Workplace monitoring - how much is too much? Bărbulescu v Romania

We're all living our lives increasingly online and leaving our digital footprints as we go. And the dividing line between home and work is blurred by remote working and use of employer-issued devices. It is much easier to track and monitor digital communications than the old paper kind. All this means that employers have the ability to see into their employees' correspondence more than ever before. But how far can employers go in monitoring digital communications without falling foul of the law? A recent ruling of the European Court of Human Rights Grand Chamber looks at this difficult question. It provides guidance on when workplace monitoring is permissible and when it goes too far.

Respect for private correspondence

There has been a lot of comment recently on the changes to privacy law that the General Data Protection Regulation, or GDPR, will introduce next May. But this case looks at employee privacy from a more general human rights perspective. The ECHR Grand Chamber mainly deals with the European Convention on Human Rights, focusing here on Article 8 - the right to respect for private and family life, the home and correspondence. The job of the court was to find the right balance between conflicting interests – the employee's right to respect for his private correspondence as against the employer's right to take steps to ensure the smooth running of the business. 

What happened?

Briefly, Mr Bărbulescu had set up a Yahoo messenger account in his employer's name which he denied using for private purposes. Employees were banned from using workplace equipment for personal purposes, and told that their “activity was under surveillance”. The employer monitored the account for a two week period and produced a transcript of some very personal communications. Mr Bărbulescu ended up being fired.

Getting the balance right

The Grand Chamber concluded that the Romanian courts had fallen short and had not given Mr Bărbulescu the protection he deserved. The case gives guidelines to tip the balance in favour of an employer:

• Give clear notice to employees, in advance, that communications might be monitored and how.
• Take care to limit the extent of monitoring to what is necessary. Differentiate between monitoring the flow of communications and their content. Limit monitoring in time, and limit those who have access to material.
• Think through your reasons for monitoring communications and accessing their content. Are these objectively justifiable to achieve a business purpose? Looking at the content of communications is intrinsically more invasive than monitoring their flow and so requires stronger reasons.
• Use the least intrusive methods necessary to achieve the business aim.
• If the result of the monitoring is serious, such as dismissal, is that fair and has it been made clear to employees?
• Give employees safeguards so that their communications cannot be accessed unless they know that this might happen.

The decision also emphasises the general point that there should be mutual trust between employers and employees.

In the UK, very similar principles are already set out in domestic law and guidance, particularly the Employment Practices Code published by the ICO. But the Grand Chamber concluded that Romanian legislation did not provide a sufficiently robust framework.

This decision reverses a lower level ruling given last year – then the European Court of Human Rights came down on the side of the employer. This just shows how difficult it can be to get the balance right.