European court decision highlights issues around workplace privacy

Monitoring email among challenges for employers

European court decision highlights issues around workplace privacy
The European Court of Human Rights in Strasbourg, France. Credit: Botond Horvath (Shutterstock)




A recent court decision out of Europe made waves recently in stating companies must tell employees in advance if their work email accounts are being monitored.

The European Court of Human Rights concluded that Romanian courts failed to protect an employee’s private correspondence because his employer had not given him prior notice it was monitoring his communications.

Bogdan Barbulescu was fired in 2007 after his employer discovered he was engaging in personal conversations with his brother and fiancée using a Yahoo Messenger account he had set up for the company’s business-related use. He was dismissed “for breach of the company’s internal regulations that prohibited the use of company resources for personal purposes,” according to the court.

But the top court said Barbulescu had not been informed in advance about the extent and nature of his employer’s monitoring, or the possibility the employer might have access to the actual contents of his messages.

In addition, the lower courts had not sufficiently examined whether the employer could have used less intrusive methods.

“Although it was questionable whether Mr. Barbulescu could have had a reasonable expectation of privacy in view of his employer’s restrictive regulations on internet use, of which he had been informed, an employer’s instructions could not reduce private social life in the workplace to zero. The right to respect for private life and for the privacy of correspondence continued to exist, even if these might be restricted in so far as necessary,” said the Sept. 5 decision.

Right to privacy

Even though some monitoring is expected and can be justified by employers, employees still have a reasonable expectation of privacy, according to Canadian experts.

“The employee’s right to privacy in the workplace is still alive and well,” said Sara Kauder, a lawyer at Minken Employment Lawyers in Markham, Ont.

“If you are given a work-related device and if the understanding and the expectation of the parties is there’s going to be some blurring where you can use it for personal uses, then I think there’s going to be a greater expectation of privacy,” she said.

“If an employee is given a device and they are told ‘This is for work purposes only, everything you do on here is going to be monitored, do not use it for personal use,’ I think there’s going to be a lesser expectation of privacy.”

Workers should expect their employer will act reasonably, said Lyndsay Wasser, lawyer and co-chair of McMillan’s privacy and data protection group and cybersecurity group in Toronto.

When monitoring any kind of correspondence, an employer should not be looking at the specific personal content of an email or internet conversation, even if it was created on the company’s hardware or software, she said.

“Once you see that it’s a personal email, you shouldn’t read on from there: That’s enough information for you, unless there is some reason to delve into the context; for example, if there was a harassment claim and you were looking at the content of the email to see if it was relevant to the harassment claim,” said Wasser.

“If all you are doing — as with the case in the European decision — is trying to determine if the employee is using the email or the text messaging for personal purposes when they are not supposed to be, you don’t need to read the full text of the email for that.”

Court decisions

In Canada, the rules of workplace privacy are more advanced than Europe, according to Bradley Weldon, acting deputy commissioner at the Office of the Information and Privacy Commissioner for British Columbia in Victoria, who said the European ruling “catches them up to where we are already at in Canada.”

“It’s unlikely you could come up with a situation where the employer would be authorized to just review every single piece of personal information that they sent out on the company’s IT resources,” he said.

B.C. is one of three provincial jurisdictions in Canada (along with Alberta and Quebec) that has legislation governing privacy in the workplace.

For those in the public sector, FIPPA (Freedom of Information and Protection of Privacy Act) applies, whereas those working in the private sector are governed by PIPA (Personal Information Protection Act) — unless the business is federally regulated, said Weldon. And an employer can collect a certain amount of personal information from an employee, but monitoring a worker’s private correspondence while on the job must not be taken lightly.

“Generally speaking, an employer collecting the personal information of an employee can only do so in the public sector if it’s necessary for managing the employment relationship, which is quite a high threshold,” he said.

“In the private sector, the employer can collect personal information if it’s reasonable for maintaining, establishing or terminating the employment relationship.”

In Ontario, there are common-law precedents that govern the privacy relationship between companies and workers, said Wasser.

“If a claim was to be made in Ontario, that would have to be the basis for it because we do have that statutory gap.”

Unions have the arbitration system when it comes to privacy complaints, but for non-unionized workers, “the only real protection or recourse an employee would have would have to be under the common law,” said Wasser, citing the 2012 case in Ontario, Jones v. Tsige, that created a new “intrusion upon seclusion” tort that established a “common-law right to privacy” for workers. The case involved a bank employee accessing the banking records of her spouse’s ex-wife.

Another tort was established in the 2012 Supreme Court of Canada case R. v. Cole in which a teacher’s laptop was found to contain pornography. A court ruled the teacher should expect a level of privacy, even though the computer was the school board’s property.

“The court said that employees do have a reasonable expectation of privacy in the workplace and in company property, and the amount of privacy that is reasonable to expect depends on the totality of the circumstances,” said Kauder. “If it’s owned by the employer, there’s still some expectation — it doesn’t totally extinguish the expectation of privacy.”

“Those cases definitely took a step towards protection of employee privacy in the workplace,” she said, and they “tilted definitely toward employee privacy.”

Workplace policies matter

So, how can employers balance employees’ right to privacy with legitimate business needs?

“Employers cannot, with impunity, do anything they want but, on the other hand, organizations are generally entitled to manage their resources and investigate compliance with its policies — including ‘acceptable use’ policies such as policies that would say that you’re not supposed to be using your email for excessive personal use,” said Wasser.

And employers would do well to advise employees that they intend to monitor certain aspects of their internet use, and then apply a reasonableness test, she said.

“This is good practice in all jurisdictions because I think it also helps with a potential ‘intrusion-upon-seclusion’ claim.”

Having clear policies drafted and implemented at the time new employees are hired is the best way to do it, said Kauder, and “making sure that it is crystal clear is the best way for employers and HR people to protect their companies.”

But policies won’t help if they are not regularly followed up by the company, she said.

“Employers can have wonderful policies in place and have employees sign off, but if they are not enforcing it when they want to rely on it later on, they may be faced with challenges where a court may say, ‘Look, you can’t pick and choose when you are going to enforce this, and because you have a history of letting things slide and not enforcing, we’re not going to rely on it in this instance,’” said Kauder. “A policy is only good if it’s being enforced.”


More intrusive surveillance

Nothing in terms of monitoring is “strictly prohibited” but the use of video surveillance is generally considered “intrusive” and its implementation requires “more careful analysis,” according to Lyndsay Wasser, lawyer and co-chair of McMillan’s privacy and data protection group and cybersecurity group in Toronto.

“The employer would want to give careful thought to whether it is really necessary or if it’s being carried out in a reasonable manner,” she said. “When considering how you are going to implement anything that may have privacy implications, it’s always important to consider whether a third party is likely to view what you are doing as reasonable, and whether there are other alternatives that may be less privacy-invasive.”

Hidden cameras, for example, may face more scrutiny for why they were hidden and how they were used, “but that doesn’t mean hidden cameras are never allowed,” said Wasser.

In British Columbia, the use of hidden cameras must be cautiously justified, according to Bradley Weldon, acting deputy commissioner at the Office of the Information and Privacy Commissioner for British Columbia in Victoria.

“The only situation where covert surveillance would be authorized is where an argument could be made that overt surveillance would result in the evidence being not reliable or unavailable.”

If theft is occurring and the employer has already raised the issue with employees, and nothing has changed, the employer could make the argument this type of observation is reasonable, said Weldon.

“Generally speaking, covert surveillance would not be authorized in an ongoing matter-of-course; you would have to have a specific reason and it would have to be pursuant to a specific investigation, and it could only be used for that purpose.”

Latest stories