There has been considerable publicity last month in relation to the recent ECHR case of Bărbulescu v Romania (January 2016). This has frequently been reported as holding that employers can monitor employee communications. The ECHR press release heading states ‘Monitoring of an employee’s use of the internet and his resulting dismissal was justified.’ Popular commentary suggests and implies that all employers can monitor all employee communications including email and internet. A strong and significant word of caution should be noted by organisations. While space prevents a very detailed analysis the following case points should be noted.
The case does not find on a general basis that employers can monitor all employee email, all employee internet usage, nor all employee communications. The case technically related to a claim that national laws are insufficient. It is not a case between the employee and the employer at all.
There is a significant dissent encompassed within the judgement – which some will feel is a more correct assessment of the law – and provides better guidance to employers. The majority decision acknowledges difficult legal and factual issues and certain matters missing from the claim file from the respective sides.
The employer had accessed two online communications’ accounts of the employee: one ostensibly for business; and one personal. Notwithstanding that the personal account was clearly personal and private, and there being various apparent issues, the majority seemed to ignore this clear breach by the employer. There was no lawful basis for accessing the personal account, neither was this argument attempted. There was a clear breach by the employer.
Details of one or both accounts were then disclosed to other employees in the organisation and was discussed by them openly. This further breach by the employer was also ignored by the majority.
In terms of the account established, ostensibly for business purposes, which was accessed by the employer, this contained personal data and sensitive personal data. The employer was not able to establish any reason or suspicion of wrongdoing to trigger a wish to access or monitor this account.
As such, a considered analysis would suggest that there was no basis for general monitoring in this instance, and this seems to lead to the conclusion that there is also a breach by the employer here. This important point is ignored in the majority decision.
It is well established and recognised that employees do not give up their privacy and data protection rights at the door of the employer. The majority decision appears to ignore that employers must have some genuine reason or suspicion in the specific case to go beyond the employee’s rights to monitor and access online communications. The issue related to Yahoo Messenger accounts, not the official company email.
It does not appear that specific warnings to employees beyond a general communications policy (which did not refer to monitoring issues), were issued, or that they were issued to the employee in question, or at least this was not established. For some, the majority decision ignores this important point. Again, this leans strongly towards there being an employer breach.
The employer was not able to establish any reason or suspicion of wrongdoing to trigger a wish to access or monitor this account. Without such a reason, it is generally accepted that the employer cannot so access. Notwithstanding the decision, there does appear to be an employer breach.
It might be speculated whether a different result would have been achieved before the EU Court of Justice in this instance.
On balance, employers should remain cautious against global employee monitoring in the UK and the EU. Employees, national data protection supervisory authorities such as the ICO, and others might suggest the decision is regressive not progressive, or that it is simply wrong or that it might be interpreted cautiously and confined to unusual facts and to an unusual decision. The logic of the majority decision could be criticised as being in contrast to the established body of law and the legal understanding in relation to these issues. The majority suggests a logic which means that the result justifies the means and issues of law, and that rights and process are irrelevant. The majority do not point to any lawful basis for the employer monitoring or having any access prior to any issue being raised with the employee. It has to be cautioned that organisations may better be guided by the dissent analysis than the frequently misunderstood blanket monitoring headline of the case. The decision should not be taken as a carte blanch for employee monitoring. This case should prove to be an outlier decision.
Dr Paul Lambert is author of: A User's Guide to Data Protection, Second Edition; Gringras: The Laws of the Internet, Fourth Edition; International Handbook of Social Media Laws; and Courting Publicity: Twitter and Television Cameras in Court.