EU says prior permission required to monitor staff electronic communications

[bsaambl]

Organisations will have to ask permission first before being allowed to conduct electronic monitoring of staff.

The European Court of Human Rights has ruled that companies can only monitor employee's emails and other electronic communications if they are notified in advance.

The case was brought by a Romanian man who was sacked in 2007 for exchanging messages online from his workplace about intimate matters with his fiancée. He was asked to set up an email account to answer clients' inquiries.

Bogdan Bărbulescu claimed his right to a private life was not properly upheld by Romania's courts. He brought the case to a Romanian court. It ruled in 2016 that the company was within its rights to sack him.

The ECHR heard that communications sent to his fiancée and also his brother were "intimate in nature". His employer used surveillance software to watch his computer activity. His employer also confronted the appellant with print-outs of his conversations before sacking him. He claimed his was unfairly dismissed, and that the privacy of his emails should have been protected by the European convention on human rights, which guarantees respect for private and family life and correspondence.

In a ruling, the ECHR said that his right to privacy had not been "adequately protected". It also said that it was not clear if the appellant had been notified if his communications would be monitored.

“The right to respect for private life and for the privacy of correspondence continued to exist, even if these might be restricted in so far as necessary,” read a statement released by the Court.

“Although it was questionable whether Mr Barbulescu could have had a reasonable expectation of privacy in view of his employer's restrictive regulations on internet use, of which he had been informed, an employer's instructions could not reduce private social life in the workplace to zero,” the court added.

The ECHR ruling has now overturned this in an 11-6 majority against the Romanian judges who had backed the employer. In January, the ECHR ruled against his claim, as did the Romanian court, but yesterday's decision cannot be overturned.

“This is a very important step to better protect worker's privacy" said Esther Lynch, ETUC Confederal Secretary in a statement. "The ECHR required very detailed scrutiny by national Courts before allowing employers to monitor electronic communications at the workplace. Although it does not prohibit monitoring it sets high thresholds for its justification.

“The judgment means that even if the national courts have established that the worker has used employer's electronic devices for personal purposes and even if the employer had prohibited such communication, this is not in itself a sufficient justification for monitoring the content of the communication or dismissing the worker”.

Dr Guy Bunker, senior vice president of products at Clearswift, told SC Media UK that most companies, especially the larger ones will have this in their ‘acceptable use' policies.

“In Europe, eg Germany, this activity is much more explicit and done through groups such as the Workers Council,” he said.

He added that this would not apply to EU citizens outside the EU, “though many US companies have equivalent acceptable use policies. Today many people have multiple mobile phones, one for work and one for personal use and so they can keep personal activity separate.”

Dr Bunker said that organisations need to ensure that they have suitable acceptable use and security policies in place and communicated.

Rashmi Knowles, Field CTO EMEA at RSA Security, told SC Media UK that the simple fact that monitoring activity or employee surveillance is considered convenient for the employer would not justify intrusion into the employees' privacy. 

“It would only be in exceptional circumstances that monitoring of employees' mail or internet use would be considered appropriate, and maybe best practice to rely on technology to restrict access rather than monitoring employees. This is a battle that will be played out when GDPR comes into effect as it will have to take into account the European Convention to Human Rights, EU Data Protection Directive, Article 29 Working Party and local employment laws,” she said.