Thursday 14 January 2016

Is Workplace Privacy Dead? Comments on the Barbulescu judgment




Steve Peers

When can an employer read an employee’s e-mails or texts, or track her use of the Internet? It’s an important question for both employers and employees. A judgment this week in Barbulescu v Romania addressed the issue, but unfortunately has been greeted by press headlines such as ‘EU court allows employers to read all employee e-mails’. This is wrong on two counts: it’s not a judgment of an EU court, but of the separate European Court of Human Rights; and the ruling does not allow employers to read all employee e-mails without limitation.

So what exactly did the judgment decide? And would the ruling have been any different if an EU court had decided it?

Background

The European Court of Human Rights (ECtHR) has jurisdiction only to interpret the European Convention on Human Rights (ECHR) and its protocols. The Barbulescu case concerns the right to privacy under Article 8 ECHR, which can be limited on certain grounds according to Article 8(2). It follows on from, and further develops, previous rulings on similar issues.

In Halford v UK, a well-known case concerning a policewoman suing her local force for sex discrimination, the ECtHR ruled that Article 8 was breached when the police force intercepted calls from a separate work telephone which they had provided for her to contact her lawyers. The key points of the judgment were that Article 8 can apply to workplaces, depending on whether there was a ‘reasonable expectation of privacy’. Ms. Halford had such an expectation since the police force had made a particular point of providing her with a separate telephone and assuring her that she could use it to discuss the litigation privately.

Obviously, situations like that are rare. It’s far more common that an employee might use a computer or phone provided by the employer in the ordinary course of work in order to have some private communication. Yet Article 8 can also protect employees in those cases too. In Copland v UK, the ECtHR ruled that Article 8 was breached when an employee’s phone calls, e-mails and Internet use from work were monitored by her boss. The crucial point was that there was ‘no warning that her calls [or e-mail or Internet use] would be liable to monitoring’.

The new judgment

How is Barbulescu different from Copland? The answer is that the facts are quite different. In the newer case, the employer had an absolute ban on employee’s use of work equipment for private reasons. Barbulescu’s boss suspected that he was not complying with this policy, and informed him of its suspicions, on the basis of monitoring his account. The employee denied non-compliance, so the employer presented him with a transcript of his Yahoo Messenger communications, which included personal communications. He sued his employer in the Romanian courts and lost, so he brought his compliant to the ECtHR.

The Court ruled that the complaint was admissible, but the majority rejected his Article 8 claim on the merits. While Article 8 was applicable, his employer was simply trying to enforce its absolute ban on private use of work equipment, and he had breached his employment contract. The employer had only accessed the account to check whether he was using it just for professional purposes, given that he had claimed that he did not use it for private reasons. The use of the transcript of his communications was limited, since the identity of the other parties to the communication was not disclosed. Other documents stored on his computer were not checked, and he did not have a convincing reason for using work equipment for private purposes.

One dissenting judge argued in detail that the majority was quite wrong on the merits, arguing for more stringent control of employers’ monitoring of employees’ private Internet use (primarily by means of detailed notification requirements). It should be noted that Mr. Barbulescu can still ask the Grand Chamber of the ECtHR to review this judgment, since it was issued by a Chamber of judges.

Impact

The Court is clearly not overturning its prior case law: it distinguishes Halford and Copland, rather than reversing them. So Barbulescu definitely does not give employers carte blanche to put their employees under surveillance. There remain – as there were before this judgment – cases where such surveillance is justified, and cases where it is not. The importance of Barbulescu is some clarification on where the dividing line falls between those two categories.

Legally speaking, that line is determined by the degree of ‘reasonable expectation of privacy’ that employees have at the workplace. They have such an expectation where the employer has expressly allowed them to use a phone or computer for private purposes (Halford), or where it was tolerated (Copland). In this case, the crucial difference is that the employer banned such use.

Moreover, the Court also mentions other specific factors, as listed above: access to the communications followed a denial by the employee; use of the transcript of the communications was limited; other documents stored on the computer were not checked; and there was no convincing reason for using work equipment for private purposes. The Court also emphasised the fact that the employee brought an employment law claim, rather than a criminal law or data protection law claim. Arguably, all of these factors are relevant and must be considered in addition to the employer’s ban on private use of work equipment.

