What was the outcome?
In this case against the Romanian Government, Mr. Bặrbulescu claimed that the courts had failed to protect his human right to the protection of his private life under the Romanian Constitution in deciding that his dismissal had been lawful.
The ECHR stated that, in the absence of a notification from the employee that email communications would be monitored, employees had a reasonable expectation as to the privacy of email communications. The ECHR noted that the employer accessed Mr. Bặrbulescu’s Yahoo Messenger account to obtain the transcripts on the basis that Mr. Bặrbulescu had said all communications were professional, notwithstanding that the employer had initially notified him that he had been sending personal emails during working hours. Obtaining the transcripts meant that the employer was able to make a finding that he had breached the policy against using its computers for personal purposes. The courts had found that Mr. Bặrbulescu had sent personal emails during working hours and, therefore, a disciplinary breach had been established.
The ECHR concluded that the courts had struck a fair balance between Mr. Bặrbulescu’s right to protection of private and family life and his employer’s interests.
The decision helpfully confirms for employers that there would not be a breach of the human right to respect for a private life and family life if employers monitored their employees’ use of work computers, email accounts and the internet, provided that employers clearly communicate their policy to do so and make clear to employees that they have no right to expect privacy in such communications or in their use of the internet.
The right to monitor employees’ emails and internet usage is, however, still subject to data protection laws and, in the UK, the Regulation of Investigatory Powers Act 2000 (“RIPA”). The Employment Practices Code issued by the Information Commissioner’s Office (the “Code”) gives guidance to employers who wish to monitor electronic communications in compliance with the Data Protection Act 1998. It recommends conducting an impact assessment in advance and only undertake monitoring of communications and internet use if it is proportionate to the employer’s legitimate aims, such as ensuring employees are undertaking their duties during working hours and not misusing work equipment or IT services provided to employees for work purposes, balanced against the employee’s right to respect for a private and family life. The Code also recommends that employers train the employees on how to undertake monitoring of the communications and to keep the data obtained, if it includes personal data, secure against unauthorised access or use. The Code is not binding but it can be taken into account in any enforcement action taken against the employer. The Code’s recommendations are consistent with the Article 29 Working Party’s note on workplace surveillance.
Under RIPA, the interception of a communication without lawful authority could give rise to a claim by the sender, the recipient or the intended recipient (if the interception results in the communication not being received). Lawful monitoring by an employer of employees’ electronic communications can be conducted with consent (or on reasonable notification of monitoring). In the absence of consent, employers will need to be able to rely on grounds such as the need to monitor communications relevant to the business. As this is a difficult ground to rely on when private communications are reviewed, the key point for employers is to notify employees that email and internet monitoring takes place and that employees could face disciplinary action for breaching this policy.