The GDPR Balancing Act: Employer’s Interests and Employee’s Privacy
A company collects the data of its employees throughout the employees’ lifecycle — beginning with recruitment and concluding with resignation, termination, or retirement. The data is collected and processed at all stages. Many organizations are deploying new digital HR technologies to better manage and support the entire employment life cycle, including cloud services that analyse data in search of HR improvements.
The rapid adoption of new technologies in the workplace has been useful in detecting the loss of intellectual property or data breaches by an employee. What’s more, predictive analytics and location data from smart devices are now used to improve employee productivity. However, these technological developments are sometimes seen as intrusive, pervasive, and cheap ways of monitoring staff, and they have raised concerns and challenges about employee privacy and data protection.
Such technology does not give employers unfettered powers in the name of legitimate interest under the new EU General Data Protection Regulation (GDPR). In many cases, monitoring all of an employee’s online activity and communications has been held to be disproportionate and unreasonable when weighed against the employer’s interest in protecting the company’s IT systems from damage, or in avoiding liability for illegal online activities.
For example, the Bărbulescu v. Romania[1] case reviewed the dismissal of an employee of a private company after the employer had monitored his electronic communications and accessed their content without giving him any prior notice of the monitoring. The European Court of Human Rights (ECHR) found that there had been a violation of Article 8 (right to respect for private and family life, the home, and correspondence) of the European Convention on Human Rights. Furthermore, the Court decided that the Romanian authorities had not adequately protected the applicant’s right to respect for his private life and correspondence: the authorities had failed to strike a fair balance between the interests at stake.
In this case, the ECHR noted that an employer’s instructions could not reduce private social life in the workplace to zero; the right to respect for private life and the privacy of correspondence continued to exist, even if it might be restricted insofar as this is reasonable and there are legitimate reasons to justify the monitoring.
In the Romanian case, then, the ECHR curtailed the employer’s power to monitor its employees’ communications after assessing the claimed legitimate interest and finding the monitoring excessive. In another recent case, the ECHR held that the scope of the monitoring and the degree of intrusion into an employee’s privacy were reasonable and within the legitimate interest of the employer.
In the latter case (reported in BBC News)[2], an employee was fired by SNCF, France’s national rail company, on the basis of a search of the employee’s computer carried out in his absence, in which SNCF found pornographic images and videos as well as forged certificates. In its ruling, the ECHR held that there had been no breach of Article 8 of the European Convention on Human Rights and that the domestic courts, in examining the employee’s right to respect for private life, had not exceeded the ‘margin of appreciation’ available to them. The ECHR agreed that the files had not been identified as private, that SNCF had been legitimately ensuring that its computer was being used in line with contractual obligations and the applicable regulations, and that the employee had committed a serious breach of the SNCF professional code of ethics.
These two cases give organizations guidance: whether the dismissal of an employee on the basis of monitoring is justified will depend both on the nature of the conduct and on how materially it affects the employee’s employment under the GDPR.
Many companies use social media to recruit prospective candidates and assume that, because profiles on sites such as LinkedIn, Facebook, or Twitter are publicly available, they are allowed to process that data for their background checks. In countries like India and Singapore it is possible to use personal data that is publicly available. However, for employees covered under the new GDPR, a legal ground such as legitimate interest is required for processing even publicly available social media data. For example, if the employer wants to assess risks regarding candidates for a specific function, the candidates must be informed of any such processing before they engage in the recruitment process.
Under the existing European Union Directive 95/46/EC, the employer must follow the fundamental data protection principles when processing personal data in the employment context, namely necessity, purpose specification, transparency, legitimacy, proportionality, and security. These fundamental principles are further strengthened with additional requirements under the new GDPR, and the employer must now comply with the following principles before processing the data of an employee:
1. Legal basis: The Article 29 Working Party, in its Opinions 8/2001 and 2/2017, has clearly stated that consent cannot be the legal basis for processing employees’ data, because consent cannot be freely given owing to the nature of the employer–employee relationship. Hence, consent obtained in the employment contract for processing employees’ data and monitoring their communications may not be valid unless a specific and informed indication of the employee’s consent is obtained. A valid legal basis exists when the processing is necessary for the performance of the employment contract, for example to meet obligations such as protecting the safety of business assets or intellectual property rights, or to comply with legal obligations such as paying salaries, calculating tax, and making social security payments.
2. Legitimate interest: To establish the legitimate interest of the employer, the processing of employees’ data should be strictly necessary for a legitimate purpose and proportionate to the business needs. When deploying technologies for monitoring or tracking employees, the organization must first consider the specific reasons justifying the introduction of the monitoring measures; second, whether the employer could have used measures entailing less intrusion into the employee’s private life and correspondence; and third, whether the communications might have been accessed without the employee’s knowledge.[3]
3. Transparency: It is important for companies to follow the transparency principle by informing employees of the existence of any monitoring, its purpose, and any other information needed for fair processing, for example by implementing an employee monitoring policy or by giving employees prior notice of the nature and extent of the monitoring.
4. Privacy by design: The GDPR requires employers to implement privacy by design when developing workplace technologies, in order to determine the degree of intrusion into employees’ privacy and to consider data minimization.
5. Privacy impact assessment: The GDPR requires employers to carry out an impact assessment when deploying new technologies, to determine whether the monitoring is reasonable and fair. For example, when an employer deploys mobile device management to locate devices in real time, an assessment should be made to ensure that the data processing complies with the principles of proportionality and subsidiarity.
Today’s organizations use cloud applications to manage employee data in data centers located outside the European Union, and are thus required to comply with the GDPR. In such cases, the organization must ensure an adequate level of protection for the transfer of data outside the European Union, and must ensure that subsequent access by other entities within the group remains limited to the minimum necessary for the stated purpose. Similarly, if a company uses online office applications that process personal data, it should allow employees to save their personal data in a folder marked ‘Private’ and must not access such files without prior written notice and the presence of the employee[4].
Under the GDPR, authorities have stressed prevention over detection, and have clarified on many occasions that employers should deter misuse (e.g., blocking certain websites) rather than detect misuse (e.g., continuously monitoring all communication). The latter would be considered disproportionate and not a legal ground under legitimate interest. As such, in-house counsel should prioritize prevention in order to protect their interests without encroaching on their employees’ privacy.
About the Author
Kavitha Gupta is on the steering committee of the ACC India Corporate Counsel Forum and is senior legal counsel in the aviation industry. She has nearly 15 years of experience in the technology industry and was previously senior legal counsel at Hitachi Consulting, overseeing the legal, risk management, and corporate governance aspects of the company’s business for the APAC region. She also worked with Wipro Ltd., handling global compliance for the Americas and commercial IT contracts. She is a certified privacy professional (CIPP/A) from the IAPP.
Ref: This article was first published in ACCdocket.