The simple answer is ‘yes’, according to the recent European Court of Human Rights judgment in Barbulescu v Romania, though this needs some explanation; especially given Judge Pinto de Albuquerque’s dissenting opinion.
The European Court of Human Rights decided that a Romanian engineer had not had his Article 8 right (from the Convention for the Protection of Human Rights and Fundamental Freedoms, to respect for his “private and family life, his home and his correspondence”) breached by his employer when it monitored personal messages he had sent on a work-owned Yahoo Messenger account. He had created the account on his employer’s request, to respond to client enquiries.
Barbulescu was dismissed back in 2007 for breaching his company’s internal regulations which stated “it is strictly forbidden to disturb order and discipline within the company’s premises and especially…to use computers…for personal purposes”. Neither the Bucharest Country Court, nor the Bucharest Court of Appeal were persuaded by his argument that the decision to dismiss was void due to the violation of Barbulescu’s right to private life and correspondence, protected by Romanian law.
On 13 July 2007 (a couple of weeks before his dismissal) Barbulescu’s employer told him that his Yahoo communications had been monitored from 5 to 13 July. We should pause for reflection here as this was a fact highlighted by the dissenting judge: he was informed that he was being monitored after he had been monitored. His records (a forty-five page transcript of his messages to his fiancée and brother relating to personal matters such as his sex life) showed that he had used the internet at work for non-work purposes in breach of the company’s regulations.
Whilst on first blush this monitoring may appear to be a wanton violation of Barbulescu’s privacy, from a data protection perspective the court’s decision to permit it is not surprising. The key point to note is that the employer’s policies clearly stated that the use of work messenger accounts for personal purposes was prohibited i.e. that there was an absolute ban on the use work accounts for private reasons. By reading Barbulescu’s emails as a basis for monitoring his use of the account, his employer had exercised its rights for a legitimate purpose – namely to ensure that the account was being used for work purposes only. Further, as his employer had only checked the communications of his Yahoo Messenger account (and not the other data and documents stored on his computer) the employer’s monitoring was also deemed by the court to be limited in scope, and therefore proportionate.
The court’s considerations
The court acknowledged that the notion of a private life is a broad concept and that individuals have the right to i) establish and develop relationships with others; and ii) identity and personal development. Further, it held that emails sent from work should be protected, as should information derived from monitoring personal internet usage, in deciding that Article 8 right was ‘engaged’. When considering whether Barbulescu had a reasonable expectation of privacy when communicating from the Yahoo account, the court considered that it was clearly a strict rule in the company’s regulations that computers should not be used by employees for personal reasons. The court then queried, in view of this general prohibition, whether the employee retained a reasonable expectation that his messages would not be monitored. The employee clearly disagreed. The court also noted that he had not signed a copy of the employer’s notice (another point raised by the dissenting judge).
In any case, the court held that there had been no ‘violation’ of the employee’s Article 8 right. The question debated was whether a “fair balance between the applicant’s right to respect for his private life and correspondence and his employer’s interests” had been struck: the answer was ‘yes’. The court was also happy that the content of the messages had not been a decisive element in the previous courts’ findings. It was enough that the messages had been sent to prove that he had breached his contract of employment. The court appreciated that it is not unreasonable for employers to want to verify that their employees are completing their professional tasks during working hours.
The dissenting opinion considered that the right to freedom of expression in society implies freedom to access such services. The judge drew attention to the Convention principle that “internet communications are not less protected on the sole ground that they occur during working hours, in the workplace or in the context of an employment relationship, or that they have an impact on the employer’s business activities or the employee’s performance of contractual obligations”. In considering how best to protect employee’s private electronic communications held by employers for employment purposes, he suggested that a comprehensive internet usage policy should be in place with “specific rules” on the use of emails and instant messaging and “transparent rules” on how monitoring is conducted.
The key point to note from the judgment is that any intention to monitor employee activity should be fairly disclosed to employees before it is carried out, and that any monitoring conducted must be proportionate and for justified purposes.
Information gathered as part of a monitoring activity must be securely handled amongst appropriately-authorised reviewers. It is particularly important to remember that enterprise-wide monitoring across group affiliates in different EU countries will also attract different local regulatory expectations, and that in some countries local works’ council or data protection officer consultations may be required before monitoring can be performed.
Companies should take time to assess what policies are in place on the monitoring of employees’ private electronic messages. In this case there was a blanket ban on personal internet use – but most employers in the UK permit occasional personal use of their IT and communication systems, as long as such communication does not get in the way of work to be done and is kept to a minimum (and, ideally, outside of working hours). Policies should therefore provide clear guidance on acceptable private use and also the circumstances in which such communications may be monitored.
Most important to check is whether such policies have actually been brought to the attention of employees. Granted, signed consent was not thought to be necessary in this case but it would certainly have made it more difficult for the employee to bring his case if he had signed on the dotted line.
A parting thought also on disciplinary sanctions; whilst the employee was dismissed as a result of his breach in this case, employers should be careful (especially for those with over two years’ service) to apply an appropriate sanction to any breach found. Dismissal may not always be reasonable on the facts of each case and verbal and/or written warnings should be considered in the first instance, to head off any potential unfair dismissal claims.