On 12 January 2016, the European Court of Human Rights delivered a widely commented judgment in Case B?RBULESCU v. ROMANIA – Application n° 61496/08.
It concerns the dismissal of a Romanian worker who had used his professional email account for private purposes, in violation of the internal company policy. To demonstrate the breach, the employer produced a transcript of the communications of the worker which confirmed the use of the account for private purposes.
The Court found that the employer acted within the boundaries of its disciplinary power.
1. Facts
An employee works as a commercial engineer for a Romanian company.
The employer asks, within the job description, to use an email account that he is able to control. It appears however that the worker uses this account also for private purposes. Faced with the denial of the employee, the employer provides evidence through the transcription of the private communications.
The employee is dismissed based on the violation of the company internal policy.
The dismissal is contested by the worker before the Romanian courts which reject the complaint in both first instance and appeal.
The worker brings the case before the European Court of Human Rights. The application is based on the breach of his right for his private life and correspondence, protected by article 8 of the European Convention on Human Rights.
2. Question raised before the European Court of Human Rights
The application is limited to the regular monitoring by the employer of the communications of his workers in the framework of disciplinary power.
The issue raised before the Court is the following: could the worker expect an absence of control by using the email account, given the strict ban on private use, as imposed by the employer?
3. Position of the Court
The Court considers that by accessing the email account, the employer could presume that it contained business messages. Indeed, the worker had argued that it was used for the sole purpose of advising the customers. According to the Court, the employer has acted legitimately, within the boundaries of the disciplinary power.
The Court further notes that no particular importance was attached by national judges to the content of the communications. National judges relied on the transcript for the sole purpose of verifying the existence of a disciplinary offense. For example, nothing is revealed about the identity of persons with whom the worker communicated.
The Court considers that it is not unreasonable for an employer to check whether its workers perform their duties during working hours. The existence or not of a damage caused to the employer is not relevant in this respect.
The audit by the employer was limited and proportionate here: he only considered communications in the email account, to the exclusion of any other data.
The Court concluded that, in this case, a fair balance has been struck between the rights of workers and the interests of the employer. There has been no violation of Article 8 of the European Convention on Human Rights.
4. Impact of the judgment on the « cybersurveillance » of employees under Belgian law ?
Contrary to much of what the Belgian press relayed, this decision does not comment on the acknowledgement and disclosure by the employers of private communications of the employees. One should not conclude that the employer would henceforth be allowed to read, permanently, the content of emails exchanged by the employees.
However, if the employer presumes the existence of abuse in the use of communication tools, he does not violate the privacy of the employee only because the data collected during this control, for purposes of evidence , contain personal data. The judgment seems to confirm this point.
Under Belgian law, the cyber monitoring of employees is permitted in strict compliance with several conditions, defined by CBA n° 81. As part of this control, the employer must observe the following three main principles: purpose, proportionality and transparency.
According to the Commission for the protection of privacy, the employer may check email and websites visited by employees on the workfloor, subject to the principles mentioned above. This control can be performed in the absence of the worker, to ensure continuity of business, or in case of targeted monitoring, in compliance with the employment contract. The employer will however monitor, by priority, "metadata" : for example the frequency of emails sent and not the content of the emails.
In order to avoid any difficulties, the Commission issued several useful recommendations, including: hearing the employee before taking a decision, appoint a person in charge of data control in the company, or creation of separate professional and private email accounts. These recommendations can be consulted online here (FR/NL)
What can be learned from this decision?
In cases of alleged abuse by an employee of communication tools at his or her disposal, it is not forbidden for the employer to track and produce the transcript of those communications containing personal data.
However, to reach that conclusion, the Court underlines that the employer must act reasonably, and that the means of control should be limited and proportionate. The control at stake here aimed at verifying if the worker performed his duties well during working hours. Moreover, the control targeted an email account created for professional use at the request of the employer.
The impact of this decision must therefore be set into perspective. It does not constitute an absolute and permanent authorization of screening emails exchanged by employees at the workplace. The development of a company control policy, within a strict framework, remains essential.
