Don’t panic, they can. But the decision in Barbulescu v Romania from the appeal chamber of the European Court of Human Rights (ECtHR) shows that, in future, employers must apply their minds much more rigorously to how they go about it.
The facts of the original ECtHR decision were widely reported in 2016. The employee in question complained that his employer had unlawfully monitored his Yahoo! Messenger account, which had been expressly set up for business purposes, and used this as grounds to dismiss him. The ECtHR disagreed. He knew that he wasn’t allowed to use this for personal communication, but he did so extensively (and in a rather explicit fashion...). The employer’s interference with his right to privacy under Article 8 had been proportionate.
The ECtHR appeal court has now overturned that decision. It considered that the manner in which the communications were monitored did not give adequate protection to the employee’s right to privacy and so was disproportionate and unlawful.
A fundamental problem with the employer’s approach to monitoring was that they had not informed the employee in advance of its extent and nature or “of the possibility that [they] might have access to the actual content of his messages”. This is despite the fact that it was beyond doubt that the employee knew full well what he was doing was strictly prohibited by the employer’s policies.
The ECtHR stated that “it considers that proportionality and procedural guarantees against arbitrariness are essential”. It set out factors for courts to consider when determining what side of the line an employer’s monitoring activities fall upon:
In light of Barbulescu, it is undoubtedly prudent for employers to take a close look at their policies and practices regarding monitoring employees’ communications to ensure that they can comply with the above.
We will be providing further in-depth analysis and practical guidance on what the Barbulescu case means for businesses at our data protection seminar next week - Managing employee data risks - Are you GDPR friendly and Brexit proofed?
At this seminar, as well as covering the impact of that decision, we will also be covering a range of issues including consent and recruitment; data management; subject access requests; and cross-border transfers.
This event is now fully booked, but materials will be available after the event, so please contact us at firstname.lastname@example.org if you would like to receive a copy of these.