The European Union: Facing a New Employee Privacy Paradox

On January 12^th, the European Court of Human Rights determined that an employee’s private chats sent during their work day are accessible by the employer. The ruling, naturally, called into question the sanctity of employee data privacy in the EU.

Bogdan Barbulescu, a Romanian engineer, was instructed to create a Yahoo Messenger account for business purposes during his time at the company between 2004-2007. At the same time, he occasionally accessed a separate personal Yahoo Messenger account that was not created for business, and had been established entirely for personal communication.  For several days in 2007, the corporation monitored the chats from this personal account and Barbulescu was subsequently terminated, with rationale being that he had broken company policy by using company time to access personal accounts.

Barbulescu took the case to the European Court of Human Rights after losing in Romania’s domestic court. The court found that the company had a clear policy around chats and messaging that stated that any communication during work hours could be monitored, and employees were also instructed not to have personal chats or messages at work.

The ruling comes as a bit of a shock to the European business community, which has traditionally been more protective of worker privacy rights than the US or Canada. It leaves doubts about any privacy of personal communications in the European workplace, and certainly raises more questions than it answers.  In fact, unrestricted access to personal email and messages may result in increased liability for businesses. Just because the enterprise is legally allowed to access personal content doesn’t mean that it *should* want to.

Organizations need to shed light on the following grey areas if they technically have the right to view personal accounts accessed at work.

• Does this mean that employees can never use company devices and/or time to conduct personal business without risk of their private accounts being monitored?
• In today’s BYOD world, do employers have unrestricted access to data in any device that is also used for work purposes?
• What constitutes “work hours?” Sales individuals and executives are often on call even when they’re away from the office.  Does this mean that employers have full access to this data 24/7?

These issues will take time to clarify, but in the meanwhile organizations must take some protective steps. The key is to create clear, documented policies that leave no room for ambiguity on the acceptable use of private accounts at work.

The dissenting judge in the European case made an argument that free speech is a fundamental human right, and by extension, access to means of free expression – such as the internet – should be a human right as well. Perhaps it’s not reasonable for companies to entirely prohibit access to private accounts while at work; it’s not uncommon for employees to spend 10+ hours of their day at their workplace. But policies are the clear first step for businesses to help create meaningful structure, and creating fair but clear policy (such as private activity only allowed during breaks) should help the enterprise sidestep some of the potential pitfalls of this new ruling.

BYOD legal privacy risk security

Linda G. Sharp, Esq., MBA, is the Associate General Counsel for ZL Technologies. Her responsibilities include corporate legal matters and related legal product initiatives. Prior to joining ZL, Linda consulted with Fortune 500 companies and Top 200 law firms on federal investigations and large litigation matters. Linda writes and speaks regularly on the subjects of eDiscovery, records management and information governance. Linda is an expert in her field, with membership in the OLP Advisory Board, and Chair position with the AC C New to In-House Committee.