The Barbulescu vs Romania case has garnered much debate, with the Grand Chamber of the European Court of Human Rights (ECHR) clarifying the law surrounding the monitoring of employees’ private communications in the workplace.
Its recent decision overturns an earlier ruling made by the lower court. The Grand Chamber held that the Romanian courts failed to give effect to the employee’s privacy rights in their treatment of the original claim.
The decision does not ban employee monitoring in the workplace. However, it establishes clear conditions and limits on its use. Crucially, employees must be notified in advance about the nature and extent to which their communications are monitored.
Mr. Barbulescu was dismissed following his misuse of a Yahoo instant messaging account, set up, at his employer’s request, for responding to customer enquiries. He already had another personal Yahoo messenger account. His employer had discovered, through monitoring, that Barbulescu had used the account for private communications, exchanging messages (some intimate) with his fiancée and with his brother, even though he had previously maintained that his use was solely work-related.
Unusually, the employer strictly prohibited the use of any company resources for personal purposes and Mr. Barbulescu was aware of this. Critically, he was not aware that his communications were being monitored, and so brought a claim of unfair dismissal to court.
What employers need to know
The ECHR’s decision set out key criteria that should inform any decision to monitor employees:
(1) Has the employee been notified in advance about the possibility of monitoring? Failure to provide prior notice of monitoring is highly likely to breach data privacy laws, especially where communications content is accessed.
(2) Has the employee been notified about the nature and extent of the monitoring?
(3) What is the degree of intrusion into the employee’s private communications? That is, how personal is the information that may be caught by the monitoring? The court sets out a clear distinction between monitoring the flow of communications and monitoring their content. Another important factor is the number of people who have access to the results.
(4) Are there legitimate reasons to justify the monitoring and access to the actual content? Broad theoretical justifications (e.g. vague references to the need to protect the company’s IT systems or prevent illegal activities) will not suffice; a real risk to the employer must be identified.
(5) Could the aim pursued by the employer in monitoring have been achieved by less intrusive means, which do not require access to the contents?
(6) How serious were the consequences of the monitoring in the context of subsequent disciplinary proceedings? The greater the consequences for the employee, the more thorough the employer’s compliance needs to be.
(7) Does the monitoring include access to the contents of private communications? Access to the content of communications requires weightier justifications. If the contents are accessed, they should not be reviewed unless the employee has been notified in advance of the possibility.
The Court reiterated its view that in order to be fruitful, labour relations must be based on mutual trust. This is something which many SMEs will strive to achieve, both legally and culturally. Over-intrusive monitoring can easily disrupt that carefully nurtured culture.
More broadly, these criteria should be taken into account by employers in implementing changes to their internal systems and processes in preparation for the EU General Data Protection Regulation, which will apply from the end of May 2018.
Employers must have a legal basis to carry out employee monitoring, especially when it comes to private communications. Employers will not be able to rely on employee consent to justify monitoring, even where an employee signs an IT Use policy.
As a result, employers may need to justify such monitoring on the basis of their “legitimate interests.” This requires a balancing assessment between (1) the legitimate interest of the employer and (2) the interests and fundamental rights of the employee.
Data protection impact assessments will be required where processing results in a “high risk to the rights and freedoms of natural persons” (and are already recognised as good practice). Depending on its scale and the level of intrusion, employee monitoring is likely to require a DPIA or, at a minimum, documented analysis as to why a DPIA is deemed unnecessary.
What should employers do
This decision reinforces the need for employers to approach employee monitoring rigorously. It is almost impossible to justify monitoring after the event. Good practice recommendations include:
• Ensure your IT Use policy provides that you may monitor employee communications.
• Provide enough information about the nature of the monitoring, and the circumstances in which it may be carried out, for the monitoring to be fair.
• Bring your IT Use policy to the attention of employees regularly.
• Conduct a data protection impact assessment before implementing invasive monitoring measures.
• Document your analysis as to why employee monitoring is justified in all the circumstances.
Jonathon Gunn is an associate in the corporate group and Emma Vennesson is an associate in the labor and employment group at international law firm Faegre Baker Daniels.