There has been a lot of commentary on the recent European Court of Human Rights (ECHR) case of Barbulescu. The issue in the case was whether the Employer’s investigation of Mr Barbulescu’s Yahoo Messenger account (which he had opened in order to respond to client enquiries) was in breach of his right to Privacy (Article 8 of the European Convention on Human Rights). See previous article on idatalaw (https://idatalaw.com/2016/01/14/european-court-of-human-rights-echr-finds-that-monitoring-an-employees-internet-use-was-justified/)
Key to the Court’s decision was the company’s internal regulations in that case which stated: “It is strictly forbidden ….to use computers, photocopiers, telephones, telex and fax machines for personal purposes”. Whether this was clearly communicated to Mr Barbulescu appears to have been disputed.
It would be wrong to read this case as giving employer’s carte blanche to monitor employees’ usage of equipment and technology and of much more interest are the observations made by the Court, particularly Judge Pinto de Albuquerque, who disagreed on some aspects with the majority of his fellow judges.
Judge Pinto made this interesting comment about the increasingly blurred division between work and home life…”Strict limits apply to an employer’s surveillance of Internet usage by employees during their worktime and, even more strictly, outside their working hours, be that communication conducted through their own computer facilities or those provided by the employer.” When organisations are encouraging employees to bring their own devices and expect greater accessibility, this becomes even more important. One of the key issues is the need to protect freedom of expression and not just privacy. An employer drafting (or updating) their Email/ Electronic Communication, Internet and Social Media Policy or undertaking related investigations, must bear this in mind. The acid question is why interfering with these rights is necessary for the business?
The blanket ban relied upon in the Barbaluscu case is increasingly impractical – even more so where that policy operates across borders and where, in many European jurisdictions, there are stronger privacy rights than the UK. A more expansive and comprehensive policy is recommended, dealing not just with usage but also rules around monitoring and investigations. These need to address emails, instant messaging, social networking, blogging and web surfing – or in the Court’s words “cyberslacking”.
Those undertaking the monitoring/investigation must be aware of the employer’s responsibilities under the Data Protection Act 1998 and rights to privacy attached to these provisions, particularly around personal and sensitive personal data.
Audrey Williams is a partner in the HR team at City law firm Fox Williams LLP and can be contacted at Amwilliams@foxwilliams.com