(Reflection on text: Privacy i(n)t context of 18 April 2016, www.moderndiplomacy.eu)

While there was a surge of media analyses more then one and a half year ago, when the European Court of Human Rights (“the Court“)  found no violation of the right to respect for privacy for monitoring Yahoo account of employee[1], earlier in September 2017 the story unfolded completely otherwise.

The Grand Chamber of the same Court now ruled that the monitoring of Mr. Barbulescu’s private correspondence with his fiancée and brother, by his employer, did constitute an intrusion into his privacy and the subsequent acts by domestic courts did amount to a violation of the right to respect for his privacy, under Article 8 of the European Convention of Human Rights. Online privacy gets protected and the new path of European Convention case-law is created.

But, back then, after the first judgment, legal society was worried that the privacy requirements were made vulnerable by the IT development and IT society. Two facts were then seen at the surface. First, the employer monitored employee’s private conversation and the second, no violation of Article 8, right to respect for privacy, was found.

However, in order that the case-law of the Court be correctly understood and applied, one has to look beneath the surface.

The Court noted, in January 2016, that the employer did not warn the employee, Mr. Barbulescu, of the possibility of checks of the Yahoo Messenger, but did adopt internal rules according to which it was strictly forbidden to use computers, photocopiers, telephones, telex and fax machines for personal purposes. So we wondered then if that could be seen as a warning? Did an employer have a right to monitor personal messages of an employee? Could it really be that the Court gave the advantage to a market economy and profit growth, versus privacy? (Privacy i(n)t context, moderndiplomacy.eu)

At that point the Court contended that internal policy rules or warning, did give the employers the right to rule the employees space, of course, during work hours, and that their right to monitor the job done by his employees could have been stronger then their right to privacy. However, the Court in the first judgment did not go into details as to the quality of internal rules or any more specific notification of monitoring. It took into consideration the ‘expectation of privacy’, pointing that Mr. Barbulescu could not have reasonably expected that his privacy would be protected, having in mind that the employer issued instructions forbidding the use of, inter alia, computers, for private purposes. On the other hand, the Court, sitting now in Grand Chamber, has very importantly contended that

‘…an employer’s instructions cannot reduce private social life in the workplace to zero. Respect for private life and for the privacy of correspondence continues to exist, even if these may be restricted in so far as necessary.’

In its final judgment of September, with far more details, it presented the standards which must be followed in order that Article 8 of the Convention is respected, in cases of protection ‘online’ privacy. The Court has thus provided a set of principles that ‘should be taken into consideration with a view to protecting right to online privacy and at the same time, respecting the right of employers to restrict the use of electronic communications for private purposes during work hours. So the States should take into consideration the following factors’(para 121):

  1. The employees have to be in advance and clearly notified of the possibility that the employer might take measures to monitor correspondence and of implementation of such measures.
  2. What is theextent of the monitoring by the employer and the degree of intrusion into the employee’s privacy? Is the flow of communications subject of monitoring, or their content? All communications or only part of them? Limited in time and space? Number of people having access?
  3. Has the employer provided legitimate reasons to justify monitoring the communications and accessing their actual content. The monitoring of content is more invasive and needs weightier justification.
  4. Are there possible any less intrusive methods and measures than directly accessing the content of the employee’s communications?
  5. What are the consequences of the monitoring for the employee subjected to it?
  6. Has the employee been provided with adequate safeguards, especially when the employer’s monitoring operations were of an intrusive nature. Such safeguards should in particular ensure that the employer cannot access the actual content of the communications concerned unless the employee has been notified in advance of that eventuality.

So, the employers should not generally monitor the employee’s private correspondence. But if they do, they must provide clear and beforehand notification, explain the extent of monitoring and degree of intrusion, provide legitimate reasons to justify it, check whether there are less intrusive methods, consequences of the monitoring, and safeguards.

