The right to respect for private life within the employment relation

05/04/202206/04/2022 redazione

Premessa: tale scritto, a cura di Margherita Antonelli, fa parte del Legal Research Group di ELSA Napoli intitolato “Right to private life: challenges and perspectives” organizzato da ELSA Napoli e curato da Francesco De Santis (professore di diritto processuale civile e procedure di tutela internazionale dei diritti umani presso il Dipartimento di Giurisprudenza dell’Università di Napoli “Federico II”).

Summary: 1. Introduction: The right to respect for private life in the workplace – 2. European and Italian legislation – 3. The ECtHR case law – 3.1 The applicability of Article 8 in the workplace – 3.2 Bărbulescu v. Romania – 3.2.1 The use of the Bărbulescu v. Romania criteria by the Italian Guarantor for personal data protection – 3.3 López Ribalda and Others v. Spain – 4. Conclusions.

Introduction: The right to respect for private life in the workplace

The present work aims at exploring the peculiar way in which the right to private life applies within the employment relation.

Certainly workers, like all other people, have a right for their private life and correspondence to be respected. However, their privacy cannot be protected tout court, in fact such protection must be balanced with and ultimately limited by the protection of other interests that come to relevance in the workplace, namely the employer’s interests[1]. Among them there is first and foremost the interest to verify the correct fulfilment of contractual obligations, thus meaning whether the employees are completing professional tasks during working hours and whether they follow employer’s directives. The employer also needs to ensure the safety of the working environment and the integrity of the corporate assets. The only way these interests can be adequately fulfilled is by limiting the protection of workers’ right to privacy by enabling the employer to control them. The power of control is a crucial prerogative for the employer because said control enables him/her to collect information on the employees’ behaviour that can be used for disciplinary purposes and, above all, for the purpose of proving the breach of contract on the part of the worker during potential court proceedings that are likely to ensue, should the worker deem the disciplinary measures taken unfair.

In other words, in the workplace there are two groups of opposing rights and interests that need to be fairly balanced: on one end the worker’s right to privacy, on the other the employer’s interests justifying a control that must nonetheless be contained within certain limits and implemented in such ways so as to be respectful of workers’ right to private life. Notably, even though the right to privacy can indeed be restricted in the workplace, it can never be suppressed altogether, a principle that has been recently stressed by the European Court of Human Rights[2].

The present work explores the problematic and dynamic interactions between the abovementioned rights and is structured as follows: Section 2 provides an overview of the European and national rules specifically dedicated to the protection of the right to private life in the workplace; Section 3 focuses on the case law of the European Court of Human Rights, namely on the cases Bărbulescu v. Romania and López Ribalda and others v. Spain; lastly, Section 4 provides some conclusions.

European and Italian legislation

Striking a fair balance between the interests at stake in case of workplace monitoring is no easy task, as shown by the number of controversies settled by domestic as well as international courts[3].

Given this difficulty it is no surprise that rules specifically dedicated to the protection of the right to private life in the workplace can be found both at the European and national level.

At the European level, within the European Union the processing of personal data in the context of employment is currently regulated by Art. 88 of the EU regulation 2016/679, generally known as General Data Protection Regulation (GDPR). Pursuant to Article 88, Member States may introduce more specific rules on the processing of employees’ personal data in the employment context and such rules shall include specific measures to protect workers’ dignity, legitimate interests and fundamental rights.

The Italian adaptation of the GDPR is Legislative Decree 101/2018 which modifies Legislative Decree 196/2003, the main Italian law on the protection of privacy whose Articles 114 and 115 cover the privacy in the employment relation. Article 114 is especially important since it regulates the remote control of the activity of the worker by recalling Art 4 of the Law no. 300/1970, the main Italian law on workers’ rights.

Art. 4 provides that audio-visual systems and other instruments from which also derives that the possibility to monitor the workers from a distance can only be used for organizational purposes or for the purpose of ensuring security and protecting company assets. Moreover, they can be placed in the workplace only after an agreement with trade unions that meet certain requirements. In the event that reaching an agreement proves impossible, the instruments in question may be employed with prior authorization of a governmental agency. However, Article 4 clarifies that such a provision is not applicable to instruments used by the employee to fulfil his/her obligations. Lastly, the rule provides that data collected through all the aforementioned instruments can be used for all purposes linked to the employment relation, including disciplinary purposes, provided that the employee is adequately informed of the possibility and of the implementation of the monitoring and the rules laid out by Legislative Decree 196/2003 are respected.

