E-Mail Monitoring by the Employer
ECHR tightens the transparency obligations of the employer
On 5 September 2017 the Grand Chamber of the European Court of Human Rights ("ECHR") issued its judgement in the case Bărbulescu v. Romania on the legality of monitoring measures in the workplace. According to the judgement, an employer can
limit the privacy of an employee in the workplace but not reduce it to zero. Employees must be informed of possible monitoring measures and these must have the least possible impact on the employee's privacy.
1. The Decision of the ECHR
The Grand Chamber of the ECHR dealt with the case of an employee who was dismissed after the employer had discovered and opened private communications, although the private use of the company's infrastructure was prohibited. The employee claimed that the dismissal was based on a breach of his privacy and thus infringed Article 8 of the European Convention on Human Rights. Article 8 states that "everyone has the right to respect for his private and family life, his home and his correspondence."
Contrary to earlier decisions, the Grand Chamber found that the Romanian courts had infringed Article 8 of the Convention on Human Rights and that there had not been a sufficient balance of interests as it had not been taken into account that the employer had not informed about the implementation, the extent or the reason for
possible monitoring measures. In addition, the Romanian courts had not clarified whether the employer had legitimate reasons for the monitoring and whether, potentially, less intrusive measures would have sufficed. The Grand Chamber finally concluded that the private use of the business infrastructure cannot be completely prohibited.
2. Requirements on Employers
According to the decision of the ECHR, the following conditions must be fulfilled for an employer to be permitted to monitor the e-mail traffic of his employees:
- Transparency: The employee must be informed in advance about the possible monitoring of his e-mails, the extent and the purpose.
- Proportionality: The employer must always choose the measure that is least intrusive in the employee's privacy. If simple monitoring of the communication flow is sufficient for the monitoring purpose, the e-mails' content may not be read. In addition, access must be limited to as few people as possible.
- Legitimacy: Any monitoring must be based on legitimate interests of the employer. The more intrusive the measure, the weightier the employer's interests in the monitoring must be.
- Protective measures: The employer must take appropriate technical and organizational measures so that e-mails are not read or edited by unauthorized persons. Without a spe-cific suspicion, e-mails marked as "private" may not be opened.
3. Consequences and Options for Swiss Employers
The Swiss law on data protection is currently being revised with the aim of taking account of the new technological possibilities and, in particular, of increasing the transparency, diligence and control of the processing of personal data, and continuing to ensure an appropriate level of data protection with regard to the new EU General Data Protection Regulation. Although the decisions of the ECHR are not binding on Swiss employers, they will nevertheless be taken into account by the local courts. Employers should therefore ensure that all employees are informed about the possibility of e-mail monitoring. For this purpose, a usage and monitoring regulation is particularly appropriate, and would specifically clarify the permitted (private) use, the purpose and scope of monitoring measures, as well as possible consequences in the case of violations. Without a general rule, employees must
be informed before each individual monitoring operation, which, particularly in the case of a suspected violation, could thwart the purpose of the monitoring.
In order to avoid this problem, it has so far been assumed that private use can also be completely prohibited. According to the decision of the ECHR, this is not enforceable. Even if the employer wants to limit the private use of the business e-mail account, it cannot be excluded anymore. This can become a problem especially after the termination of an employment relationship if successors or other employees are to have access to the e-mail account. With an e-mail address based on function - in contrast to a personal business address - this problem cannot arise at all and the employer has access at all times.
Authors: