On 8 June 2017 the Working Party established under Article 29 of Directive 95/46/EC (“WP29”, being an independent European advisory body on data protection and privacy) published a revised opinion (the “Opinion”) which makes a new assessment of the balance between the legitimate interests of employers and employees’ reasonable expectation of privacy by indicating the risks posed by new technologies and undertaking an assessment of proportionality.
Surveillance of internet use at work is not at the discretion of the employer.
At a time when technology has blurred the boundary between working and private life, when some employers allow the use of company equipment for their employees’ personal use, others allow employees to use their own devices for work, and others allow both, the right of employers to maintain a proper working environment, and the employee’s obligation to perform their proper duties, do not justify the unfettered review of electronic communications by employers.
Specific rules to ensure the protection of rights and freedoms in respect of processing employees’ personal data in the context of employment
WP29 has provided guidelines for the legitimate use of new technology in a number of specific situations, detailing suitable and specific measures to safeguard human dignity, legitimate interests and fundamental rights of employees.
According to these, employers must comply with the fundamental principles of data protection and also must take note of the following when processing personal data in the employment context:
- Fundamental rights – the fact that an employer owns the electronic devices does not exclude the right of employees to secrecy of their electronic communications and correspondence and also related location data. Tracking the location of employees through their self-owned or company-issued devices should be limited to where it is strictly necessary for a legitimate purpose.
The European Court of Human Rights (the “ECHR”) stated in 2016 in Barbulescu v. Romania that “the delicate character of the present case is significantly heightened by the nature of certain of the applicant’s messages. They referred to the sexual health problems affecting the applicant and his fiancée. This subject pertains to the core of the applicant’s private life and requires the most intense protection under Article 8.
Other than this sensitive data, the messages also dealt with other personal information, such as his uneasiness with the hostile working environment. The employer accessed not only the professional Yahoo Messenger account created by the applicant, but also his own personal account. The employer had no proprietary rights over the employee’s Yahoo messenger account, notwithstanding the fact that the computer used by the employee belonged to the employer. Furthermore, the employer was aware that some of the communications exchanged by the applicant were directed to an account entitled “Andra loves you”, which could evidently have no relationship with the performance of the applicant’s professional tasks. Yet the employer accessed the content of this communication and made transcripts of it against the applicant’s explicit will and without a court order”.
The Opinion states that in principle, in order to avoid this type of intrusion into the private life of employees, those sections of a device which are presumed to be used only for private purposes (e.g. the folder storing photos taken with the device) should not be accessed;
- Consent – given the dependent relation between employees and their employer, employees are almost never in a position to give, refuse or revoke their consent freely. This unequal position gives rise to exceptional situations where employees give free consent only when there are no consequences whatsoever connected to acceptance or rejection of the offer;
- Legitimate interest – the Opinion states that the legitimate interest of employers can sometimes be invoked as a legal ground, but only if the processing is strictly necessary for a legitimate purpose and the processing complies with the principles of proportionality and subsidiarity.
For example, the ECHR considers that the implementation of the internet use policy at the workplace must be guided by the principles of necessity and proportionality in order to avoid the situation where personal data collected in connection with legitimate organisational or information-technology policies are used to check employee behaviour. Prior to implementing any specific monitoring measure, the employer should assess whether the benefits of the measure outweigh the negative impact on the right to privacy of employees and of third parties with whom they communicate.
Data collection, access to and analysis of conversations, including metadata, without employee consent may only be permitted with exceptional judicial authorisation, since employees suspected of violating policy in disciplinary or civil proceedings should not be treated less correctly than those who are suspects in criminal proceedings.
Only well-founded surveillance of well-founded suspicions of policy violations is admissible. Unrestricted general monitoring is clearly excessive in investigating employees – the least intrusive monitoring techniques should be preferred. Since blocking communications on the internet is a last resort, filtering mechanisms can be considered to be more appropriate. The data collected cannot be used for any purpose other than the original one, and must be protected against alteration, unauthorised access and other forms of abuse. For example, the data collected should not be made available to other non-targeted employees. When no longer needed, personal data collected must be deleted.