In any event, the ruling is questionable authority, for two reasons. First of all, it’s possible that the Grand Chamber of the ECtHR will review it and overturn it. This would be richly deserved because – with the greatest respect – it’s a very poorly reasoned judgment. Secondly, it’s arguable that EU law sets higher standards. Let’s examine these two points in turn.

Comments

What are the flaws in reasoning? First of all, the majority in Barbulescu purport to distinguish the prior judgment in Copland, but in fact they contradict that previous ruling. They describe it as a case where employee use of the employer’s Internet was ‘tolerated’. That’s true, but it’s not all. As can be seen from the quote above, the crucial point of that judgment was that the employee was not told about the employer’s surveillance. That’s a crucial distinction because it’s not clear whether the employee knew about the surveillance in this case (the point was disputed between the parties, and the ECtHR decided not to address it). Of course, the point has much broader relevance: there may be many other employers in Europe which have a blanket ban on employee use of the Internet, but which have not informed their employees about surveillance. Is that failure to inform crucial (Copland), or (apparently) not (Barbulescu)? Or is it only crucial where the private use of employer equipment is not banned?

Secondly, there are internal contradictions in the reasoning. The Court places great stress on the fact that the employer only subjected the employee to surveillance when he claimed that his use of the messaging service was for work reasons only. So it had no reason to expect to find personal data in those messages, when it checked them to see if he was lying (para 57). That sounds reasonable. But in the presentation of the facts (at para 7), the accusation that the employee was using work equipment for personal reasons was based on placing him under surveillance. In other words, he was put under surveillance first. This isn’t a minor quibble, because it raises an important question of whether employers which impose a general ban on the private use of work equipment have a general prerogative to place their employees under surveillance, or whether there must be some specific reason (such as the employee’s denial of an accusation to that effect) to do so.

The Court also asserts that the identities of other people were not disclosed in the transcripts of private messages. But the judgment refers to the applicant’s brother and fiancée. Anyone who knows him knows who they are. Indeed, if Barbulescu has a social media presence, I could probably find out who they are myself – with a bit of help from Google Translate. (I haven’t actually tried this).

Finally, the Court accepts that the Article 8 right to privacy is affected, but (as the dissenting judge points out) it doesn’t properly apply Article 8(2). This means that the Court doesn’t identify what interests justify the breach of the right to privacy, whether the breach was in accordance with the law, or whether it was proportionate and necessary. While the employer interest in enforcing its policy on work equipment should fall within the scope of ‘the rights and freedoms of others’ as a justification, it’s far from clear that the employer’s actions were clear and foreseeable (part of the ‘in accordance with the law’ test) or proportionate.

EU law

As noted at the outset, the judgment was issued by the European Court of Human Rights, not an ‘EU court’. (I’ll be sending every journalist who got this wrong a batch of pork pies specially seasoned by David Cameron). But there is a substantive EU law element here, as briefly noted by the ECtHR. Data protection law is one of the two main areas where EU law and human rights law frequently overlap (the other area is asylum law).

There are several reasons to distinguish between EU law and the ECHR.  First of all, EU law applies to 28 states, while the ECHR applies to 47. This distinction is blurred a little in data protection law, since some non-EU states (Schengen associates) have agreed to apply EU data protection law; that law also applies to some companies based outside the EU (Google Spain); and non-EU countries are judged by the EU on whether their law is ‘adequate’ from the EU’s perspective, meaning it has to be quite similar to EU law (Schrems).

Secondly, the procedure and remedies are different. EU law is usually developed by means of a national court pausing its proceedings, asking the CJEU some questions and then reopening the case at national level and applying the answers it gets. It can then apply the remedies available in national law, which can sometimes be affected by EU law too (see Vidal-Hall and Benkharbouche). In this case, the Romanian courts noted the EU law points, but decided against the applicants on the merits without asking the CJEU questions. Arguably the final national court should have sent questions to the CJEU, and its failure to do so is itself an ECHR breach (see Daniel Sarmiento’s discussion here), but Mr. Barbulescu didn’t raise that point. If he had won in the ECHR, the only remedies he could get would be a declaration, costs and damages.

