Controle communicatie werknemers

 
Instantie
Europees Hof voor de Rechten van de Mens
Arbeidsrecht (V)
Brondocumenten en formele relaties
ECLI:CE:ECHR:2017:0905JUD006149608, Uitspraak, Europees Hof voor de Rechten van de Mens (Grote kamer), 05‑09‑2017
ECLI:CE:ECHR:2016:0112JUD006149608, Uitspraak, Europees Hof voor de Rechten van de Mens, 12‑01‑2016

Partij(en)

JUDGMENT
STRASBOURG
5 September 2017
In the case of Bărbulescu v. Romania,
The European Court of Human Rights, sitting as a Grand Chamber composed of:
Guido Raimondi, President,
Angelika Nußberger,
Mirjana Lazarova Trajkovska, judges,
Luis López Guerra, ad hoc judge,
Ledi Bianku,
Işıl Karakaş,
Nebojša Vučinić,
André Potocki,
Paul Lemmens,
Dmitry Dedov,
Jon Fridrik Kjølbro,
Mārtiņš Mits,
Armen Harutyunyan,
Stéphanie Mourou-Vikström,
Georges Ravarani,
Marko Bošnjak,
Tim Eicke, judges,
and Søren Prebensen, Deputy Grand Chamber Registrar,
Having deliberated in private on 30 November 2016 and on 8 June 2017,
Delivers the following judgment, which was adopted on the last-mentioned date:

Procedure


1.

The case originated in an application (no. 61496/08) against Romania lodged with the Court under Article 34 of the Convention for the Protection of Human Rights and Fundamental Freedoms (‘the Convention’) by a Romanian national, Mr Bogdan Mihai Bărbulescu (‘the applicant’), on 15 December 2008.

2.

The applicant was represented by Mr E. Domokos-Hâncu and Mr O. Juverdeanu, lawyers practising in Bucharest. The Romanian Government (‘the Government’) were represented by their Agent, Ms C. Brumar, of the Ministry of Foreign Affairs.

3.

The applicant complained, in particular, that his employer's decision to terminate his contract had been based on a breach of his right to respect for his private life and correspondence as enshrined in Article 8 of the Convention and that the domestic courts had failed to comply with their obligation to protect that right.

4.

The application was allocated to the Fourth Section of the Court (Rule 52 § 1 of the Rules of Court). On 12 January 2016 a Chamber of that Section, composed of András Sajó, President, Vincent A. De Gaetano, Boštjan M. Zupančič, Nona Tsotsoria, Paulo Pinto de Albuquerque, Egidijus Kūris and Iulia Motoc, judges, and Fatoş Aracı, Deputy Section Registrar, unanimously declared the complaint concerning Article 8 of the Convention admissible and the remainder of the application inadmissible. It held, by six votes to one, that there had been no violation of Article 8 of the Convention. The dissenting opinion of Judge Pinto de Albuquerque was annexed to the Chamber judgment.

5.

On 12 April 2016 the applicant requested the referral of the case to the Grand Chamber in accordance with Article 43 of the Convention and Rule 73. On 6 June 2016 a panel of the Grand Chamber accepted the request.

6.

The composition of the Grand Chamber was determined in accordance with Article 26 §§ 4 and 5 of the Convention and Rule 24. Iulia Motoc, the judge elected in respect of Romania, withdrew from sitting in the case (Rule 28). Luis López Guerra was consequently appointed by the President to sit as an ad hoc judge (Article 26 § 4 of the Convention and Rule 29 § 1).

7.

The applicant and the Government each filed further written observations (Rule 59 § 1).

8.

In addition, third-party comments were received from the French Government and the European Trade Union Confederation, both having been given leave by the President to intervene in the written procedure (Article 36 § 2 of the Convention and Rule 44 § 3).

9.

A hearing took place in public in the Human Rights Building, Strasbourg, on 30 November 2016 (Rule 59 § 3).
There appeared before the Court:
(a)
for the Government
Ms C. BRUMAR, Agent,
Mr G.V. GAVRILĂ, member of the national legal service
seconded to the Department of the Government Agent, Counsel,
Ms L.A. RUSU, Minister Plenipotentiary, Permanent
Representation of Romania to the Council of Europe, Adviser;
(b)
for the applicant
Mr E. DOMOKOS-HÂNCU,
Mr O. JUVERDEANU, Counsel.
The Court heard addresses by Mr Domokos-Hâncu, Mr Juverdeanu, Ms Brumar and Mr Gavrilă, and also their replies to questions from judges.

The facts


I. The circumstances of the case


10.
The applicant was born in 1979 and lives in Bucharest.

11.
From 1 August 2004 to 6 August 2007 he was employed in the Bucharest office of S., a Romanian private company (‘the employer’), as a sales engineer. At his employer's request, for the purpose of responding to customers' enquiries, he created an instant messaging account using Yahoo Messenger, an online chat service offering real-time text transmission over the internet. He already had another personal Yahoo Messenger account.

12.
The employer's internal regulations prohibited the use of company resources by employees in the following terms:
Article 50
‘Any disturbance of order and discipline on company premises shall be strictly forbidden, in particular:
 
… personal use of computers, photocopiers, telephones or telex or fax machines.’

13.
The regulations did not contain any reference to the possibility for the employer to monitor employees' communications.

14.
It appears from documents submitted by the Government that the applicant had been informed of the employer's internal regulations and had signed a copy of them on 20 December 2006 after acquainting himself with their contents.

15.
On 3 July 2007 the Bucharest office received and circulated among all its employees an information notice that had been drawn up and sent by the Cluj head office on 26 June 2007. The employer asked employees to acquaint themselves with the notice and to sign a copy of it. The relevant parts of the notice read as follows:
‘1.
… Time spent in the company must be quality time for everyone! Come to work to deal with company and professional matters, and not your own personal problems! Don't spend your time using the internet, the phone or the fax machine for matters unconnected to work or your duties. This is what [elementary education], common sense and the law dictate! The employer has a duty to supervise and monitor employees' work and to take punitive measures against anyone at fault!
Your misconduct will be carefully monitored and punished!
2.
Because of repeated [disciplinary] offences vis-à-vis her superior, [as well as] her private use of the internet, the telephone and the photocopier, her negligence and her failure to perform her duties, Ms B.A. was dismissed on disciplinary grounds! Take a lesson from her bad example! Don't make the same mistakes!
3.
Have a careful read of the collective labour agreement, the company's internal regulations, your job description and the employment contract you have signed! These are the basis of our collaboration! Between employer and employee! …’

16.
It also appears from the documents submitted by the Government, including the employer's attendance register, that the applicant acquainted himself with the notice and signed it between 3 and 13 July 2007.

17.
In addition, it transpires that from 5 to 13 July 2007 the employer recorded the applicant's Yahoo Messenger communications in real time.

18.
On 13 July 2007 at 4.30 p.m. the applicant was summoned by his employer to give an explanation. In the relevant notice he was informed that his Yahoo Messenger communications had been monitored and that there was evidence that he had used the internet for personal purposes, in breach of the internal regulations. Charts were attached indicating that his internet activity was greater than that of his colleagues. At that stage, he was not informed whether the monitoring of his communications had also concerned their content. The notice was worded as follows:
‘Please explain why you are using company resources (internet connection, Messenger) for personal purposes during working hours, as shown by the attached charts.’

19.
On the same day, the applicant informed the employer in writing that he had used Yahoo Messenger for work-related purposes only.

20.
At 5.20 p.m. the employer again summoned him to give an explanation in a notice worded as follows:
‘Please explain why the entire correspondence you exchanged between 5 to 12 July 2007 using the S. Bucharest [internet] site ID had a private purpose, as shown by the attached forty-five pages.’

21.
The forty-five pages mentioned in the notice consisted of a transcript of the messages which the applicant had exchanged with his brother and his fiancée during the period when he had been monitored; the messages related to personal matters and some were of an intimate nature. The transcript also included five messages that the applicant had exchanged with his fiancée using his personal Yahoo Messenger account; these messages did not contain any intimate information.

22.
Also on 13 July, the applicant informed the employer in writing that in his view it had committed a criminal offence, namely breaching the secrecy of correspondence.

23.
On 1 August 2007 the employer terminated the applicant's contract of employment.

24.
The applicant challenged his dismissal in an application to the Bucharest County Court (‘the County Court’). He asked the court, firstly, to set aside the dismissal; secondly, to order his employer to pay him the amounts he was owed in respect of wages and any other entitlements and to reinstate him in his post; and thirdly, to order the employer to pay him 100,000 Romanian lei (approximately 30,000 euros) in damages for the harm resulting from the manner of his dismissal, and to reimburse his costs and expenses.

25.
As to the merits, relying on Copland v. the United Kingdom (no. 62617/00, §§ 43–44, ECHR 2007-I), he argued that an employee's telephone and email communications from the workplace were covered by the notions of ‘private life’ and ‘correspondence’ and were therefore protected by Article 8 of the Convention. He also submitted that the decision to dismiss him was unlawful and that by monitoring his communications and accessing their contents his employer had infringed criminal law.

26.
With regard specifically to the harm he claimed to have suffered, the applicant noted the manner of his dismissal and alleged that he had been subjected to harassment by his employer through the monitoring of his communications and the disclosure of their contents ‘to colleagues who were involved in one way or another in the dismissal procedure’.

27.
The applicant submitted evidence including a full copy of the transcript of his Yahoo Messenger communications and a copy of the information notice (see paragraph 15 above).

28.
In a judgment of 7 December 2007 the County Court rejected the applicant's application and confirmed that his dismissal had been lawful. The relevant parts of the judgment read as follows:
‘The procedure for conducting a disciplinary investigation is expressly regulated by the provisions of Article 267 of the Labour Code.
In the instant case it has been shown, through the written documents included in the file, that the employer conducted the disciplinary investigation in respect of the applicant by twice summoning him in writing to explain himself [and] specifying the subject, date, time and place of the interview, and that the applicant had the opportunity to submit arguments in his defence regarding his alleged acts, as is clear from the two explanatory notices included in the file (see copies on sheets 89 and 91).
The court takes the view that the monitoring of the internet conversations in which the employee took part using the Yahoo Messenger software on the company's computer during working hours — regardless of whether or not the employer's actions were illegal in terms of criminal law — cannot undermine the validity of the disciplinary proceedings in the instant case.
The fact that the provisions containing the requirement to interview the suspect (învinuitul) in a case of alleged misconduct and to examine the arguments submitted in that person's defence prior to the decision on a sanction are couched in imperative terms highlights the legislature's intention to make respect for the rights of the defence a prerequisite for the validity of the decision on the sanction.
In the present case, since the employee maintained during the disciplinary investigation that he had not used Yahoo Messenger for personal purposes but in order to advise customers on the products being sold by his employer, the court takes the view that an inspection of the content of the [applicant's] conversations was the only way in which the employer could ascertain the validity of his arguments.
The employer's right to monitor (monitoriza) employees in the workplace, [particularly] as regards their use of company computers, forms part of the broader right, governed by the provisions of Article 40 (d) of the Labour Code, to supervise how employees perform their professional tasks.
Given that it has been shown that the employees' attention had been drawn to the fact that, shortly before the applicant's disciplinary sanction, another employee had been dismissed for using the internet, the telephone and the photocopier for personal purposes, and that the employees had been warned that their activities were being monitored (see notice no. 2316 of 3 July 2007, which the applicant had signed [after] acquainting himself with it — see copy on sheet 64), the employer cannot be accused of showing a lack of transparency and of failing to give its employees a clear warning that it was monitoring their computer use.
Internet access in the workplace is above all a tool made available to employees by the employer for professional use, and the employer indisputably has the power, by virtue of its right to supervise its employees' activities, to monitor personal internet use.
Such checks by the employer are made necessary by, for example, the risk that through their internet use, employees might damage the company's IT systems, carry out illegal activities in cyberspace for which the company could incur liability, or disclose the company's trade secrets.
The court considers that the acts committed by the applicant constitute a disciplinary offence within the meaning of Article 263 § 2 of the Labour Code since they amount to a culpable breach of the provisions of Article 50 of S.'s internal regulations …, which prohibit the use of computers for personal purposes.
The aforementioned acts are deemed by the internal regulations to constitute serious misconduct, the penalty for which, in accordance with Article 73 of the same internal regulations, [is] termination of the contract of employment on disciplinary grounds.
Having regard to the factual and legal arguments set out above, the court considers that the decision complained of is well-founded and lawful, and dismisses the application as unfounded.’

29.
The applicant appealed to the Bucharest Court of Appeal (‘the Court of Appeal’). He repeated the arguments he had submitted before the first-instance court and contended in addition that that court had not struck a fair balance between the interests at stake, unjustly prioritising the employer's interest in enjoying discretion to control its employees' time and resources. He further argued that neither the internal regulations nor the information notice had contained any indication that the employer could monitor employees' communications.

30.
The Court of Appeal dismissed the applicant's appeal in a judgment of 17 June 2008, the relevant parts of which read:
‘The first-instance court has rightly concluded that the internet is a tool made available to employees by the employer for professional use, and that the employer is entitled to set rules for the use of this tool, by laying down prohibitions and provisions which employees must observe when using the internet in the workplace; it is clear that personal use may be refused, and the employees in the present case were duly informed of this in a notice issued on 26 June 2007 in accordance with the provisions of the internal regulations, in which they were instructed to observe working hours, to be present at the workplace [during those hours and] to make effective use of working time.
In conclusion, an employer who has made an investment is entitled, in exercising the rights enshrined in Article 40 § 1 of the Labour Code, to monitor internet use in the workplace, and an employee who breaches the employer's rules on personal internet use is committing a disciplinary offence that may give rise to a sanction, including the most serious one.
There is undoubtedly a conflict between the employer's right to engage in monitoring and the employees' right to protection of their privacy. This conflict has been settled at European Union level through the adoption of Directive no. 95/46/EC, which has laid down a number of principles governing the monitoring of internet and email use in the workplace, including the following in particular.
Principle of necessity: monitoring must be necessary to achieve a certain aim.
Principle of purpose specification: data must be collected for specified, explicit and legitimate purposes.
Principle of transparency: the employer must provide employees with full information about monitoring operations.
Principle of legitimacy: data-processing operations may only take place for a legitimate purpose.
Principle of proportionality: personal data being monitored must be relevant and adequate in relation to the specified purpose.
Principle of security: the employer is required to take all possible security measures to ensure that the data collected are not accessible to third parties.
In view of the fact that the employer has the right and the duty to ensure the smooth running of the company and, to that end, [is entitled] to supervise how its employees perform their professional tasks, and the fact [that it] enjoys disciplinary powers which it may legitimately use and which [authorised it in the present case] to monitor and transcribe the communications on Yahoo Messenger which the employee denied having exchanged for personal purposes, after he and his colleagues had been warned that company resources should not be used for such purposes, it cannot be maintained that this legitimate aim could have been achieved by any other means than by breaching the secrecy of his correspondence, or that a fair balance was not struck between the need to protect [the employee's] privacy and the employer's right to supervise the operation of its business.
Accordingly, having regard to the considerations set out above, the court finds that the decision of the first-instance court is lawful and well-founded and that the appeal is unfounded; it must therefore be dismissed, in accordance with the provisions of Article 312 § 1 of the C[ode of] Civ[il] Pr[ocedure].’

31.
In the meantime, on 18 September 2007 the applicant had lodged a criminal complaint against the statutory representatives of S., alleging a breach of the secrecy of correspondence. On 9 May 2012 the Directorate for Investigating Organised Crime and Terrorism (DIICOT) of the prosecutor's office attached to the Supreme Court of Cassation and Justice ruled that there was no case to answer, on the grounds that the company was the owner of the computer system and the internet connection and could therefore monitor its employees' internet activity and use the information stored on the server, and in view of the prohibition on personal use of the IT systems, as a result of which the monitoring had been foreseeable. The applicant did not avail himself of the opportunity provided for by the applicable procedural rules to challenge the prosecuting authorities' decision in the domestic courts.

II. Relevant domestic law


A. The Constitution

32.
The relevant parts of the Romanian Constitution provide:
Article 26
‘1.
The public authorities shall respect and protect intimate, family and private life.’
Article 28
‘The secrecy of letters, telegrams, other postal communications, telephone conversations and any other lawful means of communication is inviolable.’

B. The Criminal Code
33. The relevant parts of the Criminal Code as in force at the material time read as follows:
Article 195 — Breach of secrecy of correspondence
‘1.
Anyone who unlawfully opens somebody else's correspondence or intercepts somebody else's conversations or communication by telephone, by telegraph or by any other long-distance means of transmission shall be liable to imprisonment for between six months and three years.’

C. The Civil Code

34.
The relevant provisions of the Civil Code as in force at the time of the events were worded as follows:
Article 998
‘Any act committed by a person that causes damage to another shall render the person through whose fault the damage was caused liable to make reparation for it.’
Article 999
‘Everyone shall be liable for damage he has caused not only through his own acts but also through his failure to act or his negligence.’

D. The Labour Code

35.
As worded at the material time, the Labour Code provided:
Article 40
‘1.
The employer shall in principle have the following rights:
 
(d)
to supervise how [employees] perform their professional tasks;
 
2.
The employer shall in principle have the following duties:
 
(i)
to guarantee the confidentiality of employees' personal data.’

E. Law no. 677/2001 on the protection of individuals with regard to the processing of personal data and on the free movement of such data

36.
The relevant parts of Law no. 677/2001 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (‘Law no. 677/2001’), which reproduces certain provisions of Directive 95/46/EC of the European Parliament and of the Council of the European Union of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (see paragraph 45 below), provide:
Article 3 — Definitions
‘For the purposes of this Law:
(a)
‘personal data’ shall mean any information relating to an identified or identifiable natural person; an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity;
 
…’
Article 5 — Conditions for the legitimacy of data processing
‘1.
Personal data … may not be processed in any way unless the data subject has explicitly and unambiguously consented to it.
2.
The consent of the data subject shall not be necessary in the following circumstances:
(a)
where processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
 
(e)
where processing is necessary for the purposes of the legitimate interests pursued by the controller or by the third party or parties to whom the data are disclosed, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject;
 
3.
The provisions of paragraph 2 are without prejudice to the statutory provisions governing the public authorities' duty to respect and protect intimate, family and private life.’
Article 18 — Right to apply to the courts
‘1.
Data subjects shall be entitled, without prejudice to the possibility of lodging a complaint with the supervisory authority, to apply to the courts for protection of the rights safeguarded by this Act that have been infringed.
2.
Any person who has suffered damage as a result of the unlawful processing of his or her personal data may apply to the competent court for compensation [for the damage].
 
…’

III. International law and practice


A. United Nations standards

37.
The Guidelines for the regulation of computerized personal data files, adopted by the United Nations General Assembly on 14 December 1990 in Resolution 45/95 (A/RES/45/95), lay down the minimum guarantees that should be provided for in national legislation. The relevant principles read as follows:

‘1. Principle of lawfulness and fairness
Information about persons should not be collected or processed in unfair or unlawful ways, nor should it be used for ends contrary to the purposes and principles of the Charter of the United Nations.

2. Principle of accuracy
Persons responsible for the compilation of files or those responsible for keeping them have an obligation to conduct regular checks on the accuracy and relevance of the data recorded and to ensure that they are kept as complete as possible in order to avoid errors of omission and that they are kept up to date regularly or when the information contained in a file is used, as long as they are being processed.

3. Principle of purpose specification
The purpose which a file is to serve and its utilization in terms of that purpose should be specified, legitimate and, when it is established, receive a certain amount of publicity or be brought to the attention of the person concerned, in order to make it possible subsequently to ensure that:
(a)
All the personal data collected and recorded remain relevant and adequate to the purposes so specified;
(b)
None of the said personal data is used or disclosed, except with the consent of the person concerned, for purposes incompatible with those specified;
(c)
The period for which the personal data are kept does not exceed that which would enable the achievement of the purposes so specified.

