itechlaw 9th international asian conference

Upload: lawquest

Post on 03-Apr-2018


  • 7/28/2019 ItechLaw 9th International Asian Conference

    1/68

    ITechLaw 9th International Asian Conference

    Privacy Issues Relating to Employee Data

    February 14 and 15, 2013

    Introduction

    EU Directive on Data Protection and Privacy as it applies to employee data

    Compliance with the EU Directive from a German perspective (and in a global environment when employee data often crosses borders in cyberspace)

    BYOD - Legal Barriers for BYOD Strategies - A Holistic Approach to Legal Compliance and Security with an additional focus on employee data

    A brief overview of the Indian perspective

    Panel discussion

    Audience Q & A

    Introduction (contd.)

    Laws that regulate the collection, use and handling of an employee's personal data in India, France and Germany

    Restrictions on the acquisition, use and maintenance of employee data

    Period of retention of employee data

    Transfer of employees' data to third parties and/or overseas

    Consequences of breaching the regulations

    Employee data protection issues: Privacy issues relating to employees

    ITECHLAW BANGALORE CONFERENCE

    14th and 15th February 2013

    1. Overview of the European regulations

    Overview

    In Europe the common legal basis is:

    Directive 95/46 of 24th October 1995

    Purpose of this Regulation:

    strengthen citizens' rights of privacy and,

    modernize the existing legal framework to take into account new challenges of the development of new technologies and the effect of globalization.

    EU countries may locally implement other rules as long as they respect the minimum provisions of the EU Directive.

    Such 1995 Directive should be replaced probably in 2014-2016 by a Regulation that will be automatically and identically applicable in each European country.

    2. Scope of the Directive

    Scope of the Directive

    WHICH PERSONAL DATA IS CONCERNED?

    The notion of personal data is very wide:

    It may involve important data (social security number, family status, etc.) as much as innocuous data, such as the name, the date of birth, the address of the employee, etc.

    Definition of "personal data" by the Directive: personal information relating to an identified or identifiable person, directly or indirectly, by reference to an identification number or to one or more specific factors (physical, physiological, mental, economic, cultural or social identity).

    Employees' data collected by employers are most often needed in the daily management of employees within a company (social security number, surname, name, date of birth, address, etc.)

    The employer cannot generally collect sensitive data, i.e. data relating to racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, health or sexual life.

    Scope of the Directive

    WHICH PROCESSING OF FILE OF EMPLOYEES' DATA IS CONCERNED?

    ANY AUTOMATED PROCESSING of personal data contained on ANY FILE is likely to be concerned by the Directive.

    Examples:

    Excel file: any database;

    Word file: any list (e.g. employees' career record);

    Online business directory;

    Any type of file on computers, phone or any electronic device;

    GPS;

    Biometric systems;

    Video recording;

    Etc.

    General rule: ANYONE can not collect ANYTHING.

    For employees' data, the employer, called the controller, is required to proceed with the formalities.

    Role: controller determines the purposes and means of personal data processing.

    Liabilities: controller is in charge of the compliance with the EU Directive's provisions.

    HOW ARE THESE DATA COLLECTED AND PROCESSED?

    Principle of proportionality and purpose

    Protection of the legitimate interests.

    Proportionality to the goals.

    Principles of privacy and security

    The employer, as a controller, is bound by an obligation of safety. He must take the necessary measures to ensure the confidentiality of data and prevent its disclosure to unauthorized third parties.

    EMPLOYEES' RIGHTS

    Right to information

    Right of access and rectification

    Right of objection: except if local laws request the employer to collect and use it; the objection must be based on valid reasons.

    WHICH FORMALITIES?

    Notification to the Data Protection Authority prior to the implementation of a processing of personal data.

    Exemptions or simplifications of notification can be defined by Member States.

    3. Maximum period of conservation of employees' personal data

    EU: for no longer than necessary to achieve the purposes for which data are collected or processed.

    France: period of conservation depends on the purpose of each file.

