NicosiaNicosiaLimassol Mon - Fri 08:00-18:00 +357 22 261 777 Mon - Fri 09:00-18:00 +357 25 261 777
info@vrikislegal.com

Cyprus – Personal Data Protection in the Work Environment

As daily life is becoming more and more integrated with the digital world, invariably the business and work environment has followed suit. Under Cyprus Law, personal data is safeguarded and protected under the Processing of Personal Data (Protection of the Individual) Law of 2001 (as amended). The main aim of this Law is to address privacy issues arising out of the collection, storage, processing and use of personal data. The Law was amended in 2003 in order to harmonise Cyprus legislation with the Directive of the European Union (95/46) on the protection of individuals with regard to the processing of personal data.

In a time when technology has blurred the diving line between work life and private life, and some employers allow the use of company-owned equipment for employees’ personal purposes, others allow employees to use their own equipment for work-related matters and still other employers permit both, the employer’s right to maintain a compliant workplace and the employee’s obligation to complete his or her professional tasks adequately does not justify unfettered control of the employee’s expression on the Internet.

Case Law Analysis

Guidance can be sought in judgements issued by the European Court of Human Rights (hereinafter “ECHR”), one of the most recent ones being the case of BĂRBULESCU v. ROMANIA (Application Number 61496/08), which was issued in January 2016.  In the said case, the applicant alleged, in particular, that his employer’s decision to terminate his contract had been based on a breach of his right to respect for his private life and correspondence and that the domestic courts had failed to protect his right.

In brief, the facts of the case where that Mr. Barbulescu, at his employer’s request, created a Yahoo Messenger account for the purpose of responding to clients’ enquiries. The employer informed the applicant that his Yahoo Messenger communications had been monitored from 5 to 13 July 2007 and that the records showed that he had used the Internet for personal purposes, contrary to internal regulations. The applicant replied in writing that he had only used Yahoo Messenger for professional purposes. When presented with a forty-five-page transcript of his communications on Yahoo Messenger, the applicant notified his employer that, by violating his correspondence, they were accountable under the Criminal Code. The forty‑five pages contained transcripts of all the messages that the applicant had exchanged with his fiancée and his brother during the period when his communications had been monitored; they related to personal matters involving the applicant.

The transcript also contained five short messages that the applicant had exchanged with his fiancée on 12 July 2007 using a personal Yahoo Messenger account; these messages did not disclose any intimate information.

Given the above, the employer proceeded with terminating Mr. Barbulescu’s employment for breach of the company’s internal regulations which stated, inter alia:

It is strictly forbidden to disturb order and discipline within the company’s premises and especially … to use computers, photocopiers, telephones, telex and fax machines for personal purposes.”

Mr Barbulescu subsequently brought employment claims in the Romanian courts alleging that his dismissal was void since the employer had breached his right to privacy by accessing his private communications. Mr Barbulescu was unsuccessful before the Romanian courts but his case was brought before the ECHR. Mr Barbulescu’s argument was that Romania had failed to protect properly his Article 8 right to respect for his private and family life, his home and correspondence.

The Decision of the ECHR

The first key point made by the ECHR was confirmation that Article 8 is engaged to protect employees who use their employer’s telecommunications systems for private purposes. In other words, employees have a reasonable expectation of privacy at work. Nonetheless, this right is not absolute. The question in this case was whether Romania had struck the right balance between protecting the right of Mr Barbulescu to privacy at work with that of his employer to manage its resources effectively.

The ECHR found against Mr Barbulescu in this regard. It noted that:

  • the employer had a clear policy regarding the private use of the employer’s telecommunications systems;
  • it had not been unreasonable for the employer to want to verify that its employees were engaged on professional tasks during working hours;
  • monitoring was the only effective way of ensuring that telecommunications were being used for work-related purposes;
  • when the employer accessed the Yahoo Messenger account, it did so in the belief that the account contained only employment-related messages, this being the basis on which the account had been set up; and
  • the employer had not gone beyond examining the Yahoo Messenger account to checking any other documents or data on his computer.

Therefore, the employer’s monitoring was limited in scope and proportionate.