4. Principle of interested-person access
Everyone who offers proof of identity has the right to know whether information concerning him is being processed and to obtain it in an intelligible form, without undue delay or expense, and to have appropriate rectifications or erasures made in the case of unlawful, unnecessary or inaccurate entries and, when it is being communicated, to be informed of the addressees. Provision should be made for a remedy, if need be with the supervisory authority specified in principle 8 below. The cost of any rectification shall be borne by the person responsible for the file. It is desirable that the provisions of this principle should apply to everyone, irrespective of nationality or place of residence.

6. Power to make exceptions
Departures from principles 1 to 4 may be authorized only if they are necessary to protect national security, public order, public health or morality, as well as, inter alia, the rights and freedoms of others, especially persons being persecuted (humanitarian clause) provided that such departures are expressly specified in a law or equivalent regulation promulgated in accordance with the internal legal system which expressly states their limits and sets forth appropriate safeguards.
…’

38.
The International Labour Office (ILO) issued a Code of Practice on the Protection of Workers' Personal Data (‘the ILO Code of Practice’) in 1997, laying down the following principles:

‘5. General principles

5.1.
Personal data should be processed lawfully and fairly, and only for reasons directly relevant to the employment of the worker.

5.2.
Personal data should, in principle, be used only for the purposes for which they were originally collected.

5.3.
If personal data are to be processed for purposes other than those for which they were collected, the employer should ensure that they are not used in a manner incompatible with the original purpose, and should take the necessary measures to avoid any misinterpretations caused by a change of context.

5.4.
Personal data collected in connection with technical or organizational measures to ensure the security and proper operation of automated information systems should not be used to control the behaviour of workers.

5.5.
Decisions concerning a worker should not be based solely on the automated processing of that worker's personal data.

5.6.
Personal data collected by electronic monitoring should not be the only factors in evaluating worker performance.

5.7.
Employers should regularly assess their data processing practices:
(a)
to reduce as far as possible the kind and amount of personal data collected; and
(b)
to improve ways of protecting the privacy of workers.

5.8.
Workers and their representatives should be kept informed of any data collection process, the rules that govern that process, and their rights.

5.13.
Workers may not waive their privacy rights.’

39.
With regard to the more specific issue of monitoring of workers, the ILO Code of Practice states as follows:

‘6. Collection of personal data

6.1.
All personal data should, in principle, be obtained from the individual worker.

6.14.
(1)
If workers are monitored they should be informed in advance of the reasons for monitoring, the time schedule, the methods and techniques used and the data to be collected, and the employer must minimize the intrusion on the privacy of workers.
(2)
Secret monitoring should be permitted only:
(a)
if it is in conformity with national legislation; or
(b)
if there is suspicion on reasonable grounds of criminal activity or other serious wrongdoing.
(3)
Continuous monitoring should be permitted only if required for health and safety or the protection of property.’

40.
The ILO Code of Practice also includes an inventory of workers' individual rights, particularly as regards information about the processing of personal data, access to such data and reviews of any measures taken. The relevant parts read as follows:

‘11. Individual rights

11.1.
Workers should have the right to be regularly notified of the personal data held about them and the processing of that personal data.

11.2.
Workers should have access to all their personal data, irrespective of whether the personal data are processed by automated systems or are kept in a particular manual file regarding the individual worker or in any other file which includes workers' personal data.

11.3.
The workers' right to know about the processing of their personal data should include the right to examine and obtain a copy of any records to the extent that the data contained in the record includes that worker's personal data.

11.8.
Employers should, in the event of a security investigation, have the right to deny the worker access to that worker's personal data until the close of the investigation and to the extent that the purposes of the investigation would be threatened. No decision concerning the employment relationship should be taken, however, before the worker has had access to all the worker's personal data.

11.9.
Workers should have the right to demand that incorrect or incomplete personal data, and personal data processed inconsistently with the provisions of this code, be deleted or rectified.

11.13.
In any legislation, regulation, collective agreement, work rules or policy developed consistent with the provisions of this code, there should be specified an avenue of redress for workers to challenge the employer's compliance with the instrument. Procedures should be established to receive and respond to any complaint lodged by workers. The complaint process should be easily accessible to workers and be simple to use.’

41.
In addition, on 18 December 2013 the United Nations General Assembly adopted Resolution no. 68/167 on the right to privacy in the digital age (A/RES/68/167), in which, inter alia, it called upon States:
‘(a)
To respect and protect the right to privacy, including in the context of digital communication;
(b)
To take measures to put an end to violations of those rights and to create the conditions to prevent such violations, including by ensuring that relevant national legislation complies with their obligations under international human rights law;
(c)
To review their procedures, practices and legislation regarding the surveillance of communications, their interception and the collection of personal data, including mass surveillance, interception and collection, with a view to upholding the right to privacy by ensuring the full and effective implementation of all their obligations under international human rights law;
(d)
To establish or maintain existing independent, effective domestic oversight mechanisms capable of ensuring transparency, as appropriate, and accountability for State surveillance of communications, their interception and the collection of personal data[.]’

B. Council of Europe standards

42.
The Council of Europe Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (1981, ETS no. 108), which came into force in respect of Romania on 1 June 2002, includes the following provisions in particular:
Article 2 — Definitions
‘For the purposes of this Convention:
(a)
‘personal data’ means any information relating to an identified or identifiable individual (‘data subject’);
 
(c)
‘automatic processing’ includes the following operations if carried out in whole or in part by automated means: storage of data, carrying out of logical and/or arithmetical operations on those data, their alteration, erasure, retrieval or dissemination;
 
…’
Article 3 — Scope
‘1.
The Parties undertake to apply this Convention to automated personal data files and automatic processing of personal data in the public and private sectors.
 
…’
Article 5 — Quality of data
‘Personal data undergoing automatic processing shall be:
(a)
obtained and processed fairly and lawfully;
(b)
stored for specified and legitimate purposes and not used in a way incompatible with those purposes;
(c)
adequate, relevant and not excessive in relation to the purposes for which they are stored;
(d)
accurate and, where necessary, kept up to date;
(e)
preserved in a form which permits identification of the data subjects for no longer than is required for the purpose for which those data are stored.’
Article 8 — Additional safeguards for the data subject
‘Any person shall be enabled:
(a)
to establish the existence of an automated personal data file, its main purposes, as well as the identity and habitual residence or principal place of business of the controller of the file;
(b)
to obtain at reasonable intervals and without excessive delay or expense confirmation of whether personal data relating to him are stored in the automated data file as well as communication to him of such data in an intelligible form;
 
(d)
to have a remedy if a request for confirmation or, as the case may be, communication, rectification or erasure as referred to in paragraphs b and c of this article is not complied with.’
Article 9 — Exceptions and restrictions
 
‘…
2.
Derogation from the provisions of Articles 5, 6 and 8 of this Convention shall be allowed when such derogation is provided for by the law of the Party and constitutes a necessary measure in a democratic society in the interests of:
(a)
protecting State security, public safety, the monetary interests of the State or the suppression of criminal offences;
(b)
protecting the data subject or the rights and freedoms of others;
 
…’
Article 10 — Sanctions and remedies
‘Each Party undertakes to establish appropriate sanctions and remedies for violations of provisions of domestic law giving effect to the basic principles for data protection set out in this chapter.’

43.
Recommendation CM/Rec(2015)5 of the Committee of Ministers to member States on the processing of personal data in the context of employment, which was adopted on 1 April 2015, states in particular:

‘4. Application of data processing principles

4.1.
Employers should minimise the processing of personal data to only the data necessary to the aim pursued in the individual cases concerned.

6. Internal use of data

6.1.
Personal data collected for employment purposes should only be processed by employers for such purposes.

6.2.
Employers should adopt data protection policies, rules and/or other instruments on internal use of personal data in compliance with the principles of the present recommendation.

10. Transparency of processing

10.1.
Information concerning personal data held by employers should be made available either to the employee concerned directly or through the intermediary of his or her representatives, or brought to his or her notice through other appropriate means.

10.2.
Employers should provide employees with the following information:
the categories of personal data to be processed and a description of the purposes of the processing;
the recipients, or categories of recipients of the personal data;
the means employees have of exercising the rights set out in principle 11 of the present recommendation, without prejudice to more favourable ones provided by domestic law or in their legal system;
any other information necessary to ensure fair and lawful processing.

10.3.
A particularly clear and complete description must be provided of the categories of personal data that can be collected by ICTs, including video surveillance and their possible use. This principle also applies to the particular forms of processing provided for in Part II of the appendix to the present recommendation.

10.4.
The information should be provided in an accessible format and kept up to date. In any event, such information should be provided before an employee carries out the activity or action concerned, and made readily available through the information systems normally used by the employee.

14. Use of Internet and electronic communications in the workplace

14.1.
Employers should avoid unjustifiable and unreasonable interferences with employees' right to private life. This principle extends to all technical devices and ICTs used by an employee. The persons concerned should be properly and periodically informed in application of a clear privacy policy, in accordance with principle 10 of the present recommendation. The information provided should be kept up to date and should include the purpose of the processing, the preservation or back-up period of traffic data and the archiving of professional electronic communications.

14.2.
In particular, in the event of processing of personal data relating to Internet or Intranet pages accessed by the employee, preference should be given to the adoption of preventive measures, such as the use of filters which prevent particular operations, and to the grading of possible monitoring on personal data, giving preference for non-individual random checks on data which are anonymous or in some way aggregated.

14.3.
Access by employers to the professional electronic communications of their employees who have been informed in advance of the existence of that possibility can only occur, where necessary, for security or other legitimate reasons. In case of absent employees, employers should take the necessary measures and foresee the appropriate procedures aimed at enabling access to professional electronic communications only when such access is of professional necessity. Access should be undertaken in the least intrusive way possible and only after having informed the employees concerned.

14.4.
The content, sending and receiving of private electronic communications at work should not be monitored under any circumstances.

14.5.
On an employee's departure from an organisation, the employer should take the necessary organisational and technical measures to automatically deactivate the employee's electronic messaging account. If employers need to recover the contents of an employee's account for the efficient running of the organisation, they should do so before his or her departure and, when feasible, in his or her presence.’

IV. European union law


44.
The relevant provisions of the Charter of Fundamental Rights of the European Union (2007/C 303/01) are worded as follows:
Article 7 — Respect for private and family life
‘Everyone has the right to respect for his or her private and family life, home and communications.’
Article 8 — Protection of personal data
‘1.
Everyone has the right to the protection of personal data concerning him or her.
2.
Such data must be processed fairly for specified purposes and on the basis of the consent of the person concerned or some other legitimate basis laid down by law. Everyone has the right of access to data which has been collected concerning him or her, and the right to have it rectified.
3.
Compliance with these rules shall be subject to control by an independent authority.’

45.
Directive 95/46/EC of the European Parliament and of the Council of the European Union of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (‘Directive 95/46/EC’) states that the object of national laws on the processing of personal data is notably to protect the right to privacy, as recognised both in Article 8 of the Convention and in the general principles of Community law. The relevant provisions of Directive 95/46/EC read as follows:
Article 2 — Definitions
‘For the purposes of this Directive:
(a)
‘personal data’ shall mean any information relating to an identified or identifiable natural person (‘data subject’); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity;
 
…’
Article 6
‘1.
Member States shall provide that personal data must be:
(a)
processed fairly and lawfully;
(b)
collected for specified, explicit and legitimate purposes and not further processed in a way incompatible with those purposes . Further processing of data for historical, statistical or scientific purposes shall not be considered as incompatible provided that Member States provide appropriate safeguards;
(c)
adequate, relevant and not excessive in relation to the purposes for which they are collected and/or further processed;
(d)
accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that data which are inaccurate or incomplete, having regard to the purposes for which they were collected or for which they are further processed, are erased or rectified;
(e)
kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the data were collected or for which they are further processed. Member States shall lay down appropriate safeguards for personal data stored for longer periods for historical, statistical or scientific use.
2.
It shall be for the controller to ensure that paragraph 1 is complied with.’
Article 7
‘Member States shall provide that personal data may be processed only if:
(a)
the data subject has unambiguously given his consent; or
(b)
processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract; or
(c)
processing is necessary for compliance with a legal obligation to which the controller is subject; or
(d)
processing is necessary in order to protect the vital interests of the data subject; or
(e)
processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller or in a third party to whom the data are disclosed; or
(f)
processing is necessary for the purposes of the legitimate interests pursued by the controller or by the third party or parties to whom the data are disclosed, except where such interests are overridden by the interests for fundamental rights and freedoms of the data subject which require protection under Article 1 (1).’
Article 8 — The processing of special categories of data
‘1.
Member States shall prohibit the processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, and the processing of data concerning health or sex life.
2.
Paragraph 1 shall not apply where:
(a)
the data subject has given his explicit consent to the processing of those data, except where the laws of the Member State provide that the prohibition referred to in paragraph 1 may not be lifted by the data subject's giving his consent; or
(b)
processing is necessary for the purposes of carrying out the obligations and specific rights of the controller in the field of employment law in so far as it is authorized by national law providing for adequate safeguards; or
(c)
processing is necessary to protect the vital interests of the data subject or of another person where the data subject is physically or legally incapable of giving his consent; or
 
(e)
the processing relates to data which are manifestly made public by the data subject or is necessary for the establishment, exercise or defence of legal claims.
 
4.
Subject to the provision of suitable safeguards, Member States may, for reasons of substantial public interest, lay down exemptions in addition to those laid down in paragraph 2 either by national law or by decision of the supervisory authority.’

46.
A Working Party on Data Protection (‘the Working Party’) has been set up under Article 29 of the Directive and, in accordance with Article 30, is empowered to:
‘(a)
examine any question covering the application of the national measures adopted under this Directive in order to contribute to the uniform application of such measures;
(b)
give the Commission an opinion on the level of protection in the Community and in third countries;
(c)
advise the Commission on any proposed amendment of this Directive, on any additional or specific measures to safeguard the rights and freedoms of natural persons with regard to the processing of personal data and on any other proposed Community measures affecting such rights and freedoms;
(d)
give an opinion on codes of conduct drawn up at Community level.’
The Working Party is an independent advisory body of the European Union. It issued an opinion in September 2001 on the processing of personal data in an employment context (opinion 8/2001), which summarises the fundamental data-protection principles: finality, transparency, legitimacy, proportionality, accuracy, security and staff awareness. In the opinion, which it adopted in conformity with its role of contributing to the uniform application of national measures adopted under Directive 95/46/EC, the Working Party pointed out that the monitoring of email involved the processing of personal data, and expressed the view that any monitoring of employees had to be
‘a proportionate response by an employer to the risks it faces taking into account the legitimate privacy and other interests of workers.’

47.
In May 2002 the Working Party produced a working document on surveillance and monitoring of electronic communications in the workplace (‘the working document’), in which it expressly took into account the provisions of Directive 95/46/EC read in the light of the provisions of Article 8 of the Convention. The working document asserts that the simple fact that a monitoring activity or surveillance is considered convenient to serve an employer's interest cannot in itself justify an intrusion into workers' privacy, and that any monitoring measure must satisfy four criteria: transparency, necessity, fairness and proportionality.

48.
Regarding the technical aspect, the working document states:
‘Prompt information can be easily delivered by software such as warning windows, which pop up and alert the worker that the system has detected and/or has taken steps to prevent an unauthorised use of the network.’

49.
More specifically, with regard to the question of access to employees' emails, the working document includes the following passage:
‘It would only be in exceptional circumstances that the monitoring of a worker's [e]mail or Internet use would be considered necessary. For instance, monitoring of a worker's email may become necessary in order to obtain confirmation or proof of certain actions on his part. Such actions would include criminal activity on the part of the worker insofar as it is necessary for the employer to defend his own interests, for example, where he is vicariously liable for the actions of the worker. These activities would also include detection of viruses and in general terms any activity carried out by the employer to guarantee the security of the system.
It should be mentioned that opening an employee's email may also be necessary for reasons other than monitoring or surveillance, for example in order to maintain correspondence in case the employee is out of office (e.g. due to sickness or leave) and correspondence cannot be guaranteed otherwise (e.g. via auto reply or automatic forwarding).’

50.
The Court of Justice of the European Union has interpreted the provisions of Directive 95/46/EC in the light of the right to respect for private life, as guaranteed by Article 8 of the Convention, in the case of Österreichischer Rundfunk and Others (C-465/00, C-138/01 and C-139/01, judgment of 20 May 2003, ECLI:EU:C:2003:294, paragraphs 71 et seq.).

