1

Kontrolle der (privaten) Internetnutzung am Arbeitsplatz

WOLFGANGGORICNIK (SALZBURG)
EGMR 12.1.2016 61496/08Bărbulescu/Rumänien
  1. Das Verbot der Nutzung von Betriebsmitteln für private Zwecke ändert nichts daran, dass private Kommunikation am Arbeitsplatz dem Schutz des Art 8 Abs 1 EMRK hinsichtlich des Rechtes auf Achtung des Privatlebens und der Korrespondenz unterliegt.

  2. Aus Art 8 EMRK ergibt sich auch die Verpflichtung des Staates, durch entsprechende Maßnahmen den Schutz des Privatlebens auch im Verhältnis zwischen Privatpersonen zu gewährleisten, wobei der Staat dabei einen entsprechenden Wertungsspielraum zur Ausbalancierung widerstreitender Interessen genießt.

  3. Die staatlichen Gerichte haben einen gerechten Mittelweg zwischen dem Recht des AN auf Achtung seines Privatlebens und seiner Korrespondenz und den Interessen des AG an der Verwendung der Arbeitszeit für betriebliche Zwecke zu finden.

Procedure

1. The case originated in an application (no. 61496/08) against Romania lodged with the Court under Art 34 of the Convention for the Protection of Human Rights and Fundamental Freedoms (“the Convention’’) by a Romanian national, Mr Bogdan Mihai Bărbulescu (“the applicant’’), on 15 December 2008. [...]

3. The applicant alleged, in particular, that his employer’s decision to terminate his contract had been based on a breach of his right to respect for his private life and correspondence and that the domestic courts had failed to protect his right. [...]

The circumstances of the case

[...]

6. The applicant was employed by a private company (“the employer’’) as an engineer in charge of sales. At his employer’s request, he created a Yahoo Messenger account for the purpose of responding to clients’ enquiries.

7. On 13 July 2007 the employer informed the applicant that his Yahoo Messenger communications had been monitored from 5 to 13 July 2007 and that the records showed that he had used the Internet for personal purposes, contrary to internal regulations. The applicant replied in writing that he had only used Yahoo Messenger for professional purposes. When presented with a forty-five-19page transcript of his communications on Yahoo Messenger, the applicant notified his employer that, by violating his correspondence, they were accountable under the Criminal Code. The fortyfive pages contained transcripts of all the messages that the applicant had exchanged with his fiancée and his brother during the period when his communications had been monitored; they related to personal matters involving the applicant. The transcript also contained five short messages that the applicant had exchanged with his fiancée on 12 July 2007 using a personal Yahoo Messenger account; these messages did not disclose any intimate information.

8. On 1 August 2007 the employer terminated the applicant’s employment contract for breach of the company’s internal regulations which stated, inter alia:

“It is strictly forbidden to disturb order and discipline within the company’s premises and especially ... to use computers, photocopiers, telephones, telex and fax machines for personal purposes.’’

9. The applicant challenged his employer’s decision before the Bucharest County Court (“the County Court’’). He complained that this decision had been null and void since, by accessing his communications, his employer had violated his right to correspondence protected by the Romanian Constitution and the Criminal Code.

10. In a judgment of 7 December 2007 the County Court dismissed his complaint on the grounds that the employer had complied with the dismissal proceedings provided for by the Labour Code and noted that the applicant had been duly informed of the employer’s regulations that prohibited the use of company resources for personal purposes. The County Court’s judgment reads, in its relevant parts:

“The court takes the view that the monitoring of the (applicant)’s Yahoo Messenger communications from the company’s computer [...] during working hours – regardless of whether the employer’s actions were or were not illegal – cannot affect the validity of the disciplinary proceedings in the instant case [...]. However, since the (applicant) claimed during the disciplinary proceedings that he had not used Yahoo Messenger for personal purposes but rather for advising clients on the products offered by his employer, the court finds that checking the content of the (applicant)’s communications was the only method for the employer to verify the (applicant)’s line of defence.The employer’s right to monitor their employees’ use of the company’s computers in the workplace falls within the broad scope of the right to check the manner in which professional tasks are complete. As long as the employees’ attention [...] had been drawn to the fact that, not long before the applicant had received a disciplinary sanction, another colleague had been dismissed for having used the Internet, the telephone and the photocopiers for personal purposes and they had been warned that their activity was under surveillance (see notice no 2316 of 3 July 2007 that the applicant had signed [...]) it cannot be held against the employer that he had not proven transparency and that he had not been open with regard to his activities in monitoring the use of the computers by its employees.The Internet in the workplace must remain a tool at the employee’s disposal. It was granted by the employer for professional use and it is indisputable that the employer, by virtue of the right to monitor the employees’ activities, has the prerogative to keep personal use of the Internet monitored.Some of the reasons that make the employer’s checks necessary are the possibilities that through use of the Internet employees could damage the company’s IT systems, or engage in illicit activities in the company’s name, or reveal the company’s commercial secrets.“

11. The applicant appealed against this judgment. He claimed that e-mails were also protected by Art 8 of the Convention as pertaining to “private life’’ and “correspondence’’. He also complained that the County Court had not allowed him to call witnesses to prove that the employer had not suffered as a result of his actions.

