Data protection lawyers are often heard to complain that their calling is misunderstood. But few areas of jurisprudence are so readily misreported as human rights law. This week saw another example, with news editors leaping on a Strasbourg judgment - appealed from Romanian national courts on an Article 8 Convention Rights point - as the end of privacy in the workplace.
The facts were that a Mr Barbulescu lost his engineering job in 2007 after his employer accessed his Yahoo messenger communications, apparently in the good faith belief that it was accessing work-related material on a work account (as it was expressly entitled to do under its own employment policy). It discovered a swathe of personal messages exchanged on employee time, which it used in transcripts at a disciplinary hearing to contradict Mr Barbulescu's denials. It was held significant that Mr Barbulescu had falsely maintained his innocence, and insisted the messages were professional.
The reasoning was complicated by the fact that Mr Barbulescu also had a personal Yahoo messenger account which he had used from work, and some material (which would have qualified as sensitive personal data) was also retrieved from this source. However, the European Court of Human Rights (ECtHR) only ruled on whether the domestic court breached Mr Barbulescu's Article 8 Convention right to respect for his private life and correspondence in upholding the employer's decision and procedure to sack him.
Newswires were soon buzzing with scare stories. "Employers have right to snoop on workers' private online messages, Euro court rules", advised Russia Today – itself closely associated with a state known for its interest in citizens' private lives. But British newspapers ran with a similar angle, with one broadsheet declaring (all the while merrily confusing the Court of Justice of the European Union and the ECtHR): "Bosses can snoop on workers' private emails and messages, European court rules". And the Daily Express did away with any subtlety, screaming: "WARNING: Your boss can now read EVERY Facebook and WhatsApp message you send at WORK."
Gradually, in the days following the ruling, thought-pieces began to appear acknowledging that, in fact, this was a great simplification of a very fact-specific case - and that, although the decision provided an interesting test for the validity of long-established workplace policies, nothing had especially changed in terms of privacy law in Europe (whether derived from Convention rights, or the 1995 EU data protection directive). The ECtHR was simply asked whether the Romanian court's decision was inconsistent with human rights law.
Commentators have also noted with interest points raised in the opinion of the dissenting judge, who argued that "a blanket ban on personal use of the Internet by employees is inadmissible, as is any policy of blanket, automatic, continuous monitoring of Internet usage by employees." He concluded, uncontroversially perhaps, that employers should ensure that workers are notified personally of a firm's Internet usage policy - but also that they should consent to it explicitly. Such explicit consent might be obtained via an employment contract, but for the consent to be effective the specific provisions would need to be adequately drawn to the individual's attention. It remains to be seen whether Mr Barbulescu will pursue his case and ask the Grand Chamber of the ECtHR to review the judgment.
Had the case been brought in the UK, it would have been interesting to see on what basis. Many employers claim a similar right and, although it is widely considered bad practice and probably bad management to pursue an active surveillance policy except where it is a regulatory requirement (eg certain financial services), it can be perfectly lawful to do so. Rights of interception by employers (and authorities) are covered by various pieces of legislation including RIPA (the Regulation of Investigatory Powers Act) and the Lawful Business Practice Regulations - whilst it also engages questions of how a data controller is entitled to process personal information under the Data Protection Principles.
At the heart of all these pieces of legislation is the issue of notice and consent: did the employee know and accept that this could happen? In a common law sense, did the individual have any real expectation of privacy when sending this personal information over a monitored work server, through a supposed work account? Or in a data protection sense, was a condition for processing this information (ideally, consent) satisfied clearly enough by the employer?
Employers still have a duty to process personal data fairly and lawfully, and should consider whether their policies truly and clearly accord them this right; and, if relying on a "legitimate interests" condition to conduct a general inspection exercise, whether they are unduly prejudicing the rights, freedoms and interests of the data subject by doing so. Reasonable and proportionate steps to achieve a legitimate purpose are most likely going to be lawful when the employee has been made aware this is a possibility. But widespread and indiscriminate snooping, or 'fishing' for wrongdoing, is always risky territory for employers - even where their HR or IT policies might purport to allow it. This is especially true of obviously personal apps, chats and accounts which happen (rightly or otherwise) to be carried on work servers, either via Wi-Fi or workplace devices.
Within 24 hours of the story breaking here in the UK, the Institute of Directors had released the following statement: "We would strongly urge businesses not to read an employee's personal messages, apart from in the most exceptional circumstances." The fact remains that, while it may be foolish for employees to assume anything they send electronically via the workplace is private - and very likely a breach of contract to devote working hours to Facebook, Twitter and WhatsApp - it is also inadvisable for employers, both in terms of the law and staff morale, to think that either this decision or even their own policies accord them the indiscriminate right to monitor staff's private messages.
As ever, context is key and proportionate judgment must be applied – both in terms of where the legal line is drawn, and simply in managing human relationships and expectations in a digital world.
If you require further information on anything covered in this briefing please contact Owen O'Rorke (020 3375 7348) or your usual contact at the firm on 020 3375 7000. Further information can also be found on our Intellectual Property & Technology page on our website.
This publication is a general summary of the law. It should not replace legal advice tailored to your specific circumstances.
© Farrer & Co LLP, January 2016