Ing. Salih CAVKIC
Editor in Chief
PRIVACY I(N)T CONTEXT
doc. dr. Jasna Cosabic
right to privacy, or the right to respect for private life, as the
European Convention on Human Rights guarantees it, has been affected
by the IT growth era. Privacy has long been protected, but will face
a new dimension of protection for the generations to come. The right
to respect for private life is not an absolute one, and may have a
different feature in different context.
By Niemitz v. Germany judgment (1992) the European Court on Human
Rights ('the ECtHR') included the right to connect with other
individuals into the notion of private life, saying that it would be
too restrictive to limit the notion of an 'inner circle' to personal
life and exclude therefrom entirely the outside world not
encompassed within that circle. The right to communicate was thus
inscerted into the the privacy context.
But the extent of communication and technologies which enable it
signifficantly changed since.
Few decades ago, it mainly consisted of personal communication,
communication by conventional letters and phone communication. At
the time the Convention was adopted in the mid last century, there
was no internet, not even mobile/cell phones, nor personal computers.
The feature of privacy protection was much more simple then today.
Now, when we approach the rule of IoT (internet of things)
communication, not only do people communicate, but 'things' as well.
The subject of that 'non-human' communication may also be private
data of individuals. At the same time, the individual, human
communication became more simple, available at any time, and
versatile by its means.
New society digital evolution becomes a special challenge when
speaking of the protection of privacy. Availability of every person
not only in physical life but in cyber life as well, upgrades the
privacy to a new sphere. If we do ourselves chose to use social
networking, Skype, Instagram, Twitter, Yahoo Messenger, Linkedin,
Facebook, the later being ‘the most powerful database of persons
ever on internet’ as rightfully noted by prof. Bajrektareviæ, in his
book ‘Is there life after Facebook?’ as well as other internet
features, we must be aware that our privacy may come into the open.
If we add to that e-context a physical surrounding of a working
place, under certain conditions, the feature of privacy changes, i.e.
it becomes less protected then in the context of an earthbound
private circle, the surrounding which was in mind of lawmakers when
adopting for instance the European Convention on Human Rights in
Recently, at the table of the ECtHR was the case of Barbulescu v.
Romania (judgment enacted in January 2016), where the question arose
of whether an employer is entitled to look into his employer’s
private messages at Yahoo Messenger. The messages were written by
the employee during the working time, at the computer owned by the
employer. The employer monitored and made transcript of messages
made at the Yahoo Messenger account that was created at the
employer’s request for the purposes of contacts with clients, but
the transcript also contained five short messages that Mr.
Barbulescu exchanged with his fiancée using a personal Yahoo
The ECtHR found no violation of the right to respect the private
life by such actions of the employer.
The ECtHR noted that the employer did not warn the employee of the
possibility of checks of the Yahoo Messenger. However, the company
where Mr. Barbulescu worked did adopt internal rules according to
which it was strictly forbidden to use computers, photocopiers,
telephones, telex and fax machines for personal purposes. Can that
be seen as a warning? Does it give an employer a right to monitor
personal messages of an employee?
We may wonder if the ECtHR gave the advantage to a market economy
and profit growth, versus privacy? Did it give to employer the right
to control the employee even if that would mean invading his privacy?
This, under certain conditions, like internal policy rules or
warning, gives the employers the right to rule the employees space,
of course, during work hours, and their right to monitor the job
done by his employees may be stronger then their right to privacy.
However one should be careful in concluding that all employers may
now freely snoop into their employees’ e-mails, tweets, messages
The ECtHR took into consideration the ‘expectation of privacy’,
which Mr. Barbulescu, the employee, had regarding his communications.
The internal rules of the employer which strictly prohibited the use
of computers for private purposes, made the decisive shift towards
ruling in favor of non violation. He probably should not have
expected to have his privacy respected in such circumstances. But in
the absence of such rules and in the absence of warning, any such
intruding into employees’ private communication would rise an issue
of privacy protection.
With the fast development of society and technology, the privacy is
much more vulnerable, and it apparently affects its legal protection.
Almost two decades ago in the case of Halford v. UK the same ECtHR
decided that tapping of Ms. Halford’s phone at the office did
constitute a violation of her right to respect of her private life.
Without being warned that one's calls would be liable to monitoring
the person would have reasonable expectation that his privacy is
protected (Halford v. UK 1997). In Amann v. Switzerland ECtHR
judgment (2000) telephone calls from business premises pursue to be
clearly covered by 'private life' notion.