12. In a final decision of 17 June 2008, the Bucharest Court of Appeal (“the Court of Appeal’’) dismissed his appeal and upheld the judgment rendered by the County Court. Relying on EU Directive 95/46/EC, the Court of Appeal ruled that the employer’s conduct had been reasonable and that the monitoring of the applicant’s communications had been the only method of establishing if there had been a disciplinary breach. With regard to his procedural rights, the Court of Appeal dismissed the applicant’s arguments, stating that the evidence already before it was sufficient. The Court of Appeal’s decision reads, in its relevant parts:

In view of the fact that the employer has the right and the obligation to ensure the functioning of the company and, to this end, (the right) to check the manner in which its employees complete their professional tasks, and of the fact that (the employer) holds the disciplinary power of which it can legitimately dispose and which (entitled it) to monitor and to transcribe the communications on Yahoo Messenger that the employee denied having had for personal purposes, after having been, together with his other colleagues, warned against using the company’s resources for personal purposes, it cannot be held that the violation of his correspondence was not the only manner to achieve this legitimate aim and that the proper balance between the need to protect his private life and the right of the employer to supervise the functioning of its business was not struck.’’ [...]

Alleged Violation of Art 8 of the Convention

23. The applicant complained that his employer’s decision to terminate his contract had been based on a breach of his right to respect for his private life and correspondence and that the domestic courts had failed to protect his right; he relied on Art 8 of the Convention. [...]

The parties’ submissions

24. The Government submitted that Art 8 of the Convention was not applicable in the present case. They noted that the applicant had set up the Yahoo Messenger account for professional use and20 he furthermore claimed that he had only used it for this purpose; the Government inferred that the applicant could not claim an “expectation of privacy’’ while at the same time denying any private use. [...]

29. The applicant contested the Government’s submissions and claimed that his communications on Yahoo Messenger had had a private character and therefore fell within the scope of Art 8 of the Convention. Referring to the State’s positive obligations according to Art 8, he argued that this provision was applicable on account of the Romanian State’s failure to protect his private sphere from interference by his employer. He pointed out that he had consistently raised this argument before the domestic authorities.

30. In the applicant’s opinion, it could not be disputed that the data intercepted by his employer represented both “personal data’’ and “sensitive personal data’’ within the meaning of Law no. 677/2001 and EU Directive 95/46/EC; the information related to identified persons (the applicant, his fiancée and his brother) and concerned sensitive issues (such as the applicant’s health and sex life). The applicant did not explain why he had used Yahoo Messenger for personal purposes, but suggested that at the material time the prices for mobile phones had been very high and that the requests for his professional services, as an engineer charged with selling heating equipment, had been very low in July 2007.

31. The applicant also complained that his employer had also accessed his personal Yahoo Messenger account, which had a different ID from the one he had registered for professional purposes. More over, the transcript of his communications had been made available to his colleagues who had discussed it publicly. [...]

33. The applicant insisted that the Yahoo Messenger software was by its nature designed for personal use and that the nature of the instant messaging service had entitled him to expect that his communications would be private. Had he not expected privacy, he would have refrained from disclosing intimate information. He had felt reassured by his employer instructing him to protect his Yahoo Messenger account by choosing his own password. He denied having been given proper prior notice of his employer’s monitoring; he argued that the general prohibition in the employer’s internal regulations could not have amounted to prior notice of monitoring. He believed that the notice of 3 July 2007 had been identified after the facts; he submitted a copy of this notice which however does not bear the employees’ signatures.

34. The applicant found the Government’s submissions that he had initially asserted that he had used that account for professional purposes artificial; irrespective of his initial position, the fact that the actual use of the instant messaging service had been for personal purposes remains undisputed. He concluded that an employee’s right to establish and develop personal relationships during business hours could not be suppressed at the discretion or by a decision of their employer.

The Court’s assessment

[...]

36. Thus, according to the Court’s case-law, telephone calls from business premises are prima facie covered by the notions of “private life’’ and “correspondence’’ for the purposes of Art 8 § 1 (see Halford v. the United Kingdom, § 44, and Amann v. Switzerland [GC], no. 27798/95, § 43). The Court further held that e-mails sent from work should be similarly protected under Art 8, as should information derived from the monitoring of personal Internet usage (see Copland v. the United Kingdom, no. 62617/00, § 41).

37. In the absence of a warning that one’s calls would be liable to monitoring, the applicant had a reasonable expectation as to the privacy of calls made from a work telephone (see Halford, § 45) and the same expectation should apply in relation to an applicant’s e-mail and Internet usage (see Copland, § 41). In a case in which the applicant’s workspace at a prosecutor’s office had been searched and some of his belongings had been seized (Peev v. Bulgaria, no. 64209/01), the Court held that the search amounted to an interference with the applicant’s “private life’’; the Court found that the applicant had a reasonable expectation of privacy with regard to the personal belongings that he kept in his office (ibid., § 39). The Court further held that:

“39. ... such an arrangement is implicit in habitual employer-employee relations and there is nothing in the particular circumstances of the case – such as a regulation or stated policy of the applicant’s employer discouraging employees from storing personal papers and effects in their desks or filing cabinets – to suggest that the applicant’s expectation was unwarranted or unreasonable’’.

