14 January 2016
The newspapers today are full of banner headlines proclaiming that employers now have the unrestricted right to read all employee emails including those which are marked personal. But we see this as a misunderstanding of the outcome yesterday in a European Court of Human Rights case, Barbulescu v Romania (Application 61496/08).
The first misconception is that Barbulescu was about email. It wasn’t. The employer had asked specific employees (including the applicant) to set up a Yahoo Messenger account, to deal with client orders and queries. These were specifically to be set up for work purposes only. In addition, the employer had policies which made it clear that work accounts, including Yahoo Messenger, were not to be used for any personal purposes.
In 2007 the employer began to suspect Mr Barbulescu of using his messenger account for personal purposes. So it started monitoring his messages. It did not tell Mr Barbulescu.
Mr Barbulescu was then subjected to disciplinary procedures. In the course of those, he was shown a printout of his messages which ran to over 45 pages. Some of these messages were of an intimate nature and it was clear that the employer had also accessed Mr Barbulescu’s private messenger account. Mr Barbulescu was duly sacked. He took his employer to court, challenging his dismissal. He said in particular that by accessing his personal messages, his employer had violated Article 8 of the European Convention on Human Rights. The court agreed with Mr Barbulescu to the extent that his rights under Article 8 had been interfered with when his accounts and the contents were accessed and used against him.
However, the court went on to consider whether the employer’s actions could be justified. It held that they could. The court did not think it unreasonable for an employer to want to verify that its employees “were completing their professional tasks during working hours”. This is a line of reasoning not too dissimilar from approach of the UK’s Telecommunications (Lawful Business Practice) (Interception of Communications) Regulations 2000. However, the point missed by most of today’s press reports is the court’s finding that whilst Yahoo Messenger had been accessed and the contents examined, other data and documents stored on the same computer had not been accessed or viewed. It was in other words a limited, targeted, search. On this basis, the court was able to find that in the particular circumstances of this case, the employer’s actions were proportionate and lawful. In addition, the court looked at the employer’s policies specifically prohibiting the use of work accounts for personal purposes. The court was somewhat critical of the applicant, finding that he had not convincingly explained why he had used the Yahoo Messenger account for personal purposes.
From a technical point of view this case is a little unsatisfying because it is about ten-year old technology that fell out of favour for a while, to the extent that Yahoo Messenger was relaunched on 7th December 2015 with the invitation “Hello… It’s me. I was wondering if after all these years you’d like to meet.” Reintroducing Yahoo Messenger”. Also one wonders how many 2016 business use direct messaging to service clients as opposed to SMS text, social media and email.
The judgement undoubtedly establishes that employees cannot always expect their private communications on work systems to be untouchable, but in our opinion this decision does not grant every employer in the EU carte blanche to access all employees’ communications and documents. The case is very fact-specific, and it is perhaps telling that the single dissenting judgement concludes by highlighting the EU Article 29 Working Party view that “workers do not abandon their right to privacy and data protection every morning at the doors of the workplace.” Monitoring will still have to comply with national law and, in the case of the UK, will have to comply with the Lawful Business Practice Regulations. In addition, employers in the UK are subject to very detailed guidance from the Information Commissioner on employee monitoring and, at present, that guidance states employees do have some expectation of privacy in the workplace. It will be interesting to see whether amended ICO guidance is issued in the light of the Barbulescu decision.
Paul Motion, Partner & Solicitor Advocate firstname.lastname@example.org T: 0131 222 2939