“Private Messages at Work can be Read by EU Employers” blared the BBC online yesterday in the sort of alarmist over-simplification normally best left to the Daily Mail.
Mr Barbulescu worked for an unnamed business in Romania. He was instructed to set up a Yahoo Messenger account for business purposes only. The company’s rules made it clear that employees were forbidden to use its equipment, including computers, for personal purposes.
It was put to Mr Barbulescu that he had used the Yahoo account for personal communications, which he vigorously denied in writing. On the production of 45 pages of evidence that this was untrue (gathered by the employer in just 8 days – no messing about with the occasional brief squint at eBay here, you know), Mr Barbulescu was unabashed. He leapt onto the front foot and boldly accused the employer of unlawfully accessing his personal communications, an offence carrying up to three years’ imprisonment under Romania’s Criminal Code. Unmoved, it sacked him, though for his private usage of the Yahoo account, and not his breathtaking dishonesty. Its right to do so was upheld all the way up the Romanian judicial system until referred to the European Court of Human Rights.
The ECHR was asked to decide whether the upholding of Mr Barbulescu’s dismissal constituted a failure by Romania to protect an individual’s rights under Article 8(1) of the European Convention to “respect for his private and family life, his home and his correspondence”. This is of course subject to Article 8(2): “… except … as is necessary in a democratic society … for the protection of the rights and freedoms of others”.
The ECHR held that it is in effect a right and freedom of an employer to take reasonable steps to verify that an employee is indeed doing the work he is there for, and that this legitimises its accessing and monitoring employee use of communication systems which it requires or provides. Nothing in this decision allows an employer, for example, to seize an employee’s personal smart phone and go through its contents on a whim, as the headlines imply. The employer’s rights applied in particular where the employee’s denial of personal usage had led it to assume that accessing the Yahoo account would only disclose work-related messages, said the Court. However, that overlooks the fact that here the monitoring had taken place before the denial and so cannot have been either motivated or justified by it, a point which no one involved seems to have spotted.
In assessing whether Romanian law adequately protected Mr Barbulescu’s Article 8 rights, the ECHR also noted that he had “not convincingly explained why he had used the Yahoo account for personal purposes”. In fact his explanation was entirely convincing – he was not paid very much, he said, and mobile phone usage cost a fortune. What he had not done was to explain his reasons in a way which showed the balance between his rights and his employer’s to lie in the wrong place. That might include, for example, his being dismissed for personal use of the employer’s systems in a family emergency, rather than for extended messaging about his sex life with his fiancée, which the Court obviously found to be somewhat less pressing.
The more-reported parts of this case actually lie in the single dissenting judgement, a series of arguments so tortured as to require 61 footnotes in just 7 pages. These include that access to the internet is a basic human right because it is integral these days to the freedom of expression, but NB a dissenting judgement is not law. In addition, said that Judge, a blanket ban on personal use of the internet by employees would be impermissible, “as is any policy of automatic continuous monitoring of internet usage by employees”. As a result, “only targeted surveillance in respect of well-founded suspicions of policy violations is admissible, with general unrestricted monitoring being manifestly excessive snooping on employees”. This is all bold stuff, but actually little more than a statement of current UK data protection law and practice anyway, which is already based around the proportionality of the monitoring/surveillance to the risks in question and the employee’s personal rights.
The same is true for the dissenting Judge’s departing poke at the employer’s prior notice to Mr Barbulescu and its other staff that their internet activity was “under surveillance” – this was “manifestly insufficient to provide [employees] with adequate notice about the nature, scope and effects of the internet surveillance procedures actually in place”. This does ideally suggest that UK employers should have a quick review of their internet policies to see that they are reasonably clear about such things. However, the reality must be that an Employment Tribunal would give no material air-time to a complaint like Mr Barbulescu’s anyway. His serial breach of policy and brazen dishonesty to his employer would surely see him off, with the ET very unlikely to be concerned in any way by how the employer had caught him at it.
So today’s banner headline in the Mail: “Bosses free to spy on emails” should actually have read: “Bosses free to check that you are using their equipment to do what you are paid to do”. But where would be the news in that?