(Editors’ note: Thanks to Orrick trainee associate, Arne Senger, for his help with this blog post.)
With its recent ruling in Bărbulescu v. Romania (application no. 61496/08), the Grand Chamber of the European Court of Human Rights (ECHR) made a decision of enormous impact for employers in Europe. The decision makes clear that even when private use of business resources is prohibited, employers do not have unlimited access to all communications that occur on corporate systems.
Companies should carefully review their policies to ensure that they can access their corporate IT equipment, at least to the extent permitted by European data privacy law.
In 2007, a Romanian employee was dismissed by his employer for the private use of his corporate Yahoo Messenger account. During working hours, the employee shared private messages with his fiancée and brother, even though the company’s internal policies strictly prohibited the personal use of company resources. The employer became aware of the employee’s alleged misconduct by monitoring his communications on the corporate Messenger account. When the employee denied the allegations, the employer confronted him with a 45 page long transcript of his predominantly personal messages.
After having his case dismissed before the Romanian courts, the employee went before the European Court of Human Rights (ECHR) claiming that Romania failed to protect his right to respect for his private life and correspondence under Art. 8 European Convention on Human Rights.
Right to Respect for Private Life and Correspondence Violated
Whereas the ECHR found in favor of the employer, its appellate division, the Grand Chamber of the ECHR, concluded that the employer infringed the employee’s rights and hence the Romanian authorities did not adequately grant protection. As the Grand Chamber is the highest court of appeal within the European Union, the judgment is conclusive and binding for the Member States and their data protection authorities.
In its analysis, the Grand Chamber predominantly dealt with the question of whether the employer’s business interests outweighed the employee’s privacy rights, and hence justified the employer monitoring the corporate Messenger account. In that regard, the Grand Chamber took into consideration the following criteria (which are also summarized and further explained in an additional Q & A):
- previous notification of employee of the possibility that the employer might take measures to monitor correspondence and other communications, and of the implementation of such measures
- extent of the monitoring by the employer and the degree of intrusion into the employee’s privacy
- legitimate reasons to justify monitoring of the communications and accessing their actual content
- possibility to establish a monitoring system based on less intrusive methods and measures than directly accessing the content of the employee’s communications
- consequences of the monitoring for the employee subjected to it
- adequate safeguards against abuse by the employer
The Grand Chamber found that the Romanian courts disregarded the aforementioned criteria and particularly failed to determine whether the employee was notified of possible monitoring by the employer or its extent. The Romanian courts had, therefore, failed to properly balance the employer’s interests against the employee’s privacy rights. As the dismissal and the underlying monitoring of private communication likely violated the employee’s privacy, the national courts thereby did grant inadequate privacy protections.
The criteria the Grand Chamber stated with respect to the balancing test for employer monitoring versus employee privacy, provide a framework for employers to consider before accessing employee communications – even if those communications occur through corporate accounts or systems. Most important is to balance the employer’s business interests on the one hand, and the employee’s personal privacy interests on the other hand. Also providing adequate prior notification is key for safeguarding the employees’ interests. The employee thus has to be (directly) informed about the fact that the employer might take measures to monitor his communications and to what extent. Furthermore, sufficient safeguards against abuse by the employer have to be met. For example, it must be ensured that monitoring is limited to specific time periods or based on specific filters. It should also be ensured that certain purely private communications not be accessed at all. Companies will no doubt find the foregoing challenging because Management’s role as a fiduciary charged with protecting the corporation can certainly conflict with individual notions of privacy and confidentiality in the workplace.