AEDH

European Court of Human Rights: at the workplace, an employer does not have every right


In July 2007, Mr Bărbulescu[1], a Romanian citizen, was dismissed for using his company's e-mail services for personal purposes. He lodged a complaint with the Romanian court to challenge the dismissal on the ground that his employer had violated his right to privacy by accessing the content of his private communications. The Romanian court dismissed his complaint, arguing that the employer had abided by the national Labour Code, which gives employers the right to determine the rules on the use of the Internet for professional purposes. Mr Bărbulescu appealed against the decision to the Romanian Court of Appeal, but the complaint was dismissed on the ground that the employer's conduct was reasonable, since he had informed the employees that the use of company resources for personal purposes was prohibited, and that monitoring private communications was the only way to ensure compliance with the rule.

Mr Bărbulescu subsequently lodged a complaint with the European Court of Human Rights (ECHR) under Article 8 of the European Convention on Human Rights, which provides a right to respect for one's “private and family life, his home and his correspondence”. In January 2016, ECHR concluded that there was no violation of Article 8. Mr Bărbulescu then requested the referral of his case to the ECHR Grand Chamber, which gathers all ECHR judges, whereas the previous ruling was issued by a Chamber composed of seven judges only. The Grand Chamber decided by 11 votes to 6 that, in the case of Mr Bărbulescu, Article 8 is admissible as private life and correspondence are involved. The Court acknowledges that, even if Mr Bărbulescu had misused the Internet at his workplace for personal purposes, an employer cannot entirely deprive employees of their social life. An employee is entitled to respect for his/her privacy regarding his/her correspondence at the workplace[2].

ECHR deemed that the Romanian courts had correctly identified the interests at stake but had failed to verify whether the applicant “had been notified in advance… of the monitoring measures in place as well as of the scope and nature of such measures”[3]. In addition, not only did the Romanian Court omit to evaluate the legitimacy of such a correspondence monitoring system, but it also did not investigate the possibility of establishing a monitoring system based on less intrusive methods. ECHR therefore found that there had been a violation of Article 8 of the European Convention on Human Rights and ruled in favor of Mr Bărbulescu. The Court also issued a number of measures that should be taken into account by national authorities when evaluating such accusations. They consist mainly of the following: any monitoring system adopted by the employer must be accompanied by the necessary safeguards to prevent abuses, and in particular the employee must be informed of the employer's possible monitoring, its scope, degree, and reasons for intrusion, as well as of the access to content. Furthermore, the possibility of implementing a less intrusive monitoring system and the consequences of such surveillance must be considered[4].

Through this judgement, ECHR stands in favor of the protection of both privacy and personal data, based on the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (1981, ETS No. 108, the so-called Convention 108), a position that AEDH can only welcome. In light of this case, AEDH would like to recall the recommendations issued by the Council of Europe in April 2015 to its 47 member States, spelling out the principles to be followed regarding data protection at the workplace. In order to avoid any litigation, the text mainly focuses on safeguards ensuring the protection of employees' personal data by providing guidance on how employers should collect, store and externally communicate such data. The recommendations issued by the Council of Europe mainly focus on the following areas[5]:

  • With regard to the monitoring of Internet pages accessed by employees, the employer should give preference to preventive measures, such as the use of filters, over surveillance.
  • Should the employer want to access his/her employees' professional electronic communications, the employees must be informed in advance and the access must be justified by legitimate or security reasons. The Council recalls, however, that monitoring private communication at the workplace should not occur under any circumstances.
  • The use of information systems, such as video surveillance, is not allowed in principle. It can exceptionally be authorised if subject to strict conditions.
  • The collection of biometric data should only be authorised if necessary to protect the legitimate interests of employers, employees and third parties, and only if no other less intrusive means are available.
  • An employee should be guaranteed the right to access evaluation data, including that related to his/her performance, productivity and capability assessments.
  • Genetic data can only be used in exceptional circumstances provided by the law and under strict legal safeguards. Processing health data by the employer must be directly related to the ability of an employee to carry out his or her duties[6].

AEDH therefore wishes to recall that employees have rights vis-à-vis their employers regarding data protection. The recommendations issued by the Council of Europe are a means of knowing the rights applicable in such situations, since they apply to 47 member States. These recommendations are all the more useful given that data protection rights remain a field still largely unknown to citizens, and therefore an area where the risks of fundamental rights breaches are higher.

 


[1] EUROPEAN COURT OF HUMAN RIGHTS, Case of Barbulescu v. Romania, Strasbourg, September 2017, available on: https://hudoc.echr.coe.int/eng#{%22languageisocode%22:[%22ENG%22],%22appno%22:[%2261496/08%22],%22documentcollectionid2%22:[%22GRANDCHAMBER%22],%22itemid%22:[%22001-177082%22]}

[2] EUROPEAN COURT OF HUMAN RIGHTS, Monitoring of an employee's electronic communications amounted to a breach of his right to private life and correspondence, September 2017, available on: https://www.taxheaven.gr/pagesdata/gcj_monitoring_of_an_employeeemail.pdf

[3] EUROPEAN COURT OF HUMAN RIGHTS, Case of Barbulescu v. Romania, Strasbourg, September 2017, available on: https://hudoc.echr.coe.int/eng#{%22languageisocode%22:[%22ENG%22],%22appno%22:[%2261496/08%22],%22documentcollectionid2%22:[%22GRANDCHAMBER%22],%22itemid%22:[%22001-177082%22]}

[4] EUROPEAN COURT OF HUMAN RIGHTS, Questions-réponses Arrêt de Grande Chambre dans l'affaire Bărbulescu c. Roumanie (requête no 61496/08), September 2017, available on: http://www.echr.coe.int/Documents/Press_Q_A_Barbulescu_FRA.PDF

[5] COMMITTEE OF MINISTERS OF THE COUNCIL OF EUROPE, Recommendations on the protection of personal data in the workplace, Strasbourg, April 2015, available on: http://www.coe.int/en/web/portal/full-news/-/asset_publisher/VN6cYYbQB4QE/content/council-of-europe-issues-recommendations-on-the-protection-of-personal-data-in-the-workplace

[6] COMMITTEE OF MINISTERS OF THE COUNCIL OF EUROPE, Recommendations on the protection of personal data in the workplace, Strasbourg, April 2015, available on: http://www.coe.int/en/web/portal/full-news/-/asset_publisher/VN6cYYbQB4QE/content/council-of-europe-issues-recommendations-on-the-protection-of-personal-data-in-the-workplace
