European employers are now permitted to read private messages sent at work
Private messages sent via chat software and e-mail accounts during working hours can now be read by European employers, the European Court of Human Rights (“ECHR”) has ruled.
In the judgment of Barbulescu v Romania (handed down on Tuesday 12 January 2016), the ECHR explained that an employer who read a worker’s Yahoo Messenger chats which were sent during his contracted working hours, acted within the scope of its rights as an employer, without violating Article 8 of the European Convention on Human Rights i.e. the right to respect for private and family life, the home and correspondence.
In 2007, Mr Barbulescu, a Romanian engineer, was found using ‘Yahoo Messenger’ for the purposes of professional contacts, as well as personal contacts.
The messenger service had been set up by Mr Barbulescu (at the request of his employer) for the sole purpose of responding to client enquiries.
On 13 July 2007, Mr Barbulescu was informed that his messenger had been monitored between 5 July 2007 and 13 July 2007 and that he had been found to be using the internet for personal purposes, including communications between his fiancée and brother.
Mr Barbulescu had been given prior warning of its employees ban on sending personal messages and using company resources generally for personal purposes.
Having already been unsuccessful in the domestic Court, Mr Barbulescu had hoped that the ECHR would find that his employer had breached his right to confidential correspondence when it accessed his messages, and thereafter dismissed him.
It was held that Mr Barbulescu had breached company rules with his behaviour and that his employer had a right to check on his activities. Whilst Article 8 had been engaged for these purposes, there had been no violation.
As the employer had believed it was accessing an account developed solely for the purpose of professional communications, the judges said that a fair balance had been struck between the Mr Barbulescu’s rights under Article 8, and the interests of an employer.
The judges explained that the steps taken were also proportionate as the employer did not access other information stored on Mr Barbulescu’s computer.
It was stated that “the employer acted within its disciplinary powers since, as the domestic courts found, it had accessed the Yahoo Messenger account on the assumption that the information in question had been related to professional activities and that such access had therefore been legitimate.”
Interestingly, the judges only discussed the work messenger account held by Mr Barbulescu, and not his personal messenger account.
Moreover, the device on which messages was sent was the property of the employer, and it was not considered whether, had the device been owned by the employee, the decision would have varied.
Impact on Employers and Employees in England and Wales
The decision binds all countries who have endorsed the European Convention on Human Rights, including England and Wales. The judgment falls in line with previous cases in the UK and as such, the Respondent Romanian firm acted in accordance with the behaviour expected from an English employer.
Whilst this case may panic employees (as it may also be applicable to messages sent and websites accessed using Company wifi) it is important to note that there must be a legitimate reason for searching an employee’s property or accessing their accounts in the first place. In this case, that reason was to verify that employees were completing their professional tasks during working hours – a purpose which in a practical sense seems entirely reasonable when individuals are being paid to complete their specific role.
Going forwards, all employers should be sure to explain any rules that allow them to review an employee’s online activities. The easiest way to do this will be to notify them of any policy in place (whether this be upon their initial recruitment, or at any other point during their employment), and obtain their consent explicitly – ideally by them signing the policy as a mark of their acceptance of the terms within it.
In a society where instant messaging and social media are so very prominent, this judgment highlights the overwhelming need for appropriate monitoring policies to be implemented within companies, and a need to make sure the terms of these policies are effectively communicated to all staff members, and upheld by those in more senior positions accordingly.
Employers need to be mindful that this judgment does not give them the right to snoop. Monitoring employee use of email and the internet involves the processing of personal data and so the Data Protection Act 1998 (“DPA 1998”) must be considered. The eight data protection principles under the DPA 1998 and Part 3 of the Employment Practices Code (monitoring at work) are both relevant when monitoring is carried out.
These eight principles require personal data to be:-
- Fairly and lawfully processed;
- Processed for limited purposes;
- Adequate, relevant and not excessive;
- Accurate and up to date;
- Not kept for longer than necessary;
- Processed in line with the data subjects’ rights;
- Secure; and
- Not transferred to other countries without adequate protection.
In particular, point 1 (data being fairly and lawfully processed) should be at the top of any employer’s list of considerations when reviewing information. For this to be satisfied, it is necessary that at least one of the conditions in Schedule 2 of the DPA 1998 is met (for example, that the data subject has given their consent to the processing of personal data, the processing is necessary for the performance of a contract to which the data subject is a party etc.) Schedule 2 in its completeness can be found at http://www.legislation.gov.uk/ukpga/1998/29/schedule/2.
If you would like to discuss the drafting of an appropriate policy, or would like further advice on how to implement the inevitable changes stemming from this matter, please do get in touch with our Employment team on firstname.lastname@example.org.