38. The Court must therefore examine whether in the present case the applicant had a reasonable expectation of privacy when communicating from the Yahoo Messenger account that he had registered at his employer’s request. In this connection, it notes that it is not disputed that the applicant’s employer’s internal regulations strictly prohibited employees from using the company’s computers and resources for personal purposes (see § 8 above).

39. It follows that the case is different, as suggested by the Government, from the Halford and Copland cases (cited above), in which the personal use of an office telephone was allowed or, at least, tolerated. The case must also be distinguished from the Peev case (cited above), in which the employer’s regulations did not forbid employees to keep personal belongings in their professional office.

40. The Court notes that the applicant chose to raise before the domestic courts his complaint under Art 8 of the Convention within the framework of labour law proceedings. The main object of his case before the domestic courts was indeed his dismissal and the fact that his dismissal had resulted from a breach of his right to respect of his private life was the argument he used in order to prove the nullity of his employer’s decision.

[...]21

42. The Court must therefore determine whether, in view of the general prohibition imposed by his employer, the applicant retained a reasonable expectation that his communications would not be monitored. In this regard, the Court takes notice that the Data Protection Convention sets up clear principles applying to automatic data processing in order to enable an individual to establish the existence of an automated personal data file and its main purposes (see Art 5 and 8 of the Data Protection Convention). The relevant EU law goes in the same direction, notably in the field of surveillance of electronic communications in the workplace.

43. In the instant case, the Court notes that the elements in the file do not easily allow a straightforward answer. Indeed, the parties dispute whether the applicant had been given prior notice that his communications could have been monitored and their content accessed and eventually disclosed. The Government claimed that the applicant had been given proper prior notice that his employer could have monitored his communications, but the applicant denied having received such specific prior notice (see § 33). The Court notes that the Government did not provide a signed copy of the employer’s notice of 3 July 2007 and that the copy provided by the applicant does not bear any signatures (see § 33).

44. The Court attaches importance to the fact that the employer accessed the applicant’s Yahoo messenger account and that the transcript of his communications was further used as a piece of evidence in the domestic labour court proceedings. It also notes that, according to applicant’s submissions, that the Government did not explicitly dispute, the content of his communications with his fiancée and his brother was purely private, and related to, among other things, very intimate subjects such as the applicant’s health or sex life (see §§ 7 and 30). It is also mindful of the applicant’s argument that his employer had also accessed his personal Yahoo Messenger account (see §§ 7 and 31).

45. Having regard to these circumstances, and especially to the fact that the content of the applicant’s communications on Yahoo messenger was accessed and that the transcript of these communications was further used in the proceedings before the labour courts, the Court is satisfied that the applicant’s “private life’’ and “correspondence’’ within the meaning of Art 8 § 1 were concerned by these measures (mutatis mutandis, Köpke v. Germany, (dec.), no. 420/07). It therefore finds that Art 8 § 1 is applicable in the present case.

46. The Court further notes that this complaint is not manifestly ill-founded within the meaning of Art 35 § 3 (a) of the Convention and that it is not inadmissible on any other grounds. It must therefore be declared admissible. [...]

52. The Court reiterates that although the purpose of Art 8 is essentially to protect an individual against arbitrary interference by the public authorities, it does not merely compel the State to abstain from such interference: in addition to this primarily negative undertaking, there may be positive obligations inherent in an effective respect for private life. These obligations may involve the adoption of measures designed to secure respect for private life even in the sphere of the relations of individuals between themselves (see Von Hannover v. Germany (no. 2) [GC], nos. 40660/08 and 60641/08, § 57, and Benediksdóttir v. Iceland (dec.), no. 38079/06). The boundary between the State’s positive and negative obligations under Art 8 does not lend itself to precise definition. In both contexts regard must be had to the fair balance that has to be struck between the competing interests – which may include competing private and public interests or Convention rights (see Evans v. the United Kingdom [GC], no. 6339/05, §§ 75 and 77) – and in both contexts the State enjoys a certain margin of appreciation (see Von Hannover and Jeunesse v. the Netherlands [GC], no. 12738/10, § 106).

53. In the instant case, the Court finds that the applicant’s complaint must be examined from the standpoint of the State’s positive obligations since he was employed by a private company, which could not by its actions engage State responsibility under the Convention. The Court’s findings in the case of Oleksandr Volkov v. Ukraine (no. 21722/11), which concerned the dismissal of a judge, are therefore not applicable in the present case, as suggested by the applicant.

54. Therefore, the Court has to examine whether the State, in the context of its positive obligations under Art 8, struck a fair balance between the applicant’s right to respect for his private life and correspondence and his employer’s interests.

55. In this regard, the Court refers to its findings as to the scope of the complaint which is limited to the monitoring of the applicant’s communications within the framework of disciplinary proceedings (see §§ 40 and 41 above).

