GENEVA– Earlier this month, the World Health Organization (WHO) released its “Summaries of Outcomes of Substantiated Investigations” for 2024, where we learn, with reference to investigation report IR2024/19, that a WHO staff member was sanctioned for sending one or more derogatory WhatsApp messages about a colleague to another co-worker – not to the individual who was the subject of the remarks.

 According to the May 13 summary of the case, the staff member received a written censure and a one-month salary fine for alleged harassment, involving name-calling that offended the affected person, even as a non-recipient. Although the specific location of the incident is not mentioned in the Report, with WHO’s headquarters located in Geneva, with most of its workforce stationed there, the most likely scenario is that the event occurred in a territory under the jurisdiction of the Swiss Federation.

 Indeed, assuming this is the case the whole matter could be subject to the Swiss Federal Act on Data Protection (FADP) and, if applicable, the EU’s General Data Protection Regulation (GDPR) where, in particular, the alleged offender was actually an EU Resident,thus triggering GDPR extraterritorial scope under Article 3(2). It must be noted that, although WHO enjoys functional immunity as an international organization, its Headquarters Agreement with Switzerland still requires good-faith respect for Swiss law – a scenario reinforced by WHO’s own Code of Ethics, which stresses compliance with local standards.

 Private messaging apps like WhatsApp are protected as part of personal life under both GDPR and FADP. Specifically, GDPR Article 6 demands a lawful basis for processing personal data, while Article 5 emphasizes fairness and minimisation. The FADP mirrors GDPR’s approach, with express requirements for proportionality and transparency. Accordingly, accessing a private WhatsApp message for disciplinary use without consent, or voluntary disclosure, likely constitutes a breach of these rules. For instance, in a 2019 Zurich court ruling, accessing private WhatsApp messages without permission was held to breach Article 13 of the Federal Constitution and Article 328 of the Swiss Code of Obligations[1].

 There are further EU and UN-system precedents suggesting that the approach taken in IR2024/19 may be legally questionable from all these perspectives. Specifically, the European Court of Human Rights, in Barbulescu v. Romania (2017), ruled that employers must notify staff in advance about any communication monitoring, or they risk violating Article 8 (right to private life). Moreover, UN Tribunals have consistently affirmed that evidence in disciplinary cases must be obtained lawfully. For example, in UNDT/2020/097, the UN Dispute Tribunal excluded secretly recorded conversations as inadmissible; in 2023-UNAT-1348, the UNAT acknowledged that evidence gathered in breach of privacy may be inadmissible depending on context; in Judgment No. 4310, the ILOAT held that arbitrary or secret access to staff data constitutes unlawful interference with privacy. All these precedents collectively reinforce that lawfulness and procedural fairness are prerequisites for admissible disciplinary evidence.

 Notwithstanding this, the approach taken by WHO in IR2024/19 appears contradictory even to the organisation’s own internal rules and regulations. In fact, WHO’s 2022 Code of Ethics acknowledges staff privacy, permitting sanctions for off-duty conduct only when this constitutes a harm to the organisation’s reputation as a whole. Yet, any such peculiar cases must naturally be balanced with fair process and legal compliance. If WHO accessed the WhatsApp messages through coercion or without the staff member’s authorization, the organisation may have crossed privacy lines, especially where the reputational harm to the organisation is not proven. In any case, WHO’s Acceptable Use Policy and Misconduct Guidelines cannot simply disregard or override the transparency, necessity and proportionality requirements of host state law in breach of WHO’s Code of Ethics.

 Legal aspects aside, it must be underscored that the approach taken in IR2024/19 raises the spectre of internal surveillance dynamics reminiscent of authoritarian regimes: encouraging staff to report private conversations turns colleagues into potential informants, fostering only mistrust and fear.

 The mere possibility that off-duty remarks exchanged in private may be used one day as evidence against a staff member can have a chilling effect on personal expression. Staff might self-censor even off-duty, blurring thus the line between professional accountability and personal freedom. Such a scenario evidently threatens not just individual rights of staff members, but also the very integrity of the international civil service, which should champion dignity and mutual respect, as well as those basic human rights values, that the UN system claims to globally uphold.

  (Article provided by "NOMOS Consulting" (www.nomoslaw.it) 

 jf