Dechert OnPoint: Workplace Privacy in Georgia
Dechert Georgia, through the contribution of partners Archil Giorgadze and Nicola Mariani, joined by senior associates Ruslan Akhalaia and Irakli Sokolovski, as well as Ana Kostava and Ana Kochiashvili, is partnering with Georgia Today on a regular section of the paper which will provide updated information regarding significant legal changes and developments in Georgia. In particular, we will highlight significant issues which may impact businesses operating in Georgia.
Dechert’s Tbilisi office combines local service and full corporate, tax and finance support with the global knowledge that comes with being part of a worldwide legal practice.
Dechert Georgia is the Tbilisi branch of Dechert LLP, a global specialist law firm that focuses on core transactional and litigation practices, providing world-class services to major corporations, financial institutions and private funds worldwide. With more than 900 Lawyers in our global practice groups working in 27 offices across Europe, the CIS, Asia, the Middle East and the United States, Dechert has the resources to deliver seamless, high quality legal services to clients worldwide. For more information, please visit www.dechert.com or contact Nicola Mariani at nicola.mariani@dechert.com.
INTRODUCTION
The European Court of Human Rights (the “ECHR”) 12 January 2016 judgment on the case Barbulescu v. Romania (#61496/08) promptly became a subject of discussion in the Georgian press, mainly due to misleading interpretations of the ruling. The ECHR held that in certain circumstances employers may monitor employee activity in the workplace for the purpose of establishing whether employees are fulfilling their duties; this can and must be done without breaching the right to privacy in the workplace.
This edition of OnPoint brings light to the workplace privacy issue from a Georgian law perspective, providing an overview of the controversial judgment, the European Union framework in view of protection of personal data, regulation of workplace privacy in Georgia and related Georgian case law.
EUROPEAN UNION FRAMEWORK
Generally, protection of personal data in the European Union (the “EU”) is guaranteed by Directive 95/46/EC adopted on 24 October 1995 (the “Directive”). The main purpose of the Directive is to balance the protection and free movement of personal data within the EU and to protect the right to privacy as recognized by Article 8 of the European Convention on Human Rights (“Article 8”) and the general principles of EU law. The Directive restricts the collection, storage and usage of personal data and obliges EU member states to establish an independent national entity for the purposes of personal data protection. The Directive does not specifically define the responsibilities of the employer. However, general principles of data protection do apply.
BARBULESCU v. ROMANIA JUDGMENT
The ECHR judgment dated 12 December 2016 (the “Judgment”) was issued in relation to application #61496/08 originated by a Romanian applicant (the “Applicant”) against Romania (the “Government”). The Applicant was employed by a private company (the “Employer”). At the Employer’s request, the Applicant created a Yahoo Messenger account for the purpose of responding to client enquiries. On 13 July 2007, the Employer informed the Applicant that his Yahoo Messenger communications had been monitored for the past nine days and records showed he had used the internet for personal purposes, contrary to internal regulations. The Applicant replied that he had only used the account for professional purposes. In response, the Employer presented a forty-five-page transcript of his communications on Yahoo Messenger containing transcripts of all messages related to personal matters the applicant had exchanged during the nine-day period, including messages exchanged between the Applicant and his fiancée using a personal Yahoo Messenger account. These messages did not disclose any intimate information.
The Employer terminated the Applicant’s employment contract for breach of the company’s internal regulations forbidding the use of office appliances for personal purposes. The Applicant challenged the Employer’s decision before the domestic courts and later the ECHR, complaining that the decision had been based on a breach of his right to respect of his private life and correspondence, and that the domestic courts had failed to protect his rights guaranteed under Article 8.
The ECHR held that, by accessing the Applicant’s communication and using it in proceedings before domestic courts, the case concerned the Applicant’s “private life” and “correspondence” under the definitions of Article 8. However, the ECHR noted that the Employer’s monitoring was both limited in scope and proportionate, and that the domestic authorities succeeded in striking a fair balance between the Applicant’s right to respect of his private life under Article 8 and the Employer’s disciplinary powers. Accordingly, no violation of Article 8 had occurred.
GEORGIAN APPROACH
The Constitution of Georgia and the Law of Georgia on Personal Data Protection (the “Law”) are the main tools regulating the collection, storage and usage of personal data in Georgia. For the purposes of the Law, personal data means any information connected to an identified or identifiable natural person. Data processing is any operation performed in relation to such data by automated, semi-automatic or non-automatic means; in particular the collection, recording, photographing, audio recording, video recording, organization, storage, alteration, restoration, request for access to, use or disclosure, grouping or combination, locking, deletion or destruction of such data.
An employer’s request for access to an employee’s personal communications is regarded as data processing under the Law. Such processing is only permissible if the grounds for data processing envisaged in the Law exist. These include the employee’s consent and protection of the legitimate interests of the data processor or relevant third party, etc.
It is required that an employer protect the general principles of data protection. In particular, the processing of data for purposes incompatible with the original purpose is not allowed. Furthermore, the data processed by the employer must be adequate and proportionate for the purpose for which it is processed.
Neither the Labor Code of Georgia nor the Law of Georgia on Public Service provide for any specific regulations for employers. However, the Office of the Personal Data Protection Inspector (the “Office of the Inspector”) has adopted recommendations regarding protection of personal data in labor relations (the “Recommendation”). The Recommendation notes that in certain circumstances the employer is entitled to monitor an employee’s e-mail correspondence and the employee shall be informed of such activity. The Office of the Inspector states that the employer is responsible for separating private and work-related correspondence and only the latter may be subject to monitoring.
In addition to the Recommendation, the Personal Data Protection Inspector (the “Inspector”) delivered a decision on 8 May 2015 regarding workplace privacy (the “Decision”). The Decision states that monitoring of workplace e-mail is legally justified for the purpose of presenting e-mail correspondence as evidence in court. The Inspector underlined two important criteria for the legality of such interference: (1) separation of private and work-related correspondence; and (2) the employee’s awareness about the possibility of monitoring.
While Georgian case law remains silent regarding workplace privacy, the Supreme Court of Georgia issued a ruling in line with the approach adopted above in its decision on case #ას-1155-1101-2014, dated 4 May 2015. In particular, the Supreme Court held that all individuals shall have the right to hold personal communications without fear that the records will be used without or contrary to their consent. However, the privacy of personal communications is not subject to absolute protection and may be limited in cases prescribed by legislation to constitute a legitimate purpose and prevailing public interest.
CONCLUSION
As a final note, it can be observed that both Georgian and EU legislation fail to provide any specific regulations regarding workplace privacy. However, general principles of personal data protection apply. The above analysis of Georgian legislation demonstrates that an employee’s private correspondence shall be protected by ensuring their awareness and requiring their consent to potential monitoring and by limiting the employer’s right to process personal data only to the extent necessary to achieve legitimate interests.
* * *
Note: this article does not constitute legal advice. You are responsible for consulting with your own professional legal advisors concerning specific circumstances for your business.