56. The Court notes that the applicant was able to raise his arguments related to the alleged breach of his private life and correspondence by his employer before the domestic courts. It further notes that they duly examined his arguments and found that the employer had acted in the context of the disciplinary powers provided for by the Labour Code (see §§ 10 and 15 above). The domestic courts also found that the applicant had used Yahoo Messenger on the company’s computer and that he had done so during working hours; his disciplinary breach was thus established (see § 12 above).

57. In this context, the Court notes that both the County Court and the Court of Appeal attached particular importance to the fact that the employer had accessed the applicant’s Yahoo Messenger account in the belief that it had contained professional messages, since the latter had initially claimed that he had used it in order to advise clients (see §§ 10 and 12 above). It follows that the employer acted within its disciplinary powers since, as the domestic courts found, it had accessed the Yahoo Messenger account on the assumption that the information in question had been related to professional activities and that such access had therefore been legitimate. The Court sees no reason to question these findings.22

58. As to the use of the transcript of the applicant’s communications on Yahoo Messenger as evidence before the domestic courts, the Court does not find that the domestic courts attached particular weight to it or to the actual content of the applicant’s communications in particular. The domestic courts relied on the transcript only to the extent that it proved the applicant’s disciplinary breach, namely that he had used the company’s computer for personal purposes during working hours. There is, indeed, no mention in their decisions of particular circumstances that the applicant communicated; the identity of the parties with whom he communicated is not revealed either. Therefore, the Court takes the view that the content of the communications was not a decisive element in the domestic courts’ findings.

59. While it is true that it had not been claimed that the applicant had caused actual damage to his employer (compare and contrast Pay v. United Kingdom, (dec.), no. 32792/05, where the applicant was involved outside work in activities that were not compatible with his professional duties, and Köpke (cited above), where the applicant had caused material losses to her employer), the Court finds that it is not unreasonable for an employer to want to verify that the employees are completing their professional tasks during working hours.

60. In addition, the Court notes that it appears that the communications on his Yahoo Messenger account were examined, but not the other data and documents that were stored on his computer. It therefore finds that the employer’s monitoring was limited in scope and proportionate (compare and contrast Wieser and Bicos Beteiligungen GmbH v. Austria, no. 74336/01, §§ 59 and 63, and Yuditskaya and Others v. Russia, no. 5678/06, § 30).

61. Furthermore, the Court finds that the applicant has not convincingly explained why he had used the Yahoo messenger account for personal purposes (see § 30 above).

62. Having regard to the foregoing, the Court concludes in the present case that there is nothing to indicate that the domestic authorities failed to strike a fair balance, within their margin of appreciation, between the applicant’s right to respect for his private life under Art 8 and his employer’s interests.

63. There has accordingly been no violation of Art 8 of the Convention. [...]

For these reasons, the Court

1. Declares, unanimously, the complaint concerning Art 8 of the Convention admissible and the remainder of the application inadmissible;

2. Holds, by six votes to one, that there has been no violation of Art 8 of the Convention. [...]

In accordance with Art 45 § 2 of the Convention and Rule 74 § 2 of the Rules of Court, the separate opinion of Judge Pinto de Albuquerque is annexed to this judgment.

Partly dissenting opinion ofJudge Pinto de Albuquerque

1. Bărbulescu v. Romania concerns the surveillance of Internet usage in the workplace. The majority accept that there has been an interference with the applicant’s right to respect for private life and correspondence within the meaning of Art 8 of the European Convention on Human Rights (“the Convention’’), but conclude that there has been no violation of this Article, since the employer’s monitoring was limited in scope and proportionate. I share the majority’s starting point, but I disagree with their conclusion. I have no reservations in joining the majority in finding the Art 6 complaint inadmissible.

2. The case presented an excellent occasion for the European Court of Human Rights (“the Court’’) to develop its case-law in the field of protection of privacy with regard to employees’ Internet communications. The novel features of this case concern the non-existence of an Internet surveillance policy, duly implemented and enforced by the employer, the personal and sensitive nature of the employee’s communications that were accessed by the employer, and the wide scope of disclosure of these communications during the disciplinary proceedings brought against the employee. These facts should have impacted on the manner in which the validity of the disciplinary proceedings and the penalty was assessed. Unfortunately, both the domestic courts and the Court’s majority overlooked these crucial factual features of the case. [...]

14. Breaches of the internal usage policy expose both the employer and the employee to sanctions. Penalties for an employee’s improper Internet usage should start with a verbal warning, and increase gradually to a written reprimand, a financial penalty, demotion and, for serious repeat offenders, termination of employment. If the employer’s Internet monitoring breaches the internal data protection policy or the relevant law or collective agreement, it may entitle the employee to terminate his or her employment and claim constructive dismissal, in addition to pecuniary and non-pecuniary damages.

15. Ultimately, without such a policy, Internet surveillance in the workplace runs the risk of being abused by employers acting as a distrustful Big Brother lurking over the shoulders of their employees, as though the latter had sold not only their labour, but also their personal lives to employers. In order to avoid such commodification of the worker, employers are responsible for putting in place and implementing consistently a policy on Internet use along the lines set out above. In so doing, they will be acting in accordance with the principled international-law approach to Internet freedom as a human right.

