We would not let our employer ransack our home and pry into our personal belongings so why should they be allowed to delve into our personal messages? There is something inherently unnerving about the recent decision from the European Court of Human Rights (ECHR) that justifies bosses snooping into personal messages sent through private messaging platforms during work hours. While it highlights the necessity of some level of control by the employer over the use of the internet and associated messaging platforms, this European decision is one that I predict would not sit well with the majority of New Zealanders were a similar outcome produced here.

On one hand, there are plenty of reasons for employers to monitor staff. Productivity suffers hugely when employees spend too much time on the internet using social networking sites or instant messaging. With the introduction of new communication apps and programs every day, we live in a world full of distractions. With this in mind, striking the balance between the necessity of employer supervision and the privacy rights of an employee can be tricky.

The European case

In a January 2016 decision, the ECHR ruled that a Romanian company’s actions had not breached their employee’s rights by monitoring his email account and then firing him for sending personal messages during work hours. The employee claimed that his right to respect for private and family life, the home and correspondence had been violated. The employer used evidence including transcripts of the employee’s messages to prove he had breached the company’s internal regulations that prohibited the use of company resources for personal purposes. These transcripts included conversations with his brother and with his fiancée, many of which contained deeply sensitive personal information. Most of the messages had been sent through the employee’s Yahoo Messenger account, which his employer had required him to create for the purposes of responding to clients. Five short messages had also been taken from a personal Yahoo Messenger account he had used during work hours.

In the domestic Romanian Court, the employee’s complaint was dismissed on the grounds that he had been duly informed of the company’s regulations. The employee then took his employer’s actions to the ECHR, where the European Court also found for the employer. The ECHR found it was not unreasonable for an employer to want to verify that their employees were completing their professional tasks during working hours and noted that the employer had originally accessed the account to look for client communications. In a six to one ruling, the ECHR concluded that there was nothing to indicate that the domestic authorities failed to strike a fair balance between the applicant’s right to respect for his private life and his employer’s interests.

What is so alarming about this case is that it potentially opens up the floodgates for technological intrusion by employers throughout Europe. While the Court acknowledged that the case did not easily allow a straightforward answer, commentators are predicting the decision could extend to possibly include Facebook and other social media or communication platforms and even correspondence outside of work hours if it is made from a company device.

The complainant employee stated he had not been given prior notice regarding employer monitoring (the employer denied this) and that he felt reassured by his employer instructing him to protect his Yahoo Messenger account by choosing his own password. Passwords should not lead to a false sense of security, however, as many employers around the world are already using technology such as keystroke monitoring, webpage tracking and software that enables remote access to staff members’ screens, allowing for screengrabs of the employee’s activity.

What about the situation in New Zealand?

It is simply impossible for privacy and employment legislation to keep up with the demands and issues raised by the rapid progress of technology. Considering 10 years ago most of us had never even heard of Facebook, laws everywhere have struggled to adapt to the technology explosion of the 2000s that produced such platforms that we now consider to be integral parts of our lives. The current privacy legislation in New Zealand was enacted even before popular use of the internet took off and therefore leaves gaping holes in dealing with many basic technologies. Combined with the historical imbalance of power in the employee/employer relationship that often focuses on the employer being able to do whatever they need to in order to effectively run their business, this current situation seems to have the potential to create incredibly unjust and intrusive results.

In New Zealand case law, we have already seen that Facebook is generally treated as a public forum, and therefore employees’ comments on Facebook may be able to justify dismissal (see our previous blog Facebook and disciplinary issues in employment). But what about private messages within Facebook, personal emails or a similar communication function on another internet platform?

Privacy laws in New Zealand are chiefly governed by the Privacy Act 1993. However, the Privacy Act has played a relatively insignificant role so far in most cases regarding internet usage and monitoring. The limited case law instead seems to focus on fairness and due process when assessing the level of privacy rights afforded to an employee’s email or internet use. One area of particular concern that has been addressed under the Act in the New Zealand Privacy Commission is the use of keystroke logging. A case arose in 2012 involving an employer who used software to collect keystroke logs that identified an employee’s password to his personal email account. The employer then proceeded to use the password to access the email account and copy certain emails from it. In both the employment agreement and employee manual, the employer had clearly set out that work computers would be subject to monitoring, but the Commissioner held that the policies were not explicit enough to make staff aware that such detailed information was being collected. The keystroke issue was found to have breached principles 1, 3 and 4 of the Privacy Act. The Commissioner stated that “an individual’s personal email account attracts a high expectation of privacy and it would require exceptional circumstances to justify an employer directly accessing it”.

Due to the gaps in our domestic law in this area, it seems to be individual company policies that will give the most guidance when identifying the requisite expectation of privacy in each specific case. If a policy states that employees may use the internet for reasonable personal use, an employee’s right to privacy is likely to be stronger than the rights of the employer. If a policy clearly states that no personal internet use is permitted and that usage may be monitored or accessed by the employer, this may give an employer the right to view internet and email traffic, including personal communications. The importance placed on company policy in deciding what is an acceptable level of access for an employer to have to their employees’ technologies shows the need for the parties to explicitly clarify this position from the outset of the relationship. As the Privacy Commission case shows, however, there does still seem to be an inherent level of rights in New Zealand that should not be breached when it comes to personal communications despite what a policy states. When in doubt, an employee should always err on the side of caution, refraining from sending anything that they would not want their boss to see within work hours or through a work device.