    Maximum period of conservation of employees' personal data

    Type of personal data: Period of conservation

    Human resources and management data (social security number, name, surname, DOB, address, personal situation of the employee): No longer after the termination of employment contract

    Video recordings: Few days to 1 month maximum after recording

    Recruitment, candidates' data: No longer than 2 years after the last contact with the person

    GSM/GPS data: Usually 2 months

    !! Burden of proof and statute of limitations

    4. RESTRICTION OF INTERNATIONAL TRANSFER OF EMPLOYEES' PERSONAL DATA

    International transfer of employees' data

    IS THERE ANY RESTRICTION TO AN INTERNATIONAL TRANSFER OF PERSONAL DATA?

    From one European Country to another European Country: YES

    From a European Country to a non-European Country: NO

    Exception: if an adequate level of protection is granted.

    In any case, the employee must have given prior consent to the international transfer of his/her personal data.

    5. CONTROL OF COLLECTION AND PROCESSING OF EMPLOYEES' PERSONAL DATA

    Control of collection and processing of employees' data

    By the local Data Protection Authority.

    By a designated person who ensures the process is carried out lawfully (other than the controller). This appointment is not mandatory in each Member State.

    By the employee.

    6. SANCTIONS FOR VIOLATION OF THE EMPLOYER'S OBLIGATIONS

    Specific sanctions provided by French Labor law:

    Inadmissibility of evidence obtained

    Cancellation of the disciplinary sanction imposed

    Abusive dismissal

    Offence of obstruction if employees' representative organizations are not informed and consulted

    Possible civil action of a union / elected employees

    Thank you for your attention!

    Frédérique David

    Partner - TLD Legal

    Privacy Issues relating to Employee Data in Germany

    EU Employee Data Protection

    Roland Falder

    Bird & Bird LLP

    Munich

    Bangalore, February 14th, 2013

    General Concepts of Privacy

    Historical background

    Government/State

    Private Individuals/companies

    Right to determine which information is available about Individual

    Art. 12 Universal Declaration of Human Rights:

    No one shall be subjected to arbitrary interference with his privacy, family, home or correspondence, nor to attacks upon his honor and reputation. Everyone has the right to the protection of the law against such interference or attacks.

    Government/State:

    Europe: Fascism, Communism

    UK/US: Cold War, War on Terror

    Authoritarian Regimes

    Private Individuals/Companies:

    Free market approach vs. consumer protection approach

    Current legal situation in EU

    Data Protection Directive (Directive 95/46/EC)

    Requires member states to enact laws that observe the limits set by the Directive

    National Data Protection Laws

    Directive itself only marginally relevant for employee data protection

    New Proposal

    Data Protection Regulation January 25th, 2012

    Replaces and supersedes EU-Directive

    Self-executing (directly applicable in member states)

    but: special rules for employee data in national laws possible (Art. 82 Draft Regulation)

    Previous initiative 2011/2002 for employee Data Protection Directive abandoned

    General Purpose and Highlights

    a) Harmonization of the rules throughout EU to make compliance easier for Non-EU-countries

    but: stricter compliance regime with severe penalties

    b) - Extended scope: if personal data of EU-residents are processed outside EU

    - European Data Protection board coordinates DPAs (of which only one is responsible for each company)

    - New rules on Privacy by design and default, Data Protection impact assessments, Data Protection Officers

    - Consent based approach (Employment law exemptions)

    - Heavy fines (up to 2 % of annual global sales revenue)

    - Right to be forgotten

    - Data Portability

    Time schedule:

    First vote in April/May 2013

    Negotiations

    Final Vote in 2014

    Implementation 2015

    Germany

    Data Protection Law (since 1978) without specific rules for employee data

    before: 1st data protection law (worldwide) 1970 in Hessen

    2008/2009 Surveillance scandal at Deutsche Bahn and Deutsche Telekom

    => 01.09.2009 additional Article 32 restricted employer access to employee data

    New draft for specific employee data protection postponed, but a number of issues already clarified by court decisions

    Issues in Germany

    Consent and Shop Agreements

    Control of Telecommunication at work place/private use

    Video Surveillance

    Transfer of employee data

    Co-Determination by works council

    BYOD

    Outlook

    Globalisation

    Borders no barrier for information flow

    legal challenges

    Thank you

    Roland Falder

    Bird & Bird LLP

    Munich

    Bangalore, February 14th, 2013

    We make ICT strategies work

    Legal Barriers for BYOD Strategies

    A Holistic Approach to

    Legal Compliance and Security

    With a focus on Employee Data

    Martin Wiechers

    Detecon International GmbH

    BYOD: Introduction and Overview

    Bring Your Own Device: Permitting employees to use personally owned devices to perform official tasks

    Consumerization of IT has reshaped traditional IT landscape

    Traditional lines between work and personal life blur

    Trailblazer for BYOD: Intel in 2009

    Significant number of employees worldwide already uses own devices for work

    Businesses simply can't block the trend.

