Skip to content

Employees and their right to privacy with emails and messages

Browse this blog post

Employees travelling into work today will no doubt be concerned to read the headline that “Bosses win the right to check all your personal communications; nothing is safe, not email, not Facebook, nothing!”. As is often the case with headlines, when the context and back story are factored into the mix, the take-away is less sensationalist.

The right to monitor is not new

Companies have always had the right to monitor emails and other communications, usually justified on the basis of checking compliance with policies, procedures and regulatory requirements. Employers do need to notify their staff that monitoring is taking place and the reasons for doing so, and it would be standard practice to include this notification in the handbook and on the intranet. Further, any monitoring must be proportionate and an impact assessment valuing the individual’s right to privacy against the potential benefit to the employee should be undertaken in order to comply with data protection laws.

What’s all the fuss about?

So why is the European Court of Human Rights case (Barbulescu v Romania) fuelling this frenzy? The story is an employee’s worst nightmare. B set up a Yahoo account at his employer’s request, for the purpose of responding to client enquiries. Messages sent during working hours between B and his fiancée discussing their sex life, and other private conversations, were discovered by his employer. The company rules strictly prohibited the use of company computers and resources for personal purposes, and had notified the staff that monitoring would be taking place. Initially, the employer approached B to inform him the records showed he had used the internet for personal purposes contrary to the rules but  B responded that he had only used it professionally. On the basis that all the messages were business-related, the employer accessed the account for verification purposes and then discovered the intimate personal messages.

B was dismissed for breaching company rules.  He pursued his case through the domestic courts and ultimately to the ECHR claiming his Human Rights Convention Article 8 rights (respect for private and family life) had been violated.  The Court dealt with the situation by asking whether B had a reasonable expectation of privacy when communicating via Yahoo Messenger. It concluded that B did not and, instead, the Company had the right to take steps to reassure itself that employees were doing the work they were paid to do. In striking a balance between the employee’s right to privacy and the employer’s interest, the Court found that the following factors:
•the company rules prohibited personal use;
•advance notification of monitoring was given to employees;
•the Yahoo account had been set up on the request of the employer for business purposes; and
•the Yahoo account had been accessed on the assumption that the information in question related to professional activities,

all tipped the balance in favour of the employer, meaning there was no expectation of privacy and, therefore, no breach of Article 8.


For most UK employers, the situation is less clear cut as it is common practice to have “reasonable use policies”, whereby personal communications are permitted within reason. Also employees rarely have to resort to company equipment as they have personal smart phones to access the internet and various communication channels. Does this change the dynamic?  In a nutshell, it is down to the employer to set the privacy expectations.

Below are some things to think about when setting expectations:
•Don’t assume employees know what to expect - the professional/personal divide is not always obvious
•Educate employees on what they can and can’t do and the consequences of non- compliance
•Bring policies to life with frequent reminders about expectations
•Are your employees aware that their emails may be monitored for specific purposes?
•If personal communications are allowed, can these be tagged as personal?
•If business/personal devices are combined, what are the rules around use?
•Is there a clear policy on BYOD and how does monitoring work in relation to personal devices used for business?
•Employees need to know that privacy in the workplace is not absolute, that conditions are attached
•Employees need to be reminded that they have a responsibility for their privacy – if they don’t want others to see it, don’t bring it into the workplace.