The absence of a workplace policy on Internet use

16. The Government argue that the company’s internal regulations provided for a prohibition on the use of computers for personal purposes. Although true, the argument is not relevant, since the given internal regulations omitted any reference to an Internet surveillance policy being implemented in the workplace. In this context, it should not be overlooked that the Government also refer to notice 2316 of 3 July 2007, which “highlighted that another employee had been let go on disciplinary grounds, specifically due to personal use of the23 company’s Internet connection and phones’’ and “reiterated that the employer verifies and monitors the employees’ activity, specifically stating that they should not use the Internet, phones or faxes for issues unrelated to work’’, in other words, which “reiterated’’ the existence of a policy of Internet surveillance in the company. Also according to the Government, the employees had been informed about this notice, and it had even been signed by the applicant. The applicant disputes these facts. The majority themselves acknowledge that it is contested whether the company’s Internet surveillance policy had been notified to the applicant prior to the interference with his Internet communications. Unfortunately, the majority did not elaborate further on this crucial fact.

17. Since the existence of prior notice was alleged by the Government and disputed by the applicant, the Government had the burden of providing evidence to that effect, which they did not. Moreover, the only copy of the notice 2316 available in the Court’s file is not even signed by the employee. In other words, there is not sufficient evidence in the file that the company’s employees, and specifically the applicant, were aware that monitoring software had been installed by the employer and recorded in real time the employees’ communications on the company’s computers, produced statistical records of each employee’s Internet use and transcripts of the content of the communications exchanged by them, and could block their communication (Anm des Bearbeiters: FN 49: The employer used IMFirewall Software – Wfilter to intercept the applicant’s communications, which is characterised by real time recording and the possibility to block messages). [...]

The personal and sensitive nature of the employee’s communications

19. The delicate character of the present case is significantly heightened by the nature of certain of the applicant’s messages. They referred to the sexual health problems affecting the applicant and his fiancée. This subject pertains to the core of the applicant’s private life and requires the most intense protection under Art 8. Other than this sensitive data, the messages also dealt with other personal information, such as his uneasiness with the hostile working environment. The employer accessed not only the professional Yahoo Messenger account created by the applicant, but also his own personal account. The employer had no proprietary rights over the employee’s Yahoo messenger account, notwithstanding the fact that the computer used by the employee belonged to the employer. Furthermore, the employer was aware that some of the communications exchanged by the applicant were directed to an account entitled “Andra loves you’’, which could evidently have no relationship with the performance of the applicant’s professional tasks. Yet the employer accessed the content of this communication and made transcripts of it against the applicant’s explicit will and without a court order.

The lack of necessity of the employer’s interference

20. In addition, the employer’s interference had wide adverse social effects, since the transcripts of the messages were made available to the applicant’s colleagues and even discussed by them. Even if one were to accept that the interference with the applicant’s right to respect for private life was justified in this case, which it was not, the employer did not take the necessary precautionary measures to ensure that the highly sensitive messages were restricted to the disciplinary proceedings. In other words, the employer’s interference went far be yond what was necessary.

21. Having said that, the termination of the applicant’s employment relationship with the company could not be based on evidence that did not meet the Convention standards of protection of employees’ privacy. In ratifying the employer’s dismissal decision, the domestic courts accepted as legal evidence of the breach of the applicant’s professional duties records of private communications which merited Convention protection and had nonetheless been accessed, used and publicised by the employer, in violation of the Convention standard (Anm des Bearbeiters: FN 59: In other words, the interference with the employee’s right to privacy, especially with regard to the sensitive data collected, was so intolerable that it tainted the evidence collected and hence the Schenk standard does not apply here [Schenk v. Switzerland, no. 10862/84]. A similar approach was taken by the Portuguese Constitutional Court, in its judgment no. 241/2002, on the nullity of evidence collected in a dismissal case on the basis of the labour court’s request to Telepac and Portugal Telecom for traffic data and billing information concerning the employee’s home phone line). Moreover, the termination of the applicant’s employment contract can hardly be said to be proportionate in itself, bearing in mind that it was not proven that the applicant had caused actual damage to his employer, or that he had adopted the same pattern of behaviour for a considerable period of time.

Conclusion

22. “Workers do not abandon their right to privacy and data protection every morning at the doors of the workplace.’’ (Anm des Bearbeiters: FN 61: Art 29 Working Party Working document on surveillance and monitoring of electronic communications in the workplace, page 4). New technologies make prying into the employee’s private life both easier for the employer and harder for the employee to detect, the risk being aggravated by the connatural inequality of the employment relationship. A human-rights centred approach to Internet usage in the workplace warrants a transparent internal regulatory framework, a consistent implementation policy and a proportionate enforcement strategy by employers. Such a regulatory framework, policy and strategy were totally absent in the present case. The interference with the applicant’s right to privacy was the result of a dismissal decision taken on the basis of an ad hoc Internet surveillance measure by the applicant’s employer, with drastic spill-over effects on the applicant’s social life. The employee’s disciplinary24 punishment was subsequently confirmed by the domestic courts, on the basis of the same evidence gathered by the above-mentioned contested surveillance measure. The clear impression arising from the file is that the local courts willingly condoned the employer’s seizure upon the Internet abuse as an opportunistic justification for removal of an unwanted employee whom the company was unable to dismiss by lawful means.

