Privacy i(n)t context

The right to privacy, or the right to respect for private life, as the European Convention on Human Rights guarantees it, has been affected by the IT growth era. Privacy has long been protected, but will face a new dimension of protection for the generations to come. The right to respect for private life is not an absolute one, and may have a different feature in different context.

By Niemitz v. Germany judgment (1992) the European Court on Human Rights (‘the ECtHR’) included the right to connect with other individuals into the notion of private life, saying that it would be too restrictive to limit the notion of an ‘inner circle’ to personal life and exclude there from entirely the outside world not encompassed within that circle. The right to communicate was thus inserted into the privacy context.

But the extent of communication and technologies which enable it significantly changed since.

Few decades ago, it mainly consisted of personal communication, communication by conventional letters and phone communication. At the time the Convention was adopted in the mid last century, there was no internet, not even mobile/cell phones, nor personal computers. The feature of privacy protection was much more simple then today.

Now, when we approach the rule of IoT (internet of things) communication, not only do people communicate, but ‘things’ as well. The subject of that ‘non-human’ communication may also be private data of individuals. At the same time, the individual, human communication became more simple, available at any time, and versatile by its means.

New society digital evolution becomes a special challenge when speaking of the protection of privacy. Availability of every person not only in physical life but in cyber life as well, upgrades the privacy to a new sphere. If we do ourselves chose to use social networking, Skype, Instagram, Twitter, Yahoo Messenger, Linkedin, Facebook, the later being ‘the most powerful database of persons ever on internet’ as rightfully noted by prof. Bajrektarević, in his book ‘Is there life after Facebook?’ as well as other internet features, we must be aware that our privacy may come into the open. If we add to that e-context a physical surrounding of a working place, under certain conditions, the feature of privacy changes, i.e. it becomes less protected then in the context of an earthbound private circle, the surrounding which was in mind of lawmakers when adopting for instance the European Convention on Human Rights in 1950.

Recently, at the table of the ECtHR was the case of Barbulescu v. Romania (judgment enacted in January 2016), where the question arose of whether an employer is entitled to look into his employer’s private messages at Yahoo Messenger. The messages were written by the employee during the working time, at the computer owned by the employer. The employer monitored and made transcript of messages made at the Yahoo Messenger account that was created at the employer’s request for the purposes of contacts with clients, but the transcript also contained five short messages that Mr. Barbulescu exchanged with his fiancee using a personal Yahoo Messenger account.

The ECtHR found no violation of the right to respect the private life by such actions of the employer.

The ECtHR noted that the employer did not warn the employee of the possibility of checks of the Yahoo Messenger. However, the company where Mr. Barbulescu worked did adopt internal rules according to which it was strictly forbidden to use computers, photocopiers, telephones, telex and fax machines for personal purposes. Can that be seen as a warning? Does it give an employer a right to monitor personal messages of an employee?

We may wonder if the ECtHR gave the advantage to a market economy and profit growth, versus privacy? Did it give to employer the right to control the employee even if that would mean invading his privacy? This, under certain conditions, like internal policy rules or warning, gives the employers the right to rule the employees space, of course, during work hours, and their right to monitor the job done by his employees may be stronger then their right to privacy.

However one should be careful in concluding that all employers may now freely snoop into their employees’ e-mails, tweets, messages etc.

The ECtHR took into consideration the ‘expectation of privacy’, which Mr. Barbulescu, the employee, had regarding his communications. The internal rules of the employer which strictly prohibited the use of computers for private purposes, made the decisive shift towards ruling in favor of non violation. He probably should not have expected to have his privacy respected in such circumstances. But in the absence of such rules and in the absence of warning, any such intruding into employees’ private communication would rise an issue of privacy protection.

With the fast development of society and technology, the privacy is much more vulnerable, and it apparently affects its legal protection.

Almost two decades ago in the case of Halford v. UK the same ECtHR decided that tapping of Ms. Halford’s phone at the office did constitute a violation of her right to respect of her private life. Without being warned that one’s calls would be liable to monitoring the person would have reasonable expectation that his privacy is protected (Halford v. UK 1997). In Amann v. Switzerland ECtHR judgment (2000) telephone calls from business premises pursue to be clearly covered by ‘private life’ notion.

