Author: Columba Cordingley
The concept of employee privacy is increasingly complex due to technological advancement. The ease of modern communications has blurred the boundaries between work and private life. People often answer work emails during their free-time, and similarly, respond to family and private messages during their working days.  This is understandable, as widespread access to the internet has resulted in a growing pressure to keep up with the fast-paced demands and expectations of both work and family life.
Employee monitoring is often undertaken by employers to ensure that time is being used efficiently and that there is an adequate level of productivity being achieved in the workplace. It is also carried out to protect trade secrets, to address other security concerns, and for reasons pertaining to litigation such as role played by electronic evidence in lawsuits. This practice significantly impacts upon the privacy of employees. Different organisations employ varying methods of employee monitoring, which intrude to different extents. The use of company computers, telephones and software facilitate tracking and monitoring of employee online activity. Common methods include telephone tapping, video surveillance, email monitoring, and location monitoring.
I plan to critically analyse the landmark case of Bărbulescu v Romania and subsequently its wider ramifications in the sphere of employee monitoring and privacy. I aim to provide an overview of the evolution of this area in European law, and will conclude by highlighting emerging challenges and making recommendations on how to more adequately protect employees’ privacy across Europe.
- FACTS OF BARBULESCU BĂBULESCU
Bogdan Bărbulescu was a sales engineer, employed by a private Romanian company which gave him access to a professional Yahoo Messenger account to reply to client queries. Charts indicated that his internet activity was greater than that of his colleagues, thus his employer asked for an explanation. Mr. Bărbulescu replied that he used it for work-related purposes only. His employer consequently presented him with a transcript of messages he had exchanged with his brother and fiancée on the professional messenger account; some of the messages were of an intimate nature. On account of company regulations prohibiting personal use of computers and internet access, Mr Bărbulescu was dismissed. Accordingly, he took the case to the European Court of Human Rights (hereafter the Court).
- JUDGEMENT OF BARBULESCU BĂBULESCU
In 2016, the Chamber held that there had been no violation of Article 8 of the Convention. This judgement was heralded as a ‘carte blanche’ for employers to monitor the private messages of employees. It is for this reason that the Grand Chamber’s reversal of this decision was so important and necessary. The Grand Chamber judgement centered around two arguments: firstly, the applicability of Article 8, and secondly, the compatibility with it. These will be addressed accordingly.
With regards to applicability, the state maintained that the applicant should not have had a reasonable expectation of privacy regarding the communications exchanged via the instant messaging account which was created for professional use. They argued that there were sufficient indications for him to have been aware his employer could monitor his communications. In response, the applicant argued that he did indeed have a reasonable expectation of privacy since he had created the Yahoo Messenger account himself and was the only person who knew the password. This was asserted by the fact that he had not received prior notification from his employer about the monitoring of his messages. The Court reiterated it would be too restrictive to limit the notion of private life to an ‘inner circle’, thus excluding entirely the outside world; instead, it must be interpreted broadly, in order for the possibility to develop a social identity. While the Court considered that it was clear the applicant had been informed of the ban on personal internet use laid down in his employers’ internal regulations, it was not so clear that he had been informed prior to the monitoring of his communications that such a monitoring operation was to take place. Importantly, it did not appear the applicant was informed in advance as to the “extent and nature” of the monitoring, thus the Court concluded that Article 8 was applicable.
As to compliance, the applicant submitted that the court should note the distinction between personal internet use for a profit-making purpose on one hand, and a ‘small harmless private conversation’ on the other. Moreover, he pointed to the fact that he was given no warning of the possibility of monitoring, and that he would have refrained from disclosing certain aspects of his private life on Yahoo messenger had he known. His argument was furthered by pointing to the failure to carry out an appropriate balancing exercise. In response, the state argued that the applicant did not contest being informed that his messages were monitored in the domestic proceedings and that the national courts had performed an appropriate balancing exercise: finding that the employer’s decision to investigate the applicant’s argument was necessary. The Court reiterated the State’s positive obligations to ensure Mr. Bărbulescu’s privacy, noting that while states are afforded a wide margin of appreciation, this does not constitute an unlimited discretion. Proportionality and procedural guarantees against arbitrariness are essential. The Court outlined six factors relevant to the balancing exercise, and the national courts failed had to determine many of the factors pointed out (which will be discussed below in more detail). Accordingly, the Grand Chamber held, by 11 votes to 6, that there had been a violation of Art. 8 ECHR.
