The Bărbulescu case and employee monitoring: all the sordid details

A recent judgment of the European Court of Human Rights attracted an unusual amount of media attention. The decision in Bărbulescu v Romania [2016] in January concerned the tension between an employer’s right to monitor the activities of staff in the workplace, and an employee’s right to privacy. Many of the press reports that followed had alarmist headlines suggesting, wrongly, that companies could now engage in unrestricted monitoring of all private communications by their staff. This article outlines the factual background to the case, and discusses what it means for companies and their obligations in relation to private e-mails and internet use.

Bogdan Bărbulescu was employed by a private company in Romania as an engineer with responsibility for sales, and had created a Yahoo Messenger account at the company’s request, for the purpose of responding to client enquiries. In July 2007, his employer informed him that his Yahoo Messenger communications had been monitored for a number of days, and that the records showed that he had been using the internet for personal purposes, in contravention of a company policy that expressly prohibited personal use of its computers. When Bărbulescu responded that he had only ever used Yahoo Messenger for work, the company presented him with a 45-page transcript that included personal messages to and from his fiancée and his brother. Shortly after that, the company terminated his employment.

Bărbulescu challenged the dismissal through the Romanian courts, claiming that the monitoring was unlawful and that his e-mails were protected by Article 8 of the European Convention on Human Rights, as relating to his private life and correspondence. However, the national courts found that the employer’s right to monitor an employee’s use of company systems falls within the broad scope of the right to check the manner in which professional tasks are completed; and that as long as the employee had been warned that his activity was under surveillance and might lead to disciplinary action if it infringed company policy, it could not be argued that the employer had not been open about the monitoring. Following the final decision in the Bucharest Court of Appeal, Bărbulescu brought a claim against the Romanian government in the European Court of Human Rights, arguing that it had failed to protect his rights to privacy and correspondence under Article 8.

Referring to its own previous case law, the European Court of Human Rights noted that telephone calls, e-mails and internet usage at work were all prima facie covered by the notions of ‘private life’ and ‘correspondence’ protected by Article 8; and in general, in the absence of notification to contrary, an employee has a reasonable expectation as to the privacy of all of these. In this particular case though, it was not clear whether that reasonable expectation applied, as the company claimed
to have given actual notice that personal use would be monitored (an assertion that was disputed by the employee).

The Court went on to consider whether there was a fair balance, under Romanian law, between Bărbulescu’s right to respect for his private life and correspondence, and his employer’s interests. The conclusion was that the balance was fair: the dismissed employee had been able to raise his arguments before the domestic courts, which had given them due consideration and concluded that the employer had acted within its lawful disciplinary powers; the applicant had used Yahoo Messenger on the company’s IT systems on company time, so his disciplinary breach was clear; and it was not unreasonable for an employer to want to check that its employees are doing their job. The claim against the government of Romania accordingly failed.

What are the implications of this for employee monitoring in the UK? Part 3 of the Employment Practices Data Protection Code, published in November 2011 and available through the website of the Office of the Information Commissioner, contains detailed guidance as to what is permissible in terms of the monitoring of electronic communications. That guidance is still essentially sound, and its key points can be easily summarised:

  1. Basic principles. Employee monitoring generally is assumed to be intrusive. Staff have a legitimate expectation that their personal lives are private, and are also entitled to expect privacy in the workplace. They should accordingly be informed about the nature and extent of all monitoring that might be undertaken.
  2. Monitoring policy. If the employer intends to monitor electronic communications, it should establish a policy that sets out in clear terms the reasons why it wishes to do so (such as the enforcement of rules, quality control or fraud prevention), and how the monitoring will be done.
  3. Usage policy. If monitoring is to be used to enforce company rules and standards, the employer needs to make sure that the staff know and understand those rules as well. For example, if it is company policy that IT systems should not be used for private purposes at all (as in the Bărbulescu case), that should be made clear. If private use is permitted – and a limited degree of private use is accepted as the norm in most businesses – the extent of that use, and any restrictions on what may or may not be done, should also be made clear, including any special rules concerning activities like e-mail usage, instant messaging and social networks.
  4. Communication of policies to staff. Staff need to be made aware of these policies, and of any updates to them from time to time, as new systems or technologies are implemented or company practices change. Policies should ideally be signed by new joiners as part of their induction, and also made available through the company intranet and on notice boards.
  5. Communications with third parties. The employer should ensure that anyone making calls to staff, or receiving calls from them, is aware of any monitoring and the purpose behind it. Similarly, anyone sending e-mails to workers, as well as the workers themselves, should be made aware of the possibility that their communications will be monitored.
  6. Covert monitoring. Covert monitoring can rarely be justified. It should only be used in the most serious instances of suspected criminality, and only where authorised at the highest level in the organisation.

Nothing in Bărbulescu really changes this. The case certainly confirms the right of employers to monitor staff communications, but only where this is done in a transparent and proportionate way, and for legitimate purposes.

So for a major news website to blaze out ‘Having an affair? Your boss knows ALL the sordid details – because he’s spying on your e-mails’, as Mail Online did on 15 January, gives something of a misleading impression. Even the BBC’s more measured ‘Private messages at work can be read by European employers’ may have led people to think that the Bărbulescu decision conferred carte blanche on employers to monitor all personal communications that their staff make using company systems, or on company time. It did not. Boundaries still apply, and management needs to be mindful of them.