23. Convention rights and freedoms have a horizontal effect, insofar as they are not only directly binding on public entities in the Contracting Parties to the Convention, but also indirectly binding on private persons or entities, the Contracting State being responsible for preventing and remedying Convention violations by private persons or entities. This is an obligation of result, not merely an obligation of means. The domestic courts did not meet this obligation in the present case when assessing the legality of the employer’s dismissal decision, adopted in the disciplinary proceedings against the employee. Although they could have remedied the violation of the applicant’s right to respect for private life, they opted to confirm that violation. This Court did not provide the necessary relief either. For that reason, I dissent.

ANMERKUNG

Die besprechungsgegenständliche E des Europäischen Gerichtshofes für Menschenrechte (EGMR) befasst sich mit einer Entlassung wegen privater Kommunikation über die betriebliche IT-Infrastruktur während der Arbeitszeit, wobei die Inhalte dieser Kommunikation zum Beweis dieses Vergehens vor den rumänischen Gerichten dienten.

Besonders ist hervorzuheben, dass es sich um einen privaten und keinen staatlichen AG gehandelt hat, sodass die staatsgerichtete E von der Struktur der EMRK her nicht direkt über das Verhalten des AG abzusprechen hatte, sondern darüber, ob die staatlichen Gerichte einen allenfalls nicht gerechtfertigten Eingriff eines privaten AG in das Konventionsrecht des Art 8 in ihren Entscheidungen (rechtsfolgenmäßig) ausreichend berücksichtigt hatten; das ist auch ein wesentlicher Unterschied zu den unter Pkt 2. zitierten Vorjudikaten des EGMR, wo es um staatliche AG gegangen war. Insofern lässt sich den Aussagen des EGMR fallbedingt nur indirekt etwas über die Konventionskonformität der Überwachung privater Kommunikation am Arbeitsplatz entnehmen (pointiert formuliert wurde nicht der Zugriff des AG auf den Account des beschwerdeführenden AN gebilligt, sondern wurde die Billigung des Zugriffes durch die rumänischen Gerichte vom EGMR gebilligt). Dennoch befriedigen weder das Ergebnis der E noch deren argumentative Tiefe.

1.
Einleitung

Vorauszuschicken ist, dass die besprechungsgegenständliche E der Kammer der 4. Sektion des EGMR (bestehend aus sieben Richtern) nicht rechtskräftig ist, da die Rechtssache am 6.6.2016 auf Antrag des beschwerdeführenden AN an die Große Kammer des EGMR (bestehend aus 17 Richtern) verwiesen wurde.

Schon das nicht endgültige Urteil hat aber bereits viel Verbreitung (im Internet) gefunden, da das Thema des Schutzes der Privatsphäre am Arbeitsplatz vor Kontrollen des AG klarerweise den Nerv einer Zeit berührt, in der die Vornahme privater Kommunikation am Arbeitsplatz angesichts der Vielfalt neuer Medien (iVm einem auch daraus resultierenden gesellschaftlich stark gestiegenem Kommunikationsbedürfnis) mehrheitlich als selbstverständlich angesehen wird (zB http://www.socialmediarecht.de/2016/02/19/privateinternetnutzung-am-arbeitsplatz-erlaubt-der-egmraz-6149608-den-arbeitgebern-wirklich-das-lesenprivater-nachrichten-von-arbeitnehmern-und-wieist-eigentlich-die-rechtslage-in-deutschla-2/; http://eulawanalysis.blogspot.co.at/2016/01/is-workplace-privacy-dead-comments-on.html; https://www.rt.com/news/328755-echr-employee-messages-snooping/, jeweils abgerufen am 31.7.2016). Daneben sind für Österreich die bereits publizierten lesenswerten Besprechungsaufsätze von Felten (Kontrolle der Internetnutzung am Arbeitsplatz, Auswirkungen der neueren EGMR-Rechtsprechung, jusIT 2016/43) und Haidinger (Überwachung von Kommunikationsdaten des Arbeitnehmers – alles beim Alten oder Trendwende nach dem EGMR-Urteil Bărbulescu?Dako 2016/37) ua wegen der Darstellung von ableitbaren Auswirkungen auf das österreichische Arbeitsrecht hervorzuheben.

Last, but not least ist darauf hinzuweisen, dass der portugiesische Richter Pinto de Albuquerque gem Art 45 Abs 2 EMRK eine umfangreiche Dissenting Opinion (zur Verletzung des Art 8 EMRK) dargelegt hat, in der er die Überwachungsmaßnahme insb deshalb als unverhältnismäßig angesehen hat, weil keine transparente Internet Policy (samt einem verhältnismäßigen Überprüfungsrahmen mit einem abgestuften Sanktionskatalog) des AG vorgelegen hatte. Anderenfalls würde eben eine entsprechende Kontrollmaßnahme Gefahr laufen, dergestalt missbraucht zu werden, dass der AG als „misstrauischer Big Brother“ den AN menschenrechtswidrig über die Schulter lugt (Pinto de Albuquerque, Rz 15). Fallgegenständlich habe auch die Verwertung der Protokolle der privaten Kommunikation angesichts der Datensensibilität (über Gesundheit und Sexualleben) wegen deren intolerierbarer Verletzung des Persönlichkeitsrechtes ihrerseits zu einem konventionswidrigen Vorgehen der nationalen Gerichte geführt, maW hätten die nationalen Gerichte von einem diesbezüglichen Beweisverwertungsverbot ausgehen müssen (Pinto de Albuquerque, Rz 21 iVm FN 59).

