Europe’s human rights court ruled Tuesday that companies can monitor their employees’ email only if they are notified in advance, giving shape to a rapidly evolving area of the law at the intersection of technology, privacy and workers’ rights.
In doing so, judges are scaling back a previous ruling that had stirred unease in Europe, where privacy is viewed as a fundamental right. That earlier decision had taken a similar approach to existing law in the United States, which gives companies wide-ranging powers to monitor workplace communications.
The latest decision, by the Grand Chamber of the European Court of Justice, provides more protection by requiring companies to inform workers of their policies. Judges also urged governments to establish safeguards against abuse and said businesses should consider using forms of monitoring that avoid infringing on an employee’s privacy.
The case centered on Bogdan Mihai Barbulescu, a Romanian man who had created a Yahoo Messenger account to communicate with clients. But his bosses summoned him on July 13, 2007, confronting him with a week’s worth of chat transcripts in which he talked with his brother and fiancee about personal matters.
Two weeks later, he was fired.
Romanian courts ruled against Barbulescu, who then brought his case to the European Court of Human Rights. In January 2016, the court ruled, 6-1, that the employer was justified in reading the chat history in the context of enforcing discipline. “It is not unreasonable for an employer to want to verify that the employees are completing their professional tasks during working hours,” it said at the time.
In the new ruling, the Grand Chamber, effectively the final appellate division within the European Court of Human Rights, dialed that back.
In an 11-6 ruling, it found that Barbulescu’s privacy rights had been violated.
“Today’s ruling is fairly clear in how it outlines the parameters of monitoring employees,” said Stephen Ravenscroft, a London-based partner specializing in employment law at White & Case, a law firm. “It won’t be sufficient for employers to have a general policy permitting monitoring — the policy will need to be much more detailed, outlining why, how and where employees may be monitored and explaining how any information gathered through monitoring may be used.”
Although a colleague at the Romanian company had been fired for using her work computer, phone and photocopier for personal purposes, the court found that Barbulescu had “not been informed in advance of the extent and nature of his employer’s monitoring or the possibility that the employer might have access to the actual contents of his messages,” it said in its ruling.
Furthermore, the chamber found, Romanian courts did not sufficiently examine the company’s need to read the entirety of Barbulescu’s messages or the seriousness of the consequences of the monitoring, which resulted in dismissal.
The court noted that only a few countries in Europe — Austria, Britain, Finland, Luxembourg, Portugal and Slovakia — have explicitly regulated the issue of workplace privacy through domestic legislation. Most countries in the region do, however, require employers to give prior notice of monitoring. In countries like Denmark, France, Germany, Italy and Sweden, employers may monitor emails marked by employees as “private” but may not look at the content without permission.
The chamber ruled that countries should ensure that companies’ efforts to monitor employees’ communications are “accompanied by adequate and sufficient safeguards against abuse.”
The latest ruling in the case, Barbulescu v. Romania, applies to the 47 members of the Council of Europe, which includes nearly every country on the Continent, including Russia, Turkey and Ukraine. (The Council of Europe, which focuses on human rights, is separate from the European Union and is not to be confused with the European Council, one of the bloc’s governing bodies.)
In a dissent, six judges wrote that the Romanian courts had not violated Barbulescu’s right to privacy. They argued that Romanian authorities had carried out a “careful monitoring, including the corresponding disciplinary powers, in order to ensure the smooth running of the company.”
In a statement, one of Barbulescu’s lawyers, Emeric Domokos-Hancu, said the court’s decision proved that “the right to privacy in the workplace does exist.”
And, he said, the court had “correctly ascertained that a large part of the social, human, professional and personal relations are in fact initiated in workplaces.”
The Romanian Ministry of Foreign Affairs, which represented the country in court, did not immediately respond to a request for comment.
This was the first case that the court had taken up concerning the monitoring of an employee’s electronic communication by a private employer.
When it comes to electronic surveillance, the court has focused mostly on government use and collection of personal data, often in the context of criminal law or health care and not the conduct of private companies.
In 2007, the European Court of Human Rights found that Britain had violated the privacy of a secretary at a government-run college in Wales by monitoring her phone calls, email and internet use in 1999.
She had not been notified that her communications might be monitored, and the legal framework at the time was not clear. Britain enacted regulations in 2000, giving employers broad power to record or monitor employees’ communications without consent, as long as they took reasonable steps to inform employees that their communications might be intercepted.
In a case that is pending, an employee of the French national rail company, SNCF, has protested his firing. His employer had found pornography on his work computer, on a hard drive marked “personal data.”