The ECtHR further spread the privacy protection to e-mails sent from work in the Copland v. United Kingdom judgment (2007). In this case it also decided that monitoring of telephone usage in the way of analysis of business telephone bills, telephone numbers called, the dates and times of the calls, duration and cost, constituted “integral element of the communications made by telephone”, and made an interference into the privacy. Moreover, the ECtHR was of the view that the storing of personal data relating to the private life of an individual also fell under the protection of the Article 8, being irrelevant whether it was or was not disclosed or used against the person. It further held that that ‘e-mails sent from work should be similarly protected under Article 8, as should information derived from the monitoring of personal Internet usage’ like analysing the websites visited.

In Halford and Copland case the personal use of an office telephone or e-mail or was either expressly or tacitly allowed by the employer. Accordingly the ECtHR found a violation of privacy when the employer intruded therein. In Barbulescu, on the other hand, due to the internal regulations that forbid the private use of computers, the ECtHR did not consider a monitoring by employer to be a violation of his privacy, although the intrudment happened in the form of making the transcript of employee’s messages and keeping that transcript. The ECtHR considered that ‘broad reading of Article 8 does not mean, however, that it protects every activity a person might seek to engage in with other human beings in order to establish and develop such relationships’ (Barbulescu para 35)

We can see that the position of employer towards allowing or non allowing phone, e-mail, or internet usage, made a diference as to the employee’s expectation of privacy. But can we add to that the more open communication, as a reason of lowering the level of the ‘expectation of privacy’?

It still remains up to the individual how he/she shall expose his/her privacy. The means of multiple communication, are now in everyone’s pocket, and a person does not have to use a land phone line, in order to call home. By simple touching the screen he/she may communicate, share, like, tweet, comment. If it is done during working hours, it gives, under certain conditions, a possibility to employers to look into that ‘share’, ‘like’, ‘tweet’, ‘comment’ and still not to invade anyone’s privacy.

The more open the conversation is, its protection gets more demanding and complicated. So the protection of privacy remains a big test for the future.

The European Commission has launched an EU Data Protection Reform in 2012, in order to ‘make the Europe fit for the digital age.’ Strengthening citizens’ fundamental rights, Digital Single Market, are the areas that need special attention. Currently in force Directive 95/46/EC of the European Parliament and of the Council of the EU of 1995, provides that personal data is ‘any information relating to an identified or identifiable natural person’.

Article 29 Data Protection Working Party (‘DPWP’), in 2002 adopted a Working Document on the Surveillance and the Monitoring of Electronic Communications in the workplace. According to that Document the mere fact that monitoring serves an employer’s interest could not justify an intrusion into workers’ privacy. Monitoring, according to the DPWP, must pass four tests: transparency, necessity, fairness and proportionality.

‘Workers do not abandon their right to privacy and data protection every morning at the doors of the workplace’ provides the Document, however, ‘this right must be balanced with other legitimate rights and interests of the employer, in particular the employer’s right to run his business efficiently to a certain extent’.

Under Directive 2002/58/EC concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on Privacy and Electronic Communications) of 2002 ‘Member States shall ensure the confidentiality of communications and the related traffic data by means of a public communications network and publicly available electronic communications services, through national legislation.’ It provides for the prohibition of ‘listening, tapping, storage or other kinds of interception or surveillance of communications and the related traffic data by persons other then users without the consent of the users concerned’. Exceptions may be made, inter alia, for the interests of national security, prevention of criminal offences or of unauthorised use of the electronic communication system etc.

Data protection of citizens will be a big challenge in future. The judge Pinto de Albuquerque in his partly dissenting opinion in Barbulescu case has criticized the ECtHR’s majority in missing the chance to develop its case-law in the field of protection of privacy with regard to Internet communications and for overlooking, inter alia, some important features like sensitivity of the employee’s communication and non-existence of Internet surveillance policy duly followed by the employer (apart from the above mentioned internal regulations forbidding the use of computers).

On one hand there is a request for privacy protection, while on the other hand, there is a request from the market economy/employers that the job be done. The interests of the two must always be fairly balanced, but with the speedy development of technology and the internet interaction, the danger of exposing private data rises. That is why the legal creators have a big responsibility to act ahead of time, which, in the IT context, is running at the light speed.

Jasna Čošabić, PhD
Jasna Čošabić, PhD
Professor of EU and IT law, GDPR specialist