Während sich der Rezensent diesen Ausführungen der Dissenting Opinion von Pinto de Albuquerque vollinhaltlich anschließt, vermisst er im eigentlichen Urteil insb Feststellungen darüber (und eine daraus abgeleitete rechtliche Bewertung), wie der AG zu den Chat-Protokollen gelangt ist; diese über den Anlassfall hinausgehende Thematik soll im Anschluss (unter Pkt 3.) an eine kurze Anmerkung zur Urteilsbegründung näher beleuchtet werden.25

2.
Der „rote Faden“ der Urteilsbegründung

Die schmal gehaltene Begründung des Urteiles setzt sich vor allem mit der „reasonable expectation of privacy“ des beschwerdeführenden AN hinsichtlich seiner Kommunikation über den Messenger Account auseinander. Im Gegensatz zu den Rs Halford (EGMR 25.6.1997, 20605/92, Halford/UK) und Copland (EGMR 3.4.2007, 62617/00, Copland/UK) habe es nämlich weder eine Erlaubnis zur privaten Kommunikation über die Betriebsmittel des AG gegeben, noch sei solches toleriert worden, vielmehr habe es diesbezüglich ein generelles Verbot gegeben.

Angesichts des privaten Inhaltes der Kommunikation und der Verwendung der entsprechenden Transkripte als Beweise im arbeitsgerichtlichen Verfahren ging die Kammer (trotz des allgemeinen Verbotes der Privatnutzung der betrieblichen Kommunikationsmittel) davon aus, dass die entsprechende Überwachung und die Verwendung der Transkripte vom Schutz des Privatlebens und der Korrespondenz iSd Art 8 Abs 1 EMRK umfasst wurde und damit dessen Anwendbarkeit auf den gegenständlichen Fall zu bejahen sei.

Bekräftigt wird, dass sich aus Art 8 EMRK auch die Pflicht des Staates ergibt, den Schutz des Privatlebens auch im Verhältnis zwischen Privatpersonen durchzusetzen (vgl dazu auch Meyer-Ladewig, Europäische Menschenrechtskonvention2 [2006] Art 8 Rz 2c). Angesichts des den Staaten dabei einzuräumenden Wertungsspielraumes habe der Staat in Form einer sorgfältigen Prüfung und Abwägung durch die nationalen Gerichte eine gerechte Balance zwischen den Persönlichkeitsrechten gem Art 8 EMRK einerseits und den Interessen des AG andererseits getroffen. Deshalb habe keine Verletzung von Art 8 EMRK stattgefunden.

Diese Argumentation ist in sich schlüssig, berücksichtigt aber wesentliche Aspekte des gegenständlichen Falles nicht, so beispielsweise die (unter Pkt 1.) schon ausgeführte Datensensibilität. Ebenso wenig geht die Argumentation auf den wesentlichen Aspekt ein, dass und wie der AG zum Inhalt der privaten Kommunikation des AN (sohin nicht nur zum Browserverlauf) gelangt ist.

3.
Ermittlung und weitere Verwendung privater Kommunikationsdaten
3.1.
Technischer Aspekt

Auf Aufforderung des AG eröffnete der beschwerdeführende AN einen Yahoo Messenger Account, um Kundenanfragen beantworten zu können. Im Monat vor der Entlassung wurde die Kommunikation (vom Arbeitsplatzrechner aus) über diesen, aber auch über einen rein privat eröffneten (!) Yahoo Messenger Account eine gute Woche lang lückenlos (während der Arbeitszeit) überwacht und wurden davon 45 Seiten Protokolle angefertigt.

„Yahoo! Messenger“ ist ein kostenloser Instant-Messaging-Dienst (ua für Textnachrichten/Chatten) des Unternehmens Yahoo. Die zugehörige Software ist kostenlos und kann grundsätzlich mit einem gültigen Yahoo-Zugang heruntergeladen und installiert werden.

Dabei fällt frappierend auf, dass bis dato davon ausgegangen wurde, dass die Kommunikation über den Server eines Internet-Diensteanbieters, zB einen Webmail-Server oder fallgegenständlich über Yahoo-Server zum Angebot von Chat-Diensten (und nicht über den betriebseigenen E-Mail-Server) inhaltlich „abhörsicher“ (iS von technisch geschützt) vor dem AG sei: Der AN sei mit zB einer eigenen privaten Web-E-Mail-Adresse am Arbeitsplatz (sofern gestattet) am besten beraten, da dadurch verhindert werden könne, dass der AG, der keine spezielle Spyware (Spionagesoftware) verwendet, private E-Mails mitliest (mutatis mutandis auf Web-Chat-Dienste zu übertragen).

