New ECHR ruling on personal correspondence in the workplace
Are employers taking personal liberties?
Today’s ruling by the European Court of Human Rights (ECHR) that employers can read workers’ private messages sent via chat software and webmail accounts during working hours should come as little surprise, but it does highlight the importance of having clear policies on what employees can and can’t do in the workplace.
The ruling follows an incident in which a worker claimed his employer had breached his right to confidential correspondence when it accessed his Yahoo messages and subsequently sacked him. At issue was the fact that the employee was using Yahoo Messenger for both professional and personal reasons.
Most companies have clear policies on internet usage – for example, banning accessing of explicit or other suspect sites from company machines – although the boundaries have become more blurred with the rise of bring-your-own-device (BYOD). Most employment contracts also stipulate that the employee mustn’t carry out any activity that could bring the organization into disrepute.
Privacy campaigners might well argue that the new ruling now gives carte blanche for employers to snoop on personal emails and similar correspondence. From the employer’s perspective it makes perfect sense to protect itself from possible malicious activity – and to ensure its staff are being as productive as possible during work time.
The legal minefield of monitoring personal communication
Up to now there have been laws that protect individuals and laws that protect employers. The principle has been that employers can monitor staff emails, but in human rights laws also mean everyone’s private life should be respected. This translates into a great deal of variance and discretion, and in 2007 an employee at a college in Wales won a case against her employer, which had been monitoring her emails. She won because the employer was shown to be infringing her right to privacy.
From a technology standpoint it’s easy to monitor emails and messaging. In the absence of any other information it’s best to assume that it happens where you work, but you should ask for clarification and details of the formal policy. If you’re an employer, you should have made sure everyone is signed up to that policy.
The major development from today’s ruling is that it might not only be personal correspondence carried out on, say, your work email address that can be monitored. It’s the use of private accounts during work time on work equipment that remains open. There were also claims about a second, personal account, but the judges only discussed the work account in their ruling.
What might happen next will have legal counsels scratching their heads… for example, what happens if an employee uses a personally-owned device to send an email from a personal account using the company’s network? Even trickier is the question of who would own the data about that message. Even without access to the content, the employer could monitor the behavior. It’s the kind of quandary that generates more ‘gray data’… and who will have control over that in the long term?
Things get even more interesting if you consider a legal case affecting the employee further down the line. To maintain compliance all work email and messaging correspondence is archived, migrated, and kept discoverable. The same is not normally true of personal correspondence sent using private accounts, but perhaps organizations are going to have to consider overtly retaining and archiving personal correspondence too. Will there be a future need to supervise data for compliance? Should it somehow be considered within the scope of an eDiscovery request?
Not the end of the story
The ECHR said that because the firm in today’s case did not access other information stored on the employee’s work computer – and the employee had had prior warning that the company could check his messages – the employer was well within its rights. The device used to send the messages was owned by the employer, and the ECHR’s judges did not elaborate on whether it would have made any difference if he had used a personal device.
Notably, one of the ECHR’s eight judges disagreed with today’s decision, saying that a blanket ban on personal internet use in the workplace would be unacceptable. So it seems there’s plenty more clarification to come in rulings on future cases.