Article 4 mentions remote control of the worker’s activity. To understand what remote control or control from afar is, it is preliminarily necessary to distinguish between a direct control or an indirect one[4].

Direct control is one the worker is aware of, meaning that he/she realizes the control is taking place as it happens – e.g., physical surveillance. Indirect control, on the other hand, can happen unbeknownst to the worker since it takes place from a temporal as well as spatial distance, thus meaning that usually it does not take place in the workplace and during working hours [5]. This feature is the reason why remote control is also known as control from afar and it is made possible by the fact that remote control is implemented through mechanical systems that register and collect data that the employer can review later and in a different place to verify the worker’s compliance with the contractual obligations.

Typical examples of remote control are audio-visual systems such as cameras[6]. Because of its features, remote control has a greater capacity of intrusion in the worker’s private life and that is why it has always been regulated more specifically and it has always been accompanied by specific guarantees. The development of new technologies has made the matter of protecting employees’ privacy even more pressing[7]. In fact, whilst until a few decades ago remote control was implemented mainly through cameras and other audio-visual systems, nowadays modern technologies – such as personal computers, tablets and the Internet – have multiplied the means of such control. The main innovation is that the use of said technologies in the workplace has made it so that oftentimes the instrument through which the control is carried out is the same one the worker uses to fulfil the contractual obligations[8] and the control takes place by accessing the data collected by it. It is the very same device (e.g., corporate mobile phone, computer, tablet or car, in the case of GPS) the employee uses in his/her daily working activity that enables an evaluation of the quality and continuity of the activity itself. These technologies enable a control extremely pervasive, as it is indiscriminate: it covers both the data related to the employment contract and personal data of the individual[9]. Lastly, remote control is oftentimes hidden, in the sense that the employee is not aware that it is happening and, above all, he/she is not able to understand the way it works[10]. Examples abound of remote control presenting the mentioned features: GPS systems in corporate computers, tablets and smartphones, and control through remote access tools – just to name a few.

Another example of remote control is the control of an employee’s e-mail account. It may take many forms: from monitoring of the email flow (control of the number of e-mails sent and received in a certain time frame) to recovering deleted e-mails, and even accessing the content of e-mails sent and received by employees[11]. It goes without saying that such a monitoring may prove exceedingly restrictive of the monitored employee’s right to the respect for private life and correspondence, and, in many instances, controversies have arisen when an employee has considered the monitoring implemented by the employer unlawful.

The ECtHR case law

The European Court of Human Rights has decided several cases where a violation of Art. 8 of the European Convention on Human Rights was alleged because of the monitoring of the employees in the workplace[12].

In the following sections, the cases Bărbulescu v. Romania and López Ribalda and others v. Spain will be analysed.

3.1 The applicability of Article 8 in the workplace

Before analysing the ECtHR case law, it is preliminarily necessary to recall the Court’s assessment of the applicability of Article 8 in the workplace.

The European Court of Human Rights accepts a broad definition[13] of private life and has a pluralistic approach to it[14]. It has in fact identified a broad range of interests that the right to privacy seeks to protect[15] and it has consistently stated in its case law that private life is a broad concept which is not susceptible to an exhaustive definition. In particular, the Court reckons that it would be too restrictive to limit the notion of private life to an “inner circle” in which the individual may live his/her personal life as he/she pleases and exclude entirely from it the outside world not encompassed within that circle[16]. In its view, the right to private life must be considered as encompassing the right for each individual to approach others in order to establish and develop relationships with them and with the outside world[17], that is the right to a “private social life”[18]. Precisely because Article 8 guarantees the right to a “private social life” understood as the possibility of establishing and developing relationships with others, it may well include relationships of a professional or business nature established within a person’s professional life[19]. As the Court has noted it is, in fact, in the course of their working lives that the majority of people have a significant opportunity of developing relationships with the outside world[20]. From this standpoint, it becomes clear that relationships established in the workplace fall within the concept of private life. In this context, as seen above, this right is limited by the employer’s rights, namely by his/her power or control, but the European Court of Human Rights has recently stated that, although the employer’s power of control can restrict the right to private life in the workplace, it can never suppress it altogether by reducing private social life in it to zero[21], since relationships established in the workplace are essential for developing one’s social identity.

