A recent judgment by the European Court of Human Rights has focused the spotlight on the issue of monitoring employees and data protection compliance.
In the case of Barbelescu -v- Romania a business dismissed an employee on the basis of breach of a computer usage policy, having monitored the individual’s electronic communications and accessed the contents. The individual took a case against his former employer through the Romanian courts, which ruled against him. The case ended up before the European Court of Human Rights (“the Court”) in Strasbourg where on 5 September 2017 the Grand Chamber in effect reversed the 2016 judgment of another chamber of the Court in the case and upheld the individual’s claim that the Romanian courts had failed to protect his right to respect for his private life and correspondence under Article 8 of the European Convention on Human Rights (“the Convention”). The judgment can be found here: https://hudoc.echr.coe.int/eng#{“documentcollectionid2”:[“GRANDCHAMBER”,”CHAMBER”],”itemid”:[“001-177082”]}
What did the Court decide?
The Court ruled that the Romanian national authorities had failed to determine whether Mr. Barbelescu had received prior notice from his employer of the possibility that his communications had been monitored, and the authorities had not paid regard to the fact that he had not been informed of the nature or the extent of the monitoring or the degree of intrusion into his private life and correspondence. In addition, the Romanian courts had failed to determine:
- the specific reasons justifying the introduction of the monitoring measures;
- whether the employer could have used measures entailing less intrusion into Mr. Barbelescu’s private life and correspondence; and,
- whether the communications might have been accessed without his knowledge.
Because of the way the Court and the Convention work the matter is more directly concerned with the activities of the state, but this case nevertheless has implications for employers. The ruling does not mean that employers cannot monitor employees’ communications under any circumstances or that employers cannot dismiss employees for using the internet at work for private purposes. Instead it might be said that the upshot of the case is more about the boundaries that must be in place when an employer monitors employees’ communications which might be generalised by saying that any measures in question must be appropriately justified, necessary and proportionate and there must be adequate and sufficient safeguards against abuse (there may of course be devil in the detail!).
Although the matter was decided under the Convention, a key part of the legal background concerns data protection, which in this case was the Romanian data protection law. This law itself was an implementation of the EU Data Protection Directive. The EU General Data Protection Regulation (GDPR) will fully replace the EU Data Protection Directive from 25 May 2018 and it has a number of aspects that employers will have to take on board to ensure that monitoring employees’ communications are compliant (and by way of note the Court also referred to GDPR).
Regulatory guidance
Regulatory guidance on employee monitoring also exists. At the EU level on 8 June 2017 the EU WP29 issued an Opinion on data processing at work which takes into consideration the additional obligations that GDPR will place on employers; the Opinion can be found here: http://ec.europa.eu/newsroom/just/item-detail.cfm?item_id=50083. Our data protection glossary explains who WP29 are and what their role is. In the UK the ICO has also issued guidance on monitoring employees’ communications in Part Three of its Employment Practices Code (that is quite similar to the “guidance” set out in the Barbelescu judgment), which can be found here: https://ico.org.uk/for-organisations/guide-to-data-protection/employment/. UK guidance includes the following which when looked at in the context of Barbelescu judgment shows how granular the issues can get. Employers should encourage employees to mark their messages as “private” or “personal” so that they can protect their communications and warn employers not to open them unless there is a good reason for doing so. In the Barbelescu case the messages in question were sent on a messaging service, which has no subject line, and so unlike emails they could not be marked as “private” or “personal” – if the messages had been so marked then the employer wouldn’t have had any justification in opening them but the fact of marking them would have been sufficient for the employer to conclude that there had been a breach of the computer usage policy.
The CRH case in Ireland
The Barbelescu case is not the only case to reach the courts this year concerning data protection and investigations. In CRH plc, Irish Cement Ltd and Seamus Lynch v The Competition and Consumer Protection Commission the Irish Supreme Court looked at the conduct of a dawn raid by the Commission which seized some of Mr. Lynch’s emails which he said were not relevant to their investigation.
What should you do?
In light of these cases and GDPR businesses would do well to thoroughly review their policies on monitoring employees (in and outside the workplace) which should include the following aspects:
- providing legitimate reasons to justify monitoring – this will include properly scoping out any investigation;
- notifying employees clearly that monitoring correspondence and other communications might take place, prior to the monitoring taking place;
- determining the extent of monitoring and the degree of intrusion into employees’ privacy;
- determining whether monitoring can be undertaken based on less intrusive methods and measures other than directly accessing communication content – undertaking a Data Protection Impact Assessment (DPIA) would help determine this issue;
- deciding on the use of the results of the monitoring and whether the results are used to achieve the declared aim of the monitoring; and,
- examining whether employees have been provided with adequate safeguards, especially where monitoring is of an intrusive nature.
Please see here for our GDPR FAQs: http://www.corderycompliance.com/eu-data-protection-regulation-faqs-3/. In addition, Cordery’s GDPR Navigator has extensive resources on GDPR including a film showing how to conduct a DPIA – www.bit.ly/gdprnav.
We have also written previously on European Court of Human Rights judgements of interest for businesses, which can be found here: http://www.corderycompliance.com/european-court-of-human-rights-rulings-on-website-user-generated-content/.
For more information please contact André Bywater or Jonathan Armstrong who are commercial lawyers with Cordery in London where their focus is on compliance issues.
André Bywater, Cordery, Lexis House, 30 Farringdon Street, London, EC4A 4HH
Office: +44 (0)207 075 1785
andre.bywater@corderycompliance.com
Jonathan Armstrong, Cordery, Lexis House, 30 Farringdon Street, London, EC4A 4HH
Office: +44 (0)207 075 1784
jonathan.armstrong@corderycompliance.com