51.
Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), published in OJ 2016 L 119/1, entered into force on 24 May 2016 and will repeal Directive 95/46/EC with effect from 25 May 2018 (Article 99). The relevant provisions of the Regulation read as follows:
Article 30 — Records of processing activities
‘1.
Each controller and, where applicable, the controller's representative, shall maintain a record of processing activities under its responsibility. That record shall contain all of the following information:
(a)
the name and contact details of the controller and, where applicable, the joint controller, the controller's representative and the data protection officer;
(b)
the purposes of the processing;
(c)
a description of the categories of data subjects and of the categories of personal data;
(d)
the categories of recipients to whom the personal data have been or will be disclosed including recipients in third countries or international organisations;
(e)
where applicable, transfers of personal data to a third country or an international organisation, including the identification of that third country or international organisation and, in the case of transfers referred to in the second subparagraph of Article 49(1), the documentation of suitable safeguards;
(f)
where possible, the envisaged time limits for erasure of the different categories of data;
(g)
where possible, a general description of the technical and organisational security measures referred to in Article 32(1).
2.
Each processor and, where applicable, the processor's representative shall maintain a record of all categories of processing activities carried out on behalf of a controller, containing:
(a)
the name and contact details of the processor or processors and of each controller on behalf of which the processor is acting, and, where applicable, of the controller's or the processor's representative, and the data protection officer;
(b)
the categories of processing carried out on behalf of each controller;
(c)
where applicable, transfers of personal data to a third country or an international organisation, including the identification of that third country or international organisation and, in the case of transfers referred to in the second subparagraph of Article 49(1), the documentation of suitable safeguards;
(d)
where possible, a general description of the technical and organisational security measures referred to in Article 32(1).
3.
The records referred to in paragraphs 1 and 2 shall be in writing, including in electronic form.
4.
The controller or the processor and, where applicable, the controller's or the processor's representative, shall make the record available to the supervisory authority on request.
5.
The obligations referred to in paragraphs 1 and 2 shall not apply to an enterprise or an organisation employing fewer than 250 persons unless the processing it carries out is likely to result in a risk to the rights and freedoms of data subjects, the processing is not occasional, or the processing includes special categories of data as referred to in Article 9(1) or personal data relating to criminal convictions and offences referred to in Article 10.’
Article 47 — Binding corporate rules
‘1.
The competent supervisory authority shall approve binding corporate rules in accordance with the consistency mechanism set out in Article 63, provided that they:
(a)
are legally binding and apply to and are enforced by every member concerned of the group of undertakings, or group of enterprises engaged in a joint economic activity, including their employees;
(b)
expressly confer enforceable rights on data subjects with regard to the processing of their personal data; and
(c)
fulfil the requirements laid down in paragraph 2.
2.
The binding corporate rules referred to in paragraph 1 shall specify at least:
(a)
the structure and contact details of the group of undertakings, or group of enterprises engaged in a joint economic activity and of each of its members;
(b)
the data transfers or set of transfers, including the categories of personal data, the type of processing and its purposes, the type of data subjects affected and the identification of the third country or countries in question;
(c)
their legally binding nature, both internally and externally;
(d)
the application of the general data protection principles, in particular purpose limitation, data minimisation, limited storage periods, data quality, data protection by design and by default, legal basis for processing, processing of special categories of personal data, measures to ensure data security, and the requirements in respect of onward transfers to bodies not bound by the binding corporate rules;
(e)
the rights of data subjects in regard to processing and the means to exercise those rights, including the right not to be subject to decisions based solely on automated processing, including profiling in accordance with Article 22, the right to lodge a complaint with the competent supervisory authority and before the competent courts of the Member States in accordance with Article 79, and to obtain redress and, where appropriate, compensation for a breach of the binding corporate rules;
(f)
the acceptance by the controller or processor established on the territory of a Member State of liability for any breaches of the binding corporate rules by any member concerned not established in the Union; the controller or the processor shall be exempt from that liability, in whole or in part, only if it proves that that member is not responsible for the event giving rise to the damage;
(g)
how the information on the binding corporate rules, in particular on the provisions referred to in points (d), (e) and (f) of this paragraph is provided to the data subjects in addition to Articles 13 and 14;
(h)
the tasks of any data protection officer designated in accordance with Article 37 or any other person or entity in charge of the monitoring compliance with the binding corporate rules within the group of undertakings, or group of enterprises engaged in a joint economic activity, as well as monitoring training and complaint-handling;
(i)
the complaint procedures;
(j)
the mechanisms within the group of undertakings, or group of enterprises engaged in a joint economic activity for ensuring the verification of compliance with the binding corporate rules. Such mechanisms shall include data protection audits and methods for ensuring corrective actions to protect the rights of the data subject. Results of such verification should be communicated to the person or entity referred to in point (h) and to the board of the controlling undertaking of a group of undertakings, or of the group of enterprises engaged in a joint economic activity, and should be available upon request to the competent supervisory authority;
(k)
the mechanisms for reporting and recording changes to the rules and reporting those changes to the supervisory authority;
(l)
the cooperation mechanism with the supervisory authority to ensure compliance by any member of the group of undertakings, or group of enterprises engaged in a joint economic activity, in particular by making available to the supervisory authority the results of verifications of the measures referred to in point (j);
(m)
the mechanisms for reporting to the competent supervisory authority any legal requirements to which a member of the group of undertakings, or group of enterprises engaged in a joint economic activity is subject in a third country which are likely to have a substantial adverse effect on the guarantees provided by the binding corporate rules; and
(n)
the appropriate data protection training to personnel having permanent or regular access to personal data.
3.
The Commission may specify the format and procedures for the exchange of information between controllers, processors and supervisory authorities for binding corporate rules within the meaning of this Article. Those implementing acts shall be adopted in accordance with the examination procedure set out in Article 93(2).’
Article 88 — Processing in the context of employment
‘1.
Member States may, by law or by collective agreements, provide for more specific rules to ensure the protection of the rights and freedoms in respect of the processing of employees' personal data in the employment context, in particular for the purposes of the recruitment, the performance of the contract of employment, including discharge of obligations laid down by law or by collective agreements, management, planning and organisation of work, equality and diversity in the workplace, health and safety at work, protection of employer's or customer's property and for the purposes of the exercise and enjoyment, on an individual or collective basis, of rights and benefits related to employment, and for the purpose of the termination of the employment relationship.
2.
Those rules shall include suitable and specific measures to safeguard the data subject's human dignity, legitimate interests and fundamental rights, with particular regard to the transparency of processing, the transfer of personal data within a group of undertakings, or a group of enterprises engaged in a joint economic activity and monitoring systems at the work place.
3.
Each Member State shall notify to the Commission those provisions of its law which it adopts pursuant to paragraph 1, by 25 May 2018 and, without delay, any subsequent amendment affecting them.'

V. Comparative law


52.
The documents available to the Court concerning the legislation of the Council of Europe member States, in particular a study of thirty-four of them, indicate that all the States concerned recognise in general terms, at constitutional or statutory level, the right to privacy and to secrecy of correspondence. However, only Austria, Finland, Luxembourg, Portugal, Slovakia and the United Kingdom have explicitly regulated the issue of workplace privacy, whether in labour laws or in special legislation.

53.
With regard to monitoring powers, thirty-four Council of Europe member States require employers to give employees prior notice of monitoring. This may take a number of forms, for example notification of the personal data-protection authorities or of workers' representatives. The existing legislation in Austria, Estonia, Finland, Greece, Lithuania, Luxembourg, Norway, Poland, Slovakia and the former Yugoslav Republic of Macedonia requires employers to notify employees directly before initiating the monitoring.

54.
In, Austria, Denmark, Finland, France, Germany, Greece, Italy, Portugal and Sweden, employers may monitor emails marked by employees as ‘private’, without being permitted to access their content. In Luxembourg employers may not open emails that are either marked as ‘private’ or are manifestly of a private nature. The Czech Republic, Italy and Slovenia, as well as the Republic of Moldova to a certain extent, also limit the extent to which employers may monitor their employees' communications, according to whether the communications are professional or personal in nature. In Germany and Portugal, once it has been established that a message is private, the employer must stop reading it.

The law


I. Alleged violation of Article 8 of the Convention


55.
The applicant submitted that his dismissal by his employer had been based on a breach of his right to respect for his private life and correspondence and that, by not revoking that measure, the domestic courts had failed to comply with their obligation to protect the right in question. He relied on Article 8 of the Convention, which provides:
‘1.
Everyone has the right to respect for his private and family life, his home and his correspondence.
2.
There shall be no interference by a public authority with the exercise of this right except such as is in accordance with the law and is necessary in a democratic society in the interests of national security, public safety or the economic well-being of the country, for the prevention of disorder or crime, for the protection of health or morals, or for the protection of the rights and freedoms of others.'

A. The Chamber's findings

56.
In its judgment of 12 January 2016 the Chamber held, firstly, that Article 8 of the Convention was applicable in the present case. Referring to the concept of reasonable expectation of privacy, it found that the present case differed from Copland (cited above, § 41) and Halford v. the United Kingdom (25 June 1997, § 45, Reports of Judgments and Decisions 1997-III) in that the applicant's employer's internal regulations in the present case strictly prohibited employees from using company computers and resources for personal purposes. The Chamber had regard to the nature of the applicant's communications and the fact that a transcript of them had been used as evidence in the domestic court proceedings, and concluded that the applicant's right to respect for his ‘private life' and ‘correspondence' was at stake.

57.
Next, the Chamber examined the case from the standpoint of the State's positive obligations, since the decision to dismiss the applicant had been taken by a private-law entity. It therefore determined whether the national authorities had struck a fair balance between the applicant's right to respect for his private life and correspondence and his employer's interests.

58.
The Chamber noted that the applicant had been able to bring his case and raise his arguments before the labour courts. The courts had found that he had committed a disciplinary offence by using the internet for personal purposes during working hours, and to that end they had had regard to the conduct of the disciplinary proceedings, in particular the fact that the employer had accessed the contents of the applicant's communications only after the applicant had declared that he had used Yahoo Messenger for work-related purposes.

59.
The Chamber further noted that the domestic courts had not based their decisions on the contents of the applicant's communications and that the employer's monitoring activities had been limited to his use of Yahoo Messenger.

60.
Accordingly, it held that there had been no violation of Article 8 of the Convention.

B. Scope of the case before the Grand Chamber

61.
The Court notes that in the proceedings before the Chamber the applicant alleged that his employer's decision to terminate his contract had been based on a breach of his right to respect for his private life and correspondence as enshrined in Article 8 of the Convention and that, by not revoking that measure, the domestic courts had failed to comply with their obligation to protect the right in question. The Chamber declared this complaint admissible on 12 January 2016.

62.
The Court reiterates that the case referred to the Grand Chamber is the application as it has been declared admissible by the Chamber (see K. and T. v. Finland [GC], no. 25702/94, §§ 140-41, ECHR 2001-VII; D.H. and Others v. the Czech Republic [GC], no. 57325/00, § 109, ECHR 2007-IV; and Blokhin v. Russia [GC], no. 47152/06, § 91, ECHR 2016).

63.
In his observations before the Grand Chamber, the applicant complained for the first time about the rejection in 2012 of the criminal complaint filed by him in connection with an alleged breach of the secrecy of correspondence (see paragraph 90 below).

64.
This new complaint was not mentioned in the decision of 12 January 2016 as to admissibility, which defines the boundaries of the examination of the application. It therefore falls outside the scope of the case as referred to the Grand Chamber, which accordingly does not have jurisdiction to deal with it and will limit its examination to the complaint that was declared admissible by the Chamber.

C. Applicability of Article 8 of the Convention

1. The parties' submissions

(a) The Government

65.
The Government argued that the applicant could not claim any expectation of ‘privacy’ as regards the communications he had exchanged via an instant messaging account created for professional use. With reference to the case-law of the French and Cypriot courts, they submitted that messages sent by an employee using the technical facilities made available to him by his employer had to be regarded as professional in nature unless the employee explicitly identified them as private. They noted that it was not technically possible using Yahoo Messenger to mark messages as private; nevertheless, the applicant had had an adequate opportunity, during the initial stage of the disciplinary proceedings, to indicate that his communications had been private, and yet had chosen to maintain that they had been work-related. The applicant had been informed not only of his employer's internal regulations, which prohibited all personal use of company resources, but also of the fact that his employer had initiated a process for monitoring his communications.

66.
The Government relied on three further arguments in contending that Article 8 of the Convention was not applicable in the present case. Firstly, there was no evidence to suggest that the transcript of the applicant's communications had been disclosed to his work colleagues; the applicant himself had produced the full transcript of the messages in the proceedings before the domestic courts, without asking for any restrictions to be placed on access to the documents concerned. Secondly, the national authorities had used the transcript of the messages as evidence because the applicant had so requested, and because the prosecuting authorities had already found that the monitoring of his communications had been lawful. Thirdly, the information notice had contained sufficient indications for the applicant to have been aware that his employer could monitor his communications, and this had rendered them devoid of any private element.

(b) The applicant

67.
The applicant did not make any submissions as to the applicability of Article 8 of the Convention, but repeatedly maintained that his communications had been private in nature.

68.
He further argued that, since he had created the Yahoo Messenger account in question and was the only person who knew the password, he had had a reasonable expectation of privacy regarding his communications. He also asserted that he had not received prior notification from his employer about the monitoring of his communications.

2. The Court's assessment

69.
The Court notes that the question arising in the present case is whether the matters complained of by the applicant fall within the scope of Article 8 of the Convention.

70.
At this stage of its examination it considers it useful to emphasise that ‘private life' is a broad term not susceptible to exhaustive definition (see Sidabras and Džiautas v. Lithuania, nos. 55480/00 and 59330/00, § 43, ECHR 2004-VIII). Article 8 of the Convention protects the right to personal development (see K.A. and A.D. v. Belgium, nos. 42758/98 and 45558/99, § 83, 17 February 2005), whether in terms of personality (see Christine Goodwin v. the United Kingdom [GC], no. 28957/95, § 90, ECHR 2002-VI) or of personal autonomy, which is an important principle underlying the interpretation of the Article 8 guarantees (see Pretty v. the United Kingdom, no. 2346/02, § 61, ECHR 2002-III). The Court acknowledges that everyone has the right to live privately, away from unwanted attention (see Smirnova v. Russia, nos. 46133/99 and 48183/99, § 95, ECHR 2003-IX (extracts)). It also considers that it would be too restrictive to limit the notion of ‘private life’ to an ‘inner circle' in which the individual may live his or her own personal life as he or she chooses, thus excluding entirely the outside world not encompassed within that circle (see Niemietz v. Germany, 16 December 1992, § 29, Series A no. 251-B). Article 8 thus guarantees a right to ‘private life’ in the broad sense, including the right to lead a ‘private social life’, that is, the possibility for the individual to develop his or her social identity. In that respect, the right in question enshrines the possibility of approaching others in order to establish and develop relationships with them (see Bigaeva v. Greece, no. 26713/05, § 22, 28 May 2009, and Özpınar v. Turkey, no. 20999/04, § 45 in fine, 19 October 2010).

71.
The Court considers that the notion of ‘private life' may include professional activities (see Fernández Martínez v. Spain [GC], no. 56030/07, § 110, ECHR 2014 (extracts), and Oleksandr Volkov v. Ukraine, no. 21722/11, §§ 165-66, ECHR 2013), or activities taking place in a public context (see Von Hannover v. Germany (no. 2) [GC], nos. 40660/08 and 60641/08, § 95, ECHR 2012). Restrictions on an individual's professional life may fall within Article 8 where they have repercussions on the manner in which he or she constructs his or her social identity by developing relationships with others. It should be noted in this connection that it is in the course of their working lives that the majority of people have a significant, if not the greatest, opportunity to develop relationships with the outside world (see Niemietz, cited above, § 29).

72.
Furthermore, as regards the notion of ‘correspondence’, it should be noted that in the wording of Article 8 this word is not qualified by any adjective, unlike the term ‘life’. And indeed, the Court has already held that, in the context of correspondence by means of telephone calls, no such qualification is to be made. In a number of cases relating to correspondence with a lawyer, it has not even envisaged the possibility that Article 8 might be inapplicable on the ground that the correspondence was of a professional nature (see Niemietz, cited above, § 32, with further references). Furthermore, it has held that telephone conversations are covered by the notions of ‘private life’ and ‘correspondence’ within the meaning of Article 8 (see Roman Zakharov v. Russia [GC], no. 47143/06, § 173, ECHR 2015). In principle, this is also true where telephone calls are made from or received on business premises (see Halford, cited above, § 44, and Amann v. Switzerland [GC], no. 27798/95, § 44, ECHR 2000-II). The same applies to emails sent from the workplace, which enjoy similar protection under Article 8, as does information derived from the monitoring of a person's internet use (see Copland, cited above, § 41 in fine).

73.
It is clear from the Court's case-law that communications from business premises as well as from the home may be covered by the notions of ‘private life' and ‘correspondence' within the meaning of Article 8 of the Convention (see Halford, cited above, § 44; and Copland, cited above, § 41). In order to ascertain whether the notions of ‘private life’ and ‘correspondence' are applicable, the Court has on several occasions examined whether individuals had a reasonable expectation that their privacy would be respected and protected (ibid.; and as regards ‘private life’, see also Köpke v. Germany (dec.), no. 420/07, 5 October 2010). In that context, it has stated that a reasonable expectation of privacy is a significant though not necessarily conclusive factor (see Köpke, cited above).

74.
Applying these principles in the present case, the Court first observes that the kind of internet instant messaging service at issue is just one of the forms of communication enabling individuals to lead a private social life. At the same time, the sending and receiving of communications is covered by the notion of ‘correspondence’, even if they are sent from an employer's computer. The Court notes, however, that the applicant's employer instructed him and the other employees to refrain from any personal activities in the workplace. This requirement on the employer's part was reflected in measures including a ban on using company resources for personal purposes (see paragraph 12 above).

75.
The Court further notes that with a view to ensuring that this requirement was met, the employer set up a system for monitoring its employees' internet use (see paragraphs 17 and 18 above). The documents in the case file, in particular those relating to the disciplinary proceedings against the applicant, indicate that during the monitoring process, both the flow and the content of the applicants' communications were recorded and stored (see paragraphs 18 and 20 above).

76.
The Court observes in addition that despite this requirement on the employer's part, the applicant exchanged messages of a personal nature with his fiancée and his brother (see paragraph 21 above). Some of these messages were of an intimate nature (ibid.).

77.
The Court considers that it is clear from the case file that the applicant had indeed been informed of the ban on personal internet use laid down in his employer's internal regulations (see paragraph 14 above). However, it is not so clear that he had been informed prior to the monitoring of his communications that such a monitoring operation was to take place. Thus, the Government submitted that the applicant had acquainted himself with the employer's information notice on an unspecified date between 3 and 13 July 2007 (see paragraph 16 above). Nevertheless, the domestic courts omitted to ascertain whether the applicant had been informed of the monitoring operation before the date on which it began, given that the employer recorded communications in real time from 5 to 13 July 2007 (see paragraph 17 above).

78.
In any event, it does not appear that the applicant was informed in advance of the extent and nature of his employer's monitoring activities, or of the possibility that the employer might have access to the actual contents of his communications.

79.
The Court also takes note of the applicant's argument that he himself had created the Yahoo Messenger account in question and was the only person who knew the password (see paragraph 68 above). In addition, it observes that the material in the case file indicates that the employer also accessed the applicant's personal Yahoo Messenger account (see paragraph 21 above). Be that as it may, the applicant had created the Yahoo Messenger account in issue on his employer's instructions to answer customers' enquiries (see paragraph 11 above), and the employer had access to it.

80.
It is open to question whether — and if so, to what extent — the employer's restrictive regulations left the applicant with a reasonable expectation of privacy. Be that as it may, an employer's instructions cannot reduce private social life in the workplace to zero. Respect for private life and for the privacy of correspondence continues to exist, even if these may be restricted in so far as necessary.

81.
In the light of all the above considerations, the Court concludes that the applicant's communications in the workplace were covered by the concepts of ‘private life’ and ‘correspondence’. Accordingly, in the circumstances of the present case, Article 8 of the Convention is applicable.

D. Compliance with Article 8 of the Convention

1. The parties' submissions and third-party comments

(a) The applicant

82.
In his written observations before the Grand Chamber, the applicant submitted that the Chamber had not taken sufficient account of certain factual aspects of the case. Firstly, he emphasised the specific features of Yahoo Messenger, which was designed for personal use. His employer's decision to use this tool in a work context did not alter the fact that it was essentially intended to be used for personal purposes. He thus considered himself to be the sole owner of the Yahoo Messenger account that he had opened at his employer's request.

83.
Secondly, the applicant argued that his employer had not introduced any policy on internet use. He had not had any warning of the possibility that his communications might be monitored or read; nor had he given any consent in that regard. If such a policy had been in place and he had been informed of it, he would have refrained from disclosing certain aspects of his private life on Yahoo Messenger.

84.
Thirdly, the applicant contended that a distinction should be drawn between personal internet use having a profit-making purpose and ‘a small harmless private conversation’ which had not sought to derive any profit and had not caused any damage to his employer; he pointed out in that connection that during the disciplinary proceedings against him, the employer had not accused him of having caused any damage to the company. The applicant highlighted developments in information and communication technologies, as well as in the social customs and habits linked to their use. He submitted that contemporary working conditions made it impossible to draw a clear dividing line between private and professional life, and disputed the legitimacy of any management policy prohibiting personal use of the internet and of any connected devices.

85.
From a legal standpoint, the applicant submitted that the Romanian State had not fulfilled its positive obligations under Article 8 of the Convention. More specifically, the domestic courts had not overturned his dismissal despite having acknowledged that there had been a violation of his right to respect for his private communications.

86.
Firstly, he submitted that the Chamber had incorrectly distinguished the present case from Copland (cited above, § 42). In his view, the decisive factor in analysing the case was not whether the employer had tolerated personal internet use, but the fact that the employer had not warned the employee that his communications could be monitored. In that connection, he contended that his employer had first placed him under surveillance and had only afterwards given him the opportunity to specify whether his communications were private or work-related. The Court had to examine both whether an outright ban on personal internet use entitled the employer to monitor its employees, and whether the employer had to give reasons for such monitoring.

87.
Secondly, the applicant submitted that the Chamber's analysis in relation to the second paragraph of Article 8 was not consistent with the Court's case-law in that it had not sought to ascertain whether the interference with his right to respect for his private life and correspondence had been in accordance with the law, had pursued a legitimate aim and had been necessary in a democratic society.

88.
With regard to the jurisdiction of the labour courts, the applicant contended that they were competent to carry out a full review of the lawfulness and justification of the measure referred to them. It was for the courts to request the production of the necessary evidence and to raise any relevant factual or legal issues, even where they had not been mentioned by the parties. Accordingly, the labour courts had extensive jurisdiction to examine any issues relating to a labour-law dispute, including those linked to respect for employees' private life and correspondence.

