Data Protection – can employers still monitor employees’ communications in light of Barbulescu v Romania?

Don’t panic, they can. But, the decision in Barbulescu v Romania from the appeal chamber of the European Court of Human Rights (ECtHR) shows that, in future, employers must apply their mind in a much more rigorous way to how they go about it.

The facts of the original ECtHR decision were widely reported in 2016. The employee in question complained that his employer had unlawfully monitored his Yahoo! Messenger account, which had been expressly set up for business purposes, and used this as grounds to dismiss him. The ECtHR disagreed. He knew that he wasn’t allowed to use this for personal communication, but he did so extensively (and in a rather explicit fashion...). The employer’s interference to his right to privacy under Article 8 had been proportionate.

The ECtHR appeal court has now overturned that decision. It considered that the manner in which the communications were monitored did not give adequate protection to the employee’s right to privacy and so was disproportionate and unlawful.

A fundamental problem with the employer’s approach to monitoring was that they had not informed the employee in advance of its extent and nature or “of the possibility that [they] might have access to the actual content of his messages”. This is despite the fact that it was beyond doubt that the employee knew full well what he was doing was strictly prohibited by the employer’s policies.

The ECtHR stated that “it considers that proportionality and procedural guarantees against arbitrariness are essential”. It set out factors for courts to consider when determining what side of the line an employer’s monitoring activities fall upon:

1. whether the employee has been given advance notice. In normal circumstances, this notice should be clear about the nature of the monitoring;
2. whether it is simply the flow of communications which is being monitored or the actual content of the messages and to what extent;
3. whether the employer has legitimate reasons to justify the monitoring which takes place. The bar is higher if the content of the messages is accessed;
4. whether less intrusive monitoring could have taken place, i.e. if the employer could have achieved its aims without actually accessing the content;
5. whether the employee was aware of what the monitoring could be used for, i.e. if the employee didn’t know the messages might be used to sack them, this may weigh against the employer; and
6. whether there were adequate safeguards in place to protect the employee, including preventing the employer from accessing the content of the messages until the employee has been notified of this possibility.

In light of Barbulescu, it is undoubtedly prudent for employers to take a close look at their policies and practices regarding monitoring employees’ communications to ensure that they can comply with the above.

We will be providing further in depth analysis and practical guidance on what the Barbulescu case means for businesses at our data protection seminar next week - Managing employee data risks - Are you GDPR friendly and Brexit proofed?

At this seminar, as well as covering the impact of that decision, we will also be covering a range of issues including consent and recruitment; data management; subject access requests; and cross-border transfers.

This event is now fully booked, but materials will be available after the event, so please contact us at events@kingsleynapley.co.uk if you would like to receive a copy of these.

Should you have any GDPR or data protection queries, please contact Kingsley Napley’s data protection team.

You may also be interested in reading some of our recent blogs on the topic of data protection, subject access requests and GDPR, including:

• Implications of GDPR and new Data Protection Bill for employers
• Data Protection – 10 further top tips for responding to subject access requests
• Data Protection – practical guidance from recent case law on subject access requests
• The GDPR: What do employers need to be doing now?
• Top 10 tips for responding to a subject access request