Protection against arbitrariness, which is the leading principle of the European Convention, remained at the first and utmost place. If too loose rules exist or if they do not exist at all, that leaves a place for arbitrariness and that is a step closer to violation of rights.

The Court did allow a wide margin of appreciation to States when determining whether and how they will enact a legislation on conditions in which employer may regulate electronic or other communications of a non-professional nature by its employees in the workplace. But, the protection against arbitrariness, being recognized through a Court’s well established case-law, was stressed once more.

Speaking of State’s role in protection of ‘online’ privacy it should be noted that the monitoring of employee’s correspondence was analyzed not through the interference, since it was done by private employer and not by Contracting State, but through the positive obligations inherent to states in order to respect human rights. In that regard it is important to evaluate whether the State has done enough to protect the employee from interference by his employer. Accordingly, even if the employer does certain acts of intrusion into his employee’s privacy, the State, through its positive obligations has to do enough in order to examine thoroughly the acts in question and to provide the employee with redress if suitable. Otherwise, the State will be responsible for violation of the privacy rights under the European Convention.

The Chamber, in the first judgment, was satisfied that the applicant’s case was heard by labour courts, that he was able to raise his arguments, and that domestic courts had not based their decisions on the contents of the employer’s communications and that the employer’s monitoring activities were limited to his use of Yahoo Messenger.

However, Mr. Barbulescu claimed that he was not informed beforehand of the monitoring by the employer, which monitoring resulted in forty-five pages transcript of messages that he exchanged with his brother and fiancée, which included personal matters some of which being of intimate nature.

The Court, sitting in a Grand Chamber, has put a task upon it to see whether the national authorities performed a balancing exercise, between the applicant’s right to respect for his private life and correspondence and the employer’s interests. The employer’s interests were recognized as smooth running of the company even through mechanisms for checking that its employees are performing their professional duties adequately and with the necessary diligence. The employee’s interest is of course the protection of his privacy.

The Court, in the last judgment noted that the domestic courts failed to determine whether the prior notice on monitoring was given to applicant, whether he was informed of the nature or the extent of monitoring, the reasons to justify monitoring measures, whether the employer could use less intrusive measures. For those reasons the Court has found a violation of Article 8 of the European Convention.

Overall, the Grand Chamber judgment is much more comprehensive and exhaustive comparing to the Chamber judgment in which the Court’s assessment as to the merits was rather brief. The Chamber was openly inclined towards the employer, suggesting that it is not unreasonable for an employer to want to verify that the employees are completing their professional tasks during working hours, that the monitoring was limited in scope, including only Yahoo Messenger, blaming Mr. Barbulescu for not having convincingly explained why he had used the Yahoo messenger account for personal purposes (para 60, 61 of the Chamber judgment).

While it is very interesting that the Court shifted 180 degrees from its first judgment, we must be contended that the right to privacy was once more protected by the final judgment of the Court, placing a path for new future cases involving protection of rights on internet.

So, looking back to view of dissenting judge Mr. Pinto de Albuquerque in the first judgment of the Court in this case, that was raised in the previous article,  who regretted the Court not taking the opportunity to develop its case-law in the field of protection of privacy with regard to employees’ Internet communications, it seems now that the Court did succeed to open a new path to its case-law, which will in future certainly be increasingly important, having in mind the fast IT growth and its influence to everyday life.

But do not forget to still keep it simple, as the Court has reminded: “In order to be fruitful, labour relations must be based on mutual trust[2]”. Monitoring of employees goes against the mutual trust, and certainly undermines not only the privacy of the monitored employee, but also the dignity of the company which was connected with monitoring.

[1] Barbulescu v. Romania, judgmnet of the European Court of Human Rights of 12 January 2016 https://hudoc.echr.coe.int/eng#{"tabview":["document"],"itemid":["001-159906"]}

[2] Palomo Sánchez and Others v. Spain, judgment of the European Court of Human Rights of 12 September 2011, para 76

Jasna Čošabić, PhD

Professor of EU and IT law, Banja Luka College, BiH