89.
However, in the applicant's case the domestic courts had pursued a rigid approach, aimed simply at upholding his employer's decision. They had performed an incorrect analysis of the factual aspects of the case and had failed to take into account the specific features of communications in cyberspace. The violation of the applicant's right to respect for his private life and correspondence had thus been intentional and illegal and its aim had been to gather evidence enabling his contract to be terminated.

90.
Lastly, the applicant complained for the first time in the proceedings before the Grand Chamber of the outcome of the criminal complaint he had lodged in 2007: in 2012 the department of the prosecutor's office with responsibility for investigating organised crime and terrorism (DIICOT) had rejected the complaint without properly establishing the facts of the case.

91.
At the hearing before the Grand Chamber the applicant stated, in reply to a question from the judges, that because his employer had only made a single printer available to employees, all his colleagues had been able to see the contents of the forty-five-page transcript of his Yahoo Messenger communications.

92.
The applicant urged the Grand Chamber to find a violation of Article 8 of the Convention and to take the opportunity to confirm that monitoring of employees' correspondence could only be carried out in compliance with the applicable legislation, in a transparent manner and on grounds provided for by law, and that employers did not have discretion to monitor their employees' correspondence.

(b) The Government

93.
The Government stated that the employer had recorded the applicant's communications from 5 to 13 July 2007 and had then given him an opportunity to account for his internet use, which was more substantial than that of his colleagues. They pointed out that since the applicant had maintained that the contents of his communications were work-related, the employer had investigated his explanations.

94.
The Government argued that in his appeal against the decision of the first-instance court the applicant had not challenged the court's finding that he had been informed that his employer was monitoring internet use. In that connection, they produced a copy of the information notice issued by the employer and signed by the applicant. On the basis of the employer's attendance register, they observed that the applicant had signed the notice between 3 and 13 July 2007.

95.
The Government further submitted that the employer had recorded the applicant's communications in real time. There was no evidence that the employer had accessed the applicant's previous communications or his private email.

96.
The Government indicated their agreement with the Chamber's conclusions and submitted that the Romanian State had satisfied its positive obligations under Article 8 of the Convention.

97.
They observed firstly that the applicant had chosen to raise his complaints in the domestic courts in the context of a labour-law dispute. The courts had examined all his complaints and weighed up the various interests at stake, but the main focus of their analysis had been whether the disciplinary proceedings against the applicant had been compliant with domestic law. The applicant had had the option of raising before the domestic courts his specific complaint of a violation of his right to respect for his private life, for example by means of an action under Law no. 677/2001 or an action in tort, but he had chosen not to do so. He had also filed a criminal complaint, which had given rise to a decision by the prosecuting authorities to take no further action on the grounds that the monitoring by the employer of employees' communications had not been unlawful.

98.
Referring more specifically to the State's positive obligations, the Government submitted that approaches among Council of Europe member States varied greatly as regards the regulation of employee monitoring by employers. Some States included this matter within the wider scope of personal data processing, while others had passed specific legislation in this sphere. Even among the latter group of States, there were no uniform solutions regarding the scope and purpose of monitoring by the employer, prior notification of employees or personal internet use.

99.
Relying on Köpke (cited above), the Government maintained that the domestic courts had performed an appropriate balancing exercise between the applicant's right to respect for his private life and correspondence and his employer's right to organise and supervise work within the company. In the Government's submission, where communications were monitored by a private entity, an appropriate examination by the domestic courts was sufficient for the purposes of Article 8 and there was no need for specific protection by means of a legislative framework.

100.
The Government further submitted that the domestic courts had reviewed the lawfulness and the necessity of the employer's decision and had concluded that the disciplinary proceedings had been conducted in accordance with the legislation in force. They attached particular importance to the manner in which the proceedings had been conducted, especially the opportunity given to the applicant to indicate whether the communications in question had been private. If he had made use of that opportunity, the domestic courts would have weighed up the interests at stake differently.

101.
In that connection, the Government noted that in the proceedings before the domestic authorities the applicant himself had produced the full transcripts of his communications, without taking any precautions; he could instead have disclosed only the names of the relevant accounts or submitted extracts of his communications, for example those that did not contain any intimate information. The Government also disputed the applicant's allegations that his communications had been disclosed to his colleagues and pointed out that only the three-member disciplinary board had had access to them.

102.
The Government further contended that the employer's decision had been necessary, since it had had to investigate the arguments raised by the applicant in the disciplinary proceedings in order to determine whether he had complied with the internal regulations.

103.
Lastly, the Government argued that a distinction should be made between the nature of the communications and their content. They observed, as the Chamber had, that the domestic courts had not taken the content of the applicant's communications into account at all but had simply examined their nature and found that they were personal.

104.
The Government thus concluded that the applicant's complaint under Article 8 of the Convention was ill-founded.

(c) Third parties

(i) The French Government

105.
The French Government referred, in particular, to their conception of the scope of the national authorities' positive obligation to ensure respect for employees' private life and correspondence. They provided a comprehensive overview of the applicable provisions of French civil law, labour law and criminal law in this sphere. In their submission, Article 8 of the Convention was only applicable to strictly personal data, correspondence and electronic activities. In that connection, they referred to settled case-law of the French Court of Cassation to the effect that any data processed, sent and received by means of the employer's electronic equipment were presumed to be professional in nature unless the employee designated them clearly and precisely as personal.

106.
The French Government submitted that States had to enjoy a wide margin of appreciation in this sphere since the aim was to strike a balance between competing private interests. The employer could monitor employees' professional data and correspondence to a reasonable degree, provided that a legitimate aim was pursued, and could use the results of the monitoring operation in disciplinary proceedings. They emphasised that employees had to be given advance notice of such monitoring. In addition, where data clearly designated as personal by the employee were involved, the employer could ask the courts to order investigative measures and to instruct a bailiff to access the relevant data and record their content.

(ii) The European Trade Union Confederation

107.
The European Trade Union Confederation submitted that it was crucial to protect privacy in the working environment, taking into account in particular the fact that employees were structurally dependent on employers in this context. After summarising the applicable principles of international and European law, it stated that internet access should be regarded as a human right and that the right to respect for correspondence should be strengthened. The consent, or at least prior notification, of employees was required, and staff representatives had to be informed, before the employer could process employees' personal data.

2. The Court's assessment

(a) Whether the case concerns a negative or a positive obligation

108.
The Court must determine whether the present case should be examined in terms of the State's negative or positive obligations. It reiterates that by Article 1 of the Convention, the Contracting Parties ‘shall secure to everyone within their jurisdiction the rights and freedoms defined in … [the] Convention’. While the essential object of Article 8 of the Convention is to protect individuals against arbitrary interference by public authorities, it may also impose on the State certain positive obligations to ensure effective respect for the rights protected by Article 8 (see, among other authorities, X and Y v. the Netherlands, 26 March 1985, § 23, Series A no. 91; Von Hannover (no. 2), cited above, § 98; and Hämäläinen v. Finland [GC], no. 37359/09, § 62, ECHR 2014).

109.
In the present case the Court observes that the measure complained of by the applicant, namely the monitoring of Yahoo Messenger communications, which resulted in disciplinary proceedings against him followed by his dismissal for infringing his employer's internal regulations prohibiting the personal use of company resources, was not taken by a State authority but by a private commercial company. The monitoring of the applicant's communications and the inspection of their content by his employer in order to justify his dismissal cannot therefore be regarded as ‘interference’ with his right by a State authority.

110.
Nevertheless, the Court notes that the measure taken by the employer was accepted by the national courts. It is true that the monitoring of the applicant's communications was not the result of direct intervention by the national authorities; however, their responsibility would be engaged if the facts complained of stemmed from a failure on their part to secure to the applicant the enjoyment of a right enshrined in Article 8 of the Convention (see, mutatis mutandis, Obst v. Germany, no. 425/03, §§ 40 and 43, 23 September 2010, and Schüth v. Germany, no. 1620/03, §§ 54 and 57, ECHR 2010).

111.
In the light of the particular circumstances of the case as described in paragraph 109 above, the Court considers, having regard to its conclusion concerning the applicability of Article 8 of the Convention (see paragraph 81 above) and to the fact that the applicant's enjoyment of his right to respect for his private life and correspondence was impaired by the actions of a private employer, that the complaint should be examined from the standpoint of the State's positive obligations.

112.
While the boundaries between the State's positive and negative obligations under the Convention do not lend themselves to precise definition, the applicable principles are nonetheless similar. In both contexts regard must be had in particular to the fair balance that has to be struck between the competing interests of the individual and of the community as a whole, subject in any event to the margin of appreciation enjoyed by the State (see Palomo Sánchez and Others v. Spain [GC], nos. 28955/06 and 3 others, § 62, ECHR 2011).

(b) General principles applicable to the assessment of the State's positive obligation to ensure respect for private life and correspondence in an employment context

113.
The Court reiterates that the choice of the means calculated to secure compliance with Article 8 of the Convention in the sphere of the relations of individuals between themselves is in principle a matter that falls within the Contracting States' margin of appreciation. There are different ways of ensuring respect for private life, and the nature of the State's obligation will depend on the particular aspect of private life that is at issue (see Söderman v. Sweden [GC], no. 5786/08, § 79, ECHR 2013, with further references).

114.
The Court's task in the present case is therefore to clarify the nature and scope of the positive obligations that the respondent State was required to comply with in protecting the applicant's right to respect for his private life and correspondence in the context of his employment.

115.
The Court observes that it has held that in certain circumstances, the State's positive obligations under Article 8 of the Convention are not adequately fulfilled unless it secures respect for private life in the relations between individuals by setting up a legislative framework taking into consideration the various interests to be protected in a particular context (see X and Y v. the Netherlands, cited above, §§ 23, 24 and 27, and M.C. v. Bulgaria, no. 39272/98, § 150, ECHR 2003-XII, both concerning sexual assaults of minors; see also K.U. v. Finland, no. 2872/02, §§ 43 and 49, ECHR 2008, concerning an advertisement of a sexual nature placed on an internet dating site in the name of a minor; Söderman, cited above, § 85, concerning the effectiveness of remedies in respect of an alleged violation of personal integrity committed by a close relative; and Codarcea v. Romania, no. 31675/04, §§ 102-04, 2 June 2009, concerning medical negligence).

116.
The Court accepts that protective measures are not only to be found in labour law, but also in civil and criminal law. As far as labour law is concerned, it must ascertain whether in the present case the respondent State was required to set up a legislative framework to protect the applicant's right to respect for his private life and correspondence in the context of his professional relationship with a private employer.

117.
In this connection it considers at the outset that labour law has specific features that must be taken into account. The employer-employee relationship is contractual, with particular rights and obligations on either side, and is characterised by legal subordination. It is governed by its own legal rules, which differ considerably from those generally applicable to relations between individuals (see Saumier v. France, no. 74734/14, § 60, 12 January 2017).

118.
From a regulatory perspective, labour law leaves room for negotiation between the parties to the contract of employment. Thus, it is generally for the parties themselves to regulate a significant part of the content of their relations (see, mutatis mutandis, Wretlund v. Sweden (dec.), no. 46210/99, 9 March 2004, concerning the compatibility with Article 8 of the Convention of the obligation for the applicant, an employee at a nuclear plant, to undergo drug tests; with regard to trade-union action from the standpoint of Article 11, see Gustafsson v. Sweden, 25 April 1996, § 45, Reports 1996-II, and, mutatis mutandis, Demir and Baykara v. Turkey [GC], no. 34503/97, §§ 140-46, ECHR 2008, for the specific case of civil servants). It also appears from the comparative-law material at the Court's disposal that there is no European consensus on this issue. Few member States have explicitly regulated the question of the exercise by employees of their right to respect for their private life and correspondence in the workplace (see paragraph 52 above).

119.
In the light of the above considerations, the Court takes the view that the Contracting States must be granted a wide margin of appreciation in assessing the need to establish a legal framework governing the conditions in which an employer may regulate electronic or other communications of a non-professional nature by its employees in the workplace.

120.
Nevertheless, the discretion enjoyed by States in this field cannot be unlimited. The domestic authorities should ensure that the introduction by an employer of measures to monitor correspondence and other communications, irrespective of the extent and duration of such measures, is accompanied by adequate and sufficient safeguards against abuse (see, mutatis mutandis, Klass and Others v. Germany, 6 September 1978, § 50, Series A no. 28, and Roman Zakharov, cited above, §§ 232-34).

121.
The Court is aware of the rapid developments in this area. Nevertheless, it considers that proportionality and procedural guarantees against arbitrariness are essential. In this context, the domestic authorities should treat the following factors as relevant:
(i)
whether the employee has been notified of the possibility that the employer might take measures to monitor correspondence and other communications, and of the implementation of such measures. While in practice employees may be notified in various ways depending on the particular factual circumstances of each case, the Court considers that for the measures to be deemed compatible with the requirements of Article 8 of the Convention, the notification should normally be clear about the nature of the monitoring and be given in advance;
(ii)
the extent of the monitoring by the employer and the degree of intrusion into the employee's privacy. In this regard, a distinction should be made between monitoring of the flow of communications and of their content. Whether all communications or only part of them have been monitored should also be taken into account, as should the question whether the monitoring was limited in time and the number of people who had access to the results (see Köpke, cited above). The same applies to the spatial limits to the monitoring;
(iii)
whether the employer has provided legitimate reasons to justify monitoring the communications and accessing their actual content (see paragraphs 38, 43 and 45 above for an overview of international and European law in this area). Since monitoring of the content of communications is by nature a distinctly more invasive method, it requires weightier justification;
(iv)
whether it would have been possible to establish a monitoring system based on less intrusive methods and measures than directly accessing the content of the employee's communications. In this connection, there should be an assessment in the light of the particular circumstances of each case of whether the aim pursued by the employer could have been achieved without directly accessing the full contents of the employee's communications;
(v)
the consequences of the monitoring for the employee subjected to it (see, mutatis mutandis, the similar criterion applied in the assessment of the proportionality of an interference with the exercise of freedom of expression as protected by Article 10 of the Convention in Axel Springer AG v. Germany [GC], no. 39954/08, § 95, 7 February 2012, with further references); and the use made by the employer of the results of the monitoring operation, in particular whether the results were used to achieve the declared aim of the measure (see Köpke, cited above);
(vi)
whether the employee had been provided with adequate safeguards, especially when the employer's monitoring operations were of an intrusive nature. Such safeguards should in particular ensure that the employer cannot access the actual content of the communications concerned unless the employee has been notified in advance of that eventuality.
In this context, it is worth reiterating that in order to be fruitful, labour relations must be based on mutual trust (see Palomo Sánchez and Others, cited above, § 76).

122.
Lastly, the domestic authorities should ensure that an employee whose communications have been monitored has access to a remedy before a judicial body with jurisdiction to determine, at least in substance, how the criteria outlined above were observed and whether the impugned measures were lawful (see Obst, cited above, § 45, and Köpke, cited above).

123.
In the present case the Court will assess how the domestic courts to which the applicant applied dealt with his complaint of an infringement by his employer of his right to respect for his private life and correspondence in an employment context.

(c) Application of the above general principles in the present case

124.
The Court observes that the domestic courts held that the interests at stake in the present case were, on the one hand, the applicant's right to respect for his private life, and on the other hand, the employer's right to engage in monitoring, including the corresponding disciplinary powers, in order to ensure the smooth running of the company (see paragraphs 28 and 30 above). It considers that, by virtue of the State's positive obligations under Article 8 of the Convention, the national authorities were required to carry out a balancing exercise between these competing interests.

125.
The Court observes that the precise subject of the complaint brought before it is the alleged failure of the national courts, in the context of a labour-law dispute, to protect the applicant's right under Article 8 of the Convention to respect for his private life and correspondence in an employment context. Throughout the proceedings the applicant complained in particular, both before the domestic courts and before the Court, about his employer's monitoring of his communications via the Yahoo Messenger accounts in question and the use of their contents in the subsequent disciplinary proceedings against him.

126.
As to whether the employer disclosed the contents of the communications to the applicant's colleagues (see paragraph 26 above), the Court observes that this argument is not sufficiently substantiated by the material in the case file and that the applicant did not produce any further evidence at the hearing before the Grand Chamber (see paragraph 91 above).

127.
It therefore considers that the complaint before it concerns the applicant's dismissal based on the monitoring carried out by his employer. More specifically, it must ascertain in the present case whether the national authorities performed a balancing exercise, in accordance with the requirements of Article 8 of the Convention, between the applicant's right to respect for his private life and correspondence and the employer's interests. Its task is therefore to determine whether, in the light of all the circumstances of the case, the competent national authorities struck a fair balance between the competing interests at stake when accepting the monitoring measures to which the applicant was subjected (see, mutatis mutandis, Palomo Sánchez and Others, cited above, § 62). It acknowledges that the employer has a legitimate interest in ensuring the smooth running of the company, and that this can be done by establishing mechanisms for checking that its employees are performing their professional duties adequately and with the necessary diligence.

128.
In the light of the above considerations, the Court will first examine the manner in which the domestic courts established the relevant facts in the present case. Both the County Court and the Court of Appeal held that the applicant had had prior notification from his employer (see paragraphs 28 and 30 above). The Court must then ascertain whether the domestic courts observed the requirements of the Convention when considering the case.

129.
At this stage, the Court considers it useful to reiterate that when it comes to establishing the facts, it is sensitive to the subsidiary nature of its task and must be cautious in taking on the role of a first-instance tribunal of fact, where this is not rendered unavoidable by the circumstances of a particular case (see Mustafa Tunç and Fecire Tunç v. Turkey [GC], no. 24014/05, § 182, 14 April 2015). Where domestic proceedings have taken place, it is not the Court's task to substitute its own assessment of the facts for that of the domestic courts and it is for the latter to establish the facts on the basis of the evidence before them (see, among other authorities, Edwards v. the United Kingdom, 16 December 1992, § 34, Series A no. 247-B). Though the Court is not bound by the findings of domestic courts and remains free to make its own assessment in the light of all the material before it, in normal circumstances it requires cogent elements to lead it to depart from the findings of fact reached by the domestic courts (see Giuliani and Gaggio v. Italy [GC], no. 23458/02, § 180, ECHR 2011 (extracts), and Aydan v. Turkey, no. 16281/10, § 69, 12 March 2013).

130.
The evidence produced before the Court indicates that the applicant had been informed of his employer's internal regulations, which prohibited the personal use of company resources (see paragraph 12 above). He had acknowledged the contents of the document in question and had signed a copy of it on 20 December 2006 (see paragraph 14 above). In addition, the employer had sent all employees an information notice dated 26 June 2007 reminding them that personal use of company resources was prohibited and explaining that an employee had been dismissed for breaching this rule (see paragraph 15 above). The applicant acquainted himself with the notice and signed a copy of it on an unspecified date between 3 and 13 July 2007 (see paragraph 16 above). The Court notes lastly that on 13 July 2007 the applicant was twice summoned by his employer to provide explanations as to his personal use of the internet (see paragraphs 18 and 20 above). Initially, after being shown the charts indicating his internet activity and that of his colleagues, he argued that his use of his Yahoo Messenger account had been purely work-related (see paragraphs 18 and 19 above). Subsequently, on being presented fifty minutes later with a forty-five-page transcript of his communications with his brother and fiancée, he informed his employer that in his view it had committed the criminal offence of breaching the secrecy of correspondence (see paragraph 22 above).

