Comments on the Spanish Supreme Court judgment of 8 February 2018 regarding employers’ monitoring of employees’ IT resources

Written on 22 Mar 2018

The particular importance of this judgment lies in the fact that it is the first ruling of the Supreme Court following the Judgement of the European Court of Human Rights of 5 September 2017 (the “Barbulescu case“).

Following an analysis of the factual situation in light of the doctrine of the European Court of Human Rights (ECHR), the Supreme Court has concluded that this doctrine is substantially in line with that provided by our Constitutional Court and the Supreme Court itself in repeated previous rulings.

According to this doctrine, when courts analyse the legality of an employer accessing an employee’s e-mail, they must carry out an adequate deliberation of the conflicting rights and interests. Therefore, in order for the measure to be declared lawful, it must pass the threefold test of suitability, necessity and proportionality required by our Constitutional Court. In each specific case, the courts will have to analyse and respond to different questions such as:

  • the extent to which the employer interferes in the employee’s private sphere;
  • whether or not there are legitimate reasons for the monitoring;
  • the existence of other less intrusive means;
  • the intended purpose of the results of the monitoring and;
  • the existence of guarantees for the employee.

In this manner, an employer intending to monitor an employee’s IT resources must analyse whether the measures comply with the established requirements. The risk of the employer’s action not passing the threefold test is that the documents or evidence found may be inadmissible, as they are considered to be the result of a violation of a fundamental right.

The case analysed by the Supreme Court in its Judgment of 8 February 2018 relates to whether or not certain evidence obtained from the employee’s company e-mail is admissible. Both the Labour Court and the Court of Justice of Galicia qualified the dismissal as lawful, but rejected the e-mails as they considered that the monitoring of the e-mail infringed the employee’s right to privacy. This ruling was appealed by both parties: the employee for the qualification of the dismissal and the company for the declaration of nullity of the e-mails.

The Supreme Court finally declared the e-mails as valid, considering that during the monitoring of the employee’s e-mail “the relevant requirements of constitutional jurisprudence have been scrupulously complied with and the tests of suitability, necessity and proportionality have been passed“.

In this specific case, the Court highlights the following as key points:

  • the employee’s company e-mail is accessed, not their personal e-mail;
  • the company has a policy on the use of computer resources that expressly prohibits the use of the company e-mail for personal business;
  • employees, when accessing the system on a daily basis, must first accept the guidelines set out in this policy and are reminded of the company’s right to adopt measures to monitor and control the correct use of IT tools;
  • the company does not monitor the mail as a first control measure, or without prior suspicion, but acts on a complaint from another employee, who happens to find documents in the communal printer evidencing the non-compliance;
  • the company does not access the employee’s e-mail through his or her computer or any other personal device, but does so through the server where all the e-mails are stored;
  • the inspection of the e-mail is carried out by searching for keywords and using the time proximity of the events reflected in the documents found in the printer, avoiding indiscriminate access to all e-mails.

For this reason, the Supreme Court concludes that the company’s actions are carried out in accordance with both the classical doctrine of the Court and the requirements established by the ECHR in the “Barbulescu case”, so that “it effortlessly passes the screening requirements which the European High Court imposes in order to attribute the legality of the monitoring activity.

Finally, the Court analyses whether it is necessary for the e-mails to be screened in the presence of the employee in question or a notary, concluding that “although the presence of third party guarantors is appropriate (notary, legal representative of the employees, another employee or the interested party), their absence does not affect the validity of the monitoring in any way whatsoever”.

In view of the foregoing, we can identify two key moments in which companies must be particularly cautious in order to guarantee that company monitoring is carried out in accordance with the fundamental rights of employees: first, by establishing an internal policy for the adequate use of e-mail in accordance with legal requirements, by ensuring that employees are aware of and comply with the regulations and, when applying monitoring measures, by verifying the fulfilment of all the guarantees.

We are, therefore, facing a judgement on legality that expressly depends on the circumstances of the specific case in question and it is, therefore, essential to have proper legal guidance in order to guarantee the validity of the evidence obtained by these means.