Recent ECHR Decision Not a Blank Check to Snoop on Employees

The European Court of Human Rights recent decision in Bărbulescu v. Romania (application no. 61496/08) should not be read as giving employers carte blanche to snoop on employees’ private communications.  Rather, Bărbulescu should be construed as merely affirming that employers have a right to take reasonable and proportionate measures to verify that an employee is actually engaged in the professional activities for which he or she is getting paid (at least during working hours).  Or, to put it differently, an employee’s right to privacy under the European Convention on Human Rights does not give an employee carte blanche to “blatantly” waste time during working hours.

The Facts in a Nutshell

From 2004 to 2007, Bogdan Mihai Bărbulescu was an engineer in charge of sales for a private employer.  His employer had asked him to create a Yahoo! Messenger account on his employer-owned computer so that he could respond to customer inquiries.  Turns out, Bărbulescu also used the account for personal purposes.  A lot.  Such use was a violation of his employer’s policy specifically prohibiting all use of the company internet for personal purposes.  When confronted about his personal use of Yahoo! Messenger, Bărbulescu lied, denying the personal use in a written response to his employer.  So his employer presented him with 45 pages of transcripts (covering a mere eight day period from July 5th to July 13th, 2007) of personal communications between Bărbulescu and his fiancée and his brother.  Bărbulescu threatened to sue his employer for violating his right to privacy and, shortly thereafter, his employer fired him. 

Bărbulescu followed through with his threat and sued his employer alleging, among other things, that his employer had violated his privacy rights under the Romanian Constitution.  Having lost at both the trial and appellate levels in Romania, Bărbulescu filed an appeal with the European Court of Human Rights alleging a violation of his rights under Article 8 (right to respect for private and family life, the home and correspondence) of the European Convention on Human Rights.

In January 2016, the ECHR ruled that Bărbulescu’s Article 8 rights were, indeed, “engaged” by his employer’s actions.  But there was no violation of those rights because the employer’s monitoring had been reasonable and proportionate in the context of the disciplinary proceedings.

Given the unique circumstances in Bărbulescu, the ECHR’s ruling has limited value as a precedent.  Here’s why.

This is Not a BYOD Case (note to BYOD employees—don’t panic!)

Bărbulescu occurred in 2007.  That was “pre-mobile” and “pre-BYOD”.  Bărbulescu’s employer owned the computer and the network that Bărbulescu used to access the internet.  In addition, Bărbulescu’s use of Yahoo! Messenger was directed by his employer and the account was a business account that had been set up for purposes of the employer’s business.  Moreover, Bărbulescu‘s employer had a policy that expressly forbid any use of company assets for personal communication. 

By way of contrast--fast forward to 2016.  Mobility and BYOD have transformed the expectations of both employers and employees.  In a managed BYOD mobile environment, personal data is not accessible to the employer.  So Bărbulescu (had he been concerned about personal privacy) would have had (at least) the opportunity to avoid employer snooping by using his personal email or text accounts rather than his employer’s.  Of course, use of a personal account would not necessarily have prevented his employer from suspecting that Bărbulescu was engaging in an inordinate amount of personal business during working hours.  The right to privacy is not a right to host a virtual coffee klatch with family and friends while, supposedly, at work.  But, at least, the employer would not have had access to personal communications relating to Bărbulescu’s health and sex life. 

The Content of the Communication was Not the Issue

To be clear—this case was not about an employer’s right to use the content of personal messages against the employee.  Rather, the issue in this case was simply whether or not Bărbulescu was using employer assets to conduct personal business.  Bărbulescu could have saved himself the embarrassment of having his personal communications presented as evidence if he just told the truth when asked.  As noted by all three courts in this matter, Bărbulescu forced his employer’s hand by lying.  Bărbulescu’s employer presented the transcripts of personal communications not for the purpose of demonstrating that anything in the content of the messages was a violation of company policy.  Rather, the transcripts were simply evidence that Bărbulescu had been engaging in personal communication using company resources in violation of company policy.

Limited to Article 8

As other commentators have noted, the ECHR’s judgment is limited to the very narrow question of whether the monitoring and use of evidence in this case was a violation of Article 8 and will not serve as a precedent with regard to the “national, general and sector specific data protection, telecommunication and employment laws” that may apply from one jurisdiction to another.  For this reason, employers should be sure to work with local counsel when developing and implementing their policies and practices around employee private communication. For example, in Germany, an employer who wanted to engage in monitoring employee email accounts would likely require the works council’s (if any) prior consent.

Employers Still Need to Act with Reason and Proportionality

Nothing in the Bărbulescu case should be construed as expanding the rights of employers to monitor employee personal communications.  The court in Bărbulescu was careful to note that the only reason that Bărbulescu’s employer was not in violation of Article 8 was that it had acted with reason and proportionality.  If anything, Bărbulescu can act as a signal to employers to re-examine their policies and practices to make sure that they are up-to-date and effective.

Recognize That Employees Will Engage in “Shadow Tasking”

A policy completely prohibiting personal use of company internet resources may have been sustainable in a pre-mobility, pre-BYOD world.  But in 2016, where 60% of “Generation Mobile” would quit if prohibitions against “Shadow Tasking” (i.e., engaging in some personal activity while at work and in some work activity while at home) were rigidly enforced, an employer would be well advised to adopt a policy that more closely reflects the reality of the workplace.  This point is made by the dissent in the Bărbulescu case (albeit on legal versus practical grounds): “A blanket ban on personal use of the Internet by employees is inadmissible, as is any policy of blanket, automatic, continuous monitoring of Internet usage by employees.”  In reviewing their policies, employers should also recognize that today’s enterprise mobility management tools enable the dual use of mobile devices for both business and personal purposes without a compromise of privacy or security.  So, in short, there are alternatives to an all or nothing approach.

Communicate Policy to Employees

One of the threshold legal issues in this case was whether Bărbulescu had had a reasonable expectation of privacy with regard to his use of Yahoo! Messenger.  And one of the key facts in the analysis was whether Bărbulescu had been given adequate prior notice of employer monitoring. 

Employers who would like to avoid a similar controversy should be sure that employees are aware of their policies regarding personal use of company resources.  Such notice could also prove invaluable in correcting employee misinformation (and fears) about their employer’s access to personal data.  One tool for providing readily accessible notice is the Visual Privacy that MobileIron has built into the Mobile@Work app.  MobileIron Visual Privacy is customizable and provides a readily accessible summary of the employer policies and practices.

Keep the Bărbulescu Case in Context

Both employers and employees should be careful not to read too much into this case.  It is not a bullhorn announcing open season on employee personal communication.  Rather, it just a limited decision that, on a single point of law (Article 8) and under a unique set of circumstances, an employer’s right and obligation to “check the manner in which its employees complete their professional tasks” cannot be completely overridden by an employee’s mistaken expectation of privacy. 

Carl Spataro