Neueste Firewall-Software (eine „Next-Generation Firewall“) ist demgegenüber aber sehr wohl imstande, auch diese – über den Login auf eine Website im Internet abgewickelte – transportverschlüsselte („https [HyperText Transfer Protocol Secure]“–)Kommunikation (unbemerkt) aufzubrechen, um grundsätzlich das dadurch mögliche Einschleusen von Malware in das Firmennetzwerk zu verhindern, was als Nebeneffekt (deshalb liegt auch keine grundsätzlich verbotene Spyware vor) aber eben auch eine entsprechende inhaltliche Kontrolle durch den AG ermöglicht. Um auch „SSL [Transport Layer Security]“-verschlüsselte Verbindungen auf Viren und Schadsoftware überprüfen zu können, gibt sich der Proxy als Client gegenüber dem Webserver im Internet aus (sogenannte „Manin-the-Middle“-Interception), sodass die gesamten Daten der Kommunikation schon auf Ebene der Firewall entschlüsselt werden können.

Fallgegenständlich wurde ebendiese Software der neuesten Generation eingesetzt (Dissenting Opinion Pinto de Albuquerque, FN 49).

3.2.
Rechtlicher Aspekt

Die aus Sicht des Rezensenten relevante (aber von der Mehrheit der Richter leider nicht erörterte) Fragestellung ist sohin: Ist es zur Aufrechterhaltung der betrieblichen IT-Systemfunktionalität tatsächlich notwendig, verschlüsselten Internet-Verkehr derart „aufzubrechen“ (über eine SSL-Interception), dass softwaregestützt entsprechende private Kommunikation (gegebenenfalls auch von den IT-Mitarbeitern und vom AG) mitgelesen werden kann, oder reicht technisch nicht der Einsatz von Firewalls mit (rein maschinellen) entsprechenden Filter- bzw Blockierungs-Einstellungen dafür aus?

Diese Fragestellung ist (nach Rücksprache mit IT-Experten, besonderer Dank gebührt dabei Riesenecker-Caba) zu verneinen (dh rein maschinelle Filter- bzw Blockierungs-Einstellungen reichen dafür aus).

Damit war aber die Überwachungsmaßnahme des AG fallgegenständlich (auch vor dem Hintergrund von Art 8 EMRK) jedenfalls unverhältnismäßig und hätten die nationalen Gerichte zur entsprechenden Ahndung dieser Rechtsverletzung auf die Unrechtmäßigkeit der daraus abgeleiteten Entlassung des beschwerdeführenden AN erkennen müssen, eben-26so wie die Kammer der 4. Sektion des EGMR, was bedauerlicherweise aber nicht geschah. Das bemängelt auch Pinto de Albuquerque mit ebendieser Begründung (Rz 22 f).

4.
Resümee

Hätte sich der Fall in Österreich zugetragen, hätte selbst der Abschluss einer BV gem § 96 Abs 1 Z 3 ArbVG bzw (im Betrieb ohne BR) eine Zustimmung des einzelnen AN gem § 10 AVRAG zur Kontrolle der Internetnutzung nichts an der Rechtswidrigkeit der fallgegenständlichen Überwachungsmaßnahme geändert, da durch die Ermittlung und weitere Verarbeitung von Inhaltsdaten (offensichtlich) privater Kommunikation jedenfalls ein Verstoß gegen die öffentlich-rechtlichen datenschutz- bzw telekommunikationsrechtlichen Bestimmungen der §§ 7 DSG 2000 und 93 Abs 3 TKG vorgelegen hätte (dazu näher Goricnik in

Grünanger/Goricnik
, Arbeitnehmer-Datenschutz und Mitarbeiterkontrolle [2014] 153 f mwN; so im Ergebnis wohl auch Haidinger, Dako 2016/37, 60).

Der diesbezügliche Ansatz des EGMR, die geschützte Sphäre des AN maßgeblich nach dessen „reasonable expectation of privacy“, also nach dessen vernünftiger und daher berechtigter Erwartung von Privatheit am Arbeitsplatz, auszumessen, trifft dabei jedenfalls auf das (europäische und österreichische) Datenschutzrecht nicht zu, das einen materiellen Schutzstandard verwirklicht, indem es maßgeblich auf die Erforderlichkeit und Verhältnismäßigkeit der (durchaus auch bekannten) Kontrolle (am Arbeitsplatz) abstellt (so auch Rebhahn, Mitarbeiterkontrolle am Arbeitsplatz [2009] 29 ff mit näheren Ausführungen zu beiden Ansätzen).

Insofern wird von großem Interesse sein, zu welchen Aussagen ein mögliches Urteil des EuGH über ein entsprechendes Vorabentscheidungsersuchen (zur Auslegung von Art 8 GRC oder einzelner Bestimmungen der Datenschutz-RL 95/46/EG ABl L 1995/281, 31 bzw der ab 25.5.2018 anwendbaren Datenschutz-Grund-VO [EU] 2016/679 ABl L 2016/119, 1) im Zuge einer gerichtlich ausgetragenen Streitigkeit aus oder im Zusammenhang mit einer arbeitgeberseitigen Kontrolle privater Internetnutzung eines AN am Arbeitsplatz gelangen wird.