September 11, 2017
On September 5, 2017, the Grand Chamber of the European Court of Justice issued a decision of signal importance in the field of employee privacy. The Chamber condemned without sufficient justification an employer’s monitoring of an employee’s communications, leaving European employers with only vague guidance as to when such monitoring may be warranted.
The employee at issue, Bogdan Mihai Bărbulescu, was employed as a sales engineer from August 2004 through August 2007 in the Bucharest office of a Romanian private company. At the employer’s request, for the purpose of responding to customers’ inquiries, he created an instant messaging account for the company using Yahoo Messenger, an online chat service offering real-time text transmission. The employer’s internal rules prohibited the personal use of company resources by employees on company time, but did not refer to monitoring of employees’ use of information. The employer circulated an internal memorandum in July 2007 notifying employees of the fact that their communications might be monitored, but the record suggests that the monitoring at issue was completed prior to the promulgation of the notice.
In mid-July 2007, the employer recorded the employee’s Yahoo Messenger communications in real time. Shortly thereafter, the employee was advised that his Yahoo Messenger communications had been monitored and that there was evidence that he had used the internet for personal purposes, in breach of the internal regulations. The employee falsely responded that he had used the service for work-related items only, but was then confronted with forty-five pages of messages with his father and fiancée, some of a highly personal nature. Shortly thereafter, the employee was terminated. The employee pursued civil remedies in the Romanian courts, and filed a criminal charge with the authorities, but was rebuffed on the ground that the employer had the right to monitor activity on its own systems.
In Bărbulescu v. Romania, the Chamber determined, in an 11-6 decision, that the national courts of Romania had violated Article 8 of the European Convention on Human Rights, which provides that “[e]veryone has the right to respect for his private and family life, his home and his correspondence,” in wrongfully countenancing the termination of an employee whose communications had been monitored by his employer.
The Chamber faulted the Romanian courts for the failure to determine whether the employee had received prior notice from his employer of the possibility that his communications might be monitored. Moreover, the Romanian courts failed to consider whether the employee had been informed of the nature or the extent of the monitoring, in particular the possibility that the employer might have access to the actual content of his messages. The Romanian courts also failed to determine (1) the specific reasons justifying the introduction of the monitoring measures; (2) whether the employer could have used measures entailing less intrusion into the employee’s private life and correspondence; and (3) whether the communications might have been accessed without his knowledge.
The ruling applies to the forty-seven member states of the Council of Europe, which focuses on human rights issues. The Council includes nearly every European country, and includes Russia, Turkey and Ukraine.
The ruling contrasts strongly with federal electronic privacy statutes in the United States, the Stored Communications Act (SCA) and the Computer Fraud and Abuse Act (CFAA), which provide generally that an employee’s communications may be monitored without limitation on employer-owned electronic systems, or if the employee provides consent to the monitoring.
Unfortunately, for businesses operating in Europe, the Chamber’s ruling creates a case-by-case approach, rather than a bright line rule, so that an employer must be prepared to show that a given level of electronic monitoring was warranted; that less intrusive means were unavailable; and that the employee was warned about not only the fact of monitoring, but also the extent of the monitoring. For example, the decision leaves open the question of whether monitoring may be justified simply to enforce employee efficiency.
U.S. companies doing business in Europe should consider a review of all company policies for electronic monitoring, with attention to the justification of the monitoring and the intrusiveness of monitoring. Companies that operate in a regulated environment, such as securities firms or companies with a demonstrated need to protect trade secrets, should focus on these features of their businesses in justifying employee monitoring. Regardless of the decision, employees should continue to take care not to violate company policy using workplace devices, if for no other reason than the technical ease of electronic monitoring.
This article is intended only as a general discussion of these issues. It is not considered to be legal advice or relied upon. We would be pleased to consider providing additional details or advice about specific situations. For additional information on this topic, please feel free to contact Mark H. Moore, who regularly counsels and litigates for clients in connection with business disputes.