Understanding policies and breaching them
In Bặrbulescu v Romania, the European Court of Human Rights (“ECHR”) confirmed that employers would not breach human rights legislation by monitoring work email accounts or emails sent using work devices during working hours, even where the employee has sent private emails, provided the employer has communicated its clear policy prohibiting the use of work email accounts and devices for personal use. Employers, however, remain subject to data protection laws and telecommunication laws when intercepting or reviewing private electronic communications sent by employees using work email accounts or on work devices.
The case in detail
Mr. Bặrbulescu was asked by his employer to create a Yahoo Messenger account to respond to clients’ enquiries. The employer had a policy which prohibited the use of work equipment, such as computers and telephones, for personal use. The employer notified Mr. Bặrbulescu in writing that he had used the Yahoo Messenger service for personal purposes during a specified period. He replied to say he had only used it for professional purposes. The employer responded by providing the transcripts of all communications he sent on Yahoo Messenger during this period, including exchanges with his fiancée and his brother which were personal communications. The employer subsequently dismissed him for breach of its policy.
Mr. Bặrbulescu challenged the dismissal and argued that it was a breach of his human right to protection of private and family life under the Romanian Constitution. The court decided that the employer had a right to monitor his use of the employer’s computers, particularly as he had denied using Yahoo Messenger for personal purposes, and the dismissal was lawful. This decision was upheld on appeal.
What was the outcome?
In this case against the Romanian Government, Mr. Bặrbulescu claimed that the courts had failed to protect his human right to the protection of his private life under the Romanian Constitution in deciding that his dismissal had been lawful.
The ECHR stated that, in the absence of a notification from the employee that email communications would be monitored, employees had a reasonable expectation as to the privacy of email communications. The ECHR noted that the employer accessed Mr. Bặrbulescu’s Yahoo Messenger account to obtain the transcripts on the basis that Mr. Bặrbulescu had said all communications were professional, notwithstanding that the employer had initially notified him that he had been sending personal emails during working hours. Obtaining the transcripts meant that the employer was able to make a finding that he had breached the policy against using its computers for personal purposes. The courts had found that Mr. Bặrbulescu had sent personal emails during working hours and, therefore, a disciplinary breach had been established.
The ECHR concluded that the courts had struck a fair balance between Mr. Bặrbulescu’s right to protection of private and family life and his employer’s interests.
The decision helpfully confirms for employers that there would not be a breach of the human right to respect for a private life and family life if employers monitored their employees’ use of work computers, email accounts and the internet, provided that employers clearly communicate their policy to do so and make clear to employees that they have no right to expect privacy in such communications or in their use of the internet.
The right to monitor employees’ emails and internet usage is, however, still subject to data protection laws and, in the UK, the Regulation of Investigatory Powers Act 2000 (“RIPA”). The Employment Practices Code issued by the Information Commissioner’s Office (the “Code”) gives guidance to employers who wish to monitor electronic communications in compliance with the Data Protection Act 1998. It recommends conducting an impact assessment in advance and only undertake monitoring of communications and internet use if it is proportionate to the employer’s legitimate aims, such as ensuring employees are undertaking their duties during working hours and not misusing work equipment or IT services provided to employees for work purposes, balanced against the employee’s right to respect for a private and family life. The Code also recommends that employers train the employees on how to undertake monitoring of the communications and to keep the data obtained, if it includes personal data, secure against unauthorised access or use. The Code is not binding but it can be taken into account in any enforcement action taken against the employer. The Code’s recommendations are consistent with the Article 29 Working Party’s note on workplace surveillance.
Under RIPA, the interception of a communication without lawful authority could give rise to a claim by the sender, the recipient or the intended recipient (if the interception results in the communication not being received). Lawful monitoring by an employer of employees’ electronic communications can be conducted with consent (or on reasonable notification of monitoring). In the absence of consent, employers will need to be able to rely on grounds such as the need to monitor communications relevant to the business. As this is a difficult ground to rely on when private communications are reviewed, the key point for employers is to notify employees that email and internet monitoring takes place and that employees could face disciplinary action for breaching this policy.