The European Court of Human Rights adopts a similar broad interpretative approach with regards to the term correspondence, which, in its view, does not include only traditional forms of correspondence, but should be interpreted in light of all new technological developments[22]. Article 8 thus covers more traditional means of correspondence such as letters and telephone conversations, as well as data from Internet use, computer servers and smart phones. Furthermore, in Article 8 the word “correspondence”, unlike the term “life”, is not qualified by the adjective “private”. From this element, the Court has derived that the protection afforded by Article 8 encompasses correspondence of a private as well as of a professional nature and that the Article applies even to correspondence sent from or received on professional or business premises[23]. Article 8 therefore covers e.g., not only telephone calls even when made from or received on business premises, but also e-mails when sent from the workplace.

In light of the above, it becomes clear that the Court considers Article 8 to be fully applicable in the workplace, both to relationships established and to communications exchanged there.

To verify whether the provision applies in a given case, the Court has on many occasions examined whether individuals had a reasonable expectation that their privacy would be respected and protected[24]. The reasonable expectation of privacy test originated in the USA, where it was elaborated by the Supreme Court with the aim of expanding the protection of privacy, whereas the ECtHR has used it for the opposite reason: limiting the scope of application of Article 8, that its broad and pluralistic approach could potentially widen into indeterminacy. In the past, in fact, the Court has ruled that where there was no such expectation there could be no interference with Article 8, as it was not applicable. Key to verifying the existence of said expectation is the fact that an employee was warned of the monitoring, with the failure to provide such a warning giving rise to the expectation of privacy[25]. The Court has sometimes stated that a reasonable expectation of privacy is a significant, but not necessarily conclusive factor for the applicability of Article 8[26]. More recently, in the case Bărbulescu v. Romania, as I will explain in the following Section, it went as far as leaving open the question of whether or not the applicant had a reasonable expectation of privacy and stating that the latter is not necessary for Article 8 to become relevant.

A permanent departure from the reasonable expectation of privacy test has been endorsed by some, who have called its adequacy for determining the scope of Article 8 into question. One reason why this criterion has been considered inadequate to identify the scope of Article 8 is that in modern society intrusive technologies are prevalent and surveillance is widespread, so that the majority of people are likely to have a low expectation of privacy, thus narrowing the scope of protection afforded by Article 8[27]. Additionally, it has been argued that anchoring the application of the provision solely to an expectation of privacy makes it possible for public or private subjects – in the case of workplace surveillance, the employer –to dispose of the scope of application of the rule and even prevent its application[28]. In fact, by introducing progressively stricter forms of monitoring, the expectation of privacy would gradually be reduced, ultimately disappearing and making Article 8 inapplicable (if the criterion in question is accepted). But it is certainly not possible to let any subject, be it public or private, dispose of the scope of application of Article 8 and ultimately prevent its application. This danger is heightened in the context of the workplace, which is characterized by power dynamics marked by inequality and where the employer could ultimately shape the employee’s expectation of privacy[29].

Bărbulescu v. Romania

One of the instances in which workplace monitoring has led to a controversy before the ECtHR is the case Bărbulescu v. Romania^[30], which revolves around the monitoring of an employee’s e-mails^[31]. In light of the ECtHR consolidated jurisprudence recalled in Section 3.1 this hypothesis falls within the scope of application of Article 8[32]. This case ultimately saw the condemnation of Romania for the violation of Art. 8 of the European Convention on Human Rights.

The case Bărbulescu v. Romania is particularly relevant because in it the ECtHR defined the extent of the State’s positive obligations to ensure the respect for the right to private life. In fact, with regards to the rights protected by the Convention, including Article 8, States parties have a duty to respect and a duty to protect. This means that States not only have a negative obligation, i.e., a duty to refrain from violating the rights themselves, but also a positive one to take measures to prevent the rights from being violated by private actors. States usually have the choice of how to fulfil their positive obligations^[33]. They have, in other words, a certain margin of appreciation with regards to the means to secure compliance with the articles of the Convention[34]. In the specific case of the right to respect for private life in the workplace the Court found that such margin is especially wide, given the lack of consensus on the matter shown by the fact that only a limited number of States have regulated it[35]. Means of securing compliance include: a national legislation (which is not always compulsory, for instance with regards to Article 8 States are free to introduce it or not, while other articles such as art 4 require States to introduce specific legislation); the creation of a controlling authority for the respect of said legislation; the presence of administrative, conciliatory and above all judicial forms of protection ensuring that all public authorities safeguard the right in question. The applicant must prove the lack of effective means of protection for the State to be considered liable and for a violation of its positive obligations to be ascertained. Domestic courts are certainly among such authorities and therefore a failure on their part to protect the employee’s right to private life by fairly balancing it with the employer’s rights results in a violation of the positive obligations binding the State under Article 8.

