European Court Restricts Employer Access to Employee’s Private Communications

by Orrick - Trust Anchor

(Editors’ note: Thanks to Orrick trainee associate, Arne Senger, for his help with this blog post.)

With its recent ruling in Bărbulescu v. Romania (application no. 61496/08), the Grand Chamber of the European Court of Human Rights (ECHR) made a decision of enormous impact for employers in Europe. The decision makes clear that even when private use of business resources is prohibited, employers do not have unlimited access to all communications that occur on corporate systems.

Companies should carefully review their policies to ensure that they can access their corporate IT equipment, at least to the extent permitted by European data privacy law.

Background

In 2007, a Romanian employee was dismissed by his employer for the private use of his corporate Yahoo Messenger account. During working hours, the employee shared private messages with his fiancée and brother, even though the company’s internal policies strictly prohibited the personal use of company resources. The employer became aware of the employee’s alleged misconduct by monitoring his communications on the corporate Messenger account. When the employee denied the allegations, the employer confronted him with a 45-page transcript of his predominantly personal messages.

After having his case dismissed before the Romanian courts, the employee went before the European Court of Human Rights (ECHR) claiming that Romania failed to protect his right to respect for his private life and correspondence under Art. 8 European Convention on Human Rights.

Right to Respect for Private Life and Correspondence Violated

Whereas the ECHR found in favor of the employer, its appellate division, the Grand Chamber of the ECHR, concluded that the employer infringed the employee’s rights and hence the Romanian authorities did not adequately grant protection. As the Grand Chamber is the highest court of appeal within the European Union, the judgment is conclusive and binding for the Member States and their data protection authorities.

In its analysis, the Grand Chamber predominantly dealt with the question of whether the employer’s business interests outweighed the employee’s privacy rights, and hence justified the employer monitoring the corporate Messenger account. In that regard, the Grand Chamber took into consideration the following criteria (which are also summarized and further explained in an additional Q & A):

  • prior notification of the employee of the possibility that the employer might take measures to monitor correspondence and other communications, and of the implementation of such measures
  • extent of the monitoring by the employer and the degree of intrusion into the employee’s privacy
  • legitimate reasons to justify monitoring of the communications and accessing their actual content
  • possibility to establish a monitoring system based on less intrusive methods and measures than directly accessing the content of the employee’s communications
  • consequences of the monitoring for the employee subjected to it
  • adequate safeguards against abuse by the employer

The Grand Chamber found that the Romanian courts disregarded the aforementioned criteria and, in particular, failed to determine whether the employee was notified of possible monitoring by the employer or of its extent. The Romanian courts had, therefore, failed to properly balance the employer’s interests against the employee’s privacy rights. As the dismissal and the underlying monitoring of private communication likely violated the employee’s privacy, the national courts thereby granted inadequate privacy protection.

Takeaways

The criteria the Grand Chamber stated for the balancing test between employer monitoring and employee privacy provide a framework for employers to consider before accessing employee communications – even if those communications occur through corporate accounts or systems. Most important is to balance the employer’s business interests on the one hand and the employee’s personal privacy interests on the other. Providing adequate prior notification is also key to safeguarding the employees’ interests. The employee thus has to be (directly) informed that the employer might take measures to monitor his communications, and to what extent. Furthermore, sufficient safeguards against abuse by the employer have to be in place. For example, it must be ensured that monitoring is limited to specific time periods or based on specific filters. It should also be ensured that certain purely private communications are not accessed at all. Companies will no doubt find the foregoing challenging because management’s role as a fiduciary charged with protecting the corporation can certainly conflict with individual notions of privacy and confidentiality in the workplace.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Orrick - Trust Anchor | Attorney Advertising
