 euros in pecuniary damages and 200,000 euros in non-pecuniary damages.

The decision of the court

The Grand Chamber of the ECHR, reversing a previous judgment by its Lower Chamber, held that the monitoring was unlawful. First, the court ruled that the company violated transparency requirements under the Council of Europe’s recommendations, Romanian and EU law. In the court’s view, the company did not “appear” to give the employee prior notice of the monitoring, let alone the nature and extent of the intrusion, including accessing sensitive content in the messages.

Second, the court questioned whether the employee had a reasonable expectation of privacy in the messages at issue in light of the company’s use policy, which prohibits employees from sending personal messages using company equipment. At the same time, the court opined that employer policies cannot simply “reduce [privacy] in the workplace to zero.”

The court also found that, in dismissing the claim, the lower courts failed to strike an appropriate balance between the employee’s privacy rights and the employer’s business interest. In particular, the lower courts failed to assess:

  • The company’s justifications for the monitoring;
  • Whether less intrusive monitoring measures could have been employed; and
  • The severity of the impact of the monitoring on the employee (the employee had received the most severe disciplinary sanction — dismissal).

After assessing these factors, the court ruled in favor of the employee but dismissed his claim for damages, finding (1) no link between the damages sought and the violation; and (2) that the finding of the violation alone was “just satisfaction” for the employee, which was sufficient to dismiss the request for damages.

Takeaways

Employers who implement employee monitoring in the workplace should find assurance in the outcome of this case. While recognizing employee privacy rights in the workplace, the decision validates monitoring that is tailored to enforcing workplace policies with proper notice to employees. Further, employee monitoring is already highly regulated by the member states, with transparency, necessity and proportionality as core requirements. The decision imposes no new requirements. The decision also aligns with recent guidance from the Article 29 Data Protection Working Party that emphasizes the need to consider employees’ privacy rights irrespective of the technology used to monitor employee activities (including emails, chats and VoIP, but also wearables, data loss prevention tools, eDiscovery technologies and cloud-based apps and services).

We expect member states to engage in an enhanced scrutiny of employer policies and practices and undertake a careful balancing of employee and employer interests when presented with similar cases in the future.

Businesses should ensure that their monitoring practices are narrowly tailored to achieve legitimate business objectives and that monitoring policies and practices are clearly communicated to all employees. In anticipation of the GDPR, businesses should also be prepared to conduct privacy impact assessments prior to implementing DLP tools, as this kind of employee monitoring will likely be seen as “high-risk” data processing by regulators. In the event the privacy impact cannot be mitigated, consultation with data protection authorities will be called for.

Businesses should also watch for member state–specific requirements with respect to the processing of employee data as the GDPR authorizes member states to require enhanced safeguards for employee data. Finally, companies with global operations should be familiar with global employee privacy requirements.