In the case at hand the matter had surely to be examined from the standpoint of the State’s positive obligations, since the alleged violation of Art. 8 had been the result of a private employer and the applicant lamented the failure of domestic courts to protect his right[36]. As this paper will explain below, in Bărbulescu v. Romania the Court identified a series of criteria to verify whether domestic courts struck a fair balance between the relevant interests and, therefore, whether the State has fulfilled its positive obligations, whose extent is equally specified in the same ECtHR judgment.

This judgement is also relevant for the way the Court approached the reasonable expectation of privacy test. While, as seen in Section3.1, in previous decisions the Court had limited the scope of application of Article 8 by using the test, in the present case it ended up leaving open the question as to the existence of such an expectation and stating that Article 8 can apply even if there is little to no reasonable expectation of privacy[37]. The Court surpassed the test because in the case at hand it was inconclusive as it was not clear if the applicant had been informed in advance of the monitoring and it remained “open to question” whether or not he had a reasonable expectation of privacy[38]. In the view of the Court, this circumstance did not impact the applicability of Article 8, since, in any event, should there be or not such an expectation, a right to private life continues to exist because the employer can never reduce private social life in the workplace to zero[39]. As recalled above, relationships established in the workplace are essential for developing one’s social identity. The surpassing of the reasonable expectation of privacy test is to be welcomed, as it makes it possible to avoid the problems mentioned in the previous Section.

Moving to the case, the application concerns the dismissal of an employee, Mr. Bărbulescu, as a consequence of his use of the Internet at his workplace as proved through monitoring of said use.

Mr. Bărbulescu was employed as a sales engineer in a private company and had been asked to set up a Yahoo Messenger account for the purpose of responding to customers’ enquiries. He was dismissed by his employer for using the aforementioned account for personal purposes during working hours, in breach of the internal regulations. These regulations, which Mr. Bărbulescu had signed, prohibited personal use of company computers, but did not expressly mention monitoring. This prohibition was later reiterated by an informative notice, a copy of which Mr. Bărbulescu signed, that additionally stated that employees could be subjected to monitoring. It remained unclear whether the applicant became aware of said informative notice before or after the monitoring had begun[40]. He was later dismissed on the grounds of breaching the company’s rules on personal use of computers backed by data collected by monitoring his communications on the corporate e-mail, which showed that he had used it for not work-related matters and that he had exchanged messages of a private nature. Domestic courts held that the dismissal in question had been lawful.

In the proceedings before the ECtHR the applicant, Mr. Bărbulescu, argued that the termination of his contract had been based on a breach of his right to respect for his private life and correspondence and that the domestic courts had failed to protect that right. In a Chamber judgement, the Court held, by six votes to one, that there had been no violation of Article 8. In the Chamber’s view, there was no indication that the domestic authorities had failed to strike a fair balance, within their margin of appreciation, between the applicant’s right to respect for his private life under Article 8 and his employer’s interests.

At the applicant’s request, the case was referred to the Grand Chamber and the previous decision was overturned. The Grand Chamber held, by eleven votes to six, that a violation of Art. 8 had indeed occurred and that Romanian authorities had not adequately protected the applicant’s right. They had correctly identified the interests at stake but had failed to strike a fair balance between them.

In this decision the Court set out clear principles that domestic courts have to follow for striking a fair balance between Article 8 and the employer’s interests in the context of workplace monitoring. By verifying the respect by domestic courts of such criteria it is possible to ascertain whether the State has fulfilled its positive obligations and therefore whether or not a violation of the right to private life has occurred.

According to the Court the following factors are relevant to determine whether or not domestic courts have struck a fair balance between the interests involved and whether the monitoring was proportionate[41]:

– whether the employee has been notified prior to its initiation of the possibility and nature of the monitoring, of the implementation of the measures and, lastly, of the extent of the monitoring and the degree of intrusion into the employee’s privacy it entails[42];

– whether the employer has provided legitimate reasons justifying the monitoring[43];

– whether it would have been possible to resort to a less intrusive method of monitoring[44];

– the consequences of the monitoring for the employee[45];

– whether he/she had been provided with adequate safeguards, especially when the monitoring was particularly intrusive[46].

