In its recent decision in the case of Bărbulescu vs. Romania, the Grand Chamber of the European Court of Human Rights (ECtHR) ruled that Romania has violated Article 8 of the European Convention on Human Rights by failing to maintain a balance between the employee's right to privacy and the employer's right to secure his business.

Facts of the case

Bogdan Bărbulescu worked in a sales company in Bucharest. One of his tasks was to set up and manage a Yahoo Messenger account for customer services - Facebook was not yet popular.

He was the one who used the account. He had the password, and he thought he was the only one who knew it and who was using it. According to data cited in the ruling of the Grand Chamber, Bărbulescu found out the company was monitoring its employees' correspondence only in 2007, when a female employee was subjected to public shaming and fired because she used the company’s phone and printer for personal purposes.

Some time after this, Bărbulescu was called in by his supervisors and scolded for abusing the internet more than his colleagues. He replied that he was doing that for work purposes.

In response, his supervisors showed him 40 pages of transcripts of conversations form his private Yahoo account, where he was talking with his fiancée and his brother. Bărbulescu accused the company of violating his right to privacy. He was then fired.

Domestic proceedings

Bogdan Bărbulescu sought relief from the Romanian courts, complaining of the violation of his rights. But the Romanian justice system found that he was lawfully fired and that his employer complied with the labor code and all other existing legislation, informing him he was being monitored and having the right to do so at work, when the employee was using the company’s computer and Internet. In their opinion, such monitoring was one of the company's tools for protection against cyber attacks or potential employee frauds.

In 2008, after he exhausted all legal avenues available in Romania, Bărbulescu sent his complaint to the ECtHR, which in the first decision from 2016 confirmed to some extent the decisions of the Romanian courts. However, the trial was moved to the Grand Chamber, which, on 5 September 2017, decided that in order to be entitled to such actions, business must fulfill certain conditions. In the same time, states must take certain measures to ensure that the employees' rights are respected even in these situations.

In an article published by hotnews.com, the lawyers who represented Bărbulescu at the ECtHR, Emeric Domokos-Hancu and Ovidiu Juverdeanu, list the issues that employers need to be careful when monitoring their employees:

• -It is not enough to have a general policy (such as an internal regulation) imposing a general ban on employees using the company's resources and to notify employees in a general way of the monitoring of their mail correspondence and/or of other communications.
• -Informing the employees and/or the company policy on this issue should be customized and clear about the nature of the monitoring, and it should be detailed to include at least the following:
  • Whether they are monitoring only the flow of correspondence, or its content as well;
  • Whether they are monitoring all types of communications or only a part of them;
  • Whether monitoring is limited in time and who are the persons who have access to these communications;
  • The consequences of monitoring for the targeted employees;
  • The use of monitoring data by the employer.
• -The employer should justify and express a legitimate reason/interest for monitoring of the data. Due to the sensitive nature of correspondence, the Court emphasized that monitoring the content of correspondence requires detailed argumentation from the employer.
  • A theoretical reason / interest such as the general need to avoid damaging IT systems or the possible liability of the company for illicit acts cannot, in the Court's view, be a real/actual reason/interest
  • Employers should be aware that a general advanced notice on monitoring, including within the internal regulation, does not necessarily fulfill the condition to have a real and particular reason/interest. Thus, employers may be required to demonstrate the real reason/interest and to meet the prior notice requirement before initiating monitoring of employees’ communications.
• -The employer must assess in the light of particularities of each case if the aim pursued can be achieved without actually accessing the full content of the employees’ communications.

Commenting on his personal blog on the decision of the Grand Chamber, Bogdan Manolea, a lawyer specialized in information technology and digital rights, emphasized the role of the state in such cases:

1. Firstly, states (including Romania) have an obligation to ensure that an employer cannot supervise its employee just because they want to do so and without providing adequate safeguards against abuse. At the same time, there is a large margin of appreciation for states to explain how can such obligations be fulfilled - from a specific normative framework or an appropriate jurisprudence of the courts (including those in the area of labor law - see paragraphs 113-120 of the judgement for details)
2. Secondly, the ECtHR provides in paragraph 121 six criteria who are establishing a minimum core as a basis that needs to be considered when establishing the proportionality and guarantees when monitoring employees:
   1. Prior notification of the employee, including on the nature of the monitoring and timing of the implementation of the measures;
   2. Proportion of monitoring and level of intrusion into the employee's privacy, including details on the data traffic, content or location coordinates;
   3. If access to the content of communications is needed, identify the legitimate reasons why such a measure is necessary;
   4. The possibility of implementing a less intrusive system of monitoring;
   5. Consequences of the monitoring and whether the results have not been used for any other purpose;
   6. Sufficient safeguards for the employee, especially in relation to access to the content of communications.

Bogdan Manolea says it will be critical for courts to properly apply the decision: "Given that the market is full of possibilities of electronic surveillance (not just of employees), where most of those involved (producers or sellers or consultants) "forget" to mention that these possibilities can only be used under certain legal conditions, it will be crucial for the courts to properly apply the ECtHR decision and the competent authorities to fulfill their role to apply the EU Personal Data Protection Act – GDPR for a legal system that is functional and does not exist only on paper."