    BYOD as Worldwide Trending Topic

    BYOD Market Overview and Perception

    [Charts: Devices Used to Access Business Applications; IT Leaders Opinion; Company IT Support for Employee-Owned Devices; Global Internet Device Sales]

    BYOD: The Pros and Cons

    Possible Advantages

    + Reduced Capital Expenditure (CAPEX)

    + Lower administration costs / management efforts

    + Familiarity with Device = Increased employee acceptance

    + Productivity increase: Willingness to use device in spare time (risk: claims for overtime compensation)

    + Access to business applications independent from employee's location

    Possible Disadvantages

    - Increase in operational expenditure (OPEX)

    - Incompatibilities due to heterogeneous device landscape

    - Security risks

    - Taxation issues

    - Works council involvement

    - Germany / EU: Company remains responsible entity for data processing; technical and organizational measures difficult to establish on device

    - Germany / EU: Access restrictions due to secrecy of telecommunications and data protection

    Designing BYOD-Strategies: Initial Thoughts

    Legal Framework

    Management Goals

    Internal Compliance

    Security Requirements

    IT Requirements

    BYOD: A Legal Minefield?

    BYOD-Strategies have a Multitude of Legal Implications

    Data Protection Issues: e.g. access to employees' personal data

    Copyright Infringements: e.g. use of unlicensed Apps for work

    Labor Law: e.g. overtime, involvement of works council

    Retention Periods: e.g. storage of business documents on device

    Recovery of Possession: e.g. audit or suspicions of offences

    Device Replacement: e.g. defect occurring during work

    BYOD vs. Employee Data Protection: Employer Access to Data from Different Spheres

    Personal Data vs. Company Data

    Personal Data: Photos; Account Info & Passwords; Browser History; Chat Protocols; Spare Time Location Data; Private Email

    Company Data: Business Secrets; Account Info & Passwords; Sensitive Documents; Business Email

    BYOD vs. Employee Data Protection: Basic Systematics of German Data Protection

    German Data Protection in a Nutshell

    Sec. 3 para. 1 BDSG (Federal Data Protection Act):

    Personal data shall mean any information concerning the personal or material circumstances of an identified or identifiable natural person (data subject).

    Sec. 4 para. 1 BDSG: Processing of personal data only if

    Permitted directly by statutory law

    Approval from affected person, Sec. 4a BDSG

    Everything is prohibited unless expressly allowed.

    BYOD vs. Employee Data Protection: Specific Provisions on Employee Data Protection are Generally Affected

    BYOD generally affects Personal Data

    Generally every private device contains personal data

    Personal data affected by most IT-administrative tasks

    Specific Provision for employment relationship, Sec. 32 para. 1 BDSG:

    An employee's personal data may be collected, processed or used for employment-related purposes where necessary for hiring decisions or, after hiring, for carrying out or terminating the employment contract.

    Every state of employment relationship covered:

    Assessments of performance and behaviour

    Measures to prevent criminal offences and other violations of law

    BYOD vs. Employee Data Protection: Employee's Consent Required

    BYOD generally affects Personal Data

    Necessity:

    Collection/processing/use of personal data permitted if directly necessary for employment relationship

    Narrow interpretation of necessity: Task impossible without data

    Consequence:

    BYOD processing of personal data is mostly not necessary in legal sense

    Generally consent of employee required to perform IT admin tasks on device

    Violation of personal data is no acceptable collateral damage of BYOD!