Lastly, the Court held that, to ensure effective compliance with the criteria listed above, States should ensure that the employee whose communications have been monitored has access to a judicial body competent to determine whether said criteria have been respected and therefore whether the measures taken have been lawful[47].

When applying these criteria in the case at hand[48] the Court found that it was not clear whether the applicant had been informed of the possibility of monitoring prior to its start, but he surely had not been notified in advance of the nature, scope and extent of said monitoring, and of the degree of intrusion into his private life it would entail. Such degree was particularly high, considering that even the content of Mr. Bărbulescu’s e-mail was accessed. Furthermore, domestic courts had omitted to verify whether the monitoring had been justified by legitimate purposes and whether the aim pursued could have been achieved with less intrusive methods, in particular whether it would have been possible to avoid accessing the content of the employee’s communications. Neither domestic court had considered the seriousness of the consequences of the monitoring, namely the dismissal of Mr. Bărbulescu’s dismissal, and, lastly, it had not been determined at what point of the disciplinary proceedings the applicant’s communications had been accessed.

For all these reasons the Court concluded that domestic authorities had correctly identified the interests at stake but had failed to strike a fair balance between them thus giving rise to a violation of art 8 had occurred.

3.2.1 The use of the Bărbulescu v. Romania criteria by the Italian Guarantor for personal data protection

Criteria similar to those enunciated by the ECtHR in the decision analysed in the previous Section have been used on multiple occasions by the Italian body responsible for ensuring the respect of the rules on processing personal data , namely the Guarantor for the personal data protection, as shown in multiple decisions of said body – such as decision 5408460/2016^[49], 5958296/2016^[50] and 8159221/2018^[51].

This last decision contains an explicit reference to the decision of the Grand Chamber in the case Bărbulescu v. Romania being the only one adopted after the judgement had been delivered by the European Court of Human Rights. In this instance, the Guarantor ruled that the processing of personal data from corporate e-mail accounts by a private company was unlawful for violation of several provisions of Legislative Decree 196/2003 (personal data protection code).

As for the facts of the case, a complaint had been filed to the Guarantor by the former employee of a private company who had been dismissed based on the playful tone and content of e-mails sent to colleagues. The company had deemed these e-mails as degrading of the company’s work and had considered the employee’s behaviour the source of a series of mistakes in the accountability department, where he was employed. The employee filed a complaint to the Guarantor alleging that the company had violated his right to privacy and that his dismissal had been illegitimate.

The Guarantor found that a violation of the Code had occurred for a variety of reasons.

Firstly, it emerged that even though the claimant (as well as the other employees) had been made aware of the possibility of a monitoring, they had not been adequately informed of the modality and finality of the data collection. An internal regulation only mentioned the possibility of “controls” to verify the employees’ compliance with the internal policy of not using company resources for not work-related purposes, but there was no mention of the possibility for the employer to access the content of their e-mails.

Secondly, internal regulations did not mention at all that data collected by monitoring corporate e-mail accounts would be stored for a certain amount of time. The Guarantor held that the systematic and massive collection and subsequent storage of all e-mails exchanged not only during the employment relation, but even after its interruption, went against the principles of proportionality and necessity of the processing. The private company had argued that such collection was necessary in order to guarantee the continuity and the smooth progress of the company activity, as well as for their use in possible future controversies. The Guarantor however objected that these goals could have easily been achieved through other less intrusive means and that processing of personal data for the purpose of defending one’s right in a judgement must be linked to actual controversies and not to the mere hypothesis or possibility of future controversies. In other words, the measures implemented by the company had not been necessary nor proportionate to the aims pursued.

Finally, the Guarantor noted that the activity of collection as a whole resulted in an unlimited, prolonged and massive control of the employees’ activity in violation of national rules on remote control of workers in the workplace (Art. 4 mentioned in the Sections above).

Taking all the above into consideration, we may say that evidence shows that the position taken by the Italian Guarantor for personal data protection with regards to employees’ e-mail control in the workplace closely mirrors that of the ECtHR in the case Bărbulescu v. Romania. The Court’s general position on workplace monitoring enshrined in this landmark case can be summarized as follows: monitoring is possible provided that certain conditions relating to transparency (communication of the start of the monitoring, of its nature and scope) and to proportionality and necessity (monitoring only for legitimate reasons and by the least intrusive method possible) are met. It is for the domestic courts to ensure their respect and, should they fail to do so, the State would incur in a violation of its positive obligations under Article 8.

