Blog
Why does software ownership matter? Six key legal takeaways for tech businesses
Christopher Perrin
Don’t panic, they can. But, the decision in Barbulescu v Romania from the appeal chamber of the European Court of Human Rights (ECtHR) shows that, in future, employers must apply their mind in a much more rigorous way to how they go about it.
The facts of the original ECtHR decision were widely reported in 2016. The employee in question complained that his employer had unlawfully monitored his Yahoo! Messenger account, which had been expressly set up for business purposes, and used this as grounds to dismiss him. The ECtHR disagreed. He knew that he wasn’t allowed to use this for personal communication, but he did so extensively (and in a rather explicit fashion...). The employer’s interference to his right to privacy under Article 8 had been proportionate.
The ECtHR appeal court has now overturned that decision. It considered that the manner in which the communications were monitored did not give adequate protection to the employee’s right to privacy and so was disproportionate and unlawful.
A fundamental problem with the employer’s approach to monitoring was that they had not informed the employee in advance of its extent and nature or “of the possibility that [they] might have access to the actual content of his messages”. This is despite the fact that it was beyond doubt that the employee knew full well what he was doing was strictly prohibited by the employer’s policies.
The ECtHR stated that “it considers that proportionality and procedural guarantees against arbitrariness are essential”. It set out factors for courts to consider when determining what side of the line an employer’s monitoring activities fall upon:
- whether the employee has been given advance notice. In normal circumstances, this notice should be clear about the nature of the monitoring;
- whether it is simply the flow of communications which is being monitored or the actual content of the messages and to what extent;
- whether the employer has legitimate reasons to justify the monitoring which takes place. The bar is higher if the content of the messages is accessed;
- whether less intrusive monitoring could have taken place, i.e. if the employer could have achieved its aims without actually accessing the content;
- whether the employee was aware of what the monitoring could be used for, i.e. if the employee didn’t know the messages might be used to sack them, this may weigh against the employer; and
- whether there were adequate safeguards in place to protect the employee, including preventing the employer from accessing the content of the messages until the employee has been notified of this possibility.
In light of Barbulescu, it is undoubtedly prudent for employers to take a close look at their policies and practices regarding monitoring employees’ communications to ensure that they can comply with the above.
Should you have any GDPR or data protection queries, please contact Kingsley Napley’s data protection team.
You may also be interested in reading some of our recent blogs on the topic of data protection, subject access requests and GDPR, including:
- Implications of GDPR and new Data Protection Bill for employers
- Data Protection – 10 further top tips for responding to subject access requests
- Data Protection – practical guidance from recent case law on subject access requests
- The GDPR: What do employers need to be doing now?
- Top 10 tips for responding to a subject access request
You may also be interested in:
We welcome views and opinions about the issues raised in this blog. Should you require specific advice in relation to personal circumstances, please use the form on the contact page.
You may also be interested in:
Blog
Enhancing Public Accountability: Key Elements of the Public Office (Accountability) Bill 2025
Kirsty Cook
Blog
HMRC Covid scheme amnesty: action by 31 December 2025
Waqar Shah
Share insightLinkedIn X Facebook Email to a friend Print