Steve Peers
The question of when employers can access employee emails, texts, or internet usage is crucial for both parties involved. A recent judgment in the case of Barbulescu v Romania tackled this issue, but unfortunately, misleading headlines like “EU court allows employers to read all employee e-mails” have emerged. This is inaccurate for two reasons: the ruling originates from the European Court of Human Rights, not an EU court, and it doesn’t grant employers unrestricted access to employee emails.
Let’s clarify the judgment’s actual decision and consider whether the outcome would differ if an EU court had presided over the case.
Background
The European Court of Human Rights (ECtHR) specifically interprets the European Convention on Human Rights (ECHR) and its protocols. The Barbulescu case centers around Article 8 ECHR, which guarantees the right to privacy, subject to limitations outlined in Article 8(2). Building upon previous rulings, this case provides further insights into workplace privacy.
In Halford v UK, a case involving a policewoman suing for sex discrimination, the ECtHR determined that intercepting calls from a dedicated work phone provided for confidential legal discussions violated Article 8. The court emphasized that Article 8’s workplace applicability hinges on a “reasonable expectation of privacy.” Ms. Halford held such an expectation due to the separate phone and assurances of privacy from the police force.
Admittedly, such circumstances are uncommon. Employees using employer-provided devices for private communication during work are far more prevalent. Importantly, Article 8 safeguards employees in such scenarios as well. In Copland v UK, the ECtHR ruled that monitoring an employee’s calls, emails, and internet use without prior notice violated Article 8.
The new judgment
What sets Barbulescu apart from Copland? The answer lies in the distinct circumstances. In Barbulescu, a strict employer ban on private use of work equipment was in place. Suspecting a violation, Barbulescu’s employer confronted him based on account monitoring. When Barbulescu denied the allegations, his employer produced transcripts of personal Yahoo Messenger conversations as evidence. Despite losing his case in Romanian courts, Barbulescu appealed to the ECtHR.
While the Court acknowledged the complaint’s admissibility, the majority dismissed his Article 8 claim. They reasoned that despite Article 8’s relevance, the employer was enforcing a clear policy against private use of work equipment, a policy Barbulescu had breached. The employer accessed his account solely to verify its use for professional purposes following his denial. Additionally, the Court highlighted the limited use of communication transcripts, concealing the identities of other parties involved. Notably, no other computer files were accessed, and Barbulescu lacked justification for personal use of work equipment.
However, a dissenting judge strongly criticized the majority’s stance, advocating for stricter control over employer monitoring through comprehensive notification requirements. It’s worth noting that Mr. Barbulescu retains the option to request a review by the Grand Chamber of the ECtHR, as the ruling came from a lower Chamber of judges.
Impact
Crucially, the Court’s decision doesn’t overturn previous case law, instead distinguishing Barbulescu from Halford and Copland rather than overruling them. Barbulescu does not grant employers unrestricted surveillance rights. Justified and unjustified surveillance situations persist, and this judgment merely provides some clarification on the boundary between the two.
Legally, this line hinges on the level of “reasonable expectation of privacy” employees hold at work. Such an expectation exists when employers explicitly allow private use of devices (as in Halford) or tolerate it (Copland). The key difference in Barbulescu is the employer’s outright ban.
Furthermore, the Court highlights specific factors, such as: surveillance initiation after employee denial, limited use of communication transcripts, no access to other files, and the absence of a valid reason for personal use of work equipment. The Court also emphasized the employment law context, distinct from criminal or data protection law. These factors, alongside the ban on personal use, warrant consideration.
However, the ruling’s authority is questionable on two grounds. Firstly, the Grand Chamber of the ECtHR may review and potentially overturn it, which is arguably warranted given the judgment’s arguably weak reasoning. Secondly, EU law potentially sets a higher standard. Let’s delve into these points.
Comments
What are the flaws in the reasoning? The Barbulescu majority claims distinction from Copland but arguably contradicts it. While they accurately describe Copland as involving “tolerated” employee internet use, the crucial point was the lack of employee notification about surveillance. It’s unclear if Barbulescu was aware of the monitoring (a point of contention the ECtHR didn’t address). This lack of clarity holds broader implications: countless employers across Europe might have similar bans but without employee notification of surveillance. Is this lack of notification crucial as per Copland, or not, as Barbulescu seemingly suggests? Is it only crucial when personal use isn’t banned?
