Employees’ monitoring: a prior privacy notice might not suffice, especially under the GDPR!

Privacy rights of employees are protected, if they are previously informed of the monitoring and a right balance of interests is achieved according to the Grand Chamber of the European Court of Human Rights. But is this decision compliant with the GDPR?

The Bărbulescu v. Romania case on the monitoring of employees

In a case related to the dismissal of an employee after monitoring his electronic communications through the usage of tools dedicated to the working activity and accessing to their contents, the Grand Chamber of the European Court of Human Rights held that the employee’s right to respect for his private life and correspondence had not been protected since Mr. Bărbulescu had not been adequately previously informed about the potential monitoring of communications.

In particular, according to the Court in order “to qualify as prior notice, the warning from an employer had to be given before the monitoring was initiated, especially where it entailed accessing the contents of employees’ communications“, while “The Court concluded, from the material in the case file, that Mr Bărbulescu had not been informed in advance of the extent and nature of his employer’s monitoring, or the possibility that the employer might have access to the actual contents of his messages.”.

The Court does not say that with an adequate prior notice any type of monitoring of employees would have been lawful through. In particular, according to the Court an employer’s instructions could not reduce private social life in the workplace to zero. The right to respect for private life and for the privacy of correspondence continued to exist, even if these might be restricted in so far as necessary. In this respect, the Court ruled that national courts on this case had not sufficiently assessed whether

• The goal pursued by the employer could have been achieved by less intrusive methods than accessing the contents of Mr Bărbulescu’s communications which; and
• There had been legitimate reasons to justify the monitoring which officially was aimed at avoiding that the company’s IT systems was damaged or any liability being incurred by the company, even if such potential damages and liability were not proven in this case.

Is this approach compliant with privacy principles of the GDPR?

I read some comments to this decision that has been considered as a “landmark” change. In my view, the position of the Court does not considerably differ from the one taken by European data protection authorities in the recent opinion of the Article 29 Working Party on the privacy on the workplace.

It is true that this decision might in any case push privacy authorities to adopt a more flexible view on technologies aimed at performing a monitoring of employees. This is also because the European General Data Protection Regulation requires to implement adequate security measures which also includes the need to prevent potential misuses of personal data by employees that inevitably requires a more stringent control over their activities.

The hardest hurdle will be then to properly balance privacy rights with operational needs as well as the objective to prevent potential privacy breaches and in general illegal conducts. This balance is achieved by running a privacy impact assessment which becomes a necessary step in case of usage of these technologies.

What is your view on the above? If you found this article interesting, please share it on your favourite social media.