Following the European Court of Human Rights’ decision in the Bărbulescu case, Mason Hayes & Curran looks at what exactly the ruling means for employees’ privacy, and for employers.
“Workers do not abandon their right to privacy and data protection every morning at the doors of the workplace.” So says the EU Working Party set up to consider the processing of personal data in an employment context.
There has been much hype over the course of the last few days about the European Court of Human Rights (ECtHR) decision in the Bărbulescu case. The word on the street this week is that employers now have carte blanche to go and snoop around their employees’ email accounts. However, a word of caution to employers: this is absolutely not the case.
The ECtHR’s decision does not give or offer unlimited justification for employers to access, monitor, review or generally snoop around their employees’ use of computers, emails or indeed internet access, and the decision is very specific to its facts.
Bărbulescu was asked, by his employer, to set up a Yahoo Messenger account for the purpose of communicating with clients and contacts. Bărbulescu did as he was asked and went on to use the Yahoo Messenger account for its intended purpose.
But Bărbulescu’s employer had in place a very clear policy that expressly stated that employees were “strictly forbidden… to use computers, photocopiers, telephones, telex and fax machines for personal purposes…”. When Bărbulescu denied having used his employer’s Yahoo Messenger account for personal purposes, his employer was able to produce 42 pages of communications between Bărbulescu and his brother and fiancée.
In subsequent dismissal proceedings, Bărbulescu tried to argue that his rights to personal privacy had been breached. The Romanian courts held that his employer’s conduct had been reasonable and that the monitoring of his communications had been the only method of establishing if there had been a disciplinary breach – a view with which the ECtHR agreed.
The ECtHR held that Bărbulescu’s employer’s actions, and specifically their monitoring of the company Yahoo Messenger account, were limited in scope and proportionate.
What this means for you
Tuesday’s ECtHR decision does not, however, change the current Irish position in relation to accessing employee communications. If an employer has a very clear policy on what an employee can and can’t do on employer devices and systems, and the employee has been given that policy, an employer can access and review an employee’s use and communications, but only to the extent that such access is reasonable and proportionate.
What Tuesday’s decision does is reiterate the importance of issuing clear guidelines to employees around the use and monitoring of employer devices and internet usage.
The ECtHR placed particular importance on the fact that the employer had a specific policy that contained a blanket ban on the use of work computers for personal purposes. This is most unusual. The reality is that there are few workplaces where some element of personal use of telephones, computers, mobiles, email accounts, etc, is not permitted or tolerated.
The ECtHR also placed importance on the fact that the employer had accessed the Yahoo Messenger account in the belief that it contained only work-related messages. Thus, the access was reasonable and not excessive.
Employees in Ireland – and all over Europe – are entitled to a reasonable expectation of privacy, including in the workplace. This entitlement is enshrined in common law, under statute, in the Irish Constitution and in the European Convention on Human Rights. It is an expectation and a right which has been upheld time and time again.
That expectation of privacy can sometimes be limited and narrowed, but only in very limited circumstances.
So, our top tips to employers are:
- Think about who your employees are, what they do, why they do it and what equipment/access to systems they need to do it
- Think about whether it is actually practical or workable to try to prevent employees from using any employer devices or systems for personal purposes
- Have a policy and spell out what you are prepared to tolerate, when, how and to what extent
- Include a right to monitor usage but bear in mind that any monitoring should be reasonable, proportionate and not excessive
- Only monitor when such monitoring would be considered reasonable and proportionate in all of the circumstances
- Do not snoop and do not access anything which is clearly marked personal, unless you have reason to do so
- Make sure your employees are aware of and familiar with your policy, and remind them of it regularly
For more information, please contact a member of the MHC Employment Law & Benefits team.