131.
The Court notes that the domestic courts correctly identified the interests at stake — by referring explicitly to the applicant's right to respect for his private life — and also the applicable legal principles (see paragraphs 28 and 30 above). In particular, the Court of Appeal made express reference to the principles of necessity, purpose specification, transparency, legitimacy, proportionality and security set forth in Directive 95/46/EC, and pointed out that the monitoring of internet use and of electronic communications in the workplace was governed by those principles (see paragraph 30 above). The domestic courts also examined whether the disciplinary proceedings had been conducted in an adversarial manner and whether the applicant had been given the opportunity to put forward his arguments.

132.
It remains to be determined how the national authorities took the criteria set out above (see paragraph 121) into account in their reasoning when weighing the applicant's right to respect for his private life and correspondence against the employer's right to engage in monitoring, including the corresponding disciplinary powers, in order to ensure the smooth running of the company.

133.
As to whether the applicant had received prior notification from his employer, the Court observes that it has already concluded that he did not appear to have been informed in advance of the extent and nature of his employer's monitoring activities, or of the possibility that the employer might have access to the actual content of his messages (see paragraph 78 above). With regard to the possibility of monitoring, it notes that the County Court simply observed that ‘the employees' attention had been drawn to the fact that, shortly before the applicant's disciplinary sanction, another employee had been dismissed’ (see paragraph 28 above) and that the Court of Appeal found that the applicant had been warned that he should not use company resources for personal purposes (see paragraph 30 above). Accordingly, the domestic courts omitted to determine whether the applicant had been notified in advance of the possibility that the employer might introduce monitoring measures, and of the scope and nature of such measures. The Court considers that to qualify as prior notice, the warning from the employer must be given before the monitoring activities are initiated, especially where they also entail accessing the contents of employees' communications. International and European standards point in this direction, requiring the data subject to be informed before any monitoring activities are carried out (see paragraphs 38 and 43 above; see also, for a comparative-law perspective, paragraph 53 above).

134.
As regards the scope of the monitoring and the degree of intrusion into the applicant's privacy, the Court observes that this question was not examined by either the County Court or the Court of Appeal (see paragraphs 28 and 30 above), even though it appears that the employer recorded all the applicant's communications during the monitoring period in real time, accessed them and printed out their contents (see paragraphs 17 and 21 above).

135.
Nor does it appear that the domestic courts carried out a sufficient assessment of whether there were legitimate reasons to justify monitoring the applicant's communications. The Court is compelled to observe that the Court of Appeal did not identify what specific aim in the present case could have justified such strict monitoring. Admittedly, this question had been touched upon by the County Court, which had mentioned the need to avoid the company's IT systems being damaged, liability being incurred by the company in the event of illegal activities in cyberspace, and the company's trade secrets being disclosed (see paragraph 28 above). However, in the Court's view, these examples can only be seen as theoretical, since there was no suggestion that the applicant had actually exposed the company to any of those risks. Furthermore, the Court of Appeal did not address this question at all.

136.
In addition, neither the County Court nor the Court of Appeal sufficiently examined whether the aim pursued by the employer could have been achieved by less intrusive methods than accessing the actual contents of the applicant's communications.

137.
Moreover, neither court considered the seriousness of the consequences of the monitoring and the subsequent disciplinary proceedings. In this respect the Court notes that the applicant had received the most severe disciplinary sanction, namely dismissal.

138.
Lastly, the Court observes that the domestic courts did not determine whether, when the employer summoned the applicant to give an explanation for his use of company resources, in particular the internet (see paragraphs 18 and 20 above), it had in fact already accessed the contents of the communications in issue. It notes that the national authorities did not establish at what point during the disciplinary proceedings the employer had accessed the relevant content. In the Court's view, accepting that the content of communications may be accessed at any stage of the disciplinary proceedings runs counter to the principle of transparency (see, to this effect, Recommendation CM/Rec(2015)5, cited in paragraph 43 above; for a comparative-law perspective, see paragraph 54 above).

139.
Having regard to the foregoing, the Court finds that the Court of Appeal's conclusion that a fair balance was struck between the interests at stake (see paragraph 30 above) is questionable. Such an assertion appears somewhat formal and theoretical. The Court of Appeal did not explain the specific reasons linked to the particular circumstances of the applicant and his employer that led it to reach that finding.

140.
That being so, it appears that the domestic courts failed to determine, in particular, whether the applicant had received prior notice from his employer of the possibility that his communications on Yahoo Messenger might be monitored; nor did they have regard either to the fact that he had not been informed of the nature or the extent of the monitoring, or to the degree of intrusion into his private life and correspondence. In addition, they failed to determine, firstly, the specific reasons justifying the introduction of the monitoring measures; secondly, whether the employer could have used measures entailing less intrusion into the applicant's private life and correspondence; and thirdly, whether the communications might have been accessed without his knowledge (see paragraphs 120 and 121 above).

141.
Having regard to all the above considerations, and notwithstanding the respondent State's margin of appreciation, the Court considers that the domestic authorities did not afford adequate protection of the applicant's right to respect for his private life and correspondence and that they consequently failed to strike a fair balance between the interests at stake. There has therefore been a violation of Article 8 of the Convention.

II. Application of Article 41 of the Convention


142.
Article 41 of the Convention provides:
‘If the Court finds that there has been a violation of the Convention or the Protocols thereto, and if the internal law of the High Contracting Party concerned allows only partial reparation to be made, the Court shall, if necessary, afford just satisfaction to the injured party.’

A. Damage

1. Pecuniary damage

143.
Before the Chamber, the applicant claimed 59,976.12 euros (EUR) in respect of the pecuniary damage he had allegedly sustained. He explained that this amount represented the current value of the wages to which he would have been entitled if he had not been dismissed. At the hearing before the Grand Chamber, the applicant's representatives stated that they maintained their claim for just satisfaction.

144.
In their observations before the Chamber, the Government stated that they were opposed to any award in respect of the pecuniary damage alleged to have been sustained. In their submission, the sum claimed was based on mere speculation and there was no link between the applicant's dismissal and the damage alleged.

145.
The Court observes that it has found a violation of Article 8 of the Convention in that the national courts failed to establish the relevant facts and to perform an adequate balancing exercise between the applicant's right to respect for his private life and correspondence and the employer's interests. It does not discern any causal link between the violation found and the pecuniary damage alleged, and therefore dismisses this claim.

2. Non-pecuniary damage

146.
Before the Chamber, the applicant also claimed EUR 200,000 in respect of the non-pecuniary damage he had allegedly sustained as a result of his dismissal. He stated that because of the disciplinary nature of the dismissal, he had been unable to find another job, that his standard of living had consequently deteriorated, that he had lost his social standing and that as a result, his fiancée had decided in 2010 to end their relationship.

147.
The Government submitted in reply that the finding of a violation could in itself constitute sufficient just satisfaction. In any event, they submitted that the sum claimed by the applicant was excessive in the light of the Court's case-law in this area.

148.
The Court considers that the finding of a violation constitutes sufficient just satisfaction for any non-pecuniary damage that may have been sustained by the applicant.

B. Costs and expenses

149.
Before the Chamber, the applicant also claimed 3,310 Romanian lei (RON) (approximately EUR 750) in respect of the costs and expenses incurred in the domestic courts, and RON 500 (approximately EUR 115) for the fees of the lawyer who had represented him in the domestic proceedings. He claimed a further EUR 500 for the fees of the lawyers who had represented him before the Court. He produced the following in support of his claim:
copies of the legal-aid agreement and of the receipt for payment of the sum of RON 500, corresponding to his lawyer's fees in the domestic proceedings;
documents proving that he had paid his employer the sums of RON 2,700 and RON 610.30 in respect of costs and expenses;
a copy of the receipt for payment of the sum of RON 2,218.64, corresponding to the fees of one of the lawyers who had represented him before the Court.
The applicant did not seek the reimbursement of the expenses incurred in connection with the proceedings before the Grand Chamber.

150.
In their observations before the Chamber, the Government requested the Court to award the applicant only those sums that were necessary and corresponded to duly substantiated claims. In that connection, they submitted that the applicant had not proved that he had paid EUR 500 in fees to the lawyers who had represented him before the Court, and that the receipt for payment of a sum of RON 500 in fees to the lawyer who had represented him in the domestic courts had not been accompanied by any supporting documents detailing the hours worked.

151.
According to the Court's case-law, an applicant is entitled to the reimbursement of costs and expenses only in so far as it has been shown that these have been actually and necessarily incurred and are reasonable as to quantum (see Lupeni Greek Catholic Parish and Others v. Romania [GC], no. 76943/11, § 187, ECHR 2016 (extracts)). In the present case, having regard to the documents in its possession and to its case-law, the Court considers it reasonable to award the applicant the sum of EUR 1,365 covering costs under all heads.

C. Default interest

152.
The Court considers it appropriate that the default interest rate should be based on the marginal lending rate of the European Central Bank, to which should be added three percentage points.

For these reasons, the Court


1.

Holds, by eleven votes to six, that there has been a violation of Article 8 of the Convention;

2.

Holds, by sixteen votes to one, that the finding of a violation constitutes in itself sufficient just satisfaction for the non-pecuniary damage sustained by the applicant;

3.

Holds, by fourteen votes to three,
(a)
that the respondent State is to pay the applicant, within three months, EUR 1,365 (one thousand three hundred and sixty-five euros) in respect of costs and expenses, to be converted into the currency of the respondent State at the rate applicable at the date of settlement, plus any tax that may be chargeable to the applicant;
(b)
that from the expiry of the above-mentioned three months until settlement simple interest shall be payable on the above amount at a rate equal to the marginal lending rate of the European Central Bank during the default period plus three percentage points;

4.

Dismisses, unanimously, the remainder of the applicant's claim for just satisfaction.
Done in English and French, and delivered at a public hearing in the Human Rights Building, Strasbourg, on 5 September 2017.
Søren Prebensen
Deputy to the Registrar
Guido Raimondi
President
In accordance with Article 45 § 2 of the Convention and Rule 74 § 2 of the Rules of Court, the following separate opinions are annexed to this judgment:
(a)
partly dissenting opinion of Judge Karakaş;
(b)
joint dissenting opinion of Judges Raimondi, Dedov, Kjølbro, Mits, Mourou-Vikström and Eicke.
G.R.
S.C.P.

Partly dissenting opinion of judge karakaş


(Translation)

I agree entirely with the majority's finding of a violation of Article 8 of the Convention.
However, I do not share the majority's opinion that the finding of a violation constitutes sufficient just satisfaction for the non-pecuniary damage sustained by the applicant.
It is obvious that under Article 41 the Court decides to award a certain amount in respect of non-pecuniary damage if it considers it ‘necessary’ to afford redress. As it has considerable latitude to determine in which cases such an award should be made to the applicants, the Court sometimes concludes that the finding of a violation constitutes sufficient just satisfaction and that no monetary award is required (see, among many other authorities, Nikolova v. Bulgaria, no. 31195/96, § 76, ECHR 1999-II; Vinter and Others v. the United Kingdom [GC], nos. 66069/09 and 2 others, ECHR 2013 (extracts); and Murray v. the Netherlands [GC], no. 10511/10, ECHR 2016). In order to arrive at that conclusion, the Court will have regard to all the facts of the case, including the nature of the violations found and any special circumstances pertaining to the context of the case (see, for example, Vinter and Others, cited above, and the joint partly dissenting opinion of Judges Spielmann, Sajó, Karakaş and Pinto de Albuquerque in the case of Murray, cited above). Where this is warranted by the circumstances of the case, as in McCann and Others v. the United Kingdom (27 September 1995, § 219, Series A no. 324), in which the Court declined to make any award in respect of non-pecuniary damage in view of the fact that the three terrorist suspects who had been killed had been intending to plant a bomb in Gibraltar, or by the nature of the violation found, as in the case of Tarakhel v. Switzerland ([GC], no. 29217/12, ECHR 2014 (extracts)), the Court rules that the finding of a violation in itself affords sufficient just satisfaction for any non-pecuniary damage. In other words, it is only in very exceptional cases that the Court decides not to make any award in respect of non-pecuniary damage.
There may also be instances in which the Court decides to award a lower sum than that awarded in other cases relating to the Article concerned, again taking into consideration the particular features of the context. For example, in A. and Others v. the United Kingdom ([GC], no. 3455/05, ECHR 2009), in the context of terrorism, the Court gave detailed reasons (§ 252; see also Del Río Prada v. Spain [GC], no. 42750/09, § 145, ECHR 2013) explaining why it had awarded a significantly lower sum than in other previous cases concerning unlawful detention.
In the present case, the domestic courts did not ensure adequate protection of the applicant's right to respect for his private life and correspondence: the applicant was seriously affected by the disciplinary proceedings against him, since he was dismissed from his post.
This violation of Article 8 undoubtedly caused non-pecuniary damage to the applicant, who cannot be satisfied with the mere finding that such damage was sustained. For that reason, I was in favour of granting an award, even of a modest amount, by way of just satisfaction for the non-pecuniary damage sustained by the applicant.

Joint dissenting opinion of judges raimondi, dedov, kjølbro, mits, mourou-vikström and eicke


Introduction


1.
We agree with the majority, some of us with some hesitation, that, even in a context where on the facts before the Court it is difficult to see how the applicant could have had a ‘reasonable expectation of privacy’ (see below), Article 8 is applicable in the circumstances of this case (see paragraphs 69 to 81 of the judgment). With Article 8 having been found to be applicable, we also agree that this applicant's complaint falls to be examined from the standpoint of the State's positive obligations (see paragraph 111 of the judgment). Subject to what follows, we also agree with the general principles applicable to the assessment of the State's positive obligation, as set out in paragraphs 113 to 122 of the judgment.

2.
However, for the reasons set out below, we respectfully disagree with the majority in relation to the correct approach to the State's positive obligation in the context of this case and their ultimate conclusion that the ‘domestic authorities', by which the majority means only the employment courts, ‘did not afford adequate protection of the applicant's right to respect for his private life and correspondence and that they consequently failed to strike a fair balance between the interests at stake’ (see paragraph 141 of the judgment).

Principle


3.
In light of the fact that there is common ground that the present application is to be considered by reference to the State's positive obligation under Article 8, the appropriate starting point is provided by the Court's case-law defining the content and reach of the concept of ‘positive obligations’ under Article 8. The relevant principles were most recently summarised by the Grand Chamber, in the context of the positive obligation to protect the applicant's physical and psychological integrity from other persons, in Söderman v. Sweden ([GC], no. 5786/08, §§ 78–85, ECHR 2013). There the Court made clear that:
(a)
the object of Article 8 is essentially that of protecting the individual against arbitrary interference by the public authorities. However, this provision does not merely compel the State to abstain from such interference: in addition to this primarily negative undertaking, there are positive obligations inherent in an effective respect for private or family life. These obligations may involve the adoption of measures designed to secure respect for private life even in the sphere of the relations of individuals between themselves (see, inter alia, Airey v. Ireland, 9 October 1979, § 32, Series A no. 32) (Söderman, cited above, § 78);
(b)
the choice of the means calculated to secure compliance with Article 8 of the Convention in the sphere of the relations of individuals between themselves is in principle a matter that falls within the Contracting States' margin of appreciation, whether the obligations on the State are positive or negative. There are different ways of ensuring respect for private life and the nature of the State's obligation will depend on the particular aspect of private life that is in issue (see, for example, Von Hannover v. Germany (no. 2) [GC], nos. 40660/08 and 60641/08, § 104, ECHR 2012; Odièvre v. France [GC], no. 42326/98, § 46, ECHR 2003-III; Evans v. the United Kingdom [GC], no. 6339/05, § 77, ECHR 2007-I; and Mosley v. the United Kingdom, no. 48009/08, § 109, 10 May 2011) (Söderman, cited above, § 79); and
(c)
in respect of less serious acts between individuals, which may violate psychological integrity, the obligation of the State under Article 8 to maintain and apply in practice an adequate legal framework affording protection does not always require that an efficient criminal-law provision covering the specific act be in place. The legal framework could also consist of civil-law remedies capable of affording sufficient protection (see, mutatis mutandis, X and Y v. the Netherlands, 26 March 1985, §§ 24 and 27, Series A no. 91, and K.U. v. Finland, no. 2872/02, § 47, ECHR 2008). The Court notes, for example, that in some previous cases concerning the protection of a person's picture against abuse by others, the remedies available in the member States have been of a civil-law nature, possibly combined with procedural remedies such as the granting of an injunction (see, inter alia, Von Hannover, cited above; Reklos and Davourlis v. Greece, no. 1234/05, 15 January 2009; and Schüssel v. Austria (dec.), no. 42409/98, 21 February 2002) (Söderman, cited above, § 85).

4.
The facts of this case, as the majority at least implicitly accepts (see paragraph 80 of the judgment), are, of course, a million miles away from the seriousness of the cases considered in Söderman. After all, in that case the Court was concerned with allegations of the violation of a person's physical or psychological integrity by another person.

5.
Nevertheless, even in that context, it is clear, firstly, that the choice of measures designed to secure respect for private life under Article 8, even in the sphere of the relations of individuals between themselves, is primarily for the Contracting States; a choice in relation to which they enjoy a wide margin of appreciation (see paragraph 119 of the judgment; narrowing where, unlike in the present case, a particularly important facet of an individual's existence or identity is at stake, or where the activities at stake involve a most intimate aspect of private life). This conclusion is underlined by the fact that there is no European consensus on this matter and only six out of thirty-four surveyed Council of Europe member States have explicitly regulated the issue of the workplace privacy (see paragraphs 52 and 118 of the judgment). Secondly, the ‘measures’ adopted by the State under Article 8 should in principle take the form of an adequate ‘legal framework’ affording protection to the victim. Article 8 does not necessarily require that an efficient criminal-law provision covering the specific act be in place. The legal framework could also consist of civil-law remedies capable of affording sufficient protection.

6.
This, of course, applies mutatis mutandis in the present case where, as the majority identify, the Court is at best concerned with the protection of a core or minimum level of private life and correspondence in the work place against interference by a private law employer.

The focus of the enquiry


7.
Having identified some of the principles set out above, the majority, in paragraph 123, unjustifiably in our view, narrowed its enquiry to the question ‘how the domestic courts to which the applicant applied dealt with his complaint of an infringement by his employer of his right to respect for private life and correspondence in an employment context’.

8.
Although recognising that ‘protective measures are not only to be found in labour law, but also in civil and criminal law’ (see paragraph 116 of the judgment), the majority in fact sidelined and avoided the real question that falls to be answered, namely: did the High Contracting Party maintain and apply an adequate ‘legal framework’ providing at least civil-law remedies capable of affording sufficient protection to the applicant?

9.
As the respondent Government submitted, and the majority accepts, the relevant ‘legal framework’ in Romania consisted not only of the employment courts, before which the applicant raised his complaint, but also included inter alia:
(a)
the criminal offence of ‘breach of secrecy of correspondence’ under Article 195 of the Criminal Code (see paragraph 33 of the judgment); incidentally, a remedy which the applicant engaged by lodging a criminal complaint but, following a decision by the prosecutor that there was no case to answer, failed to exhaust by not challenging that decision in the domestic courts: paragraph 31 of the judgment;
(b)
the provisions of Law no. 677/2001 ‘on the protection of individuals with regard to the processing of personal data and on the free movement of such data’ (see paragraph 36 of the judgment), which, in anticipation of Romania's accession to the EU, reproduces certain provisions of Directive 95/46/EC of the European Parliament and of the Council of the European Union of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data. This Law expressly provides, in Article 18, for a right to (i) lodge a complaint with the supervisory authority and, in the alternative or subsequently, (ii) apply to the competent courts for protection of the data protection rights safeguarded by the Act, including a right to seek compensation in relation to any damage suffered; and
(c)
the provisions of the Civil Code (Articles 998 and 999; paragraph 34 of the judgment) enabling a claim in tort to be brought with a view to obtaining reparation for the damage caused, whether deliberately or through negligence.

