Global menu

Our global pages


A changing landscape for employee monitoring – what this means for you?

  • United Kingdom
  • Technology, Media and Telecoms - General



The recent developments on employee monitoring has emphasised the need for employers to be cautious when implementing systems to monitor employees. The European Court of Human Rights (“ECtHR”) confirmed on 5 September 2017 that employers can monitor their employees’ activities provided appropriate steps are taken to limit their expectation to privacy. The ECtHR decision in the case of Bărbulescu v Romania, provides employers with important guidance on monitoring in the workplace, and while such monitoring is not necessarily unlawful, it serves as a timely reminder of the importance of clear communication to employees about permitted use of corporate systems and devices, and the access to and monitoring of those tools which may occur.


Mr Bărbulescu created a Yahoo account to respond to client queries at his employer's request. The employer's internal policies prohibited any personal use of the account, along with the company IT systems. Mr Bărbulescu was notified of the policy and even acknowledged the policy in writing. However, it was not specifically clear in the policy that his use of the company IT systems could be monitored by the employer.

Back in 2007 the employer informed Mr Bărbulescu that his communications had been monitored, and that the employer was aware that he had been using the instant messaging account for personal purposes, in breach of the company’s policy. The employer provided Mr Bărbulescu with a 45 page transcript containing details of messages which he had exchanged with his fiancée and brother, which were clearly of a personal nature. His employment was subsequently terminated by the company, and his claims in respect of his dismissal were unsuccessful in the Romanian domestic courts. He brought a further claims in the ECtHR, alleging infringement of his right to privacy under Article 8 of the European Convention on Human Rights.

So What?

The ECtHR's decision

In the ECtHR’s previous decisions it had consistently held that employees had a reasonable expectation of privacy in their communications unless they had been warned about the possibility of monitoring. However, in the current ECtHR case, it was disputed between the parties as to whether Mr Bărbulescu had been warned about potential monitoring. The ECtHR looked at whether Mr Bărbulescu could have a reasonable expectation of privacy when he was on notice that personal use of the IT systems was prohibited. The ECtHR was persuaded in its latest decision by the fact that the domestic courts had assessed the employer's monitoring as legitimate as it had been conducted in the belief that the instant messaging account was being used for professional purposes. The ECtHR concluded that the courts had struck a fair balance between the employee's right to respect for his private life under Article 8 and his employer's interests.

What does this mean for you?

In the UK, it is legally permissible for employers to conduct minimal and proportionate monitoring of communications sent using an employer’s IT systems during business hours for specified business purposes i.e. checking the employee’s compliance with the company’s internal IT policies (and subject to various safeguards). Employers who run (or plan to run) employee monitoring activities should be cautious to the privacy risks associated with such monitoring. The key risks that an employer needs to consider are as follows:

• maintaining a balance between employer and employee interests;

• maintaining a distinction between the employee’s professional and private capacity;

• informing the employee of the monitoring; and

• complying with the requirements of applicable data protection laws (including the GDPR from 25 May 2018).

It is important that employers assess whether its aims could be achieved with less intrusive methods – any monitoring should therefore be limited to what is strictly necessary to achieve the employer’s legitimate aims (e.g. prevention of damage to its IT systems). Employers also need to bear in mind, the imbalance in the relationship between employer and employee, i.e. employers who, in the past, have relied on employee consent in relation to monitoring activities, should be aware that consent cannot always be relied on as it difficult to show that the consent from the employee was “freely given”. Therefore, it is recommended that employers instead rely on a legitimate interest.

Maintaining a distinction between the employee’s professional and private life has also become more difficult with the advancement of technology and employers should ensure that they do not inadvertently monitor private activities of its employees in which it has no legitimate interest. Employers should be particularly cautious where it has a “Bring Your Own Device” policy.

The ECtHR judgment underlines the importance of having appropriate and lawful employee monitoring policies in place and making sure both that they are communicated to employees and that they are adhered to by the employer.

Global employers should take the time to review all communications policies to check they include clear usage statements, which comply with local laws. Unfortunately, employers cannot necessarily assume that restricting all employees’ private use from corporate systems and devices will be permitted in all jurisdictions. Employers also need to ensure that they take all necessary steps to implement the policies and, where relevant, engage with employee representative bodies to ensure such policies can be enforced against employees.