Last year we reported on the case of Barbulescu v Romania, a decision of the European Court of Human Rights ("ECHR") which appeared to confirm that bosses could snoop on workers' emails. Mr Barbulescu's employer had a policy which made clear that its work computers could not be used for personal purposes. It did not however specifically indicate the nature and extent of the monitoring or that the employer could access the content of his communications. Mr Barbulescu only became aware of this when the employer produced evidence of his personal use of a work Yahoo account during a disciplinary that lead to his dismissal. After unsuccessful claims in the Romanian courts the case was referred to the ECHR where Mr Barbulescu argued his Article 8 right to respect for private and family life had been breached by virtue of the employer monitoring his emails. The ECHR decided by a majority that article 8 had not been violated, with the majority being of the view that the employer was permitted to check whether or not Mr Barbulescu was performing his work.
Mr Barbulescu appealed to the Grand Chamber of the ECHR (a panel of 17 judges). His appeal was upheld with the majority of the judges finding his Article 8 rights had been infringed. The court found that Mr Barbulescu's communications - emails to his fiancé - were covered by the concepts of private life and correspondence even though they were emails sent from his employer's computer. The Grand Chamber decided that the Romanian courts had failed to meet their positive obligation to protect an employee's Article 8 rights by not upholding his unfair dismissal claim. Although Mr Barbescu had been made aware of the employer's policy on internet usage, its failure to expressly advice him that the content of his personal communications could be monitored was key in the Grand Chambers decision.
If employers in the UK are complying with the Data Protection Act 1998 ("DPA") then they are unlikely to fall foul of this ruling. The DPA and the Regulation of Investigatory Powers Act 2000 ("RIPA") limit an employer's power to monitor employees' private communications, and the Employment Practices Code recommends employers carry out impact assessments to show they have achieved a fair balance between the interests of the business and workers' privacy rights. Should a similar case arise a UK employee would be likely to be held to have a reasonable expectation of privacy and employers should bear that in mind when undertaking any monitoring. In particular, employers should have clear policies making clear that communications may be accessed and monitored.