It is worth noting that the Romanian Court of Appeal used the following wording, which was later approved by the ECHR:
In view of the fact that the employer has the right and the obligation to ensure the functioning of the company and, to this end, [the right] to check the manner in which its employees complete their professional tasks, and of the fact that [the employer] holds the disciplinary power of which it can legitimately dispose and which [entitled it] to monitor and to transcribe the communications on Yahoo Messenger that the employee denied having had for personal purposes, after having been, together with his other colleagues, warned against using the company’s resources for personal purposes, it cannot be held that the violation of his correspondence was not the only manner to achieve this legitimate aim and that the proper balance between the need to protect his private life and the right of the employer to supervise the functioning of its business was not struck.”

European Union Instruments

Directive 95/46/EC of the European Parliament and of the Council of the European Union of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data provides that the object of national laws in this area is notably to protect the right to privacy as recognised both in Article 8 of the Convention and the general principles of EU law.

The Directive defines personal data as “any information relating to an identified or identifiable natural person” (Article 2(a)) and asks for the Member States to prohibit processing of personal data concerning, among other things, “health or sex life” (Article 8(1)).

A Data Protection Working Party (“the Working Party”) was established under Article 29 of the Directive in order to examine the issue of surveillance of electronic communications in the workplace and to evaluate the implications of data protection for employees and employers. It is an independent EU advisory body. The Working Party issued in September 2001 opinion 8/2001 on the processing of personal data in an employment context, which summarises the fundamental data protection principles: finality, transparency, legitimacy, proportionality, accuracy, security and staff awareness. With regard to monitoring of employees, it suggested that it should be:

“A proportionate response by an employer to the risks it faces taking into account the legitimate privacy and other interests of workers”.

In May 2002 the Working Party produced the “Working document on the surveillance and the monitoring of electronic communications in the workplace”

(“the working document”). This working document asserts that the simple fact that monitoring or surveillance conveniently serves an employer’s interest could not justify an intrusion into workers’ privacy. The document suggests that any monitoring measure must pass a list of four tests: transparency, necessity, fairness and proportionality.

From a technical point of view, the working document indicates that:

“Prompt information can be easily delivered by software such as warning windows, which pop up and alert the worker that the system has detected and/or has taken steps to prevent an unauthorised use of the network.”

More specifically, with regard to the question of access to an employee’s e-mails, the working document holds that:

“Opening an employee’s e-mail may also be necessary for reasons other than monitoring or surveillance, for example in order to maintain correspondence in case the employee is out of office (for example due to sickness or leave) and correspondence cannot be guaranteed otherwise (for example via an autoreply or automatic forwarding).”

Further ECHR Case Law

The Court has consistently held that the notion of private life is a broad concept (see, E.B. v. France [GC], no. 43546/02, 22 January 2008, and Bohlen v. Germany, no. 53495/09, 19 February 2015). It encompasses, for example, the right to establish and develop relationships with other human beings, and the right to identity and personal development (Fernández Martínez v. Spain [GC], no. 56030/07,) A broad reading of Article 8 does not mean, however, that it protects every activity a person might seek to engage in with other human beings in order to establish and develop such relationships. It will not, for example, protect interpersonal relations of such broad and indeterminate scope that there can be no conceivable direct link between the action or inaction of a State and a person’s private life (see, mutatis mutandisBotta v. Italy, 24 February 1998, Reports of Judgments and Decisions 1998‑I).

Thus, according to the Court’s case-law, telephone calls from business premises are prima facie covered by the notions of “private life” and “correspondence” for the purposes of Article 8 § 1 (see Halford v. the United Kingdom (25 June 1997, Reports of Judgments and Decisions 1997‑III, where one of the landlines of the office had been designated for the applicant’s personal use), and Amann v. Switzerland [GC], no. 27798/95, ECHR 2000‑II). The Court further held that e-mails

sent from work should be similarly protected under Article 8, as should information derived from the monitoring of personal Internet usage (see Copland v. the United Kingdom (no. 62617/00, ECHR 2007‑I, where personal use was allowed and the  surveillance aimed to determine whether the applicant had made “excessive use” of the facilities).

