European courts ruled that Bogdan Mihai Bărbulescu, a Romainian man, had been terminated inappropriately after his employer read his email and discovered he had been having personal conversations using Yahoo Messenger (the dismissal was made a decade ago). After reviewing the decision by a lower court, the Grand Chamber of the European Court of Human Rights found that his employer had not adequately protected his privacy.
That doesn’t mean that European employers can’t monitor employees at all, though, but workers there start in a fundamentally better place than those in United States. We reached out to attorneys on both sides of the Atlantic at the firm Morrison & Foerster to understand the differences between the privacy rights of employees in the two parts of the world.
“I think what is a fundamental principle from a European perspective is that privacy is a human right,” Alex van der Wolk told the Observer in a phone call from Europe. “Workers in the EU have an expectation of privacy in the workplace.”
This has been true for a very long time, Wolk emphasized. Nothing about EU law has changed, but this recent assertion of employee rights in the workplace provides an opportunity to explore a fundamentally different attitude to privacy on the two continents.
In the U.S., there’s no larger guiding principle. As new technology and new ways of working have come about, we’ve created different laws governing how much privacy a worker can expect when using such tools.
“In the U.S., it is much more a concept of a reasonable expectation of privacy,” Christine Lyon from the Palo Alto office explained. As long as an employer gives notice here, it’s generally within their rights to review data stored by the employer, generated using employer resources.
But everything depends on the particular case in both places.
“What most employers do any more is have a technologies policy,” Lyon said. So this means that when employees start they get notice in trainings or their employee manual or perhaps even after logging into a computer system that says the employer might monitor what they do.
That said, there are times when employees are protected. It’s unlikely that anyone would stop an employer from blocking GMail, for example, but that doesn’t mean an employer could read an employee’s private messages on the service. Many employees, for example, log in to sites like GMail, Twitter and Facebook and just leave those sites up on their work computer. If the employee is fired or leaves, an employer could find those accounts open and accessible. That doesn’t mean the law would protect them for looking around inside them, though.
“I think in the US people tend to say ‘employees don’t really have an expectation of privacy in the workplace,’ but when you drill down, there are rules,” Lyon said. “U.S. employers have to be careful in this area too.”
In Europe, courts will look at a series of criteria to decide whether or not a particular practice is too invasive. For example, if an employer is concerned about an employee’s use of a particular service, then they should block a service rather than monitoring how the employee uses it.
One big area where the two attorneys saw a real divergence was in monitoring. For example, it’s not quite the same thing to read an employee’s work email as it is to monitor how much time he or she spends using it. It’s possible, for example, to put software on a network that reports on how much time each employee spends doing what.
In Europe, “I think that’s generally going to be frowned upon,” Wolk said, while acknowledging that the larger question is what’s done with that information. A European regulator would likely ask why it’s necessary to monitor an employee’s use of websites or software when the employer could just track productivity. If an employee seems to goof off a lot but makes just as many widgets as everyone else, does it really matter?
While in the U.S., that kind of monitoring is a lot more common. “There’s some really cutting edge technologies out there keeping pretty close track of how long do you spend doing this or that,” Lyon said.
It’s not always entirely about monitoring. It can also be used to help elevate high priority issues, track customer relationships or improve broader organizational efficiency, beyond any one employee. Still, Lyon acknowledged it’s often done just to make sure they are doing the work they should be doing.
As firms grow here, they struggle with learning slightly different laws from state to state. Then if a U.S. firm expands to Europe, it has to confront a fundamentally different approach. They definitely can’t assume that notices given in the U.S. will be adequate overseas.
But European workers shouldn’t assume that employers can’t watch them at all, either. Here are summaries of the criteria the European court delineated for for determining if monitoring has been appropriate:
- Notification of the employee,
- The intrusiveness of the surveillance,
- How realistic the employer’s justification is,
- Whether less intrusive methods could work as well to meet an employer’s goals,
- The consequences of monitoring and
- Whether intrusive monitoring has sufficient safeguards to protect employees against unnecessary monitoring.
In this particular case, the court found that the lower court had not investigated many of these criteria well enough.
At the heart though, Europeans have a right to privacy. “It applies notwithstanding the fact that they are in the bosses’ building and using the boss’s equipment,” Wolk said.
It tends to get more nuanced here, blending with employment law and law around technology.
In both parts of the world, the issues still have to be worked out. “Right now I’d say the monitoring and recording of telephone calls is an area where there’s a lot of litigation,” Lyon said.
She also pointed to real time monitoring of communications, a cutting edge technology that can improve customer service and prevent data loss, but might also be too intrusive at times.
“There are loads of tools out there that are aimed to help the company but at the same time involve processing the employee’s information,” Wolk agreed. “In the current landscape where cyberthreats are as real as the sun coming up, it may be a difficult area to navigate.”
In the end, the law always has a hard time keeping up with engineers. “Trying to address older laws in the context of newer technologies is always a challenge,” Lyon said.