Last week the European Court of Human Rights (ECtHR) decided in the case of Barbulescu v Romania [2016] ECHR 61 that it was not a breach of an employee’s Article 8 rights for his employer to access a private, web-based email and messenger account. The case was widely reported in the press as a major development in the relationships between employers and employees. It has obvious ramifications for many aspects of policing, including officer’s conduct at work and the investigation of it by supervising officers or the Professional Standards Department.
So what does the decision actually change?
The position before last week
Human rights cases are of course very fact sensitive. This is particularly so when considering whether a claimant had a “reasonable expectation of privacy” in any particular scenario. Previous Strasbourg cases indicate a relatively protective approach to employee’s expectations of privacy.
In Halford v United Kingdom [1997] ECHR 32 the European Court of Human Rights considered a claim by a former Merseyside ACC that police had unlawfully intercepted her work and home telephones, to support their defence to her sex discrimination claim. Perhaps unsurprisingly, the Court had little difficulty in finding that Article 8 was engaged by such intrusion, including in relation to her work telephone: “…it is clear from its case law that telephone calls made from business premises as well as from the home may be covered by the notions of ‘private life’ and ‘correspondence’ within the meaning of Article 8(1)”.
Copland v United Kingdom [2007] ECHR 253 dealt with email and internet usage. The employer had monitored an employee to ascertain whether he was making excessive use of facilities for personal purposes (i.e. abusing resources). Under the heading “Scope of private life” the Court referred to its decision in Halford regarding telephones and concluded: “…It follows logically that emails sent from work should be similarly protected under Art.8, as should information derived from the monitoring of personal internet usage”.
More generally in Niemietz v Germany [1992] 16 EHRR 97 the Court stated,
“Respect for private life must also comprise to a certain degree the right to establish and develop relationships with other human beings. There appears, furthermore, to be no reason of principle why this understanding of the notion of ‘private life’ should be taken to exclude activities of a professional or business nature since it is, after all, in the course of their working lives that the majority of people have a significant, if not the greatest, opportunity of developing relationships with the outside world. This view is supported by the fact that … it is not always possible to distinguish clearly which of an individual’s activities form part of his professional or business life and which do not.”
It was therefore reasonably clear that communications at work, using work resources, were at least capable of falling within the scope of private life and correspondence. Whether they do in the particular case depends on all the facts.
Barbulescu v Romania: the facts
Mr Barbulescu worked for by a private company as an engineer in charge of sales. At his employer’s request, he created a ‘Yahoo Messenger’ account for the purpose of responding to clients’ enquiries. The company’s regulations stated, “It is strictly forbidden… especially… to use computers, photocopiers, telephones, telex and fax machines for personal purposes.” The employer claimed that on 3rd July 2007 it issued a notice bringing employees’ attention to this provision, and informing them that their activity was under surveillance. Mr Barbulescu denied that this had been expressly brought to his attention prior to the surveillance taking place, but it appears that the domestic courts found the notice had indeed been issued.
The employer monitored Mr Barbulescu’s internet/Messenger usage from 5th to 13th July 2007. It later informed him that his Yahoo Messenger communications had been monitored, showing that he had used the Internet for personal purposes, contrary to internal regulations. The applicant replied that he had only used Yahoo Messenger for professional purposes. The employer subsequently produced a forty-five page transcript of the messages Mr Barbulescu had exchanged with his fiancée and his brother during the eight day period when his communications had been monitored. These related to personal matters, although no intimate details were revealed. The employer terminated Mr Barbulescu’s employment for breach of its internal regulations.
Mr Barbulescu sued his employer, arguing that the decision to dismiss should be reversed as, by accessing his communications, his employer had violated his right to correspondence protected by the Romanian Constitution and Criminal Code. Both his claim and his appeal failed, and he appealed to the ECtHR, arguing that the Romanian Courts had failed to protect both his Article 8 rights and his rights under the EU’s Data Protection Convention (which is also the basis for the UK’s Data Protection Act 1998).
Mr Barbulescu’s appeal concluded with the submission that an employee’s “right to establish and develop personal relationships during business hours” could not be suppressed at the discretion or by a decision of their employer. This seemed a reasonable submission, based on the earlier cases such as Copland and Niemietz.