    BYOD vs. Employee Data Protection: but Consent Unlikely to be granted

    BYOD generally affects Personal Data

    Prerequisites of a valid consent (Sec. 4a BDSG):

    Declaration of the affected individual that is

    voluntary

    for the specific case

    given in complete awareness of the individual circumstance

    Issues:

    Voluntariness in employment relationship questionable

    Employee's freedom of choice de facto limited by existential meaning of employment relationship

    Presumption that consent of employee is seldom voluntary

    Employee will not provide consent as extensive access rights to private device are not favourable

    Implementing BYOD Strategies: Works Council Involvement

    Works Council has Right to Participate

    Right to Control according to Sec. 80 BetrVG (Works Constitution Act):

    The works council shall have the following general duties:

    1. to see that effect is given to Acts, ordinances, safety regulations, collective agreements and works agreements for the benefit of the employees; [...]

    Right of co-determination according to Sec. 87 para. 1 no. 2 & no. 6 BetrVG:

    (1) The works council shall have a right of co-determination in the following matters in so far as they are not prescribed by legislation or collective agreement:

    2. the commencement and termination of the daily working hours including breaks and the distribution of working hours among the days of the week;

    6. the introduction and use of technical devices designed to monitor the behavior or performance of the employees;

    BYOD vs. Employee Data Protection: Special Case: Private Email Use

    If private use is permitted/tolerated, employer is provider of telecommunication services

    Consequence: telecommunications secrecy applies regarding email account

    Access can be criminal offence (Sec. 206 Criminal Code)

    Telecommunications secrecy protects all communication partners

    Sender (internal and external) and receiver

    Problems:

    Control of private communication

    Death, illness, absence, leave of absence, dismissal

    Successful Implementation Requires Holistic Approach Based on Applicable Legal Framework

    Combination of Technical and Policy Solution Preferable

    Container Solution:

    Business related applications in dedicated container on device, business data only stored in this shell

    Only this container can be accessed and administrated by employer

    E.g. Blackberry 10

    Strict technical separation between different working environments (Private Apps and Data / Work Apps and Data)

    Successful Implementation Requires Holistic Approach Based on Applicable Legal Framework

    Combination of Technical and Policy Solution Preferable

    Client Solution:

    Cloud/client-server-based solution with mobile device as client

    Device is only used as interface for access to network

    No business related data is stored permanently on device

    After disconnecting from server all data is wiped

    E.g. Hewlett Packard

    Permission to participate in BYOD should depend on signing respective policy and giving respective consents

    Successful Implementation Requires Holistic Approach Based on Applicable Legal Framework

    Combination of Technical and Policy Solution Preferable

    Technical Solution minimizes risk of access to employee's personal data

    In case of container solution private use of device has to be prohibited for container

    Employer retains full control and access rights

    Permission to participate in BYOD should depend on signing respective policy and giving respective consents

    BYOD Strategies: Conclusion

    International perspective: BYOD is today's reality

    Legal framework must be basis for strategy development

    Security, Internal Compliance, IT and Business have to align

    BYOD does not raise genuinely new legal issues

    Multinational Enterprises: Strategy should be adjusted to weakest link

    Implementation requires multidisciplinary knowledge/team

    Good understanding of big picture opens potential for massive increase of revenues for legal advisory

    Thank you very much!

    Martin Wiechers

    Detecon International GmbH

    Sternengasse 14-16

    50676 Cologne (Germany)

    Phone: +49 221 9161-1899

    Mobile: +49 151 46718873

    The Indian Scenario

    India does not have specific laws to protect an individual's privacy including data privacy

    Courts have upheld privacy rights under Article 21 of the Indian Constitution vis-à-vis the government

    The Information Technology Act, 2000 provides some protection for electronic data

    Consumer courts have upheld privacy rights against individuals and entities

    No specific laws to protect employee data

    The Indian Scenario

    No need for employers to issue a privacy policy applicable to employee data

    Employers should retain employee data for at least three years (laws of limitation)

    Income Tax (IT) laws allow the IT department to initiate proceedings within 7 years of a relevant assessment year, so companies usually retain employee data for 8 years

    No restriction on transferring data to third parties or overseas

    Courts have sometimes placed restrictions on the transfer of health related employee data

    The Indian Scenario

    Employees could make tort claims for breach of data privacy

    Employees could also stake a claim for breach of data in electronic records under the Information Technology Act, 2000

    Last year the Shah Committee, appointed by the Indian Government, released its report on privacy.

    The Shah Committee Report recommends some significant changes which may be implemented in laws to come

    Panel Discussion

    Audience Q & A


    Thank You