In the absence of a warning that one’s calls would be liable to monitoring, the applicant had a reasonable expectation as to the privacy of calls made from a work telephone (see Halford, cited above) and the same expectation should apply in relation to an applicant’s e-mail and Internet usage (see Copland, cited above). In a case in which the applicant’s workspace at a prosecutor’s office had been searched and some of his belongings had been seized (Peev v. Bulgaria, no. 64209/01, 26 July 2007), the Court held that the search amounted to an interference with the applicant’s “private life”; the Court found that the applicant had a reasonable expectation of privacy with regard to the personal belongings that he kept in his office. The Court further held that:

“… such an arrangement is implicit in habitual employer-employee relations and there is nothing in the particular circumstances of the case – such as a regulation or stated policy of the applicant’s employer discouraging employees from storing personal papers and effects in their desks or filing cabinets – to suggest that the applicant’s expectation was unwarranted or unreasonable”.
The Court must therefore examine whether in the present case the applicant had a reasonable expectation of privacy when communicating from the telecommunication means provided by his employer.

Does the Employer need to prove Actual Damage?

In the case of Pay v. United Kingdom, (dec.), no.32792/05, 16 September 2008 where the applicant was involved outside work in activities that were not compatible with his professional duties, and damage was proven from such actions of the employee to the employer, and Köpke v. Germany, (dec.), no. 420/07, 5 October 2010, where the applicant had caused material losses to her employer), in the case of BĂRBULESCU v. ROMANIA  the Court found that it is not unreasonable for an employer to want to verify that the employees are completing their professional tasks during working hours.

Complexity of Issues

One needs to be careful and review the merits on a case-by-case basis. By way of example, in the case of Malone v. the United Kingdom, 2 August 1984, Series A no. 82, the Court affirmed in Copland, cited above, that, even if the monitoring is limited to “information relating to the date and length of telephone conversations and in particular the numbers dialed”, as well as to e-mail and Internet usage, and without

access to the content of the communications, it still violates Article 8 of the Convention. The same point was made by the Court of Justice of the European Union, Joined Cases C-293/12 and C-594/12, Digital Rights Ireland and Seitlinger and Others, Judgment of 8 April 2014, paragraphs 26-27, and 37, and the Report of the United Nations High Commissioner for Human Rights on the right to privacy in the digital age, 30 June 2014, paragraph 19 (A/HRC/27/37).

The “Ownership Argument” & the “Working Time Argument”

The ownership argument (that the Employer is the owner of all telecommunication equipment of the office and thus allowed to monitor how it is being used) is not lacking in logical appeal, but it should be approached with caution. It can be questioned whether it is appropriate to approach the matter in black-or-white reasoning, arguing that the employee no longer has any expectation of privacy whenever he or she uses IT facilities belonging to the employer, and, conversely, the employer has such an expectation whenever he or she uses his or her own IT facilities.

A more nuanced approach is necessary, as emerges from the Article 29 Working Party Working document on surveillance and monitoring of electronic communications in the workplace, page 20:

In any case, the location and ownership of the electronic means used do not rule out secrecy of communications and correspondence as laid down in fundamental legal principles and constitutions.”

Recently, the Canadian Supreme Court underscored the same idea, asserting the employee’s reasonable expectation of privacy over his personal information stored in company-owned equipment (R. v. Cole, (2012) SCC 53).

By the same token, the working time argument, which claims that an individual at work is not on “private time” and that therefore no right to privacy applies in the workplace, is also misleading. As per the judgment issued by Justice Blackmun writing for the minority in O’Connor v. Ortega 480 US 709 (1983), “the reality of work in modern time, whether done by public or private employees, reveals why a public employee’s expectation of privacy in the workplace should be carefully safeguarded and not lightly set aside. It is, unfortunately, all too true that the workplace has become another home for most working Americans. Many employees spend the better part of their days and much of their evenings at work … As a result, the tidy distinctions (to which the plurality alludes) between the workplace and professional affairs, on the one hand, and personal possessions and private activities, on the other, do not exist in reality.”

Finding the Right Balance

Find the right balance between monitoring of employees and the protection of personal data is a delicate task, which will also depend on the specific situation and facts of each case. However, in general, if monitoring is to take place:

  • Make sure that this is clearly stated in a policy that it brought to the attention of all affected employees. The policy should state which communications may be monitored and in what circumstances. This will set the expectations of employees as to the circumstances in which their communications may be monitored.
  • Limit the number of individuals within your firm who may undertake monitoring and set out clear ground rules about the monitoring that can take place which are consistent with company policy.
  • Is monitoring is really required in a particular situation?
  • Act proportionately – if your concern is, for example, the volume of private emails being sent, it is usually not necessary to read the contents of those emails to establish the point.

 View as PDF