The ECtHR further spread the privacy protection to e-mails sent from
work in the Copland v. United Kingdom judgment (2007). In this case
it also decided that monitoring of telephone usage in the way of
analysis of business telephone bills, telephone numbers called, the
dates and times of the calls, duration and cost, constituted
“integral element of the communications made by telephone”, and made
an interference into the privacy. Moreover, the ECtHR was of the
view that the storing of personal data relating to the private life
of an individual also fell under the protection of the Article 8,
being irrelevant whether it was or was not disclosed or used against
the person. It further held that that 'e-mails sent from work should
be similarly protected under Article 8, as should information
derived from the monitoring of personal Internet usage' like
analysing the websites visited.
In Halford and Copland case the personal use of an office telephone
or e-mail or was either expressly or tacitly allowed by the employer.
Accordingly the ECtHR found a violation of privacy when the employer
intruded therein. In Barbulescu, on the other hand, due to the
internal regulations that forbid the private use of computers, the
ECtHR did not consider a monitoring by employer to be a violation of
his privacy, although the intrudment happened in the form of making
the transcript of employee's messages and keeping that transcript.
The ECtHR considered that ‘broad reading of Article 8 does not mean,
however, that it protects every activity a person might seek to
engage in with other human beings in order to establish and develop
such relationships' (Barbulescu para 35)
We can see that the position of employer towards allowing or non
allowing phone, e-mail, or internet usage, made a difference as to
the employee’s expectation of privacy. But can we add to that the
more open communication, as a reason of lowering the level of the
‘expectation of privacy’?
It still remains up to the individual how he/she shall expose his/her
privacy. The means of multiple communication, are now in everyone’s
pocket, and a person does not have to use a land phone line, in
order to call home. By simple touching the screen he/she may
communicate, share, like, tweet, comment. If it is done during
working hours, it gives, under certain conditions, a possibility to
employers to look into that ‘share’, ‘like’, ‘tweet’, ‘comment’ and
still not to invade anyone’s privacy.
The more open the conversation is, its protection gets more
demanding and complicated. So the protection of privacy remains a
big test for the future.
The European Commission has launched an EU Data Protection Reform in
2012, in order to 'make the Europe fit for the digital age.'
Strenghtening citizens' fundamental rights, Digital Single Market,
are the areas that need special attention. Currently in force
Directive 95/46/EC of the European Parliament and of the Council of
the EU of 1995, provides that personal data is 'any information
relating to an identified or identifiable natural person'.
Article 29 Data Protection Working Party ('DPWP'), in 2002 adopted a
Working Document on the Surveillance and the Monitoring of
Electronic Communications in the workplace. According to that
Document the mere fact that monitoring serves an employer's interest
could not justify an intrusion into workers' privacy. Monitoring,
according to the DPWP, must pass four tests: transparency, necessity,
fairness and proportionality.
'Workers do not abandon their right to privacy and data protection
every morning at the doors of the workplace' provides the Document,
however, 'this right must be balanced with other legitimate rights
and interests of the employer, in particular the employer's right to
run his business efficiently to a certain extent'.
Under Directive 2002/58/EC concerning the processing of personal
data and the protection of privacy in the electronic communications
sector (Directive on Privacy and Electronic Communications) of 2002
'Member States shall ensure the confidentiality of communications
and the related traffic data by means of a public communications
network and publicly available electronic communications services,
through national legislation.' It provides for the prohibition of 'listening,
tapping, storage or other kinds of interception or surveillance of
communications and the related traffic data by persons other then
users without the consent of the users concerned'. Exceptions may be
made, inter alia, for the interests of national security,
prevention of criminal offences or of unauthorized use of the
electronic communication system etc.
Data protection of citizens will be a big challenge in future. The
judge Pinto de Albuquerque in his partly dissenting opinion in
Barbulescu case has criticized the ECtHR's majority in missing the
chance to develop its case-law in the field of protection of privacy
with regard to Internet communications and for overlooking, inter
alia, some important features like sensitivity of the employee's
communication and non-existence of Internet surveillance policy duly
followed by the employer (apart from the above mentioned internal
regulations forbidding the use of computers).
On one hand there is a request for privacy protection, while on the
other hand, there is a request from the market economy/employers
that the job be done. The interests of the two must always be fairly
balanced, but with the speedy development of technology and the
internet interaction, the danger of exposing private data rises.
That is why the legal creators have a big responsibility to act
ahead of time, which, in the IT context, is running at the light
doc. dr. Jasna Čošabić
professor of IT law and EU law at Banja Luka College,
Bosnia and Herzegovina
April 18, 2016