Private messages at work: what can an employer read?

Background

Mr Barbulescu was dismissed from his employment in Romania in 2007 for using an instant messaging system to send messages to his brother and fiancée. The messaging system had been set up by Mr Barbulescu at the request of his employer to respond to customer queries and only Mr Barbulescu knew the password. His use of the messaging system was in contravention of the employer's policy which stated that the use of its computers for personal purposes was prohibited. During the disciplinary process, the employer produced a transcript of Mr Barbulescu's personal communications in support of its assertion that he had breached their policy.

Earlier decision

The Chamber found that, although Article 8 of the Convention had been engaged, the state of Romania had to strike a fair balance between Mr Barbulescu's right to respect for his private life and correspondence, and the interests of his employer. It ultimately found that it was not unreasonable for an employer to verify that employees are completing their professional tasks during working hours and the access to his communications was both legitimate and proportionate in the circumstances.

Latest decision

On appeal, the Grand Chamber found that, although the employer's policy was clear that the personal use of computers was prohibited, the fact that Mr Barbulescu may have his private communications monitored was not clear.

The national courts in Romania had not carried out a sufficient assessment to determine whether there were legitimate reasons to justify monitoring Mr Barbulescu's communications and what specific aim was achieved by doing so.

Further, the courts did not consider whether Mr Barbulescu's employer could have achieved its aim by less intrusive means.

Ultimately the Grand Chamber found that a fair balance had not been struck. Mr Barbulescu was not afforded adequate protection of his right to private life and correspondence. Therefore, there had been a violation of Article 8 of the Convention.

What does the decision mean for employers in the UK?

This decision does not necessarily mean that employers cannot monitor the communications of their employees. However, it does mean that employers need to approach this area with great caution as simply notifying employees that their communications may be monitored may not be sufficient. When considering monitoring practices, amongst other things, an employer should consider the factors listed below:

• whether the employee has been appropriately (and explicitly) notified of the possibility of their communications being monitored;
• the extent of the monitoring and the degree of intrusion into the employee's private life; for example, whether the employer is actually monitoring the content of private communications or just the flow of the communication?;
• whether the employer has provided legitimate reasons to justify why it is necessary to monitor communications and access their content;
• whether it is possible for the employer to achieve its objectives or monitor its employees by another means that is less intrusive;
• what the consequences may be for the employee subject to the monitoring activity; and
• where monitoring activities may be particularly intrusive, whether employees have been provided with appropriate safeguards to protect the actual content of their communications, unless the employer has explicitly notified them in advance that the content may be viewed.

Impact of the decision in EU jurisdictions

This decision will not necessarily have a major impact in some European jurisdictions which already have in place similar regulations, such as in France.

As a matter of principle, French employers may access employees' computers (and professional mailboxes) on the company premises, provided that the messages or documents concerned are not identified as personal. For communications identified as personal, the French Supreme Court has previously stated that these communications cannot be accessed by the employer without first informing the employee concerned, notwithstanding any company policy that prohibits the use of emails for personal reasons.

Further, the employer is prohibited from accessing messages on the employee's personal mailbox, even if the employee has access to such messages from their professional computer. Finally, accessing employees' computers as a mean to control their activity is subject to several restrictions under French law and in particular, renders it necessary to inform employees and their representatives. Otherwise, the emails and data collected cannot be used as evidence against the employee as part of a dismissal procedure. It is therefore likely that the French Supreme Court would have considered the dismissal of Mr Barbulescu unfair.

The Grand Chamber's stipulations for the monitoring of employee communications and internet use are also essentially the same as those reflected in the decisions of the German Federal Labour Court.

What is different, however, is the level of detail of information which employers have to provide to employees prior to monitoring such as timing, scope and types of monitoring. Therefore, the decision in Barbulescu should be taken as a prompt to review and adjust existing "Acceptable Use of IT" policies.

Impact of data protection law on employee monitoring

The Grand Chamber was not looking at this matter from the perspective of EU data protection law but, had it done so, it is likely it would have come to a very similar conclusion. The EU Data Protection Directive (EU/95/46) and the EU General Data Protection Regulation (2016/679) do not prevent an employer from monitoring its employees, but they do impose obligations as to how and when it can be done. The monitoring of employee emails will certainly involve the processing of personal data; such processing can only be carried out where there is a lawful basis for it.

Given that consent has to be freely given (and the general consensus is that consent is not a safe legal basis on which employers may rely), the principal legal bases on which an employer is likely to need to rely are that the processing is necessary for one of the following reasons:

• for the purposes of the employer's legitimate interests; or
• for compliance with a legal obligation to which the employer is subject.

The first reason permits processing so long as those legitimate interests are not overridden by the interests of the employees. This involves the employer carrying out a balancing exercise between its legitimate interests and those of the employee, a process in which the employer will need to consider the sort of questions which the Grand Chamber suggested it should do from the perspective of the Convention (see above).

The second reason would apply where it is necessary for an employer to monitor an employee's emails to comply with its legal obligations; for example, if it was required to do so in order to determine whether there has been a breach of the law dealing with insider trading.

However it would be unusual if such a reason could be applied for systematic monitoring rather than occasional monitoring as a short term measure in response to a particular issue.

The legal bases described above allow the processing of non-sensitive personal data. As personal emails may well contain sensitive personal data, the processing of such emails would need to be based on narrower conditions such as whether it is necessary for the purpose of legal proceedings or a legal obligation in connection with employment. This makes the systematic monitoring of emails very difficult.

In addition to employers ensuring that they have an appropriate policy in place and have taken steps to ensure employees are aware of that policy, it is important that they review any monitoring practices bearing in mind the above factors. It is unlikely that simply notifying employees in itself will be a sufficient means of discharging an employer's obligations to its employees if there are less intrusive means by which an employer might achieve its aim when monitoring employees.