Prior to the use of any monitoring tool, a proportionality assessment should be made to consider whether all data are necessary, whether this processing outweighs the general privacy rights that employees also have in the workplace and what measures must be taken to ensure that infringement on the right to private life and the right to secrecy of communications are limited to the minimum extent necessary;
- Transparency – Policies and rules concerning legitimate monitoring must be clear and readily accessible. Employees should be informed about data which the employer collects about them and the purpose of any processing of this data which is envisaged or carried out;
- Proportionality and data minimisation – Any intrusion on employees’ privacy must be a proportionate response to the risks faced by an employer. The information should be stored for the minimum amount of time needed and whenever information is no longer needed, it should be deleted.
What are the risks?
Given that modern technologies now enable employees to be tracked over time, in workplaces and in their homes, through many different devices such as smartphones, desktops, tablets, vehicles and wearables, there is a high risk that the legitimate interest of employers in improving efficiency and protecting company assets will turn into unjustifiable and intrusive monitoring.
It may not have been widely appreciated that new technologies and the evolution of existing technologies have the potential to result in severe risks to the privacy of employees, even in simple and familiar situations such as those described below.
Processing operations during the recruitment process and in-employment screening
Employers should not assume that, merely because an individual’s social media profile is publicly available, they may process such data for their own purposes. Prior to inspecting a social media profile, the employer should take into account whether the applicant’s profile relates to business or to private life. The employer should collect and process personal data relating to job applicants only to the extent that the collection of such data is necessary and relevant to the performance of the job for which the applicant has applied.
Employers should refrain from requiring an employee or a job applicant to give access to information (i.e. information regarding friends, opinions, beliefs, interests, habits, whereabouts, attitudes and behaviours) that the employee shares with others through social networking, even though employers have (or can obtain) the technical ability to screen employees very easily through social media.
Monitoring ICT usage at the workplace
Employers monitor electronic communications in the workplace for the purpose of detecting potential data breaches, preventing data loss and identifying other risks or potential infringements. However, simply because employees are expected to use online applications made available by their employer which process personal data, this does not mean that employers are permitted to collect information regarding employees without their consent.
In the absence of a proper internal policy on the use of the Internet in relation to work, internet surveillance at work “runs the risk of being abused by employers acting as a distrustful Big Brother lurking over the shoulders of their employees, as though the latter had sold not only their labour, but also their personal lives to employers. In order to avoid such commodification of the worker, employers are responsible for putting in place and implementing consistently a policy on Internet use along the lines set out above. In so doing, they will be acting in accordance with the principled international law approach to Internet freedom as a human right” [Barbulescu v. Romania case – ECHR].
Monitoring of home and remote working
Nowadays it is very common for employers to offer employees the option to work remotely, from home and in transit. This involves the employer issuing ICT equipment or software to the employees which, once installed in their home on their own devices, may enable them to have the same level of access to the employer’s network, systems and resources that they would have if they were in the workplace.
Given this, employers may think there is a justification for using software to log keystrokes and mouse movements, take screen captures (either random or at set intervals), record the applications used, and enable devices such as webcams and collect footage from them. The processing involved in such technologies is however disproportionate, and an employer will need to demonstrate a well-grounded legitimate business interest (e.g. preventing breaches of data security) for monitoring and recording an employee’s keystrokes and mouse movements.
The Barbulescu v. Romania case presents an important view of the European Court of Human Rights, which clarifies in detail the limits within which employees can be monitored at work. In this sense, employers must be able to justify and express a legitimate reason and interest for monitoring.
Employers must be extremely careful about how they respect the fundamental rights and privacy of their employees and also about how they obtain employee consent.
Moreover, from a legal point of view, employers need to focus on reviewing their employment contracts in order to ensure that employee consent can be given unconditionally and, equally, that such consent can be freely revoked.
This paper has been prepared for information purposes only and on the basis of legislation in force at the time of writing. It does not constitute professional advice. Any decision to take or to refrain from taking any action should be based on specific written professional advice.
Neil McGregor is the managing partner of McGregor & Partners. He may be contacted at firstname.lastname@example.org