Snooping on employee emails breaches the right to a private life

In the case of Bărbulescu v Romania, a case in which an employee was fired for using his workplace instant messenger to send personal messages, the Grand Chamber of the Court of Human Rights has ruled that the Romanian domestic authorities’ failure to adequately protect Mr Bărbulescu (B) from the monitoring of his workplace communications by his employer was in violation of his right to respect for private and family life under Article 8 of the Convention.

Background

Upon his employer’s request to respond to clients, B had created a Yahoo Messenger account. He was aware of the strict internal policies in place that prohibited the personal use of company resources. After the employer found messages sent to B’s brother and fiancée B’s employment was terminated. After losing a number of court battles in Romania contesting his dismissal, the lower Chamber of the ECtHR eventually ruled that Article 8 had been engaged but not violated by B’s employer.

The Grand Chamber overturned the judgement, emphasising the importance of regarding the principals set forth in Directive 95/46/EC. It states that the collection and processing of ‘personal data’ should be necessary for specified and legitimate purposes, and should be transparent and proportionate.

It felt that the domestic authorities should have balanced B’s Article 8 right and his employer’s legitimate interests, considering the following factors:

  • Whether the employer had given B clear advance notification of the possibility that his correspondence might be monitored;
  • The degree of intrusion and extent of possible monitoring;
  • Whether the employer had legitimate reasons to justify monitoring;
  • Whether a less intrusive form of monitoring might have been appropriate;
  • The consequences of monitoring for the employee; and
  • Whether the employer had provided adequate safeguards. 

Given that B had not been informed in advance of his employer’s monitoring activities, and the fact that his messages were sent from a private password-protected account, B would arguably have had a reasonable expectation of privacy. As well as this, the monitoring in question was of an intrusive nature, in that it observed not just the flow of communications but also their content, and did not appear to be justified by legitimate reasons.

Furthermore, it was felt that the domestic court had not sufficiently examined whether the employer could have achieved its aim through less invasive methods.  It was also not made clear whether B had been given the chance to provide an explanation before his employer accessed the contents of the messages.

Whilst this case focuses on a Romanian jurisdiction, this case has a bearing on how UK courts may now view employee privacy and monitoring.

For more information on our expertise in data privacy and cyber security, as well as related IT law, click here.