- SIGNIFICANCE OF BĂRBULESCU
This welcome decision marks the first time the ECHR has examined a case about the monitoring of an employee by a private employer and thereupon expands the rights to privacy of employees by affirming the obligation of states to protect them from unjustified interference from employers. The Chamber’s initial ruling was widely misreported as creating a right for employers to spy on their staff’s activities at work, hence, the Grand Chamber judgement provides an all-important clarification. Both the French government and the European Trade Union Confederation intervened in the case because of its broader privacy and employment implications.
The Court’s clarification and interpretations on employee monitoring are vitally important. The Court acknowledges that there are limits to the employer’s authority to forbid private communication in the workplace. “The employer’s instructions cannot reduce private social life to zero”. Here the judges refer to the famous Niemitz reasoning of workplace privacy: that the term ‘private life’ cannot be limited to solely include the notion of an ‘inner circle’ in which one is limited to live a private and personal life, thereby completely excluding the rest of the outside world. It is important that the right to respect for private life must also cover, to a certain extent, the right to establish and develop relationships with other human beings. In today’s society, where technology has blurred the dividing line between private and social life, this is all the more relevant.
The most important contribution of the Court to increasing respect for employee privacy is the set of six specific factors it outlines to assess the proportionality of monitoring activities of employers on their employees. These factors conform with the relevant United Nations, Council of Europe standards and EU legislation, such as the GDPR, on how to monitor employees’ communications at work. I will discuss these in turn.
Firstly, a notification of the monitoring is required. While he was aware that some monitoring was occurring, Bărbulescu did not appear to have been informed of the extent and nature of the monitoring activities. This clarification is key, as prior to this judgement, employers were able to superficially and inadequately notify employees. Secondly, the extent of the monitoring and the degree of intrusion into the employee’s privacy is to be taken into account. Here, the court pointed to the distinction between merely monitoring the flow of communications, and on the other hand, the significantly more intrusive alternative of actually viewing their content. Another consideration in this regard is whether all or only parts of the communications have been monitored; the number of people who had access to results; and over how long a period of time the monitoring took place. Thirdly, there must be legitimate reasons to justify the monitoring of the communications and accessing their actual content. Notably, monitoring the content of communications is by nature a distinctly more invasive method, thus it requires weightier justification. Fourthly, whether less intrusive methods and measures are available. It was noted that there should be a case-by-case assessment so that the particular circumstances and facts of each situation may be taken into account. In fifth place to be considered: the consequences of monitoring for the employee and the use made by the employer of results of monitoring operation. In the Bărbulescu case, the most severe disciplinary sanction was employed – his dismissal. Lastly, it should be considered whether the employee was provided with adequate safeguards, especially when employer’s monitoring operations are intrusive in nature. These guidelines are highly fact-specific, which is crucial, given that this limits ambiguity and ensures better safeguards for employee rights.
- LIMITATIONS OF BĂRBULESCU
It is important not to get carried away with the success of this case, as the judgement by no means creates an absolute right to privacy for employers, nor a complete ban on employer monitoring of employees’ workplace communications. Such monitoring may still be lawful if it is proportionate and pursuing a legitimate aim. Despite the importance finding of a violation in this case, it does grant states a considerably wide margin of appreciation on regulating employer monitoring habits. The Court takes the view that “the Contracting States must be granted a wide margin of appreciation in assessing the need to establish a legal framework governing the conditions in which an employer may regulate electronic or other communications of a non-professional nature by its employees in the workplace.” This bears a risk of insufficient employee protection. The third criteria on legitimate reasons and justifications is problematic as it remains unclear exactly what these legitimate reasons may be. This criterion lacks actual significance and would benefit from further clarification. At paragraph 80, the Court said that “It is open to question whether and if so, to what extent the employers’ restrictive regulations left the applicant with a reasonable expectation of privacy.” This notion remains ambiguous and means that the harms of monitoring may be underestimated: it is open to many different interpretations and it is conceivable that one could assume that prior knowledge implies consent. Certainly, whether such an expectation exists in the first place is highly subjective.
- THE EVOLUTIVE JUDICIAL INTERPRETATION OF “PRIVACY”
The concept of privacy for a long time was defined as ‘the right to be alone’. Thus, when at work, the right essentially did not exist. Considering that one makes the decision to work voluntarily, it was widely assumed that when you enter the workplace, you voluntarily leave your privacy at home.
Halford was the watershed case for the topic of workplace privacy, and established the notion ‘reasonable likelihood of privacy’. Ms Halford successfully argued that her Article 8 right to privacy had been infringed by her employer eavesdropping on her personal telephone line at her place of work. It was held that she did indeed have a reasonable expectation of privacy in relation to the telephone calls in question, as she had not been warned that they might be intercepted. Since Halford, workplace practice has changed.
