In January 2016 we issued an update in relation to a Mr Bărbulescu, whose case involved him being monitored by his employer. The initial decision, made by the European Court of Human Rights (ECHR), was that his employer had committed no wrongdoing. However, that decision has now been appealed.
As a recap, Mr Bărbulescu was in a sales role for a Romanian company and as part of his duties was asked to set up a Yahoo Messenger account to handle customer queries. In July 2007 his employer told him that they had been monitoring his online activity and discovered that he had been making personal use of the messenger system to discuss private matters with his brother and fiancée.
He was subsequently dismissed for breaching his employer’s rules on use of the internet, which made it clear that such use was prohibited. Mr Bărbulescu was unsuccessful in the Romanian courts, which led to his case being heard by the ECHR. His argument was that the personal discussions should have been protected by Article 8 of the European Convention on Human Rights, which outlines the right to private and family life.
However, the ECHR decided (almost unanimously) that the Romanian courts had properly balanced both the employer’s interests and Mr Bărbulescu’s rights when deciding on his case. Accordingly, they saw no infringement of Article 8.
Undeterred, Mr Bărbulescu appealed that decision to the Grand Chamber (GC) of the ECHR, which involves 17 appeal judges addressing the issue. In what is seen by some as a surprising turn, the GC overturned the earlier decision and found that a breach of Article 8 did in fact take place.
Much of the GC’s decision centred on the fact that Mr Bărbulescu’s employer did not inform him that monitoring was taking place. The GC also noted the employer’s failure to consider why it was necessary to introduce monitoring or whether it could have adopted a different tack that would have been less of an infringement of his right to privacy.
As a result of the decision, Mr Bărbulescu was entitled to compensation for the breach of his human rights.
This case may not be a seismic shift away from current guidelines, at least in the UK. The Information Commissioner’s Office (ICO), which is the data protection regulator in the UK, already advises employers that they should conduct an ‘impact assessment’ in relation to monitoring, to determine whether the monitoring is necessary or justified. The ICO also recommends that employees be informed of monitoring when it is taking place.
However, what this case does show is that, even where the employer has a policy in place clearly explaining a prohibition of personal use of IT systems, it will not necessarily provide them with a legitimate and justifiable reason for monitoring employees’ activity.
In addition, when the new General Data Protection Regulation comes into force, it will tighten up the rules on the information that employers can and should be accessing that relates to employees. That again may make it more difficult for employers to justify keeping tabs on employees in this way.
Our recommendation therefore is that employers have robust policy documentation in place regarding the use of IT systems. If you wish to monitor employees and be able to take action for infringements similar to Mr Bărbulescu’s, it would be prudent to inform employees that monitoring is taking place. Employers are also encouraged to have a good reason for monitoring and to regularly consider whether such activity remains necessary and/or justified.
If you have any questions on any of the issues raised in the above article please contact Seanpaul McCahill.