This general approach by the Court can be applied to all the different forms that workplace monitoring is susceptible of taking: not only e-mail account control, but also any other monitoring of internet use and any audio and/or video recording. A case revolving around video surveillance of employees has recently been decided by the ECtHR and will be analysed in the following Section.

López Ribalda and Others v. Spain

As mentioned in Section 2, one of the simplest forms of remote control is the one carried out through cameras installed in the workplace. The ECtHR has tackled the problem of their use and the subsequent possible violation of the employees’ right to private life is the case López Ribalda and others v. Spain^[52], which has been decided by the Grand Chamber on the basis of the criteria developed in the case Bărbulescu v. Romania. In the case at hand, however, the result of their application was opposite: no violation of Article 8 was ultimately ascertained.

The case revolved around the covert video surveillance of a Spanish supermarket’s employees. At the time of the events, the five applicants were all employed in a Spanish supermarket whose manager detected inconsistencies between stock level and sale figures, and therefore economic losses. In the attempt to verify the ensuing suspicions of theft, the manager installed CCTV cameras, some visible and others hidden. The footage recorded by the hidden cameras revealed that thefts of goods had indeed been occurring and it was mainly based on this video material that a number of employees, including the five applicants, were dismissed. The applicants subsequently brought proceedings for unfair dismissal before the Spanish Employment Tribunal asserting that video material had been obtained in breach of their right to privacy and therefore could not be admitted in evidence. The Employment Tribunal ruled that the applicants’ dismissals had been fair and so did the High Court of Justice of Catalonia before which the applicants appealed. Both domestic courts found that, even though the obligation to inform employees had been violated, the employer had adopted proportional measures with a legitimate aim. Further appeal brought by the applicants to the Supreme and later the Constitutional Court were ruled inadmissible.

In its Chamber judgement the Court, examining the matter from the standpoint of the State’s positive obligations, set out to verify whether or not the Spanish courts had struck a fair balance between the rights at stake, that is the employer’s property rights and the applicants’ right to privacy, and found that a violation of Article 8 of the Convention had occurred. The Chamber ruled that, while the aim pursued had been legitimate, the measures taken had not been proportionate for several reasons: the obligation under domestic law to inform of the measures had been violated, the scope of the monitoring had been wider than needed and, lastly, the employer’s rights could have been safeguarded, if not fully at least to a certain degree, by other means – namely by informing the applicants, even in a general manner, of the installation of a video surveillance system.

On the request of the Spanish Government the case was referred to the Grand Chamber, which ultimately found that no violation of Article 8 of the European Convention on Human Rights had taken place.

Just like the Chamber had done, the Grand Chamber considered Article 8 applicable[53] and deemed it necessary to examine the matter from the standpoint of the State’s positive obligations[54]. As mentioned, it heavily relied for its decision on the principles it had previously enucleated in the case Bărbulescu v. Romania, having considered them transposable, with due adaptations, to the circumstances of the case, that is the implementation of video-surveillance measures in the workplace[55].

The Court found that domestic courts had correctly identified the conflicting interests at stake: on one hand the applicants’ right to respect for their private life, and on the other the employer’s interest to the smooth running of the company and the protection of its property. The question was whether a fair balance between them had been struck.

When conducting this evaluation, the Court upheld the domestic courts’ reasoning that the extent of the monitoring and the subsequent degree of intrusion in the employees’ private life had been proportionate and it did not attain a high degree of seriousness. The Court based its conclusion on several reasons.

Firstly, with regards to the temporal and spatial extent of the surveillance, it had lasted only for the span of time strictly necessary in order to verify the suspicion of theft and to identify the employees responsible and it had been limited to the areas where the losses were likely to be taking place[56]. Secondly, the monitoring had been carried out in a place open to the general public and therefore one where the employees’ expectation of privacy was very low. In fact, when assessing the proportionality of measures, the place where the monitoring took place is crucial as the expectation of privacy greatly varies depending on the place: while it is very high in places such as cloakrooms, it is considerably lower in other areas[57]. Lastly, the recordings had been viewed by a very small number of people before the applicants had been informed of their existence[58].