Another British case from 2007 which reached the ECtHR, Copland, established that there is a right to privacy in the workplace and that surveillance by employers can be intrusive and illegal. The Court found that the UK had violated Copland’s right to respect for her private life and correspondence under Article 8 by the way in which it monitored her telephone calls, e-mail correspondence and internet use. Although the circumstances of the case took place before employers started introducing policies covering the monitoring of employee communications as a matter of course, the case does highlight the care that employers should take in managing employees’ expectations and in ensuring that policies are applied fairly in practice. Just as telephone calls from business premises could be part of an employee’s “private life and correspondence” (as held in Halford), so could e-mails sent from business premises and information derived from the monitoring of personal internet use.
- CURRENT EU LAW PROTECTIONS
EU legislation has also evolved to cover this issue. Clearly, Article 8 of the ECHR and Articles 7 and 8 of the The Charter of Fundamental Rights of the European Union are applicable. The main item is the European Parliament and Council Directive on ‘The Protection of Individuals with Regard to the Processing of Personal Data and on the Free Movement of Such Data’. In particular, Article 88 refers to the processing in the context of employment. This Directive’s aim is ‘the protection of the rights and freedoms of individuals, notably the right to privacy, with regard to the processing of personal data’ in the EU Member States. The General Data Protection Regulation also is important to mention in this regard: it was clear that a revision was necessary, considering society has changed enormously in recent years and the striking scale on which data is being collected is unprecedented. This applies very importantly in the workplace. Companies gather the data of their employees throughout their tenure – from their recruitment until termination. Technological developments, often viewed as intrusive and pervasive, certainly raise questions about data protection.
- CURRENT CHALLENGES AND RECOMMENDATIONS
The ECtHR ruled again on the issue of workplace privacy in February 2018, on a case concerning the monitoring of employee’s internet use. Eric Libert was fired by the French national rail operator after his boss discovered pornographic files and a series of forged certificates on his computer. French law offers protection to employees who store personal material on their work computers, as long as it is clearly marked as such. In this decision, the judges held that an employer would need to notify the staff member of their intention to look in the files or open them in their presence. As Libert had marked the files as personal, but not private, there was no question as to whether the employer had the right to open the files. Article 8 of the Convention was not violated. Like Bărbulescu, this case illustrates that justifying the dismissal of an employee will depend on both the nature of the conduct of the monitoring.
A new challenge we must grapple with in terms of employee monitoring is the rise of desk sensors. Several corporations have implemented such sensors, which are used to detect an employee’s presence at their desk. This pilot scheme proved unsuccessful when the Daily Telegraph had to withdraw the use of desk sensors within a day due to backlash from employees and journalist unions. By contrast, a promising example of this type of monitoring can be drawn from Abode’s London Office. They consulted with both employment lawyers and a committee of employees, meaning the idea was introduced gently, in order to allow the staff time to consider this scheme and to understand the reasoning behind it. In fact, sensors are not quite as intrusive as they first come across because they are anonymous and cannot identify particular people. Through asking for their opinions in advance, Adobe illustrated their concern and care for their employees. In particular, sensors are useful in tandem with hot desking, a form of agile working that encourages flexibility which is meant to better suit the mobile way business is done today. This paper is not denying the importance of some form of employee accountability. However, it is important to ensure that workers are still treated with dignity and trust while using new technologies for monitoring.
An important source of guidance on this issue can be found in the Article 29 Working Party Opinion on Data Processing at Work. This advisory body suggests that employers should implement a clear policy concerning the purposes for, when and by whom log data can be accessed. This policy should be easily and permanently accessible for all employees. Moreover, they highlight the importance of a requirement of subsidiarity; for example, taking a less extreme measure such as the blocking of certain websites is preferred over a more intrusive option, such as the constant monitoring of all communications.
In conclusion, the case law of the ECtHR and the guidelines of the Working Party are an important step forward in protecting the right to respect for private life – yet they are not to be taken as a victory. The practice of employee monitoring is widespread and violations of the right to privacy occur frequently and go unaddressed. If all Member States were to explicitly regulate the issue of workplace privacy, it would be granted an appropriate level of seriousness as an issue and employees all over Europe would have the necessary tools to make claims and be empowered to fight for their right to privacy, even when at work. Although the case of Bărbulescu provides some useful guidance in the form of the six criteria, there is still a real lack of clarity and transparency in this area. Specifically, it remains largely unclear as to what ‘legitimate reasons’ to monitor are. More explicit guidelines at the national or European level would be welcomed to ensure rights of employees are better secured.
