One of the biggest challenges for U.S. employers, investigators, and e-discovery practitioners in cross-border litigation involving European companies or citizens has been obtaining digital data about European individuals. The privacy rights European citizens have—under both EU and member state law—are significant.
However, things may have just become a little easier for data-seeking employers or investigators in the European Union.
The European Court of Human Rights on Jan. 12 issued a decision that gives employers greater ability to monitor their employees’ online activities.
Surfing on Company Time
Bogdan Barbulescu was an engineer in charge of sales for a private company in Bucharest, Romania, when his employer asked him to open a Yahoo! Messenger account for company business.
In 2007, the employer informed Barbulescu it had been monitoring his communications and determined he had been using company systems for personal purposes. When Barbulescu protested, saying he had done only company business, the employer presented Barbulescu with a communiqué on issues of the day, such as Barbulescu’s personal health and sex life.
After the employer terminated Barbulescu’s employment contract for breach based on his unauthorized computer use, Barbulescu sued, arguing his employer had violated his right to correspondence in accessing his communications in breach of the Constitution and Criminal Code.
Both a Romanian court of first instance and an appellate court held for the employer, and Barbulescu brought the case before the European Court of Human Rights.
EU Win for Employers
In a rare win for employers before the European Court of Human Rights, the court held on Jan. 12 that the domestic court held correctly that the employer had not violated Barbulescu’s rights under Article 8 of the European Convention on Human Rights, which protects an individual's right to private and family life and the privacy of home and correspondence.
The Court of Human Rights held the employer’s reading of Barbulescu’s professional Yahoo! Messenger messages did trigger the application of Article 8, but the court held also that the employer had not violated Article 8 and that the courts had ruled correctly.
“The domestic courts had struck a fair balance between Mr. Barbulescu’s right to respect for his private life and correspondence under Article 8 and the interests of his employer,” the European Court of Human Rights said in a press release, paraphrasing the court’s holding.
The court rejected Barbulescu’s argument that the Yahoo! Messenger service by its very nature was designed for personal communication and that his communications constituted “both ‘personal data’ and ‘sensitive personal data’ within the meaning of Law no. 677/2001 and Directive 95/46/EC.”
However, the European Court of Human Rights noted that it was not unreasonable that an employer would want to know if its employees were performing company work on company time and that the employer had accessed Barbulescu’s account because it believed it contained company information.
The court noted that legal prohibitions against employers monitoring employee data were not absolute, adding that a Data Protection Working Party was established under Article 29 of the Directive in order to examine the issue of surveillance of electronic communications in the workplace and had concluded that any monitoring measure must pass a list of four tests: 1) transparency, 2) necessity, 3) fairness, and 4) proportionality, one American audiences should appreciate.
In this case, the court held the employer’s actions were lawful.
“There had therefore been no violation of Article 8 of the European Convention,” the court said in its ruling.
Why Barbulescu Matters
In the wake of the USA PATRIOT Act and the Snowden-NSA controversy, data privacy has become a major political, economic, and legal issue affecting cross-border transfers of information. For years, the general rule in Europe has been that employers did not have the right to access employees’ personal information.
The European Court of Human Rights holding in Barbulescu illustrates important exceptions to the general rule of employee data privacy. Although the Barbulescu court concedes that examining data files—even on a company account—triggers the privacy protections of Article 8 of the European Convention on Human Rights, triggering the application of Article 8 wasn’t enough.
In US-EU debates on the Safe Harbor Framework and the General Data Protection Regulation, the EU almost always has stronger individual data privacy protections, and European privacy regulations tend to favor employees over employers. However, the Barbulescu Balancing Test is an important consideration in EU data privacy law, with employers having a right to reasonable monitoring of their employees.