The European Court of Human Rights (ECHR) has ruled in favour of the employer in a case concerning a Romanian sales engineer whose employment was terminated following discovery by his employer that he was sending private messages using a Yahoo account during work hours.

The employee set up the Yahoo account at the employer’s request for the purpose of responding to client queries. Company rules made it clear that computers were not to be used for personal reasons. However, the employee used the account to send personal messages to his brother and fiancée, including about his health and sex life. The question for the ECHR was whether the employer acted lawfully in accessing the individual’s private messages on a business account.

The key point of the ECHR ruling was that there had been no violation of Article 8 of the European Convention on Human Rights (the right to respect for private life, home and correspondence). It held that “it is not unreasonable for an employer to want to verify that the employees are completing their professional tasks during working hours” and “the employer’s monitoring was limited in scope and proportionate.”

This decision has created a lot of publicity and media coverage. Some commentary suggests that employers now have free rein to read employees’ private messages. That is not the case. In the UK, employers have been able to review employee emails when carrying out disciplinary investigations and the employment tribunals have accepted evidence obtained in that way. The key issue is often whether, on the facts, the employee has a reasonable expectation of privacy. A balance must be struck between an employee’s right to respect for private life and the employer’s interests.

This case does not alter previous case law on the reasonable expectation of privacy, nor does it override existing legislation, which places key limitations on an employer’s power to monitor employees’ private communications. It does, however, serve as a helpful reminder of how employers can and should lawfully monitor employee communications.

It is now, more than ever, important to ensure that your business has in place a clear and comprehensive policy setting out what is considered acceptable use of company IT systems, that such systems may be monitored and the extent and purpose of such monitoring. Policies need to be clearly communicated to employees and made readily available. Any investigation or action taken against an employee for an alleged misuse of company IT systems should be consistent, reasonable and proportionate.

Multinational companies should be aware that restrictions on employee monitoring may differ considerably across different European jurisdictions. There may also be limitations and, under general and sector-specific data protection, telecommunication and employment laws that need to be considered prior to undertaking any employee monitoring. For example, in the UK, the Regulation of Investigatory Powers Act 2000 prohibits the interception of communication, including emails, except with the prior consent of both the sender and the recipient.