10.
Other than the criminal complaint which was not pursued any further, none of the domestic remedies was ever engaged by the applicant. Instead, the applicant only applied to the employment courts to challenge not primarily the interference by his employer with his private life/correspondence but his dismissal. As the majority note in paragraph 24:
‘He asked the court, firstly, to set aside the dismissal; secondly, to order his employer to pay him the amounts he was owed in respect of wages and any other entitlements and to reinstate him in his post; and thirdly, to order the employer to pay him 100,000 Romanian lei (approximately 30,000 euros) in damages for the harm resulting from the manner of his dismissal, and to reimburse his costs and expenses.'

11.
It was only in the context of these dismissal proceedings that, relying on the judgment of this Court in Copland v. the United Kingdom (no. 62617/00, §§ 43–44, ECHR 2007-I), he argued that the decision to dismiss him was unlawful and that by monitoring his communications and accessing their contents his employer had infringed criminal law.

12.
The fact that the applicant's focus was primarily, if not exclusively, on the legality of his dismissal, rather than the interference by his employer with his right to respect for private life/correspondence, is also reflected in the way his case was presented before this Court. As the judgment notes at paragraph 55, the applicant's complaint was that ‘his dismissal by his employer had been based on a breach of his right to respect for his private life and correspondence and that, by not revoking that measure, the domestic courts had failed to comply with their obligation to protect the right in question’.

13.
As a consequence, one cannot help but note (if only in passing) that, if the respondent Government had raised this as a preliminary objection, there might have been some question as to whether, by applying to the employment courts on the basis he did, the applicant had, in fact, exhausted those domestic remedies ‘that relate to the breaches alleged and which are at the same time available and sufficient’ (see Aquilina v. Malta [GC], no. 25642/94, § 39, ECHR 1999-III). After all, there is no material before the Court to suggest that any of the three remedies identified above, and, in particular, a complaint to the specialist data protection supervisory authority and/or an action for damages under Law no. 677/2001 before the competent courts were ‘bound to fail’ (see Davydov and Others v. Russia, no. 75947/11, § 233, 30 May 2017).

14.
Our doubts about the effectiveness of the employment courts in this context (and the appropriateness of the Court restricting its analysis to the adequacy of the analysis by those employment courts) is further underlined by the fact that, in line with this Court's jurisprudence under Article 6 of the Convention, regardless of whether or not the employer's actions were illegal that fact could not per se undermine the validity of the disciplinary proceedings in the instant case. After all, as this Court confirmed most recently in Vukota-Bojić v. Switzerland (no. 61838/10, §§ 94–95, 18 October 2016):
‘… the question whether the use as evidence of information obtained in violation of Article 8 rendered a trial as a whole unfair contrary to Article 6 has to be determined with regard to all the circumstances of the case, including respect for the applicant's defence rights and the quality and importance of the evidence in question (compare, inter alia, Khan, cited above, §§ 35–40; P.G. and J.H. v. the United Kingdom, cited above, §§ 77–79; and Bykov v. Russia [GC], no. 4378/02, §§ 94–98, 10 March 2009, in which no violation of Article 6 was found).
In particular, it must be examined whether the applicant was given an opportunity to challenge the authenticity of the evidence and to oppose its use. In addition, the quality of the evidence must be taken into consideration, as must the circumstances in which it was obtained and whether these circumstances cast doubts on its reliability or accuracy. Finally, the Court will attach weight to whether the evidence in question was or was not decisive for the outcome of the proceedings (compare, in particular, Khan, cited above, §§ 35 and 37).'

15.
In any event, the above alternative domestic remedies, some of which are more obviously suitable to the protection of an individual's private life/correspondence in the private workplace, were plainly relevant to the assessment whether the ‘legal framework’ created by Romania was capable of providing ‘adequate’ protection to the applicant against an unlawful interference with his right to respect for private life/correspondence under Article 8 by another private individual (in this case, his employer).

16.
By not including them, sufficiently or at all, in their analysis, the majority failed to have regard to important factors relevant to the question posed by this case and failed to give due weight to the acknowledged wide margin of appreciation enjoyed by High Contracting Parties in determining what measures to take and what remedies to provide for in compliance with their positive obligation under Article 8 to put in place an adequate ‘legal framework’. Absent any evidence to suggest that the domestic remedies either individually or cumulatively were not sufficiently available or effective to provide the protection required under Article 8, it seems to us that there is no basis on which the Court could find a violation of Article 8 in the circumstances of the present case.

17.
Before leaving this question of the appropriate focus for the enquiry, we would want to express our sincere hope that the majority judgment should not be read as a blanket requirement under the Convention that, where more appropriate remedies are available within the domestic legal framework (such as e.g. those required to be put in place under the relevant EU data protection legislation), the domestic employment courts, when confronted with a case such as that brought by the applicant, are required to duplicate the functions of any such, more appropriate, specialist remedy.

The analysis by the domestic employment courts


18.
However, even if, contrary to the above, the majority's focus only on the analysis by the domestic employment courts were the appropriate approach, we also do not agree that, in fact, that analysis is defective so as to lead to a finding of a violation under Article 8.

19.
In considering the judgments of the County Court and the Bucharest Court of Appeal, we note that both domestic courts took into consideration the employer's internal regulations, which prohibited the use of company resources for personal purposes (see paragraphs 12, 28 and 30 of the judgment). We further observe that the applicant had been informed of the internal regulations, since he had acquainted himself with them and signed a copy of them on 20 December 2006 (see paragraph 14 of the judgment). The domestic courts interpreted the provisions of that instrument as implying that it was possible that measures might be taken to monitor communications, an eventuality that was likely to reduce significantly the likelihood of any reasonable expectation on the applicant's part that the privacy of his correspondence would be respected (contrast Halford v. the United Kingdom, 25 June 1997, § 45, Reports of Judgments and Decisions 1997-III, and Copland, cited above, § 42). We therefore consider that the question of prior notification should have been examined against this background.

20.
In this context, it is clear on the evidence before the Court that the domestic courts did indeed consider this question. Both the County Court and the Court of Appeal attached a certain weight to the information notice which the applicant had signed, and their decisions indicate that a signed copy of the notice was produced in the proceedings before them (see paragraphs 28 and 30 of the judgment). The County Court observed, among other things, that the employer had warned its employees that their activities, including their computer use, were being monitored, and that the applicant himself had acknowledged the information notice (see paragraph 28 of the judgment). The Court of Appeal further confirmed that ‘personal use [of company resources could] be refused … in accordance with the provisions of the internal regulations’, of which the employees had been duly informed (see paragraph 30 of the judgment). Accordingly, the domestic courts found, on the basis of the documents in their possession, that the applicant had received sufficient warning that his activities, including his use of the computer made available to him by his employer, could be monitored. We can see no basis for departing from their decisions, and consider that the applicant could reasonably have expected his activities to be monitored.

21.
Next, we note that the national authorities carried out a careful balancing exercise between the interests at stake, taking into account both the applicant's right to respect for his private life and the employer's right to engage in monitoring, including the corresponding disciplinary powers, in order to ensure the smooth running of the company (see paragraphs 28 and 30 of the judgment; see also, mutatis mutandis, Obst v. Germany, no. 425/03, § 49, 23 September 2010, and Fernández Martínez v. Spain [GC], no. 56030/07, § 151, ECHR 2014 (extracts). The Court of Appeal, in particular, citing the provisions of Directive 95/46/EC, noted that there had been a conflict in the present case between ‘the employer's right to engage in monitoring and the employees' right to protection of their privacy’ (see paragraph 30 of the judgment).

22.
We also note that, on the basis of the material in their possession, the domestic courts found that the legitimate aim pursued by the employer in engaging in the monitoring of the applicant's communications had been to exercise ‘the right and the duty to ensure the smooth running of the company’ (see the Court of Appeal as quoted at paragraph 30 of the judgment). While the domestic courts attached greater weight to the employer's right to ensure the smooth running of the company and to supervise how employees performed their tasks in the context of their employment relationship than to the applicant's right to respect for his private life and correspondence, we consider that it is not unreasonable for an employer to wish to check that its employees are carrying out their professional duties when making use in the workplace and during working hours of the equipment which it has made available to them. The Court of Appeal found that the monitoring of the applicant's communications was the only way for the employer to achieve this legitimate aim, prompting it to conclude that a fair balance had been struck between the need to protect the applicant's private life and the employer's right to supervise the operation of its business (see paragraph 30 of the judgment).

23.
In our view, the choice of the national authorities to give the employer's interests precedence over those of the employee is not capable in itself of raising an issue under the Convention (see, mutatis mutandis, Obst, cited above, § 49). We would reiterate that where they are required to strike a balance between several competing private interests, the authorities enjoy a certain discretion (see Hämäläinen v. Finland [GC], no. 37359/09, § 67 in fine, ECHR 2014, and further references). In the present case, therefore, it is our view that the domestic courts acted within Romania's margin of appreciation.

24.
We further note that the monitoring to which the applicant was subjected was limited in time, and that the evidence before the Court indicates that the employer only monitored the applicant's electronic communications and internet activity. Indeed, the applicant did not allege that any other aspect of his private life, as enjoyed in a professional context, had been monitored by his employer. Furthermore, on the evidence before the Court, the results of the monitoring operation were used solely for the purposes of the disciplinary proceedings against the applicant and only the persons involved in those proceedings had access to the content of the applicant's communications (for a similar approach see Köpke v. Germany (dec.), no. 420/07, 5 October 2010). In this connection, it is observed that the majority agree that the applicant did not substantiate his allegations that the content in question had been disclosed to other colleagues (see paragraph 126 of the judgment).

25.
Lastly, we note that in their examination of the case, the national authorities took into account the attitude displayed by the applicant in the course of his professional activities in general, and during the disciplinary proceedings against him in particular. Thus, the County Court found that he had committed a disciplinary offence by breaching his employer's internal regulations, which prohibited the use of computers for personal purposes (see paragraph 28 of the judgment). The domestic authorities attached significant weight in their analysis to the applicant's attitude in the disciplinary proceedings, during which he had denied using his employer's resources for personal purposes and had maintained that he had used them solely for work-related purposes, which was incorrect (see paragraphs 28 and 30 of the judgment). They were plainly entitled to do so. This was confirmed when the applicant asserted before this Court that, despite the fact that he knew that private use of his work computer was prohibited, it would only have been an awareness of monitoring by the employer which would have led him not to engage in private use of the employer's computer; he did not deny that he was informed about the monitoring, but could not remember when he had received the information notice alerting him to the monitoring.

26.
After all, as the majority also stress (see paragraph 121 of the judgment), in order to be fruitful, employment relations must be based on mutual trust (see Palomo Sánchez and Others v. Spain [GC], nos. 28955/06 and 3 others, § 76, ECHR 2011). Accordingly, it is our view that within their margin of appreciation, the domestic (employment) courts were entitled, when weighing up the interests at stake, to take into account the attitude displayed by the applicant, who had broken the bond of trust with his employer.

27.
Having regard to all the foregoing considerations and in contrast to the majority, we conclude that there has been no failure to protect the applicant's right to respect for his private life and correspondence and that there has, therefore, been no violation of Article 8 of the Convention.

Uitspraak 12‑01‑2016

András Sajó, Vincent A. De Gaetano, Boštjan M. Zupančič, Nona Tsotsoria, Paulo Pinto de Albuquerque, Egidijus Kūris, Iulia Antoanella Motoc

Partij(en)

JUDGMENT
STRASBOURG
12 January 2016
In the case of Bărbulescu v. Romania,
The European Court of Human Rights (Fourth Section), sitting as a Chamber composed of:
András Sajó, President,
Vincent A. De Gaetano,
Boštjan M. Zupančič,
Nona Tsotsoria,
Paulo Pinto de Albuquerque,
Egidijus Kūris,
Iulia Antoanella Motoc, judges,
and Fatoş Aracı, Deputy Section Registrar,
Having deliberated in private on 1 December 2015,
Delivers the following judgment, which was adopted on that date:

Procedure


1.

The case originated in an application (no. 61496/08) against Romania lodged with the Court under Article 34 of the Convention for the Protection of Human Rights and Fundamental Freedoms (‘the Convention’) by a Romanian national, Mr Bogdan Mihai Bărbulescu (‘the applicant’), on 15 December 2008.

2.

The applicant was represented by Mr D. Costinescu and Mr O. Juverdeanu, lawyers practising in Bucharest. The Romanian Government (‘the Government’) were represented by their Agent, Ms C. Brumar, of the Ministry of Foreign Affairs.

3.

The applicant alleged, in particular, that his employer's decision to terminate his contract had been based on a breach of his right to respect for his private life and correspondence and that the domestic courts had failed to protect his right.

4.

On 18 December 2012 the application was communicated to the Government.

The facts


I. The circumstances of the case


5.
The applicant was born in 1979 and lives in Bucharest.

6.
From 1 August 2004 to 6 August 2007, he was employed by a private company (‘the employer’) as an engineer in charge of sales. At his employer's request, he created a Yahoo Messenger account for the purpose of responding to clients' enquiries.

7.
On 13 July 2007 the employer informed the applicant that his Yahoo Messenger communications had been monitored from 5 to 13 July 2007 and that the records showed that he had used the Internet for personal purposes, contrary to internal regulations. The applicant replied in writing that he had only used Yahoo Messenger for professional purposes. When presented with a forty-five-page transcript of his communications on Yahoo Messenger, the applicant notified his employer that, by violating his correspondence, they were accountable under the Criminal Code. The forty-five pages contained transcripts of all the messages that the applicant had exchanged with his fiancée and his brother during the period when his communications had been monitored; they related to personal matters involving the applicant. The transcript also contained five short messages that the applicant had exchanged with his fiancée on 12 July 2007 using a personal Yahoo Messenger account; these messages did not disclose any intimate information.

8.
On 1 August 2007 the employer terminated the applicant's employment contract for breach of the company's internal regulations which stated, inter alia:
‘It is strictly forbidden to disturb order and discipline within the company's premises and especially … to use computers, photocopiers, telephones, telex and fax machines for personal purposes.’

9.
The applicant challenged his employer's decision before the Bucharest County Court (‘the County Court’). He complained that this decision had been null and void since, by accessing his communications, his employer had violated his right to correspondence protected by the Romanian Constitution and the Criminal Code.

10.
In a judgment of 7 December 2007, the County Court dismissed his complaint on the grounds that the employer had complied with the dismissal proceedings provided for by the Labour Code and noted that the applicant had been duly informed of the employer's regulations that prohibited the use of company resources for personal purposes. The County Court's judgment reads, in its relevant parts:
‘The court takes the view that the monitoring of the [applicant]'s Yahoo Messenger communications from the company's computer … during working hours — regardless of whether the employer's actions were or were not illegal (îmbracă sau nu forma ilicitului penal) — cannot affect the validity of the disciplinary proceedings in the instant case…
However, since the [applicant] claimed during the disciplinary proceedings that he had not used Yahoo Messenger for personal purposes but rather for advising clients on the products offered by his employer, the court finds that checking the content of the [applicant]'s communications was the only method for the employer to verify the [applicant]'s line of defence.
The employer's right to monitor their employees' use of the company's computers in the workplace falls within the broad scope of the right to check the manner in which professional tasks are complete.
As long as the employees' attention … had been drawn to the fact that, not long before the applicant had received a disciplinary sanction, another colleague had been dismissed for having used the Internet, the telephone and the photocopiers for personal purposes and they had been warned that their activity was under surveillance (see notice no 2316 of 3 July 2007 that the applicant had signed …) it cannot be held against the employer that he had not proven transparency and that he had not been open with regard to his activities in monitoring the use of the computers by its employees.
The Internet in the workplace must remain a tool at the employee's disposal. It was granted by the employer for professional use and it is indisputable that the employer, by virtue of the right to monitor the employees' activities, has the prerogative to keep personal use of the Internet monitored.
Some of the reasons that make the employer's checks necessary are the possibilities that through use of the Internet employees could damage the company's IT systems, or engage in illicit activities in the company's name, or reveal the company's commercial secrets.’

11.
The applicant appealed against this judgment. He claimed that e-mails were also protected by Article 8 of the Convention as pertaining to ‘private life’ and ‘correspondence’. He also complained that the County Court had not allowed him to call witnesses to prove that the employer had not suffered as a result of his actions.

12.
In a final decision of 17 June 2008, the Bucharest Court of Appeal (‘the Court of Appeal’) dismissed his appeal and upheld the judgment rendered by the County Court. Relying on EU Directive 95/46/EC, the Court of Appeal ruled that the employer's conduct had been reasonable and that the monitoring of the applicant's communications had been the only method of establishing if there had been a disciplinary breach. With regard to his procedural rights, the Court of Appeal dismissed the applicant's arguments, stating that the evidence already before it was sufficient. The Court of Appeal's decision reads, in its relevant parts:
‘In view of the fact that the employer has the right and the obligation to ensure the functioning of the company and, to this end, [the right] to check the manner in which its employees complete their professional tasks, and of the fact that [the employer] holds the disciplinary power of which it can legitimately dispose and which [entitled it] to monitor and to transcribe the communications on Yahoo Messenger that the employee denied having had for personal purposes, after having been, together with his other colleagues, warned against using the company's resources for personal purposes, it cannot be held that the violation of his correspondence (violarea secretului corespondenţei

II. Relevant domestic law


13.
The Romanian Constitution guarantees the right to the protection of intimate, private and family life (Article 26) as well as private correspondence (Article 28).

14.
Article 195 of the Criminal Code provides that:
‘Anyone who unlawfully opens somebody else's correspondence or intercepts somebody else's conversations or communication by telephone, by telegraph or by any other long distance means of transmission shall be liable to imprisonment for between six months to three years.’

15.
The Labour Code in force at the time of events provided in Article 40(1)(d) that the employer had the right to monitor the manner in which the employees completed their professional tasks. Article 40(2)(i) provided that the employer had a duty to guarantee the confidentiality of the employees' personal data.

16.
Law no. 677/2001 on the protection of individuals with regard to the processing of personal data and the free movement of personal data (‘Law no. 677/2001’) applies the provisions of EU Directive 95/46/EC (see paragraph 18 below). It defines ‘personal data’ as ‘any data related to an identified or identifiable individual’ (Article 3(a)). It provides that data can only be processed if the person concerned consented to it and it sets out a list of exceptions when consent is not necessary. Exceptions refer, among other situations, to the completion of a contract to which the concerned individual is a party and to securing a legitimate interest of the data operator (Article 5(2)(a and e)). It also provides that when processing data, public authorities remain under the obligation to protect the individuals' intimate, private and family life (Article 5(3)). Lastly, anyone who suffered prejudice as a result of illegal processing of his/her personal data can ask the courts to allow him/her reparation (Article 18(2)).

II. Relevant international law

A. Council of Europe instruments

17.
The 1981 Council of Europe Convention for the protection of individuals with regard to automatic processing of personal data (‘the Data Protection Convention’) defines ‘personal data’ as ‘any information relating to an identified or identifiable individual’. The Convention provides, inter alia, as follows:
Article 2 — Definitions
‘For the purposes of this Convention:
 
(…)
(c)
‘automatic processing’ includes the following operations if carried out in whole or in part by automated means: storage of data, carrying out of logical and/or arithmetical operations on those data, their alteration, erasure, retrieval or dissemination …’
Article 3 — Scope
‘(1)
The Parties undertake to apply this Convention to automated personal data files and automatic processing of personal data in the public and private sectors.’
(…)
Article 5 — Quality of data
‘Personal data undergoing automatic processing shall be:
(a)
obtained and processed fairly and lawfully;
(b)
stored for specified and legitimate purposes and not used in a way incompatible with those purposes;
(c)
adequate, relevant and not excessive in relation to the purposes for which they are stored;
(d)
accurate and, where necessary, kept up to date;
(e)
preserved in a form which permits identification of the data subjects for no longer than is required for the purpose for which those data are stored.’
(…)
Article 8 — Additional safeguards for the data subject
‘Any person shall be enabled:
(a)
to establish the existence of an automated personal data file, its main purposes, as well as the identity and habitual residence or principal place of business of the controller of the file;
(b)
to obtain at reasonable intervals and without excessive delay or expense confirmation of whether personal data relating to him are stored in the automated data file as well as communication to him of such data in an intelligible form (…)’

B. European Union instruments

18.
Directive 95/46/EC of the European Parliament and of the Council of the European Union of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data provides that the object of national laws in this area is notably to protect the right to privacy as recognised both in Article 8 of the Convention and the general principles of EU law. The Directive defines personal data as ‘any information relating to an identified or identifiable natural person’ (Article 2(a)) and asks for the Member States to prohibit processing of personal data concerning, among other things, ‘health or sex life’ (Article 8(1)).