The Grand Chamber acknowledged that, in breach of national regulations, no prior notice of the monitoring had been given. This notwithstanding, the judges reasoned that, given the circumstances of the case (suspicion of serious misconduct not by a few, but by several employees and the extent of the losses) notifying the employees of the monitoring, even if imposed by domestic law, could have nullified the purpose of the monitoring itself[59]. Also, the Court recalled that the prior information is only one of the many criteria that need to be taken into account in the judgement of proportionality as outlined in the case Bărbulescu v. Romania[60], even though the Court specified that only a preponderant public or private interest can justify the lack of prior information[61]. On the matter of the consequences of the monitoring, the Court noted that they had undoubtedly been significant, since they had led to the dismissal of the applicants, but no further use of the recordings had been made by the employer other than to identify the thieves and then bring disciplinary procedures against them[62]. The Court shared the domestic courts’ view that in this specific case the measures taken by the employer had been justified by a legitimate aim – that of protecting the employer’s rights when faced with a suspicion of theft[63] – and necessary, in the sense that no other less intrusive measure could have been used to fulfil the legitimate aim pursued[64].

Taking into consideration all the factors listed above, the Court concluded that the domestic courts were able, without overstepping their margin of appreciation, to take the view that the interference with the applicants’ privacy was proportionate. In other words, the balance struck had been fair and the State had fulfilled its positive obligation. Lastly the Court noted that domestic law had made other remedies available to the applicants, but they had chosen not to use them.

Conclusions

In the context of the employment relation, employees’ right to private life has to be balanced with the employer’s rights and this results in a restriction that can never, however, result in a complete suppression. Not only must the right in question be protected anyway, but such protection has become especially crucial today, since modern technologies have made workplace monitoring indiscriminate, more pervasive than ever, and less and less transparent. National and international courts have in many instances been called upon to determine whether workplace monitoring had resulted in a breach of employees’ right to privacy. With specific regard to the ECtHR case law, the case Bărbulescu v. Romania represents a step in the right direction, that of strengthening the protection of workers’ privacy: by separating the applicability of Article 8 from the reasonable expectation of privacy, the Court established that there is an irreducible core to the right to private life at work. It also outlined clear criteria for verifying States’ compliance with their positive obligations under Article 8. The case López Ribalda and others v. Spain, in which those criteria have been applied, on the other hand, could potentially weaken employees’ protection due to its statement that a clear and prior notice of the monitoring could in selected cases be avoided.

***

[1] A. INGRAO, “Potere di controllo e di indagine del datore di lavoro, diritto alla privacy del lavoratore e social network”, 2015, p.16.

[2] See Section 3.2 below.

[3] Many of them have been decided by the European Court of Human Rights. See Section 3.

[4] A. INGRAO, op. cit., p. 9.

[5] Ibid., pp. 36-37.

[6] The case López Ribalda and others v. Spain, that will be examined in Section 3.3, revolves around their use.

[7] G. ZICCARDI, “Il controllo delle attività informatiche e telematiche del lavoratore: alcune considerazioni informatico-giuridiche”, pp. 55-57.

[8] Ibid., pp. 55-56.

[9] G. ZICCARDI, op. cit., p. 57.

[10] Ibid., p. 58.

[11] Ibid.

[12] For the main case law of the ECtHR on the subject see its Factsheet on workplace surveillance, available at https://www.echr.coe.int/Documents/FS_Workplace_surveillance_ENG.pdf.

[13] S. STANEV, “Monitoring of employees’ personal communications at work”, 2018, pp. 95-96; ECtHR Guide on article 8 of the European Convention on Human Rights, available at https://www.echr.coe.int/Documents/Guide_Art_8_ENG.pdf, pp. 21-23.

[14] C.E.M. JERVIS, “Barbulescu v. Romania: Why There is no Room for Complacency When it comes to Privacy Rights in the Workplace”, 2018, pp. 442-443.

[15] C.E.M. JERVIS, op. cit., p. 442.

[16] Principle first stated in Niemietz v. Germany, no. 13710/88, ECtHR 16 December 1992, § 29 and later reiterated in various decisions among which Denisov v. Ukraine [GC], no. 76639/11, ECtHR 25 September 2018, § 96 and Fernández Martínez v. Spain [GC], no. 56030/07, ECtHR 12 June 2014, § 109.

[17] In Niemietz v. Germany § 29 the Court stated: “Respect for private life must also comprise to a certain degree the right to establish and develop relationships with other human beings”. See also the ECtHR Guide on article 8, pp. 23-26.

[18] See for instance Bărbulescu v. Romania § 71.

