Monitoring employees’ communications at the workplace. Is it legal?
Over the last decade, communication via email and text has become the most commonly used method of communicating in the workplace.
In reality most employees would not be able to perform their job efficiently without the use of email. In most cases such employees frequently use one device for both personal and work-related correspondence and that device is either employee-owned or employer-provided. This consequently means that some employees combine their personal and work email accounts into one inbox. Undoubtedly this blurring of the two lines creates legal issues when it comes to determining whether an employer has the right to access, review and/or monitor the employee’s work-related communications.
Employers have legitimate business reasons and motives to want to monitor employee communications, especially where an employee leaves the office/his employment and the employer is concerned that the employee has taken proprietary information or has solicited clients in violation of his duty of loyalty or a contractual agreement to that effect.
European Court of Human Rights recent decision
The employer may monitor the employee’s communications at the workplace under certain conditions. This was decided by the Grand Chamber of the European Court of Human Rights (ECtHR) in its recent judgment in Bărbulescu v Romania (App. No. 61496/08) dated 05/09/2017. This judgment has cleared the blurred lines regarding the monitoring of employees at the workplace. Specifically, it ruled that the monitoring of an employee’s email account amounted to a violation of Article 8 of the European Convention on Human Rights, namely, his right to respect for private life and correspondence.
In 2017, after conducting an extensive overview of the relevant international legislation, the Grand Chamber found that Mr Bărbulescu’s right to privacy and correspondence was violated. In its assessment of the case, the Court reiterated the crucial nature and gravity of the right to private life under Article 8, and it further acknowledged the necessity to assess whether the applicant was left with a reasonable expectation of privacy even after having prior knowledge of the internal regulations of the company.
In deciding the case, the ECtHR found that, although Mr Bărbulescu was informed about the company’s policy, he was not informed of the extent and the nature of the monitoring activities or of the probability of his employer being able to have access to the content of the communications. The ECtHR further held that the domestic courts did not pay attention to the scope of the monitoring, the degree of the intrusion or whether the monitoring was justified by legitimate reasons. As such, it found that the Romanian courts had failed to strike a fair balance between the competing interests at stake, which resulted in the inadequate protection of Mr Bărbulescu.
What follows from the ECtHR’s decision is that, with an accurately worded policy that specifically provides for the right to access, monitor and review, for legitimate business reasons, any work-related correspondence made by the employee on a device provided by the employer, or even on a personal device used for work purposes, employers may access such communications. Companies, however, should be cautious when adopting and enacting such policies, since workplace surveillance must be balanced against the employees' privacy rights if any claims for violation of human rights are to be avoided.
Applicable law in Cyprus
Within the jurisdiction of Cyprus, such employment matters were governed by ‘The Law on the Processing of Personal Data (Protection of the Individual) Law of 2001 (Law No. 138(I)/2001)’, which is based on Directive 95/46/EC. However, the law currently applicable is the newly adopted EU Regulation 2016/679 of the European Parliament and the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, which repealed Directive 95/46/EC.
In a seminar held by the Cyprus Bar Association and the Office of the Commissioner for Personal Data Protection of Cyprus for the purpose of clarifying the features and application of the new EU Regulation, the Commissioner stated that the present matter is largely dependent upon the facts of each incident and, as such, the resolution of these kinds of issues in an employment relationship requires, apart from compliance with Cyprus and European Union law, a high degree of discretion on the Commissioner’s part. In order to help clear the blurred field on the matter, the Commissioner gave some guidelines, which are important in avoiding any kind of violation of human rights and the law, while also providing necessary information both to the employer and to the employee regarding their duties and rights respectively.
First and foremost, the company/employer should have a handbook setting out, with exact precision, its established policy on the regulation of data protection at the workplace and whether such company/employer allows the email account to be used for personal purposes or for work purposes only.
Secondly, where there is such an employment dispute/issue, it will be considered whether the employer is the owner of the computer and the email account, and also whether the email account was used solely for work purposes. If a company’s policy indicates clearly that any email accounts (in the workplace) shall be solely and strictly used for work purposes and that employees may not use them for any private purpose, then this will weigh in favour of the employer at the balancing stage.
Likewise, where there are suspicions of criminal or unlawful use of the email, the employer has an obligation to inform the employee about accessing his email, and in such a case the employee must be present. If the employee does not consent to and/or approve such an act, then the employer might need to go to court in order to obtain a court order for accessing such email.
The Commissioner, therefore, attempts to find a fair balance between the two ends: on the one side, the legitimate business interest of the employer and, on the other, the right of privacy of the employees, an endeavour which the ECtHR had also engaged in, as observed in the Bărbulescu decision. What should be highlighted here is that an employer is likely to be acting lawfully in monitoring the employees’ email where there exists a workplace policy which states explicitly and with great accuracy the purpose and extent of monitoring (where necessary), while also expressing clearly that any email accounts used in the workplace are solely and strictly for work purposes.
- Case of Bărbulescu v Romania (App. No. 61496/08) dated 05/09/2017.
- The Law on the Processing of Personal Data (Protection of the Individual) Law of 2001 (Law 138 (I) / 2001).
- EU Regulation 2016/679 of the European Parliament and the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data.
- Seminar on the application of Regulation (EU) 2016/679 in December 2017.