June 19, 2018

June 18, 2018

Subscribe to Latest Legal News and Analysis

New Ruling in European Employee Monitoring Case

On September 5, 2017, the Grand Chamber of the European Court of Human Rights (“ECtHR”) issued its ruling on appeal in the case of Bărbulescu v. Romania, concerning alleged unlawful workplace monitoring of Mr. Barbulescu’s private communications.

Overturning the ECtHR’s prior ruling in the case, the Grand Chamber held that Romanian courts had not adequately and fairly weighed up the competing interests of Mr Barbulescu and his employer.  That defect of justice meant that Romania had failed to proactively protect Mr Barbulescu’s right to privacy, as required by its membership of the European Convention on Human Rights.

The Grand Chamber held that Mr Barbulescu’s right to privacy extended to his workplace, despite his private use of a work computer constituting a breach of his rules of employment.  The Grand Chamber held that while privacy in the workplace can be restricted “as necessary,” “an employer’s instructions cannot reduce private social life in the workplace to zero,” since the right to privacy does not necessarily depend on an individual’s reasonable expectations, and can be enjoyed in public and in the workplace, notwithstanding prohibitions and warnings given to the individual.  A fulsome balancing exercise was therefore required in cases such as these.

The Grand Chamber underlined that provided national courts undertake an adequate balancing exercise, they have some discretion as to the actual result (i.e. whether the employer’s or employee’s rights prevail in a given case).  Similar discretion is also enjoyed by national legislators and constitutions when setting underlying rules on workplace privacy, provided such rules – and a means to enforce them – are actually in place.

Nevertheless, the ruling states that workplace monitoring must always be limited to what is necessary for a legitimate purpose, and should be accompanied by a range of safeguards, normally including prior notice to employees – particularly when the content of communications is concerned.

The Grand Chamber put forward six factors to be considered when assessing the proportionality of a workplace monitoring scheme’s intrusion on worker privacy:

  1. Whether (and if so, how) the employee had been notified of the nature of the monitoring;

  2. The extent of the monitoring, and degree of intrusion into the individual’s privacy, influenced by factors such as:

    • Whether content or the mere “flow” of communications was monitored;

    • Whether all communications or just a subset had been monitored;

    • Whether the monitoring was limited in time and/or space; and

    • How many people had access to the results;

  3. The justification for the monitoring (with access to content requiring “weightier justification”);

  4. The possibility of taking a less intrusive approach to achieving the same aim;

  5. The consequences of the monitoring for the employee (such as dismissal), and the employer’s use of the results (in particular whether the results were used to achieve the declared aim of the measure); and

  6. Whether the employee had been provided with adequate safeguards, which “should in particular ensure that the employer cannot access the actual content . . . unless the employee has been notified in advance.”

Though directed at Romania, the precedent set down by the case will extend to the 47 states that have ratified the Council of Europe’s European Convention on Human Rights.  The ruling was supported by 11 of the Grand Chamber’s judges, with another six dissenting.

© 2018 Covington & Burling LLP

TRENDING LEGAL ANALYSIS


About this Author

Philippe Bradley-Schmieg, Covington Burling, Data privacy and cybersecurity attorney
Associate

Philippe Bradley-Schmieg's practice covers a range of regulatory and commercial matters affecting the IT, internet media, e-health and telecoms sectors across the world.

Mr. Bradley-Schmieg advises on legislation, enforcement, advocacy and contracts relating to privacy, data protection, consumer protection, intermediary liability, copyright and databases, Big Data, medical confidentiality, cybersecurity, law enforcement data requests, and smart medical devices and apps.

44-20-7067-2282