That approach is similar to existing law in the United States — which gives companies wide-ranging powers to monitor workplace communications — but the decision stirred unease in Europe, where privacy is viewed as a fundamental right.
In the new ruling, the Grand Chamber, effectively the final appellate division within the European Court of Human Rights, dialed that back.
In an 11 to 6 ruling, it found that Mr. Barbulescu’s privacy rights had been violated.
“Today’s ruling is fairly clear in how it outlines the parameters of monitoring employees,” said Stephen Ravenscroft, a London-based partner specializing in employment law at White & Case, a law firm. “It won’t be sufficient for employers to have a general policy permitting monitoring — the policy will need to be much more detailed, outlining why, how and where employees may be monitored and explaining how any information gathered through monitoring may be used.”
Although a colleague at the Romanian company had been fired for using her work computer, phone and photocopier for personal purposes, the court found that Mr. Barbulescu had “not been informed in advance of the extent and nature of his employer’s monitoring, or the possibility that the employer might have access to the actual contents of his messages,” it said in its ruling.
Furthermore, the chamber found, Romanian courts did not sufficiently examine the company’s need to read the entirety of Mr. Barbulescu’s messages, or the seriousness of the consequences of the monitoring, which resulted in dismissal.
It noted that only a few countries in Europe — Austria, Britain, Finland, Luxembourg, Portugal and Slovakia — have explicitly regulated the issue of workplace privacy through domestic legislation. Most countries in the region do, however, require employers to give prior notice of monitoring. In countries like Denmark, France, Germany, Italy and Sweden, employers may monitor emails marked by employees as “private,” but may not look at the content without permission.
The chamber ruled that countries should ensure that companies’ efforts to monitor employees’ communications are “accompanied by adequate and sufficient safeguards against abuse.”
The latest ruling in the case, Barbulescu v. Romania, applies to the 47 members of the Council of Europe, which includes nearly every country on the Continent, including Russia, Turkey and Ukraine. (The Council of Europe, which focuses on human rights, is separate from the European Union and is not to be confused with the European Council, one of the bloc’s governing bodies.)
In a dissent, six judges wrote that the Romanian courts had not violated Mr. Barbulescu’s right to privacy. They argued that the Romanian authorities had carried out a “careful balancing exercise between the interests at stake, taking into account both the applicant’s right to respect for his private life and the employer’s right to engage in monitoring, including the corresponding disciplinary powers, in order to ensure the smooth running of the company.”
In a statement, one of Mr. Barbulescu’s lawyers, Emeric Domokos-Hancu, said the court’s decision proved that “the right to privacy in the workplace does exist.”
And, he said, the court had “correctly ascertained that a large part of the social, human, professional and personal relations are in fact initiated in workplaces.”
The Romanian Ministry of Foreign Affairs, which represented the country in court, did not immediately respond to a request for comment.
This was the first case that the court had taken up concerning the monitoring of an employee’s electronic communication by a private employer.
When it comes to electronic surveillance, the court has focused mostly on government use and collection of personal data, often in the context of criminal law or health care, and not the conduct of private companies.
In 2007, the European Court of Human Rights found that Britain had violated the privacy of a secretary at a government-run college in Wales by monitoring her phone calls, email and internet use in 1999.
She had not been notified that her communications might be monitored, and the legal framework at the time wasn’t clear. Britain enacted regulations in 2000, giving employers broad power to record or monitor employees’ communications without consent, as long as they took reasonable steps to inform employees that their communications might be intercepted.
In a case that is still pending, an employee of the French national rail company, SNCF, has protested his firing. His employer had found pornography on his work computer, on a hard drive marked “personal data.”