News, insights and resources for data protection, privacy and cyber security leaders

GDPR Drives Stronger Privacy in the Workplace

As May 2018 – kick off date for the General Data Protection Regulation (GDPR) – draws nearer, issues surrounding privacy in the workplace have taken the fore yet again. This time the European Court of Human Rights’ decision in a case between Barbulescu and Romania is providing the lift.

Privacy in the workplace, the extent to which employers monitor and collect data on the activities, electronic communications and private lives of workers, is an increasingly controversial legal topic. And the debate will only get hotter as technology is being deployed more and more in the workplace.

While employers need to monitor the actions of employees in the bid to ensure efficient use of their organisation’s resources, the question of just how far they can go without violating the individual’s right to privacy, a fundamental right guaranteed by law, remains salient.

The tension between employer monitoring and employee privacy in the workplace is not an entirely new phenomenon. Following numerous national and international consultations over the years, data protection principles have been devised in countries around the world to address this pressure. The GDPR is the European Union’s way of addressing the same tension.

But just what does this tension look like?

 

Win for privacy in the workplace

On September 5, 2017, the Grand Chamber of the Court of Human Rights ruled that “the Article 8 rights of an employee was breached when his employer monitored his personal communications on Yahoo Messenger”.

Bodgan Mihai Barbulescu, a Romanian man, is the employee. He was fired, August 2007, after his employer found him to have breached company policies which prohibited the use of computers for personal purposes. Barbulescu, after initially denying the allegation, was confronted with a week’s worth of chat transcripts in which he talked with his brother and fiancée about personal matters. The transcripts were from a Yahoo Messenger account he had set up, at his employer’s request, to respond to customer’s enquiries.

But Barbulescu didn’t agree with his employer. Instead, he argued that his employer had committed a criminal offence by breaching the secrecy of his correspondence as provided for by Article 8 of the European Convention on Human Rights (ECHR). Having seen his legal complaint dismissed in Romanian courts, he went to the continent in search of justice.

In ruling in Barbulescu’s favour, The Grand Chamber noted that the notion of “private life” may include professional activities e.g. office emails. The court added that, going forward, employers can only monitor employees’ correspondence if they have been informed of the exercise and its modalities in advance. The court’s stance on legal consent sets the tone for privacy in the workplace for the future GDPR regime.

 

Should wearable technology companies be scared?

This latest ruling represents bad news of sorts to wearable technology companies. It comes three months after a European Union Advisory panel recommended a ban on employers from issuing workers with fitness trackers and other health monitoring devices, the employees’ consent notwithstanding. These wearable tech companies’ business is based on the prospect of improved health and lower medical insurance premiums which they offer by collecting health data from employees via their devices. Therefore, it is quite inconceivable for them not to closely monitor cases related to privacy in the workplace like Barbulescu’s.

 

Impact on employee consent

Although the case has created quite a stir, this latest ruling does little to impact on employee contest. It remains an insufficient, though necessary, basis for employers to process employee data. This, according to the ECHR, is because of the imbalance of power between employers and employees in the workplace which makes it difficult for employees to exercise freedom in the giving and withdrawing of consent.

Going forward, the GDPR will significantly raise the stakes for employers to ensure that their monitoring systems stay on the right side of the privacy. You can be sure that the regulators will be watching.

 

 

Sarah Meyer

Staff Writer at CPO Magazine
Sarah Meyer is a technology writer for more than 10 years. She writes on public policy issues with a focus on cybersecurity and personal data protection. Sarah has previously worked for large multinational cybersecurity companies in the areas of government relations and public policy engagement.

Leave A Reply

Your email address will not be published.

Subscribe and Get 50% Off 6-Hour Workshop Video

PIAs and the ISACA Privacy Principles: Effective Tools to Identify and Mitigate Security and Privacy Risks

Thanks for subscribing!

Pin It on Pinterest

Share This