The Grand Chamber of the European Court of Human Rights (ECtHR) has clarified the law surrounding the monitoring of employees’ private communications in the workplace. The decision overturns the earlier ruling of the lower court and holds that the Romanian courts failed to give effect to the employee’s privacy rights in their treatment of his original claim.
The decision does not ban employee monitoring in the workplace. However, it does establish clear conditions and limits on its use. Most importantly, the decision establishes that employees must be notified in advance about the nature and extent to which their communications may be monitored.
The decision concerned the interpretation of the European Convention on Human Rights (ECHR). It is important to note that the European Court of Human Rights is not an institution of the European Union, but of the Council of Europe (comprising 47 member states including Russia and the U.K.). Article 8 of the ECHR guarantees the right to ‘private and family life’. It is well established that this extends to activities in the workplace.
This decision involved an invasion of privacy by a commercial company rather than by a government authority. It was not, therefore, about state intrusion into private life. The decision was not directly concerned with whether the actions of the company were lawful, since it was not a public authority bound by the European Convention. Rather, the case concerned the question of whether the Romanian courts (as public authorities) had given proper effect to the ECHR.
The practical impact is that any U.S. business operating in Europe (not just the European Union) will need to think carefully about employee monitoring and make sure that it complies with local laws in each country in which it operates (whether it is in Romania, Portugal or Norway) since the courts in those countries will need to interpret their laws in a way which gives effect to ECHR rights (as interpreted by the ECtHR).
Facts of the Case
Mr. Barbulescu was dismissed from his job as a sales engineer following his alleged misuse of a Yahoo instant messaging account. The account had been set up, at his employer’s request, for responding to customer inquiries. He already had another personal Yahoo messenger account. His employer had discovered, through monitoring, that Mr. Barbulescu had used the account for personal purposes, exchanging messages (some intimate) with his fiancée and with his brother, having previously maintained that his use was solely work-related. Unusually, the employer strictly prohibited the use of any company resources for personal purposes and Mr. Barbulescu was aware of this. However, he was not aware that his communications could be monitored.
What Employers Need to Know
- Has the employee been notified in advance about the possibility of monitoring? Failure to provide prior notice of monitoring is highly likely to breach data privacy laws, especially where monitoring includes access to the content of communications.
- Has the employee been notified about the nature and extent of the monitoring?
- What is the degree of intrusion into the employee’s privacy? That is, how personal is the information that may be caught by the monitoring? The Court draws a clear distinction between monitoring the flow of communications and monitoring their content. Another important factor is the number of people who have access to the results.
- Are there legitimate reasons to justify the monitoring and the access to the actual content? Broad theoretical justifications (e.g., vague references to the need to protect the company’s IT systems or prevent illegal activities) will not suffice; a real risk to the employer must be identified.
- Could the aim pursued by the employer in monitoring have been achieved by less intrusive means, which do not require access to the contents?
- How serious were the consequences of the monitoring in the context of subsequent disciplinary proceedings? The greater the consequences for the employee, the more thorough the employer’s compliance needs to be.
- Does the monitoring include access to the contents of communications? Access to the content of communications requires weightier justifications. If the contents are accessed, they should not be reviewed unless the employee has been notified in advance of the possibility.
More broadly, these criteria should be taken into account when employers implement changes to their internal systems and processes in preparation for the EU General Data Protection Regulation (GDPR), which will apply from the end of May 2018 (for more on the GDPR, read our summary and our in-depth guide). This is a parallel set of general laws which apply independently of the ECHR. Employers must have a legal basis to carry out employee monitoring. Employers will not be able to rely on employee consent to justify monitoring, even where an employee signs an IT Use policy. Instead, employers may need to justify such monitoring on the basis of their “legitimate interests”. This requires a balancing assessment between (1) the legitimate interest of the employer and (2) the interests and fundamental rights of the employee.
Data protection impact assessments (DPIAs) will be required where processing results in a “high risk to the rights and freedoms of natural persons” (and such assessments are already recognized as good practice). Depending on its scale and the level of intrusion, employee monitoring is likely to require a DPIA or, at a minimum, a documented analysis as to why a DPIA is deemed unnecessary.
What Should U.S. Businesses With European Operations and Employees Do?
This decision reinforces the need for employers to approach employee monitoring rigorously. It is almost impossible to justify monitoring after the event. In light of this, employers should:
- Ensure your IT Use policy provides that you may monitor employee communications.
- Provide detailed information as to the nature and the circumstances in which monitoring may be carried out.
- Specify whether personal use of IT systems is permitted, and the parameters of such use. A blanket ban on personal use is often viewed as impractical.
- Bring your IT Use policy to the attention of employees regularly and provide appropriate training on it.
- Conduct a data privacy impact assessment before implementing invasive monitoring measures.
- Document your analysis as to why employee monitoring is justified in all the circumstances.
- Ensure that your disciplinary policy sets out the potential consequences for employees of breaches of the IT Use policy.
Our London Office has recently commissioned a survey on the use of social media in the workplace, which includes a survey of monitoring practices among employers.