19.
A Data Protection Working Party (‘the Working Party’) was established under Article 29 of the Directive in order to examine the issue of surveillance of electronic communications in the workplace and to evaluate the implications of data protection for employees and employers. It is an independent EU advisory body. The Working Party issued in September 2001 opinion 8/2001 on the processing of personal data in an employment context, which summarises the fundamental data protection principles: finality, transparency, legitimacy, proportionality, accuracy, security and staff awareness. With regard to monitoring of employees, it suggested that it should be:
‘A proportionate response by an employer to the risks it faces taking into account the legitimate privacy and other interests of workers’.

20.
In May 2002 the Working Party produced the ‘Working document on the surveillance and the monitoring of electronic communications in the workplace’ (‘the working document’). This working document asserts that the simple fact that monitoring or surveillance conveniently serves an employer's interest could not justify an intrusion into workers' privacy. The document suggests that any monitoring measure must pass a list of four tests: transparency, necessity, fairness and proportionality.

21.
From a technical point of view, the working document indicates that:
‘Prompt information can be easily delivered by software such as warning windows, which pop up and alert the worker that the system has detected and/or has taken steps to prevent an unauthorised use of the network.’

22.
More specifically, with regard to the question of access to an employee's e-mails, the working document holds that:
‘Opening an employee's e-mail may also be necessary for reasons other than monitoring or surveillance, for example in order to maintain correspondence in case the employee is out of office (for example due to sickness or leave) and correspondence cannot be guaranteed otherwise (for example via an autoreply or automatic forwarding).’

The law


I. Alleged violation of article 8 of the convention


23.
The applicant complained that his employer's decision to terminate his contract had been based on a breach of his right to respect for his private life and correspondence and that the domestic courts had failed to protect his right; he relied on Article 8 of the Convention, which reads as follows:
‘1.
Everyone has the right to respect for his private and family life, his home and his correspondence.
2.
There shall be no interference by a public authority with the exercise of this right except such as is in accordance with the law and is necessary in a democratic society in the interests of national security, public safety or the economic well-being of the country, for the prevention of disorder or crime, for the protection of health or morals, or for the protection of the rights and freedoms of others.’

A. Admissibility

1. The parties' submissions

24.
The Government submitted that Article 8 of the Convention was not applicable in the present case. They noted that the applicant had set up the Yahoo Messenger account for professional use and he furthermore claimed that he had only used it for this purpose; the Government inferred that the applicant could not claim an ‘expectation of privacy’ while at the same time denying any private use.

25.
They further submitted that a number of Council of Europe member States required an assertion of the private nature of the communication for which the protection of privacy was sought; they relied, among other things, on the case-law of the French Court of Cassation that held that e-mails sent by an employee with means put at his disposal by his employer should be deemed to have a professional character and be accessible to the employer unless expressly identified as private.

26.
Taking into consideration the differences between e-mail and instant messaging (the latter lacks a subject field), the Government argued that an assertion of the private character of the communication was essential for it to fall within the scope of Article 8. Thus, they pointed out that the applicant had been given an opportunity to claim that the use he had made of Yahoo Messenger had been, at least in part, private, and he had clearly stated that this had not been the case as he had declared that he had only communicated with clients on behalf of his employer.

27.
The Government inferred that the applicant had been given proper prior notice that his employer could monitor his communications; they relied on the employer's notice of 3 July 2007 and on the findings of the County Court that the applicant had not challenged in his appeal. They did not submit a copy of the notice.

28.
Finally, the Government pointed out that the present case was different from the cases of Halford v. the United Kingdom (25 June 1997, Reports of Judgments and Decisions 1997-III, where one of the landlines of the office had been designated for the applicant's personal use), and Copland v. the United Kingdom (no. 62617/00, ECHR 2007-I, where personal use was allowed and the surveillance aimed to determine whether the applicant had made ‘excessive use’ of the facilities); in the instant case, the employer's regulations explicitly prohibited all personal use of company facilities, including computers and Internet access.

29.
The applicant contested the Government's submissions and claimed that his communications on Yahoo Messenger had had a private character and therefore fell within the scope of Article 8 of the Convention. Referring to the State's positive obligations according to Article 8, he argued that this provision was applicable on account of the Romanian State's failure to protect his private sphere from interference by his employer. He pointed out that he had consistently raised this argument before the domestic authorities.

30.
In the applicant's opinion, it could not be disputed that the data intercepted by his employer represented both ‘personal data’ and ‘sensitive personal data’ within the meaning of Law no. 677/2001 and EU Directive 95/46/EC; the information related to identified persons (the applicant, his fiancée and his brother) and concerned sensitive issues (such as the applicant's health and sex life). The applicant did not explain why he had used Yahoo Messenger for personal purposes, but suggested that at the material time the prices for mobile phones had been very high and that the requests for his professional services, as an engineer charged with selling heating equipment, had been very low in July 2007.

31.
The applicant also complained that his employer had also accessed his personal Yahoo Messenger account, which had a different ID from the one he had registered for professional purposes. Moreover, the transcript of his communications had been made available to his colleagues who had discussed it publicly.

32.
Relying on the case of Niemietz v. Germany (16 December 1992, Series A no. 251-B), the applicant contended that denying the protection of Article 8 on the grounds that the measure complained of related only to professional activities could lead to inequality of treatment in that such protection would be available only to persons whose professional and non-professional activities were so intermingled that they could not be distinguished. With reference to the case of Chappell v. the United Kingdom (30 March 1989, Series A no. 152-A), he argued that the Court had not excluded the applicability of Article 8 of the Convention in the case of a search of the business premises.

33.
The applicant insisted that the Yahoo Messenger software was by its nature designed for personal use and that the nature of the instant messaging service had entitled him to expect that his communications would be private. Had he not expected privacy, he would have refrained from disclosing intimate information. He had felt reassured by his employer instructing him to protect his Yahoo Messenger account by choosing his own password. He denied having been given proper prior notice of his employer's monitoring; he argued that the general prohibition in the employer's internal regulations could not have amounted to prior notice of monitoring. He believed that the notice of 3 July 2007 had been identified after the facts; he submitted a copy of this notice which however does not bear the employees' signatures.

34.
The applicant found the Government's submissions that he had initially asserted that he had used that account for professional purposes artificial; irrespective of his initial position, the fact that the actual use of the instant messaging service had been for personal purposes remains undisputed. He concluded that an employee's right to establish and develop personal relationships during business hours could not be suppressed at the discretion or by a decision of their employer.

2. The Court's assessment

35.
The Court has consistently held that the notion of private life is a broad concept (see, E.B. v. France [GC], no. 43546/02, § 43, 22 January 2008, and Bohlen v. Germany, no. 53495/09, § 45, 19 February 2015). It encompasses, for example, the right to establish and develop relationships with other human beings, and the right to identity and personal development (Niemietz, cited above, § 29, and Fernández Martínez v. Spain [GC], no. 56030/07, § 126, ECHR 2014 (extracts)). A broad reading of Article 8 does not mean, however, that it protects every activity a person might seek to engage in with other human beings in order to establish and develop such relationships. It will not, for example, protect interpersonal relations of such broad and indeterminate scope that there can be no conceivable direct link between the action or inaction of a State and a person's private life (see, mutatis mutandis, Botta v. Italy, 24 February 1998, § 35, Reports of Judgments and Decisions 1998-I).

36.
Thus, according to the Court's case-law, telephone calls from business premises are prima facie covered by the notions of ‘private life’ and ‘correspondence’ for the purposes of Article 8 § 1 (see Halford, cited above, § 44, and Amann v. Switzerland [GC], no. 27798/95, § 43, ECHR 2000-II). The Court further held that e-mails sent from work should be similarly protected under Article 8, as should information derived from the monitoring of personal Internet usage (see Copland, cited above, § 41).

37.
In the absence of a warning that one's calls would be liable to monitoring, the applicant had a reasonable expectation as to the privacy of calls made from a work telephone (see Halford, cited above, § 45) and the same expectation should apply in relation to an applicant's e-mail and Internet usage (see Copland, cited above, § 41). In a case in which the applicant's workspace at a prosecutor's office had been searched and some of his belongings had been seized (Peev v. Bulgaria, no. 64209/01, 26 July 2007), the Court held that the search amounted to an interference with the applicant's ‘private life’; the Court found that the applicant had a reasonable expectation of privacy with regard to the personal belongings that he kept in his office (ibid., § 39). The Court further held that:
‘39.
… such an arrangement is implicit in habitual employer-employee relations and there is nothing in the particular circumstances of the case — such as a regulation or stated policy of the applicant's employer discouraging employees from storing personal papers and effects in their desks or filing cabinets — to suggest that the applicant's expectation was unwarranted or unreasonable’.

38.
The Court must therefore examine whether in the present case the applicant had a reasonable expectation of privacy when communicating from the Yahoo Messenger account that he had registered at his employer's request. In this connection, it notes that it is not disputed that the applicant's employer's internal regulations strictly prohibited employees from using the company's computers and resources for personal purposes (see paragraph 8 above).

39.
It follows that the case is different, as suggested by the Government, from the Halford and Copland cases (cited above), in which the personal use of an office telephone was allowed or, at least, tolerated. The case must also be distinguished from the Peev case (cited above), in which the employer's regulations did not forbid employees to keep personal belongings in their professional office.

40.
The Court notes that the applicant chose to raise before the domestic courts his complaint under Article 8 of the Convention within the framework of labour law proceedings. The main object of his case before the domestic courts was indeed his dismissal and the fact that his dismissal had resulted from a breach of his right to respect of his private life was the argument he used in order to prove the nullity of his employer's decision.

41.
It follows that the object of his complaint before the Court is limited to the monitoring of his communications within the framework of disciplinary proceedings; the employer's decision to terminate the applicant's contract was not based on either the actual content of his communications nor on the fact of their eventual disclosure. In this regard, the Court notes that the applicant did not argue that he had had no other fora in which to bring these arguments separately before the domestic courts. The domestic law in force at the time of events provided for other remedies designed principally to protect private life (such as a criminal complaint based on Article 195 of the Criminal Code or a complaint based on Article 18(2) of Law no. 677/2001; see paragraphs 14 and 16 above), and the applicant did not claim that they were ineffective.

42.
The Court must therefore determine whether, in view of the general prohibition imposed by his employer, the applicant retained a reasonable expectation that his communications would not be monitored. In this regard, the Court takes notice that the Data Protection Convention sets up clear principles applying to automatic data processing in order to enable an individual to establish the existence of an automated personal data file and its main purposes (see Articles 5 and 8 of the Data Protection Convention in paragraph 17 above). The relevant EU law goes in the same direction, notably in the field of surveillance of electronic communications in the workplace (see paragraphs 18, 19 and 20 above).

43.
In the instant case, the Court notes that the elements in the file do not easily allow a straightforward answer. Indeed, the parties dispute whether the applicant had been given prior notice that his communications could have been monitored and their content accessed and eventually disclosed. The Government claimed that the applicant had been given proper prior notice that his employer could have monitored his communications (see paragraph 27 above), but the applicant denied having received such specific prior notice (see paragraph 33 above). The Court notes that the Government did not provide a signed copy of the employer's notice of 3 July 2007 (see paragraph 27 above) and that the copy provided by the applicant does not bear any signatures (see paragraph 33 above).

44.
The Court attaches importance to the fact that the employer accessed the applicant's Yahoo messenger account and that the transcript of his communications was further used as a piece of evidence in the domestic labour court proceedings. It also notes that, according to applicant's submissions, that the Government did not explicitly dispute, the content of his communications with his fiancée and his brother was purely private, and related to, among other things, very intimate subjects such as the applicant's health or sex life (see paragraphs 7 and 30 above). It is also mindful of the applicant's argument that his employer had also accessed his personal Yahoo Messenger account (see paragraphs 7 and 31 above).

45.
Having regard to these circumstances, and especially to the fact that the content of the applicant's communications on Yahoo messenger was accessed and that the transcript of these communications was further used in the proceedings before the labour courts, the Court is satisfied that the applicant's ‘private life’ and ‘correspondence’ within the meaning of Article 8 § 1 were concerned by these measures (mutatis mutandis, Köpke v. Germany, (dec.), no. 420/07, 5 October 2010). It therefore finds that Article 8 § 1 is applicable in the present case.

46.
The Court further notes that this complaint is not manifestly ill-founded within the meaning of Article 35 § 3 (a) of the Convention and that it is not inadmissible on any other grounds. It must therefore be declared admissible.

B. Merits

1. The parties' submissions

47.
The applicant took the view that there had been an interference with his private life and correspondence within the meaning of Article 8 of the Convention, and that this interference had not been justified under the second paragraph of Article 8. He submitted that this interference had not been in accordance with the law, as the applicable legislation, namely the Labour Code, lacked sufficient foreseeability; in this connection, he claimed that the Court's findings in the case of Oleksandr Volkov v. Ukraine (no. 21722/11, ECHR 2013) were applicable to the present case. He pointed out that neither the Labour Code nor Law no. 677/2001 provided procedural safeguards as regards the surveillance of an employee's electronic communications.

48.
He further argued that the interference had not been proportionate to the legitimate aim pursued. He refuted the findings of the domestic courts that his employer had had no other choice than to intercept his communications, and complained that no alternative means had been sought so that less damage to his fundamental rights would have been caused whilst fulfilling the same aim. He also mentioned that he had had a tense relationship with his employer and referred to another set of labour law proceedings in which the domestic courts had found in his favour.

49.
The Government argued that the State authorities had met their positive obligations required by Article 8 of the Convention. They submitted that a wide variety of approaches existed among Council of Europe member States with regard to the regulation of monitoring of employees by an employer, and that there was no European consensus on the personal use of the Internet in the workplace.

50.
They contended that in the instant case the authorities had allowed the applicant sufficient protection because of effective domestic court scrutiny of his case. Relying on the findings of the domestic courts, they noted that the applicant's denial of any personal use of his computer had made it necessary for the employer to ascertain the content of the communications. He had thus been presented with the transcripts of his communications for a limited period, that is to say those messages between 5 and 13 July 2007, which demonstrated that he had been blatantly wasting time. The Government further argued that the courts would have proceeded to a different balancing act if the applicant had asserted from the beginning that he had used Yahoo Messenger for personal purposes.

51.
The Government also submitted that the ban on personal use of the company's resources was explicitly contained in the company regulations, and that both its enforcement and consequences had been known to the employees. They concluded that the domestic courts had struck a fair balance between the applicant's rights and his employer's legitimate interests.

2. The Court's assessment

52.
The Court reiterates that although the purpose of Article 8 is essentially to protect an individual against arbitrary interference by the public authorities, it does not merely compel the State to abstain from such interference: in addition to this primarily negative undertaking, there may be positive obligations inherent in an effective respect for private life. These obligations may involve the adoption of measures designed to secure respect for private life even in the sphere of the relations of individuals between themselves (see Von Hannover v. Germany (no. 2) [GC], nos. 40660/08 and 60641/08, § 57, ECHR 2012, and Benediksdóttir v. Iceland (dec.), no. 38079/06, 16 June 2009). The boundary between the State's positive and negative obligations under Article 8 does not lend itself to precise definition. In both contexts regard must be had to the fair balance that has to be struck between the competing interests — which may include competing private and public interests or Convention rights (see Evans v. the United Kingdom [GC], no. 6339/05, §§ 75 and 77, ECHR 2007-I) — and in both contexts the State enjoys a certain margin of appreciation (see Von Hannover, cited above; and Jeunesse v. the Netherlands [GC], no. 12738/10, § 106, 3 October 2014).

53.
In the instant case, the Court finds that the applicant's complaint must be examined from the standpoint of the State's positive obligations since he was employed by a private company, which could not by its actions engage State responsibility under the Convention. The Court's findings in the case of Oleksandr Volkov (cited above), which concerned the dismissal of a judge, are therefore not applicable in the present case, as suggested by the applicant (see paragraph 47 above).

54.
Therefore, the Court has to examine whether the State, in the context of its positive obligations under Article 8, struck a fair balance between the applicant's right to respect for his private life and correspondence and his employer's interests.

55.
In this regard, the Court refers to its findings as to the scope of the complaint which is limited to the monitoring of the applicant's communications within the framework of disciplinary proceedings (see paragraphs 40 and 41 above).

56.
The Court notes that the applicant was able to raise his arguments related to the alleged breach of his private life and correspondence by his employer before the domestic courts. It further notes that they duly examined his arguments and found that the employer had acted in the context of the disciplinary powers provided for by the Labour Code (see paragraphs 10 and 15 above). The domestic courts also found that the applicant had used Yahoo Messenger on the company's computer and that he had done so during working hours; his disciplinary breach was thus established (see paragraph 12 above).

57.
In this context, the Court notes that both the County Court and the Court of Appeal attached particular importance to the fact that the employer had accessed the applicant's Yahoo Messenger account in the belief that it had contained professional messages, since the latter had initially claimed that he had used it in order to advise clients (see paragraphs 10 and 12 above). It follows that the employer acted within its disciplinary powers since, as the domestic courts found, it had accessed the Yahoo Messenger account on the assumption that the information in question had been related to professional activities and that such access had therefore been legitimate. The Court sees no reason to question these findings.

58.
As to the use of the transcript of the applicant's communications on Yahoo Messenger as evidence before the domestic courts, the Court does not find that the domestic courts attached particular weight to it or to the actual content of the applicant's communications in particular. The domestic courts relied on the transcript only to the extent that it proved the applicant's disciplinary breach, namely that he had used the company's computer for personal purposes during working hours. There is, indeed, no mention in their decisions of particular circumstances that the applicant communicated; the identity of the parties with whom he communicated is not revealed either. Therefore, the Court takes the view that the content of the communications was not a decisive element in the domestic courts' findings.

59.
While it is true that it had not been claimed that the applicant had caused actual damage to his employer (compare and contrast Pay v. United Kingdom, (dec.), no. 32792/05, 16 September 2008 where the applicant was involved outside work in activities that were not compatible with his professional duties, and Köpke (cited above), where the applicant had caused material losses to her employer), the Court finds that it is not unreasonable for an employer to want to verify that the employees are completing their professional tasks during working hours.

60.
In addition, the Court notes that it appears that the communications on his Yahoo Messenger account were examined, but not the other data and documents that were stored on his computer. It therefore finds that the employer's monitoring was limited in scope and proportionate (compare and contrast Wieser and Bicos Beteiligungen GmbH v. Austria, no. 74336/01, §§ 59 and 63, ECHR 2007-IV, and Yuditskaya and Others v. Russia, no. 5678/06, § 30, 12 February 2015).

61.
Furthermore, the Court finds that the applicant has not convincingly explained why he had used the Yahoo messenger account for personal purposes (see paragraph 30 above).