- Atkinson v Community Gateway Association, 21 August 2014, Appeal No. UKEAT/0457/12/BA
– Bărbulescu v Romania, 12 January 2016, ECtHR App. No 61496/08
- Copland v. the United Kingdom, 3 April 2007, ECtHR App. No. 62617/00
- Halford v. the United Kingdom, 25 June 1997, ECtHR App. No. 20605/92
- Libert v. France, 19 February 2018, ECtHR App. No. 588/13
- Niemietz v. Germany, 16 December 1992, ECtHR App. No. 13710/88
- European Convention on Human Rights (Article 8)
- Charter of Fundamental Rights of the European Union (Articles 7 and 8)
- General Data Protection Regulation – Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data
- Directive 95/46/EC (Article 88)
- Regulation of Investigatory Powers Act 2016
- Lawful Business Regulations of 2000
- Human Rights Act 1998
- Data Protection Act 1998
- Computer Misuse Act 1990
- Chatzinikolaou, ‘Bărbulescu v Romania and workplace privacy: is the Grand Chamber’s judgment a reason to celebrate?’, 19 October 2017, available at: https://strasbourgobservers.com/2017/10/19/barbulescu-v-romania-and-workplace-privacy-is-the-grand-chambers-judgment-a-reason-to-celebrate/
- Jervis, ‘Bărbulescu v Romania: Why There is no Room for Complacency When it Comes to Privacy Rights in the Workplace’, 26 September 2017, available at: https://www.ejiltalk.org/barbulescu-v-romania-why-there-is-no-room-for-complacency-when-it-comes-to-privacy-rights-in-the-workplace/
- Columbia University Global Freedom of Expression, ‘Case of Bărbulescu v. Romania’, available at: https://globalfreedomofexpression.columbia.edu/cases/case-barbulescu-v-romania/
- Lavin, ‘Employer Access to Instant Messaging – Bărbulescu Revisited by the ECHR’, 6 September 2017, available at: https://www.williamfry.com/newsandinsights/news-article/2017/09/06/employer-access-to-instant-messaging-barbulescu-revisited-by-the-echr
– Finances Online, ‘What is Employee Monitoring Software? Analysis of Features, Benefits and Pricing’, 27 May 2018, available at: https://financesonline.com/employee-monitoring-software-analysis-features-benefits-pricing/
- Gupta, ‘The GDPR Balancing Act: Employer Interests and Employee Privacy’, 23 March 2018, available at: http://www.acc.com/docket/articles/gdpr-employer-interests-and-employee-privacy.cfm
- Rawlinson, ‘UK press accused of ‘misinformed media storm’ over email spying story’, 16 January 2016, available at: https://www.theguardian.com/technology/2016/jan/16/uk-press-accused-of-misinformed-media-storm-over-email-spying-story
- Bowcott, ‘Employers’ rights to monitor office emails to be decided by European court’, 4 September 2017, https://www.theguardian.com/law/2017/sep/04/european-court-human-rights-strasbourg-to-rule-on-workplace-privacy-test-case
- Wilson, ‘Sensors and sensibility: Technology and workplace privacy’, 26 September 2017, available at: https://www.recruitment-international.co.uk/blog/2017/09/sensors-and-sensibility-technology-and-workplace-privacy
- D. Warren; L. D. Brandeis, ‘The Right to Privacy’, Harvard Law Review, Vol. 4, No. 5., 15 December 1890, pp. 193-220, available at: https://www.cs.cornell.edu/~shmat/courses/cs5436/warren-brandeis.pdf
 O. Bowcott, ‘Employers’ rights to monitor office emails to be decided by European court’
 Bărbulescu v Romania, 12 January 2016, ECtHR App. No 61496/08
 Bărbulescu v Romania, 12 January 2016, ECtHR App. No 61496/08 paras 65, 66
 Ibid para 68
 Ibid para 70
 Ibid para 78
 Ibid para 87
 Ibid para100
 K. Rawlinson, ‘UK press accused of ‘misinformed media storm’ over email spying story’
 Bărbulescu v Romania (n2) para 80
 Niemietz v. Germany, 16 December 1992, ECtHR App. No. 13710/88
 Bărbulescu v Romania (n2) para 119
 Bărbulescu v Romania (n2) para 80
 S. D. Warren; L. D. Brandeis, ‘The Right to Privacy’, Harvard Law Review, Vol. 4, No. 5. (Dec. 15, 1890), pp. 193-220.
 Halford v. the United Kingdom, 25 June 1997, ECtHR App. No. 20605/92
 Copland v. the United Kingdom, 3 April 2007, ECtHR App. No. 62617/00
 Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (GDPR)
 K. Gupta, ‘The GDPR Balancing Act: Employer Interests and Employee Privacy’
 Libert v. France  ECHR 185
 R. Wilson, ‘Sensors and sensibility: Technology and workplace privacy’