Employers face stricter controls on private internet monitoring
But experts say that the headline writers have missed the point, as the ruling in Bărbelescu v Romania puts greater pressure on employers to justify any monitoring of private messages, rather than any relaxation.
The ruling did allow that companies have a right to monitor internet usage by employees during working hours, but only under very clear circumstances. In this case, an employee had been fired for using an instant messaging service for personal use, in breach of internal policy. Mr Bărbelescu had created a Yahoo Messenger account at his employer’s request so he could respond to enquiries from clients, but when the employer monitored the chats over a week-long period, personal messages were found and his employment was terminated.
Following a number of court hearings in Romania, the case went to the European Court to decide whether the employer’s actions had breached Mr Bărbelescu’s right to respect for his private life and correspondence under Article 8(1) of the European Convention of Human Rights (Article 8).
The ECtHR ruled that Article 8 was engaged, so if the employer did look at the Yahoo Messenger chats, such action had to be proportionate to the situation. They ruled that because of the particular circumstances in this case there was no violation of Article 8, as it was not unreasonable for an employer to verify that employees are completing their professional tasks during working hours. The decision relied, importantly, on what Mr Bărbelescu had told his employer, which was that the account contained client-related communications only.
“This ruling doesn’t give any new powers to employers,” explained Ray Crudgington, Managing Partner of Grant Saw solicitors, “Rather, it has emphasised that workplace monitoring should only take place within very controlled circumstances.
“It’s not enough to simply tell employees that monitoring will be taking place. Employers who monitor internet, email or social media usage are processing personal data and so they must comply with data protection requirements. Policies should be in line with the Employment Practices Code from the Information Commissioner, which requires employers to give a reason for any monitoring, set out how the information will be used, who will have access to it and how it will be safeguarded.”
Where policies are strict in setting out no personal usage, this can be easier to implement than allowing for limited personal use, where the boundaries need greater definition. One option is to encourage employees to use their own devices for private use, but that requires a clear BYOD – ‘bring your own device’ – policy alongside. With BYOD, employees may also need reminding that unless they use their own data connection, any content that uses company wi-fi could be monitored, if that’s the policy.
He added: “The important thing is to get the balance right between the rights of the employee and those of the employer.”
Bărbulescu v Romania – 61496/08  ECHR
This is not legal advice; it is intended to provide information of general interest about current legal issues.