[19] In Niemietz v. Germany § 29 the Court stated for the first time: “There appears, furthermore, to be no reason of principle why this understanding of the notion of “private life” should be taken to exclude activities of a professional or business nature”. It has then consistently reiterated this principle in its jurisprudence, see the case law referred to in § 81 and 82 of the ECtHR Guide on art. 8.

[20] First affirmed in Niemietz v. Germany § 29 and later reiterated, see § 82 of the ECtHR Guide on art. 8.

[21] See Section 3.2.

[22] ECtHR Guide on article 8, p. 105.

[23] See for instance Bărbulescu v. Romania § 72.

[24] C.E.M. JERVIS, op. cit., pp. 442-443.

[25] The reasonable expectation of privacy test first appeared Halford v. UK and Copland v. UK and was later consistently used.

[26] P.G. and J.H v. United Kingdom, no. 44787/98, 25 September 2001, § 57, Perry v. UK, no. 63737/00, 17 July 2003, § 37 and Köpke v. Germany (dec.), no. 420/07.

[27]J. ATKINSON, “Workplace monitoring and the right to private life at work”, 2018, p. 696.

[28] Ibid., pp. 696-697.

[29] Ibid.

[30] Bărbulescu v. Romania [GC], no. 61496/08, ECtHR 5 September 2017. Full judgement available at https://hudoc.echr.coe.int/eng#{%22itemid%22:[%22001-177082%22]} .

[31] See also the case Libert v. France (no. 588/13, ECtHR 22 February 2018) in which the ECtHR deemed that there had not been a violation of art 8 of the Convention.

[32] Such case law was recalled by the Grand Chamber in § 70 to 73 of Bărbulescu v. Romania.

[33] S. STANEV, op. cit., pp. 96-97; J. ATKINSON, op. cit., pp. 8-11; Bărbulescu v. Romania § 108 to 123; López Ribalda and others v. Spain § 109 to 114.

[34] Bărbulescu v. Romania § 113.

[35] Bărbulescu v. Romania § 118-119.

[36] Ibid., § 108-111.

[37] J. ATKINSON, op. cit., pp. 11-12.

[38] See footnote 40 below, Bărbulescu v. Romania § 80 and C.E.M. JERVIS, op. cit., pp. 444-445.

[39] Bărbulescu v. Romania § 80.

[40] Mr. Bărbulescu acquainted himself with the notice and signed it in an unspecified date between 3 and 13 July 2007 and the monitoring of his e-mails took place from 5 to 13 July 2007, therefore it was not possible to ascertain whether the applicant had known of the monitoring before it started or only after. See Bărbulescu v. Romania § 16-17 and 77. Either way the applicant had not been informed of the extent and nature of the monitoring.

[41] Bărbulescu v. Romania § 121.

[42] Ibid., § 122 (i) and (ii).

[43] Ibid., § 122 (iii). The notification may happen in different ways depending on the factual circumstances of the specific case, but it must always happen in a clear fashion. Weightier justifications will be needed when monitoring not only the flow of communications, but also their content.

[44] Ibid., § 122 (iv). This verification will have to be made in light of the specific circumstances of each case.

[45] Ibid., § 122 (v).

[46] Ibid., § 122 (vi). An important safeguard is that the employer must not be able to access the communications unless the employee has been notified in advance o such an eventuality.

[47] Ibid., § 122.

[48] Ibid., § 132 to 138 and 140.

[49] Available at https://www.garanteprivacy.it/web/guest/home/docweb/-/docweb-display/docweb/5408460.

[50] Available at https://garanteprivacy.it/web/guest/home/docweb/-/docweb-display/docweb/5958296.

[51] Available at https://www.garanteprivacy.it/home/docweb/-/docweb-display/docweb/9215890.

[52] López Ribalda and others v. Spain [GC], applications nos. 1874/13 and 8567/13, ECtHR 17 October 2019. Available at

https://hudoc.echr.coe.int/eng#{%22fulltext%22:[%22Lopez%20Ribalda%22],%22documentcollectionid2%22:[%22GRANDCHAMBER%22,%22CHAMBER%22],%22itemid%22:[%22001-197098%22]} .

[53] Again, on the basis of the consolidated jurisprudence of the Court recalled in paragraph 3.1. López Ribalda and others v. Spain § 87-88.

[54] Ibid., § 111.

[55] Ibid., § 116.

[56] Ibid., § 126 and 124 respectively.

[57] Ibid., § 125.