European Court of Human Rights on Employee Monitoring – EU Member States' Approach Remains Unchanged

On January 12, 2016, the European Court of Human Rights in Strasbourg (“Court”) (note that this is not the European Court of Justice (ECJ) in Luxembourg) held by six votes to one in the case of Bărbulescu v. Romania (ECHR 013 (2016)) that there had been no breach of Article 8 of the European Convention on Human Rights (ECHR) (i.e., right to respect for private and family life, the home, and correspondence) in a case concerning dismissal of a Romanian employee for using company Internet for private purposes during working hours in breach of internal company regulations. The Court found that monitoring of the employee’s communication had been reasonable in the context of the disciplinary proceedings at hand because a fair balance had been struck between the employee’s right to respect his private life and correspondence and his employer’s interests.

In the recent days, many media outlets reported that the judgement provides employers with carte blanche to monitor employee communication without limitations and that employees now have no right to privacy in the workplace. This is incorrect. The Court actually confirmed (as in many of its previous judgements) that employees have a reasonable expectation of privacy in workplace communications and that valid monitoring of employees may only take place under specific conditions, as provided by applicable law. Most importantly, if a company has a clear and comprehensive policy on what its employees may and may not do while using company resources, and the policy has been appropriately communicated to the employees, the company can access and review employee communication based on legitimate suspicion of misconduct, but only to the extent that such access is reasonable, proportionate, and all other safeguards to protect employee’s rights (as provided by applicable law) are put in place.

This judgement is a product of the facts of this specific case (as described below) and will therefore not fundamentally change the manner in which competent European regulators approach employee monitoring. Relevant European and local laws of individual EU Member States apply as before, as furthermore evidenced by the Slovenian and Italian data protection authorities’ (“DPA”) official reactions to this case:

• The Slovenian DPA noted that the judgement only assessed practice of the Romanian courts. The judgement does not provide any directly applicable guidelines to the Member States on how they should assess adequacy of employee monitoring in the workplace. Slovenian legal requirements for valid employee monitoring therefore remain unchanged. The DPA added that Slovenian employers are not generally entitled to monitor employees’ private communications in the workplace or their use of company resources, except in truly exceptional cases where this is especially justified.
• The Italian DPA noted that the Court reaffirmed the requirements for monitoring of employees as they stand under the Italian law: Monitoring is admissible only if employees are properly informed, and if such monitoring is proportionate, that is should not be excessive with regard to the purpose of verifying that the employee is performing his/her contractual duties, is limited in time and scope, is specific and not systematic, and is based on legitimate suspicion of employee misconduct.

Companies contemplating monitoring of their European employees are therefore advised to continue complying with all relevant local legal requirements (see below).

Note that this judgment was issued by the Court’s Chamber of seven judges. Mr. Bărbulescu (the applicant in this case) therefore has an option to request referral of the case to the Grand Chamber of the Court (17 judges) for fresh consideration. This judgement may, therefore, still be reconsidered and overturned. Also note that the Court in this case did not specifically consider the EU Data Protection Directive or Romanian data protection laws; It only focused on assessing whether the Romanian authorities have managed to strike a fair balance between the employee’s right under Article 8 ECHR and his employer’s legitimate interests. 

Facts of the Case

Mr. Bărbulescu created an email account for work purposes at his employer’s request. The company had a policy that contained an absolute ban on company email/Internet use for private purposes. In 2007, his employer informed Mr. Bărbulescu that his email account communication had been monitored and that the records showed he had used the company Internet for private purposes in breach of the company’s internal regulations that prohibit private use of company resources. When Mr. Bărbulescu denied such private usage, he was presented with a 45-page transcript of his communication, including transcripts of messages he had exchanged with his brother and his fiancée relating to sensitive personal matters pertaining to his health and sex life. The employer subsequently terminated Mr. Bărbulescu’s employment contract for breach of the internal regulations.  