EU law can also be applied against private parties, subject to the limited ability to apply it in the case of Directives. That limitation will soon disappear when the upcoming data protection Regulation comes into force. The ECHR cannot apply to private parties as such, which is why this case had to be brought against the Romanian state, not Barbulescu’s employer, although the ECtHR swept aside that distinction by referring to the doctrine of positive obligations (ie the State must ensure that human rights are protected in private relationships).

The biggest issue is whether substantive EU law would give greater protection. While the ECtHR noted that this case involved Mr. Barbulescu’s ‘personal data’ within the meaning of EU law, it did not examine the EU legislation (the current data protection Directive) further. The dissenting judge did so, taking into account also ‘soft law’ of the EU’s ‘Article 29 working party’. This body of national data protection supervisors frequently meets to adopt detailed policy statements taking a very assertive view of how to interpret EU data protection law. Then they return home, and fail to enforce the policies they agreed to.

Under the EU Directive, can his employer justify collecting Barbulescu’s personal data? He did not consent to the collection of that data, so the employer would either have to argue that it was ‘necessary for the performance of a contract’, or for its ‘legitimate interests’. In the latter case, those interests could be outweighed by his rights. There’s no clear answer from this wording whether the CJEU would decide this case the same way, interpreting the Directive: it’s arguable (as the national courts held) that it was ‘necessary’ to monitor the employee’s communications in order to enforce the rule against private use of communications, or that the factors referred to by the ECtHR were enough to give precedence to the employer’s interests over the worker’s rights. But the overall pro-privacy tone of recent CJEU rulings on data protection (Digital Rights, Google Spain, Rynes, Schrems) suggest that the CJEU would be more likely to rule that some prior notification of surveillance was required.

Another issue is that some of the data concerned the employee’s health and sex life. EU law prohibits processing this, and other ‘sensitive’ personal data. But this prohibition is a legal fiction, as in fact a number of grounds for processing sensitive data are permitted. In practice, it’s more accurate to say that it’s harder to justify processing such data. Applying that rule to this case, the Directive states that such data can be processed if ‘necessary’ to carry out the employer’s obligations and rights ‘in the specific field of employment law’, if that is ‘authorized by national law providing for adequate safeguards’. It’s hard to know if these criteria were met in this case. (These rules will not change much under the future Regulation. There will be a new clause allowing Member States to have special rules for employment issues, but there’s no specific mention of employer surveillance).

Given that Romania is bound by the EU Directive, should the ECtHR have looked further at the EU law issues? It’s an awkward point, since the ECtHR doesn’t have jurisdiction as such to rule on EU law. But interferences with the right to privacy must be ‘in accordance with the law’. So there should at least have been a cursory examination of whether the national law, and the national court’s interpretation of it, appeared to be consistent with the relevant EU law. The ECtHR avoided doing this, because (very unusually for a privacy case) it ignored the ‘in accordance with the law’ test entirely.

Conclusion

Altogether, this judgment is not the ECtHR’s finest hour. But it may not be the final word on this important issue either. It remains to be seen whether the Grand Chamber might review this case, or whether the CJEU or national courts, perhaps excited by the new Regulation, might insist that higher standards apply in national law. For the time being, though, employers should be aware that there is still a fine line between acceptable and unacceptable monitoring of their employees.


Barnard & Peers: chapter 9

7 comments:

  1. That's a very nice and interesting analysis of the recent judgment. Thanks a lot. I would say it is still very hard for the ECtHR to rule on issues such as Data Protection and to maintain strict position. I think, CJEU (generally EU Law) is equipped with better and stronger tools (Article 8 of the Charter of Fundamental Rights, plus Regulation) to make the personal data protection framework more vlauable. I hope the Grand Chamber will have a different position and will take into account recent developments in Data Protection, not only inside the EU, but also outside it.

    ReplyDelete
  2. Well studied post Steve Peers .

    ReplyDelete
  3. Great analis. However, I dont agree with you. It´s the same thing that happens in a relationship. Could you read your girlfriends mails in order to verify her fidelity? Probably not. It doesnt matter if i gave her the laptop. IT´S HER PRIVACY.

    ReplyDelete
    Replies
    1. That raises different issues, and would possibly fall outside the scope of EU law (due to the 'household exception' to data protection law). But I don't think we disagree - I am being critical of the judgment.

      Delete
  4. It was an different analysis, thanks for sharing.

    ReplyDelete
  5. This comment has been removed by a blog administrator.

    ReplyDelete