Yahoo! We’re watching you… Monitoring employee communications

The case concerned Mr Bărbulescu, who was an engineer in charge of sales at a Romanian company. He had been asked to create a Yahoo Messenger account for professional use and was informed of the company’s policy forbidding personal use of email in work hours. 

The company subsequently monitored Mr Bărbulescu’s communications for nine days. When he denied he had used the account for personal messages, his employer produced a 45-page transcript for disciplinary proceedings. This showed he had exchanged messages with his brother and fiancée on matters described by the court as “very intimate subjects”, including his health and sex life. He was dismissed for breach of the employer’s policy.

Original judgment of the ECtHR

Mr Bărbulescu challenged his employer in the Romanian courts and at the ECtHR, alleging a breach of Article 8 of the European Convention on Human Rights (the right to respect for private and family life, home and correspondence).

The ECtHR did not make a specific finding about whether Mr Barbulescu had an expectation of privacy in the messages sent via the Yahoo account. There did not appear to be clear evidence before the Court that the employer’s intentions concerning potential monitoring had been drawn to his attention. In considering the processing of employee data in the context of workplace monitoring, however, the ECtHR noted that monitoring should be “a proportionate response by an employer to the risks it faces taking into account the legitimate privacy and other interests of workers”. The ECtHR concluded that the company had a legitimate aim in monitoring employees to ensure they abided by company policy prohibiting personal use. The monitoring was:

• necessary to ensure that employees were not breaching the policy;
• fair, as there was an assumption that messages sent using the account would be in a professional, rather than a personal capacity; and
• proportionate, as no other data had been accessed.

The ECtHR concluded, by six votes to one, that the domestic courts had struck a fair balance between Mr Bărbulescu’s right to respect for his private life and correspondence and the interests of his employer. The Court noted that Mr Bărbulescu’s private life and correspondence had been engaged, but concluded that his employer’s monitoring of his communications had been reasonable in the context of disciplinary proceedings.

This ruling appeared to set the bar quite low on the facts. An employer did not seem to have to establish a particularly compelling reason to monitor in order for the proportionality requirements to be met. We took the view at the time that the case was specific to its facts and advised that employers should be cautious about relying too heavily on the judgment.

Judgment of the Grand Chamber

Mr Bărbulescu then asked for the case to be referred to the Grand Chamber of the ECtHR. This is an exceptional process, in which a case is re-considered by a larger group of judges, including the Court’s President and Vice-President. The Grand Chamber gave its ruling on 5 September 2017.

The Grand Chamber agreed with the original decision of the ECtHR that it was questionable whether Mr Bărbulescu could have a reasonable expectation of privacy, given the company’s policy forbidding personal use of email in work hours. But it also noted, with some potential significance, that an employer’s instructions could not reduce private social life in the workplace to zero.

In reviewing the ECtHR’s judgment, the Grand Chamber noted that the principles in the EU Data Protection Directive of necessity, purpose specification, transparency, legitimacy, proportionality and security had been reviewed in reaching the judgment. As with the original ruling, the Grand Chamber was willing to consider this EU-level legislation and guidance in addition to previous decisions on Article 8.

The Grand Chamber decided that ECtHR’s previous ruling had not taken sufficient account of whether Mr Bărbulescu had received prior notice of the monitoring. It had merely stated that Mr Bărbulescu had been warned that he could not use company resources for personal purposes. The company had not informed Mr Bărbulescu in advance of the extent and nature of monitoring, or of the possibility that the contents of messages may be reviewed.

The Grand Chamber also found that the national courts had failed to consider a number of key aspects of the case, such as:

• The scope of the monitoring and the degree of intrusion, even though all of Mr Bărbulescu’s private communications during the monitoring period had been both accessed and printed by the company.
• An assessment of whether there had been legitimate reasons to justify monitoring – the company’s arguments for monitoring were theoretical rather than relying on any evidence of Mr Bărbulescu exposing the company to risk.
• Whether the monitoring could have been achieved by less intrusive methods.

What are the implications?

The decision is not particularly surprising. In practice, it puts the bar back where it should have been, in that Mr Bărbulescu’s employer needed to do more in order to meet the well-established tests that would justify their monitoring activity.

This case reaffirms the importance of having full policies setting out in clear terms the circumstances in which personal use of systems is permitted and, importantly, the extent of monitoring and circumstances in which it may occur. A major reason why Mr Bărbulescu’s arguments succeeded was the fact that his employer had failed to tell him clearly about the nature and extent of any monitoring of his personal communications before this monitoring took place.

A policy of this kind is useful because it helps to give the employer an argument that the employee had no expectation of privacy at all. The fuller the information, the more likely it is that an employee will not be able to demonstrate an expectation of privacy over communications on workplace equipment. Generic words may not be sufficient and, in any event, would not meet data protection requirements. Take, for example, social media - do your policies make clear that you may monitor social media posts made in the employee’s spare time and on their own equipment?

It is also important to note the Grand Chamber’s comments that an employer’s instructions could not reduce private social life in the workplace to zero. Even if an employer states clearly that particular equipment can only be used for work-related communications, this does not necessarily remove all privacy rights, meaning that monitoring of private communications would not be lawful unless the other tests set out above are also met.

A detailed policy will go some way to ensuring a compliant approach under both Article 8 and data protection requirements, but employers should not consider that this gives them carte blanche to monitor all employee communications in all circumstances. The Grand Chamber emphasised that the scope of any monitoring should be considered, as well as the level of intrusion.

This reaffirmation of the principle of proportionality confirms the importance of making an assessment of how the proportionality requirements are met, before commencing any sort of surveillance or monitoring of employees. This allows employers to argue that, even if the right to privacy is engaged, the monitoring is in accordance with a legitimate aim and proportionate. It will also assist in meeting current good practice recommendations under the UK’s Data Protection Act. As the Information Commissioner’s Office’s Employment Practices Code indicates, privacy impact assessments should be conducted before introducing technology which could be used to monitor employees, and before using that technology in specific circumstances. A proper impact assessment will also help to meet the need for documented processes and risk assessments under the forthcoming EU General Data Protection Regulation.

See here for more information about the future changes to data protection and privacy law, including our video on “11 things you need to do to prepare your workplace for GDPR”.

Bărbulescu v Romania – the ECtHR Grand Chamber’s judgment is available here.