Much ado about nothing in EU decision on monitoring of workplace electronic communications

March 9, 2016 David Whincup

‘Private Messages at Work can be Read by EU Employers’ blared the BBC online recently in the sort of alarmist over-simplification normally best left to the Daily Mail.

An employee at an unnamed business in Romania was instructed to set up a Yahoo Messenger instant messaging account. This account was intended for business use only, with the company’s rules making it clear that employees were forbidden to use its equipment, including computers, for personal purposes.

It was put to the employee, Bogdan Mihai Bărbulescu, that he had used the Yahoo account for personal communications, which he vigorously denied in writing. On the production of 45 pages of evidence that this was untrue (gathered by the employer in just eight days – no messing about with the occasional brief squint at eBay here, you know!), Bărbulescu was unabashed. He leapt onto the front foot and boldly accused the employer of unlawfully accessing his personal communications – an offence carrying up to three years’ imprisonment under Romania’s Criminal Code. Unmoved, the business sacked Bărbulescu for his private use of the Yahoo account, and not his breathtaking dishonesty. Its right to do so was upheld all the way up the Romanian judicial system until referred to the European Court of Human Rights (ECHR).

The ECHR was asked to decide whether the upholding of Bărbulescu’s dismissal constituted a failure by Romania to protect an individual’s rights under Article 8(1) of the European Convention on Human Rights to ‘respect for his private and family life, his home and his correspondence’. (This is of course subject to Article 8(2): ‘… except such as is … necessary in a democratic society … for the protection of the rights and freedoms of others’.)

The ECHR held that it is in effect a right and freedom of an employer to take reasonable steps to verify that an employee is indeed doing the work he is there for, and that this legitimises the business’s accessing and monitoring employees’ use of the communication systems that it requires or provides.

Nothing in this decision allows an employer to seize an employer’s personal smart phone and go through its contents on a whim, for example, as the headlines imply. The employer’s rights applied in particular where the employee’s denial of personal usage had led it to assume that accessing the Yahoo account would only disclose work-related messages, said the Court. (However, that overlooks the fact that here the monitoring had taken place before the denial and so cannot have been either motivated or justified by it, a point which no one involved seems to have spotted.)

In assessing whether Romanian law adequately protected Bărbulescu’s Article 8 rights, the ECHR also noted that he had ‘not convincingly explained why he had used the Yahoo account for personal purposes’. In fact, his explanation was entirely convincing: he was not paid very much and mobile phone usage cost a fortune. What Bărbulescu had not done was to explain his reasons in a way that showed the balance between his rights and his employer’s to lie in the wrong place (that might include being dismissed for personal use of the employer’s systems in a family emergency rather than for extended messaging about his sex life with his fiancée – which the Court obviously found to be somewhat less pressing).

The more-reported parts of this case actually lie in the single dissenting judgement, a series of arguments so tortured as to require 61 footnotes in just seven pages. These include that access to the internet is a basic human right because it is integral these days to the freedom of expression, but noting that a dissenting judgment is not law. In addition, said the Judge, a blanket ban on personal use of the internet by employees would be impermissible, ‘as is any policy of automatic continuous monitoring of internet usage by employees’. As a result, ‘only targeted surveillance in respect of well-founded suspicions of policy violations is admissible, with general unrestricted monitoring being manifestly excessive snooping on employees’.

This all sounds like bold stuff, but it is actually little more than a statement of current United Kingdom data protection law and practice, which is already based around the proportionality of the monitoring and surveillance to the risks in question and the employee’s personal rights.

The same is true for the dissenting Judge’s departing poke at the employer’s prior notice to Bărbulescu and its other staff that their internet activity was ‘under surveillance’: that it was ‘manifestly insufficient to provide [employees] with adequate notice about the nature, scope and effects of the internet surveillance procedures actually in place’. Ideally, United Kingdom employers should have a quick review of their internet policies to see that they are reasonably clear about such things; however, the reality must be that an employment tribunal would give no material airtime to a complaint like Bărbulescu’s anyway. His serial breach of policy and brazen dishonesty to his employer would surely see him off, with the tribunal very unlikely to be concerned in any way by how the employer had caught him at it.

So the banner headline in the Mail of ‘Bosses free to spy on emails’ should actually have read ‘Bosses free to check that you are using their equipment to do what you are paid to do’. But what would be the news in that?

 

 

Previous Article
The importance of third party compliance programmes
The importance of third party compliance programmes

Third parties work at various levels of almost all organisations and, at times, even act on behalf of organ...

Next Article
Choose your risk management tools wisely
Choose your risk management tools wisely

There is a growing channel-sales compliance trend of conducting due diligence on all partners in the channe...