62.
Having regard to the foregoing, the Court concludes in the present case that there is nothing to indicate that the domestic authorities failed to strike a fair balance, within their margin of appreciation, between the applicant's right to respect for his private life under Article 8 and his employer's interests.

63.
There has accordingly been no violation of Article 8 of the Convention.

II. Alleged violation of article 6 of the convention


64.
Relying on Article 6 of the Convention, the applicant also complained that the proceedings before the domestic courts had been unfair, in particular as he had not been allowed to present witnesses as part of his case.

65.
The Court notes that the applicant was able to raise these arguments before the Court of Appeal, which ruled, in a sufficiently reasoned decision, that hearing additional witnesses was not relevant to the case (see paragraph 12 above). Such a decision was delivered in a public hearing conducted in an adversarial manner and does not seem arbitrary (see García Ruiz v. Spain [GC], no. 30544/96, §§ 28–29, ECHR 1999-I).

66.
It follows that this complaint is manifestly ill-founded and must be rejected in accordance with Article 35 §§ 3 (a) and 4 of the Convention.

For these reasons, the court


1.

Declares, unanimously, the complaint concerning Article 8 of the Convention admissible and the remainder of the application inadmissible;

2.

Holds, by six votes to one, that there has been no violation of Article 8 of the Convention;
Done in English, and notified in writing on 12 January 2016, pursuant to Rule 77 §§ 2 and 3 of the Rules of Court.
Fatoş Aracı
Deputy Registrar
András Sajó
President
In accordance with Article 45 § 2 of the Convention and Rule 74 § 2 of the Rules of Court, the separate opinion of Judge Pinto de Albuquerque is annexed to this judgment.
A.S.
F.A.

Partly dissenting opinion of judge pinto de albuquerque


1.

Bărbulescu v. Romania concerns the surveillance of Internet usage in the workplace. The majority accept that there has been an interference with the applicant's right to respect for private life and correspondence within the meaning of Article 8 of the European Convention on Human Rights (‘the Convention’), but conclude that there has been no violation of this Article, since the employer's monitoring was limited in scope and proportionate. I share the majority's starting point, but I disagree with their conclusion. I have no reservations in joining the majority in finding the Article 6 complaint inadmissible.

2.

The case presented an excellent occasion for the European Court of Human Rights (‘the Court’) to develop its case-law in the field of protection of privacy with regard to employees' Internet communications1.. The novel features of this case concern the non-existence of an Internet surveillance policy, duly implemented and enforced by the employer, the personal and sensitive nature of the employee's communications that were accessed by the employer, and the wide scope of disclosure of these communications during the disciplinary proceedings brought against the employee. These facts should have impacted on the manner in which the validity of the disciplinary proceedings and the penalty was assessed. Unfortunately, both the domestic courts and the Court's majority overlooked these crucial factual features of the case.

Access to the Internet as a human right


3.
As the Court's Grand Chamber recently stated, user-generated expressive activity on the Internet provides an unprecedented platform for the exercise of freedom of expression2.. In the light of its accessibility and capacity to store and communicate vast amounts of information, the Internet also plays an important role in enhancing the public's access to news and facilitating the dissemination of information in general3.. Along the same line of reasoning, the French Constitutional Council has affirmed that ‘in the current state of means of communication and given the generalised development of public online communication services and the importance of the latter for the participation in democracy and the expression of ideas and opinions, this right (to freedom of expression) implies freedom to access such services.’4. Thus, States have a positive obligation to promote and facilitate universal Internet access, including the creation of the infrastructure necessary for Internet connectivity5.. In the case of private communications on the Internet, the obligation to promote freedom of expression is coupled with the obligation to protect the right to respect for private life. States cannot ensure that individuals are able to freely seek and receive information or express themselves without also respecting, protecting and promoting their right to privacy. At the same time, the risk of harm posed by Internet communications to the exercise and enjoyment of human rights and freedoms, particularly the right to respect for private life, is certainly higher than that posed by the press6.. For example, States should counter racial or religious discrimination or hate speech over the Internet7.. In other words, situations may emerge where the freedom of expression of the content provider, protected by Article 10, may collide with the right to respect for private life of others enshrined in Article 8, or where both the freedom of expression and the right to respect for private life of those involved in Internet communications may conflict with the rights and freedoms of others. The present case pertains to this second type of situation.

Protection of employees' Internet communications in international law


4.
Internet surveillance in the workplace is not at the employer's discretionary power. In a time when technology has blurred the diving line between work life and private life, and some employers allow the use of company-owned equipment for employees' personal purposes, others allow employees to use their own equipment for work-related matters and still other employers permit both, the employer's right to maintain a compliant workplace and the employee's obligation to complete his or her professional tasks adequately does not justify unfettered control of the employee's expression on the Internet8.. Even where there exist suspicions of cyberslacking, diversion of the employer's IT resources for personal purposes, damage to the employer's IT systems, involvement in illicit activities or disclosure of the employer's trade secrets, the employer's right to interfere with the employee's communications is not unrestricted. Given that in modern societies Internet communication is a privileged form of expression, including of private information, strict limits apply to an employer's surveillance of Internet usage by employees during their worktime and, even more strictly, outside their working hours, be that communication conducted through their own computer facilities or those provided by the employer.

5.
The Convention principle is that Internet communications are not less protected on the sole ground that they occur during working hours, in the workplace or in the context of an employment relationship, or that they have an impact on the employer's business activities or the employee's performance of contractual obligations9.. This protection includes not only the content of the communications, but also the metadata resulting from the collection and retention of communications data, which may provide an insight into an individual's way of life, religious beliefs, political convictions, private preferences and social relations10.. In the absence of a warning from the employer that communications are being monitored, the employee has a ‘reasonable expectation of privacy’11.. Any interference by the employer with the employee's right to respect for private life and freedom of expression, including the mere storing of personal data related to the employee's private life, must be justified in a democratic society by the protection of certain specific interests covered by the Convention12., namely the protection of the rights and freedoms of the employer or other employees (Article 8 § 2)13. or the protection of the reputation or rights of the employer or other employees and the prevention of the disclosure of information received by the employee in confidence (Article 10 § 2)14.. Hence, the pursuit of maximum profitability and productivity from the workforce is not per se an interest covered by Article 8 § 2 and Article 10 § 2, but the purpose of ensuring the fair fulfilment of contractual obligations in an employment relationship may justify certain restrictions on the above-mentioned rights and freedoms in a democratic society15..

6.
Other than the Court's case-law, the international standards of personal data protection both in the public and private sectors have been set out in the 1981 Council of Europe Convention for the protection of individuals with regard to automatic processing of personal data16.. In this Convention the protection of personal data was for the first time guaranteed as a separate right granted to an individual. Specific rules for data protection in employment relations are contained in the Council of Europe Committee of Ministers Recommendation Rec(89)2 to member states on the protection of personal data used for employment purposes, 18 January 1989, recently replaced by Recommendation CM/Rec(2015)5 of the Committee of Ministers to member States on the processing of personal data in the context of employment. Also extremely valuable in this context are Recommendation No.R(99) 5 for the protection of privacy on the Internet, adopted on 23 February 1999, and Recommendation CM/Rec(2010)13 on the protection of individuals with regard to automatic processing of personal data in the context of profiling, adopted on 23 November 2010.

7.
In the legal framework of the European Union (EU), respect for private life and protection of personal data have been recognised as separate fundamental rights in Articles 7 and 8 of the EU Charter of Fundamental Rights. The central piece of EU legislation is Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data. Employment relations are specifically referred to only in the context of the processing of sensitive data. Regulation (EC) No 45/2001 lays down the same rights and obligations at the level of the EC institutions and bodies. It also establishes an independent supervisory authority with the task of ensuring that the Regulation is complied with. Directive 2002/58/EC concerns the processing of personal data and the protection of privacy in the electronic communications sector, regulating issues like confidentiality, billing and traffic data and spam. The confidentiality of communications is protected by Article 5 of the Directive, which imposes on Member States an obligation to ensure the confidentiality of communications and the related traffic data by means of a public communications network and publicly available electronic communications services, through national legislation. In particular they are to prohibit listening, tapping, storage or other kinds of interception or surveillance of communications and the related traffic data by persons other than users, without the consent of the users concerned, except when legally authorised to do so. The interception of communications over private networks, including e-mails, instant messaging services, and phone calls, and generally private communications, are not covered, as the Directive refers to publicly available electronic communications services in public communication networks. Also relevant is Directive 2000/31/EC of the European Parliament and of the Council of 8 June 2000 on certain legal aspects of information society services, in particular electronic commerce, in the Internal Market, which specifies that Member States may not impose general monitoring obligations on providers of internet/email services, because such an obligation would constitute an infringement of freedom of information as well as of the confidentiality of correspondence (Article 15). Within the former third pillar of the EU, Framework Decision 2008/977/JHA dealt with the protection of personal data processed in the framework of police and judicial co-operation in criminal matters. Finally, Article 29 Working Party Opinion 8/2001 on the processing of personal data in the employment context, adopted on 13 September 200117., the Working Document on the surveillance and the monitoring of electronic communications in the workplace, adopted on 29 May 200218., the Working Document on a common interpretation of Article 26(1) of Directive 95/46/EC, adopted on 25 November 200519., and Article 29 Working Party Opinion 2/2006 on privacy issues related to the provision of email screening services, adopted on 21 February 200620., are also important for setting the standards of data protection applicable to employees in the EU. In its 2005 annual report, the Working Party affirmed that ‘[i]t is not disputed that an e-mail address assigned by a company to its employees constitutes personal data if it enables an individual to be identified’21..

8.
Finally, both the 1980 Organisation for Economic Co-operation and Development (OECD) Guidelines on the Protection of Privacy and Transborder Flows of Personal Data22., and the International Labour Office's 1997 Code of Practice on the protection of workers' personal data, provide important soft-law guidance to employers, employees and courts.

9.
From this international legal framework, a consolidated, coherent set of principles can be drawn for the creation, implementation and enforcement of an Internet usage policy in the framework of an employment relationship23.. Any information related to an identified or identifiable employee that is collected, held or used by the employer for employment purposes, including with regard to private electronic communications, must be protected in order to respect the employee's right to privacy and freedom of expression24.. Consequently, any processing of personal data for the purposes of recruitment, fulfilment or breach of contractual obligations, staff management, work planning and organisation and termination of an employment relationship in both the public and private sectors must be regulated either by law, collective agreement or contract25.. Particular forms of personal data processing, for example of the employees' usage of Internet and electronic communications in the workplace, warrant detailed regulation26..

10.
Hence, a comprehensive Internet usage policy in the workplace must be put in place, including specific rules on the use of email, instant messaging, social networks, blogging and web surfing. Although policy may be tailor-made to the needs of each corporation as a whole and each sector of the corporation infrastructure in particular, the rights and obligations of employees should be set out clearly, with transparent rules on how the Internet may be used, how monitoring is conducted, how data is secured, used and destroyed, and who has access to it27..

11.
A blanket ban on personal use of the Internet by employees is inadmissible28., as is any policy of blanket, automatic, continuous monitoring of Internet usage by employees29.. Personal data relating to racial origin, political opinions or religious or other beliefs, as well as personal data concerning health, sexual life or criminal convictions are considered as ‘sensitive data’ requiring special protection30..

12.
Employees must be made aware of the existence of an Internet usage policy in force in their workplace, as well as outside the workplace and during out-of-work hours, involving communication facilities owned by the employer, the employee or third parties31.. All employees should be notified personally of the said policy and consent to it explicitly32.. Before a monitoring policy is put in place, employees must be aware of the purposes, scope, technical means and time schedule of such monitoring33.. Furthermore, employees must have the right to be regularly notified of the personal data held about them and the processing of that personal data, the right to access all their personal data, the right to examine and obtain a copy of any records of their own personal data and the right to demand that incorrect or incomplete personal data and personal data collected or processed inconsistently with corporation policy be deleted or rectified34.. In event of alleged breaches of Internet usage policy by employees, opportunity should be given to them to respond to such claims in a fair procedure, with judicial oversight.

13.
The enforcement of an Internet usage policy in the workplace should be guided by the principles of necessity and proportionality, in order to avoid a situation where personal data collected in connection with legitimate organisational or information-technology policies is used to control employees' behaviour35.. Before implementing any concrete monitoring measure, the employer should assess whether the benefits of that measure outweigh the adverse impact on the right to privacy of the concerned employee and of third persons who communicate with him or her36.. Unconsented collection, access and analysis of the employee's communications, including metadata, may be permitted only exceptionally, with judicial authorisation, since employees suspected of policy breaches in disciplinary or civil proceedings must not be treated less fairly than presumed offenders in criminal procedure. Only targeted surveillance in respect of well-founded suspicions of policy violations is admissible, with general, unrestricted monitoring being manifestly excessive snooping on employees37.. The least intrusive technical means of monitoring should be preferred38.. Since blocking Internet communications is a measure of last resort39., filtering mechanisms may be considered more appropriate, if at all necessary, to avoid policy infringements40.. The collected data may not be used for any purpose other than that originally intended, and must be protected from alteration, unauthorised access and any other form of misuse41.. For example, the collected data must not be made available to other employees who are not concerned by it. When no longer needed, the collected personal data should be deleted42..

14.
Breaches of the internal usage policy expose both the employer and the employee to sanctions. Penalties for an employee's improper Internet usage should start with a verbal warning, and increase gradually to a written reprimand, a financial penalty, demotion and, for serious repeat offenders, termination of employment43.. If the employer's Internet monitoring breaches the internal data protection policy or the relevant law or collective agreement, it may entitle the employee to terminate his or her employment and claim constructive dismissal, in addition to pecuniary and non-pecuniary damages.

15.
Ultimately, without such a policy, Internet surveillance in the workplace runs the risk of being abused by employers acting as a distrustful Big Brother lurking over the shoulders of their employees, as though the latter had sold not only their labour, but also their personal lives to employers. In order to avoid such commodification of the worker, employers are responsible for putting in place and implementing consistently a policy on Internet use along the lines set out above. In so doing, they will be acting in accordance with the principled international-law approach to Internet freedom as a human right44..

The absence of a workplace policy on Internet use


16.
The Government argue that the company's internal regulations provided for a prohibition on the use of computers for personal purposes. Although true, the argument is not relevant, since the given internal regulations omitted any reference to an Internet surveillance policy being implemented in the workplace. In this context, it should not be overlooked that the Government also refer to notice 2316 of 3 July 2007, which ‘highlighted that another employee had been let go on disciplinary grounds, specifically due to personal use of the company's Internet connection and phones’ and ‘reiterated that the employer verifies and monitors the employees' activity, specifically stating that they should not use the Internet, phones or faxes for issues unrelated to work’, in other words, which ‘reiterated’ the existence of a policy of Internet surveillance in the company45.. Also according to the Government, the employees had been informed about this notice, and it had even been signed by the applicant. The applicant disputes these facts. The majority themselves acknowledge that it is contested whether the company's Internet surveillance policy had been notified to the applicant prior to the interference with his Internet communications46.. Unfortunately, the majority did not elaborate further on this crucial fact.

17.
Since the existence of prior notice was alleged by the Government and disputed by the applicant, the Government had the burden of providing evidence to that effect, which they did not47.. Moreover, the only copy of the notice 2316 available in the Court's file is not even signed by the employee48.. In other words, there is not sufficient evidence in the file that the company's employees, and specifically the applicant, were aware that monitoring software had been installed by the employer and recorded in real time the employees' communications on the company's computers, produced statistical records of each employee's Internet use and transcripts of the content of the communications exchanged by them, and could block their communication49..

18.
Even assuming that notice 2316 did exist and was indeed notified to the employees, including the applicant, prior to the events in question, this would not suffice to justify the termination of his contract, given the extremely vague character of the notice. A mere communication by the employer to employees that ‘their activity was under surveillance’50. is manifestly insufficient to provide the latter with adequate information about the nature, scope and effects of the Internet surveillance programme implemented51.. Such a poorly-drafted ‘policy’, if existent, offered precious little protection to employees. In spite of its crucial importance for the outcome of the case, the majority did not care to consider the terms of the notice on the company's alleged Internet surveillance policy. Taking into account the evidence before the Court, I cannot but consider that the notice did not identify the minimum elements of an Internet usage and surveillance policy, including the specific misconduct being monitored, the technical means of surveillance and the employee's rights regarding the monitored materials.

The personal and sensitive nature of the employee's communications


19.
The delicate character of the present case is significantly heightened by the nature of certain of the applicant's messages. They referred to the sexual health problems affecting the applicant and his fiancée52.. This subject pertains to the core of the applicant's private life and requires the most intense protection under Article 8. Other than this sensitive data, the messages also dealt with other personal information, such as his uneasiness with the hostile working environment. The employer accessed not only the professional Yahoo Messenger account created by the applicant, but also his own personal account53.. The employer had no proprietary rights over the employee's Yahoo messenger account, notwithstanding the fact that the computer used by the employee belonged to the employer54.. Furthermore, the employer was aware that some of the communications exchanged by the applicant were directed to an account entitled ‘Andra loves you’, which could evidently have no relationship with the performance of the applicant's professional tasks55.. Yet the employer accessed the content of this communication and made transcripts of it against the applicant's explicit will and without a court order56..

The lack of necessity of the employer's interference


20.
In addition, the employer's interference had wide adverse social effects, since the transcripts of the messages were made available to the applicant's colleagues and even discussed by them57.. Even if one were to accept that the interference with the applicant's right to respect for private life was justified in this case, which it was not, the employer did not take the necessary precautionary measures to ensure that the highly sensitive messages were restricted to the disciplinary proceedings. In other words, the employer's interference went far beyond what was necessary58..

21.
Having said that, the termination of the applicant's employment relationship with the company could not be based on evidence that did not meet the Convention standards of protection of employees' privacy. In ratifying the employer's dismissal decision, the domestic courts accepted as legal evidence of the breach of the applicant's professional duties records of private communications which merited Convention protection and had nonetheless been accessed, used and publicised by the employer, in violation of the Convention standard59.. Moreover, the termination of the applicant's employment contract can hardly be said to be proportionate in itself, bearing in mind that it was not proven that the applicant had caused actual damage to his employer, or that he had adopted the same pattern of behaviour for a considerable period of time60..

Conclusion


22.

‘Workers do not abandon their right to privacy and data protection every morning at the doors of the workplace.’61. New technologies make prying into the employee's private life both easier for the employer and harder for the employee to detect, the risk being aggravated by the connatural inequality of the employment relationship. A human-rights centred approach to Internet usage in the workplace warrants a transparent internal regulatory framework, a consistent implementation policy and a proportionate enforcement strategy by employers. Such a regulatory framework, policy and strategy were totally absent in the present case. The interference with the applicant's right to privacy was the result of a dismissal decision taken on the basis of an ad hoc Internet surveillance measure by the applicant's employer, with drastic spill-over effects on the applicant's social life. The employee's disciplinary punishment was subsequently confirmed by the domestic courts, on the basis of the same evidence gathered by the above-mentioned contested surveillance measure. The clear impression arising from the file is that the local courts willingly condoned the employer's seizure upon the Internet abuse as an opportunistic justification for removal of an unwanted employee whom the company was unable to dismiss by lawful means.

23.

Convention rights and freedoms have a horizontal effect, insofar as they are not only directly binding on public entities in the Contracting Parties to the Convention, but also indirectly binding on private persons or entities, the Contracting State being responsible for preventing and remedying Convention violations by private persons or entities. This is an obligation of result, not merely an obligation of means. The domestic courts did not meet this obligation in the present case when assessing the legality of the employer's dismissal decision, adopted in the disciplinary proceedings against the employee. Although they could have remedied the violation of the applicant's right to respect for private life, they opted to confirm that violation. This Court did not provide the necessary relief either. For that reason, I dissent.

bedrijf aanklagen, persoon aanklagen, werkgever aanklagen