The Court’s decision
The Court looked carefully at the report of the Data Protection Working Party, an organisation set up by the European Union to monitor and advise on compliance with the EU’s Data Protection Convention. With regard to monitoring of employees, the Working Party suggests that it should be, “A proportionate response by an employer to the risks it faces taking into account the legitimate privacy and other interests of workers”. It goes on to observe that “Opening an employee’s e-mail may also be necessary for reasons other than monitoring or surveillance…”
The Court concluded that telephone calls and emails from business premises are covered by the notions of “private life” and “correspondence” for the purposes of Article 8. It went on to clearly state that e-mails sent from work should be protected under Article 8, as should information derived from the monitoring of personal Internet usage (metadata).
The Court repeated the conclusions it had reached in previous cases that, “In the absence of a warning that one’s calls would be liable to monitoring, the applicant had a reasonable expectation as to the privacy of calls made from a work telephone… and the same expectation should apply in relation to an applicant’s e-mail and Internet usage.”
However, in this case the ECtHR placed significant reliance on the fact (at least, as found in the Romanian Courts) that the employer’s internal regulations “strictly prohibited employees from using the company’s computers and resources for personal purposes”. This factor distinguished the case from previous situations.
Crucially, in its conclusion the ECtHR found that:
1. It is not unreasonable for an employer to want to verify that the employees are completing their professional tasks during working hours (paragraph 59).
2. Mr Barbulescu had used Yahoo Messenger for personal correspondence on the company’s computer and that he had done so during working hours, thus his disciplinary breach was established (paragraph 56).
3. The employer had accessed the applicant’s Yahoo Messenger account in the belief that it had contained professional messages, since Mr Barbulescu had initially claimed that he had used it in order to advise clients (paragraph 57).
4. The access to Yahoo Messenger had therefore been legitimate (paragraph 57).
In relation to the content of the messages, the ECtHR found on the facts that:
5. The domestic courts had relied on the transcript only to prove the use of the company’s computer for personal purposes during working hours, and
6. There was no mention made of the content of the emails or the parties with whom he had communicated (paragraph 58).
7. Other data and documents were not accessed (paragraph 60).
It therefore concluded that the extent of the monitoring was limited and proportionate. Mr Barbulescu’s claim was dismissed.
The Future
This decision is more about the use of an employer’s systems during working hours, than the actual content of messages sent or received. The case does not mean an employer is entitled to read an employee’s personal messages, only to interrogate the system to establish whether he or she has been sending such messages during working hours.
Nevertheless, the Court appears to have disagreed with the applicant’s argument that he had a right to establish or develop personal relationships during business hours that could not be suppressed by his employer. Provided an employer’s prohibition on the use of its computers or mobile devices during working hours is sufficiently clear, it does have a right to monitor employee’s use of these devices, particularly in order to deter “cyber slacking”.
The decision does not cover the question of the use of company-owned laptops or mobile devices outside working hours. Provided the regulations are clearly communicated, there appears to be no barrier to the proportionate monitoring both the use of these devices and the content of any messages sent. The highest profile casualty following the examination of an officer’s personal data stored on police-owned equipment is former Chief Constable Nick Gargan’s widely publicised resignation last October.
Although it was rather hysterically reported in the media, the Barbulescu decision may make little difference, as far as the use of police systems are concerned. Police officers and staff will almost always have their own mobile phone that they can use for personal communications. They are generally very conscious of the need not to misuse police devices. In the absence of suspicion of wrongdoing:
- There remains no right or power to access privately owned devices, even for evidence of a worker sending messages during working hours.
- Supervisors or Professional Standards Departments must not assume they have carte blanche to read every message or email on police devices, as opposed to merely identifying the personal or professional use of the system/device. While on a case by case basis, this might be permissible, but such actions would run the risk of being regarded as disproportionately intrusive monitoring.
The decision emphasises the need to maintain clear, simple rules for the use of all computers and mobile devices by police officers and staff (including privately owned devices), and to ensure that such rules are effectively communicated.
This article was first published in Police Professional.