Secondly, internal contradictions arise. The Court emphasizes that surveillance only followed Barbulescu’s claim of work-related messaging, implying no expectation of finding personal data. However, the facts (para 7) reveal that the accusation itself stemmed from prior surveillance. This isn’t a minor detail; it raises concerns about whether a blanket ban equates to a general surveillance prerogative for employers, or if specific reasons are needed.
The Court also asserts that the transcripts protected third-party identities. However, the mention of Barbulescu’s brother and fiancĂ©e negates this claim. Anyone acquainted with him could deduce their identities, especially with online resources.
Lastly, while acknowledging the impact on Article 8’s privacy right, the Court fails to adequately address Article 8(2) (as the dissenting judge points out). It neglects to identify the interests justifying the privacy breach, the legality of the breach, or its proportionality and necessity. While employer interests in policy enforcement might fall under “rights and freedoms of others” as justification, the actions’ clarity, foreseeability, and proportionality are debatable.
EU law
Importantly, this judgment comes from the European Court of Human Rights, not an “EU court.” However, a substantive EU law element exists, as the ECtHR briefly acknowledges. Data protection law represents one of two primary areas where EU law and human rights law frequently intersect (the other being asylum law).
Distinguishing between EU law and the ECHR is crucial due to several factors. First, EU law applies to 28 states compared to the ECHR’s 47. While this distinction blurs in data protection law due to agreements by some non-EU states (Schengen associates) to adhere to EU law, the territorial scope remains a relevant factor.
Second, procedures and remedies differ. EU law typically involves a national court seeking clarification from the CJEU before applying the interpretation nationally. This case saw the Romanian courts acknowledge EU law aspects but rule on the merits without CJEU consultation. While this could be argued as an ECHR breach, Mr. Barbulescu didn’t raise this point. Winning at the ECtHR would only yield a declaration, costs, and damages, not necessarily a change in the Romanian court’s decision.
Third, EU law can apply directly to private entities, unlike the ECHR, explaining why this case targeted the Romanian state and not Barbulescu’s employer.
The most critical question is whether substantive EU law offers superior protection. Although the ECtHR recognized the involvement of Barbulescu’s “personal data” as per EU law, it didn’t analyze the EU’s data protection Directive further. In contrast, the dissenting judge, considering the EU’s “Article 29 Working Party” opinions, did. This group of national data protection regulators often issues strong, pro-privacy interpretations of EU law.
Under the EU Directive, the employer’s justification for collecting Barbulescu’s data, absent his consent, relies on demonstrating it as “necessary for the performance of a contract” or for “legitimate interests.” The latter hinges on balancing employer interests against individual rights. Whether the CJEU would interpret the Directive similarly, considering the factors outlined by the ECtHR, is debatable. However, recent CJEU judgments on data protection (Digital Rights, Google Spain, Rynes, Schrems) suggest a higher likelihood of mandating prior notification for surveillance.
Another concern is that some data pertained to Barbulescu’s health and sex life. While EU law restricts processing such “sensitive” personal data, numerous exceptions exist, essentially making it harder to justify processing rather than prohibiting it. In this context, the Directive allows processing if “necessary” for employer obligations in employment law, subject to national law authorization and adequate safeguards. It’s difficult to ascertain if these criteria were met in this case, and these rules remain largely unchanged under the future Regulation.
Considering Romania’s obligation to uphold the EU Directive, should the ECtHR have delved deeper into EU law aspects? While the ECtHR doesn’t inherently possess jurisdiction over EU law, interferences with privacy must comply with the law. A cursory assessment of the national law’s alignment with EU law seems warranted. However, the ECtHR entirely bypassed the “in accordance with the law” test, a departure from typical privacy cases.
Conclusion
In conclusion, this judgment might not represent the ECtHR’s most robust work. However, it might not be the final word on this crucial matter either. Whether the Grand Chamber will review the case or if the CJEU or national courts, perhaps motivated by the new Regulation, will demand higher standards remains to be seen. For now, employers should tread carefully, recognizing the fine line between acceptable and unacceptable employee monitoring.
Barnard & Peers: chapter 9
Photo credit: tony_anscombe_work_privacy-618x336.jpg