‘Bosses Free to Spy on Emails’? Well no, not really

Sometimes even a rather routine employment law case can capture the imagination of the press and become a big story. This week the European Court of Human Rights found that there was no breach of Article 8 (respect for private life) when an employer read personal messages sent by an employee on a work-owned Yahoo Messenger account.

The story has made the front page of the Sun and the Daily Mail. Surprisingly they both seem to disapprove of the decision – perhaps because they think that the Court has conferred a right to ‘snoop’ that wasn’t previously there.

The Article from the Daily Mail opens:

BOSSES were yesterday given the right to spy on staff emails.

In a landmark ruling, the European Court of Human Rights granted them full access to personal messages sent from company computers or smartphones.

This is wrong. Hopelessly, massively and completely wrong. The European Court of Human Rights does not go about telling other countries what their laws should be. It simply considers whether there has been a breach of the European Convention on Human Rights. If it finds that there is no breach of the Convention if employers spy on employees (it hasn’t, of course, but more of that later) then that does not mean that employers in the UK are be free to do that. We have our own laws on this (the Data Protection Act and the Employment Rights Act for instance) in which the European Court of Human Rights has no interest if they do not involve a breach of the Convention. This ruling does absolutely nothing to change UK law – you might have thought that the press would be pleased about that.

In any event, the Court has categorically not said that employers are free to monitor the private communications of employees. Nobody reading the case could possibly come close to thinking that. Let’s look at what the case is actually about.

Personal use of a Messenger App

In the Case of Barbulescu v Romania the employee was asked by his employer to create a Yahoo Messenger account to respond to enquiries from clients. The Company had a rule which stated:

“It is strictly forbidden to disturb order and discipline within the company’s premises and especially … to use computers, photocopiers, telephones, telex and fax machines for personal purposes.”

I suspect that that loses something in translation – but I like the idea of having a rule against disturbing order and discipline. However the key point is that the rule explicitly banned the use of computers (and telex machines!) for personal reasons.

The employee was told that his use of Yahoo Messenger had been monitored over the course of week and that this showed he had been using the account for personal reasons. He replied in writing denying this and said that he had only used it for professional purposes. In response the employer provided him with a 45 page transcript showing his personal use of the App.  That transcript also included 5 messages to his fiancee that were sent using a personal account. When he was fired, he claimed that the decision was ‘null and void’ because, by accessing his communications, the employer had violated his right to privacy set out in the Romanian Constitution and Criminal Code.

The domestic court dismissed his claim, holding that the employer was entitled to monitor the use of work computers to check that work was being done properly and that looking specifically at the messages sent by the employee was the only way of checking his claim that he had only used Messenger for professional purposes. He lost his appeal and then brought a claim in the European Court of Human Rights.

He relied on Article 8 of the Convention which says:

Everyone has the right to respect for his private and family life, his home and his correspondence.

Essentially, the Court held that there had been no breach of the Convention. But they categorically did not say that employers are entitled to monitor the private communications of employees. Indeed, they found that the claim was ‘admissible’ in that monitoring of private communications by an employer did come within the scope of Article 8 – especially since some of the monitoring picked up private communications between the employee and his fiancee.

Reasonableness and proportionality

The context of this particular case was important. The employee was not bringing an independent claim that his human rights had been violated by the state; he was using Article 8 to challenge his dismissal by a private employer. The Court’s task was to consider whether Romanian employment law struck a fair balance between his rights under Article 8 and the interests of the employer. They noted that the initial monitoring of the employee’s messages was done on the assumption that they would only contain professional information – as private communications were forbidden. Furthermore, the 45 page transcript had only been relied upon in response to the employee’s false assertion that he had only used Messenger for professional reasons. The Court held that:

it is not unreasonable for an employer to want to verify that the employees are completing their professional tasks during working hours.

And that’s it. The court does not say that there is no right of privacy in the workplace. Indeed they only took the case on because it has been clearly established that there is. With Article 8 it all comes down to a question of balance and proportion and the extent to which an individual has a ‘reasonable expectation of privacy’ in relation to what they are doing. The crucial factors in this case were that all personal use of a computer was strictly forbidden and that the employee insisted that he had not broken that rule. The monitoring carried out by the employer was not about the content of the messages but about the fact that they existed. Their use was restricted to the question of whether the employee had committed misconduct and the Court held that that was reasonable.

Monitoring in UK workplaces

This is a nice case that will certainly find its way into my latest employment law update. But it is not a surprising outcome and it does not change the advice that I would have given employers about monitoring staff emails. In the UK that comes mainly under the Data Protection Act and the Information Commissioner has a detailed Code of Practice on handling employee data. Its worth a read (Part 3 deals with monitoring at work) and I don’t think it needs to be changed as a result of this case.

For what it’s worth, I would identify three key considerations when monitoring employee’s communications:

  • Do you have a clear business need for the monitoring?
  • Is the level and intrusiveness of the monitoring proportionate to  that business need?
  • Have you made it clear to employees  how and why monitoring might take place?

So here’s my suggested headline for any tabloid editors reading this (as if):

PRIVACY SHOCK! IT’S ALL A QUESTION OF REASONABLENESS

Not exactly the Daily Mail house style is it?

About Darren Newman

Employment law consultant, trainer, writer and anorak
This entry was posted in Privacy and Monitoring and tagged , , , , , , . Bookmark the permalink.

9 Responses to ‘Bosses Free to Spy on Emails’? Well no, not really

  1. markelt says:

    Hi Darren. We’ve included a link to this piece in an article we’ve published today on Workplace Insight.

  2. Pingback: Should employers ban their staff from social media during work hours? | Stefan Stern | allnewsboock.com

  3. Pingback: Weekly Security Roundup #61: Multiple Internet of Things Vulnerabilities Exposed - Heimdal Security Blog

  4. Pingback: Bruce Lawson’s personal site  : Reading List

  5. Jeremy Barker says:

    While the Data Protection Act is relevant The Telecommunications (Lawful Business Practice) (Interception of Communications) Regulations 2000 (SI 2000/2699) is also highly relevant to employers who want to look at electronic communications.

    However the bottom line is that this ECHR case changes nothing about the legal position in the UK.

    • Hi Jeremy
      Thanks for responding. As I see it those regs create an exception to RIPA which regulates the interception of of communications. That seems to be restricted to monitoring during the course of transmission. So I think checking someone’s use of, say, email after the message has been sent wouldn’t be covered and the Data Protection Act would be the most relevant piece of legislation.

      But as you say, the bottom line is that the decision does not alter the UK position in any way.

  6. Pingback: Racism human rights and privacy in the mass surveillance world | machine civilization

  7. Robert says:

    An honourable mention for you and your excellent blog in The My Virtual HR Radio Show, Show #3 at http://tinyurl.com/zpj6ekf

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s