European Court Rules on the Permissibility of Accessing Employee Email
In the newly released case of Bărbulescu –v- Romania, the European Court of Human Rights (the “ECHR”) has ruled that an employer in Romania did not breach the privacy rights of its employee when it monitored personal chats on a Yahoo Messenger account which he was meant to use for business purposes.
The employee had been dismissed in 2007 after he had been informed by his employer that his communications had been monitored from 5 to 13 July 2007 and the records showed he had used the internet for personal purposes. The employee replied that he had only used the service for professional purposes but was presented with extensive transcripts of his messages with his brother and fiancée relating to personal matters such as his health and sex life. These messages were sent during working hours and from his work computer. Mr Bărbulescu’s employment was terminated for breach of the company’s internal regulations prohibited.
After challenging his dismissal through domestic forums, Mr Bărbulescu argued that the decision to terminate his employment had been based on a breach of his privacy which was protected by Article 8 of the European Convention on Human Rights (a right to respect for private and family life, the home and correspondence).
The ECHR found that it was “not unreasonable for an employer to want to verify that the employees are completing their professional tasks during working hours”. It was noted that the employer had not carried out a broad search of other documents on the employee’s computer but had accessed the Yahoo messages on the assumption they were work related.
Importantly, the employee had been directed by his employer to set up the Yahoo account for the specific purpose of responding to client enquiries and had also been explicitly banned for using it for personal reasons.
This case underlines the importance of issuing clear directions to employees around the use and monitoring of email.
The issue of monitoring employee emails raises data protection considerations. Under the Data Protection Acts 1988-2003 (the “DPA”), personal data must be obtained fairly for specific, explicit and legitimate purposes. Employers must therefore act transparently in how they collect and manage employee information. To meet this requirement, contracts of employment and specific policies should clearly inform employees about any monitoring.
The Office of the Data Protection Commissioner (the “ODPC”) has guidance on staff monitoring and emphasises the importance of clearly drawing employees’ attention to “acceptable use policies” governing their use of electronic resources.
Importantly, employers cannot rely solely on the fact that they have notified employees that their email will be monitored. The second key requirement is that there is justification for the monitoring and that it goes no further than necessary for the legitimate purposes of the employer. An employee retains their privacy and data protection rights even when in the workplace and any limitation of this right must be proportionate to the likely damage to the employer’s legitimate interests.
Following the new ECHR decision, employers are advised to take the opportunity to review their policies and practices on email usage and staff monitoring.