In its landmark decision of 5 September 2017 (Barbulescu v. Romania, 61496/08), the Grand Chamber of the European Court of Human Rights (ECHR) found that, in the case at stake and notwithstanding their margin of appreciation, the national courts failed to strike a fair balance between the competing interests of an employee’s right to privacy and the employer’s right to monitor the employee’s communications. As a result thereof, there had been a violation of Article 8 of the European Convention on Human Rights (right to respect for private and family life, the home and correspondence).
What happened?
Well, to put it in a nutshell, the national courts didn’t do the job they were supposed to do.
Actually, they “failed to determine, in particular, whether the applicant had received prior notice from his employer of the possibility that his communications on Yahoo Messenger might be monitored; nor did they have regard either to the fact that he had not been informed of the nature or the extent of the monitoring, or to the degree of intrusion into his private life and correspondence. In addition, they failed to determine, firstly, the specific reasons justifying the introduction of the monitoring measures; secondly, whether the employer could have used measures entailing less intrusion into the applicant’s private life and correspondence; and thirdly, whether the communications might have been accessed without his knowledge”, the Court said (§140).
So, what’s the bottom line?
The Court acknowledges that an employer has a legitimate interest in ensuring the smooth running of the company, and that this can be done by establishing mechanisms for checking that its employees are performing their professional duties adequately and with the necessary diligence (§127).
However, in the Court’s mind, it is important that the introduction of measures to monitor correspondence and other communications must be accompanied by adequate and sufficient safeguards against abuse (§120).
In this regard, the following factors are relevant (§121):
(i) whether the employee has been notified in advance of the possibility of monitoring measures and of the implementation thereof, and not only of the prohibition to use company resources for personal use!
(ii) the extent of the monitoring and the degree of intrusion into the employee’s privacy, with a distinction between monitoring of the flow of communications and of their content,
(iii) whether the employer has provided legitimate reasons to justify such monitoring,
(iv) whether it would have been possible to establish a monitoring system based on less intrusive methods and measures than directly accessing the content of the employee’s communications,
(v) whether the employee has been provided with adequate safeguards, ensuring in particular that the employer cannot access the actual content of the communications without prior notice, and
(vi) the consequences of such monitoring for the employee concerned.
Finally, it’s worth noting that an employer’s instructions cannot reduce private social life in the workplace to zero (§80).
In short, the European Court emphasizes three important principles an employer must observe when monitoring its employees:
- Transparency : the employer must notify its employees about the existence and the extent of monitoring,
- Purpose or legitimacy principle : the purpose(s) of monitoring must be legitimate,
- Proportionality: the control must be adequate and cannot be excessive.
In Belgium, those three principles are found in various provisions governing employee monitoring, such as the Collective Bargaining Agreement n° 81 on the monitoring of electronic online communication data and the Belgian Data Protection Act of 8 December 1992.
In 2012, the Privacy Commission adopted a recommendation and a brochure on surveillance at the workplace. They are still relevant!
Nicolas Roland and Stéphanie Remy
The ECHR decision, the recommendation and the brochure of the Privacy Commission can be found on:
http://hudoc.echr.coe.int/eng?i=001-177082
https://www.privacycommission.be/sites/privacycommission/files/documents/Cybersurveillance_FR.pdf
https://www.privacycommission.be/sites/privacycommission/files/documents/Cybersurveillance_NL.pdf