Mr. Bărbulescu challenged the contract termination before the Romanian court as being null and void because his employer had violated his right to private correspondence afforded to him under the Romanian Constitution and Criminal Code. The court dismissed the claim on the grounds that the employer had complied with the dismissal proceedings provided for by the Romanian Labor Code. Mr. Bărbulescu’s appeal (that his email was protected by Article 8 ECHR) was dismissed on the grounds that (also under the European Data Protection Directive) the employer’s conduct had been reasonable and (in view of Mr. Bărbulescu’s denial of private use) this had been the only method of establishing whether there had been a disciplinary breach.   

Findings

The scope of the Court’s examination was limited to assessing whether the State of Romania (in the context of its positive obligation under Article 8 ECHR to ensure protection of human rights in private relationships) struck a fair balance between (i) the employee’s right to respect his private life under Article 8 ECHR, and (ii) his employer’s legitimate interests. The Court found that the State of Romania did not violate Article 8 ECHR. The employee was able to raise all of his arguments before the Romanian courts. After duly examining the case, the courts found that the employer had acted in the context of its disciplinary powers provided for by the Romanian Labor Code. There was no doubt that the employee breached company regulations, and termination was thus acceptable.

The Court did not consider Romanian Data Protection laws or the Article 29 Working Party opinion on employee monitoring in great detail, apart from briefly noting their existence and relevance. The Court only observed in general that it is not unreasonable for an employer to want to verify that the employees are completing their professional tasks during working hours. It then went on to consider that in this particular case:

• The employer had accessed the employee’s account believing that it contained only professional communications, considering that the employee claimed he did not use the account for private purposes. Such access was therefore legitimate under Romanian laws;
• The Romanian courts had used the 45-page transcript of the communications only to the extent that it proved that the employee had used the company’s computer for his own private purposes during working hours, and the identity of the people with whom he had communicated was not revealed. The courts did not attach any particular weight to the content of the transcripts, so the content was not a decisive element for the courts’ findings;
• The employer had accessed the account only to check/confirm whether the employee was using it for professional purposes. The use of the transcript was limited, and other documents on the employee’s computer were not accessed. The monitoring was therefore limited in scope and proportionate; and
• The employee’s reason for using the account for private purposes during work hours (i.e., prices for mobile phones had been very high and requests for his professional services had been very low at the time) was not convincing.

Having regard to the foregoing, the Court concluded that there is nothing to indicate that the domestic authorities failed to strike a fair balance, within their margin of appreciation, between Mr. Bărbulescu’s right under Article 8 ECHR and his employer’s interests.

Practical Considerations

This case shows that under the right conditions, EU Member State laws may allow monitoring of employee (private) communication, provided that companies comply with all relevant local privacy, data protection, and labor legislation. In general, the main conditions for valid employee monitoring will consist of the following:

• Relevant company policies (such as Internet Usage Policy) should clearly and comprehensively set out the possibility of monitoring and the rights and obligations of the company and the employees in this regard;
• Depending on local law, employee consent and/or Works Council/employee representatives consultation/approval may be required for such policy;
• Depending on local law, the competent local data protection regulator may need to be informed (registration requirement), consulted, and/or provide its prior approval for the contemplated monitoring;
• Depending on local law, employees may need to be informed about specific monitoring action in addition to company policy setting out a general possibility of monitoring – covert monitoring may only be justified in specific situations provided by local law;
• Employer should only act based on an actual legitimate suspicion of employee misconduct – preventive strikes and systematic monitoring will not be deemed appropriate;
• Monitoring must be proportionate for the goal to be achieved, especially in respect of content of communication. Before implementing any concrete monitoring measures, the employer should assess whether the benefits of that measure outweigh the adverse impact on employee privacy – if there is a less privacy-invasive manner to achieve the goal that might eliminate or minimize negative impact on employees, the employer should use it;
• Monitoring must be limited in time and scope – continuous and unrestricted monitoring will generally be considered manifestly excessive;
• Communication that is clearly private should not be accessed, unless local law provides appropriate legal ground for such action;
• Personnel with access to the information obtained through monitoring must be limited and appropriately trained on the relevant privacy, data protection, and labor law issues; and
• Blanket prohibition of all private use of company resources may be possible and even advisable in certain jurisdictions (e.g., Romania and Germany), but not in others (e.g., the Netherlands) – obtain local advice before trying to prevent employees from using company devices and systems for private purposes.