Introduction
Agenda:
- EU Directive on Data Protection and Privacy as it applies to employee data
- Compliance with the EU Directive from a German perspective and in a global environment, where employee data often crosses borders in cyberspace
- BYOD: Legal Barriers for BYOD Strategies, a Holistic Approach to Legal Compliance and Security, with an additional focus on employee data
- A brief overview of the Indian perspective
- Panel discussion
- Audience Q & A
Introduction (contd.)
- Laws that regulate the collection, use and handling of an employee's personal data in India, France and Germany
- Restrictions on the acquisition, use and maintenance of employee data
- Period of retention of employee data
- Transfer of employees' data to third parties and/or overseas
- Consequences of breaching the regulations
Overview
In Europe the common legal basis is Directive 95/46/EC of 24 October 1995.
Purpose of the planned reform of this framework:
- strengthen citizens' rights of privacy, and
- modernize the existing legal framework to take into account the new challenges of technological development and the effects of globalization.
Overview
EU countries may locally implement other rules as long as they respect the minimum provisions of the EU Directive.
The 1995 Directive is expected to be replaced, probably in 2014-2016, by a Regulation that will be automatically and identically applicable in every European country.
For employee data the employer, called the controller, is required to complete the formalities.
Role: the controller determines the purposes and means of personal data processing. Liability: the controller is responsible for compliance with the provisions of the EU Directive.
The employer, as controller, is bound by an obligation of security: it must take the necessary measures to ensure the confidentiality of the data and to prevent its disclosure to unauthorized third parties.
EMPLOYEES' RIGHTS
- Right to information
- Right of access and rectification
- Right of objection, except where local law requires the employer to collect and use the data; the objection must be based on valid reasons.
WHICH FORMALITIES? Notification to the Data Protection Authority prior to the implementation of any processing of personal data. Exemptions from or simplifications of notification can be defined by Member States.
RETENTION PERIODS
EU: for no longer than necessary to achieve the purposes for which the data are collected or processed.
France: the retention period depends on the purpose of each file. Indicative periods by type of personal data:
- Human resources and management data (social security number, name, surname, date of birth, address, personal situation of the employee): no period stated
- Video recordings: a few days to 1 month maximum after recording
- Recruitment and candidates' data: no longer than 2 years after the last contact with the person
- GSM/GPS data: usually 2 months
TRANSFER TO THIRD COUNTRIES
From a European country to a non-European country: not permitted. Exception: if an adequate level of protection is guaranteed.
In any case, the employee must have given prior consent to the international transfer of his/her personal data.
WHO MONITORS COMPLIANCE?
- A designated person (other than the controller) who ensures that processing is carried out lawfully. This appointment is not mandatory in every Member State.
- The employee.
Sanctions
Civil sanctions: the employer's liability is incurred and the employee may seek compensation for the damages suffered.
Criminal sanctions: the Directive leaves it to Member States to provide criminal sanctions.
Specific sanctions provided by French labor law:
- Inadmissibility of evidence obtained in breach of the rules
- Cancellation of the disciplinary sanction imposed
- Abusive dismissal
- Offence of obstruction if the employee representative bodies are not informed and consulted
- Possible civil action by a union or by elected employee representatives
New Proposal
Data Protection Regulation of January 25th, 2012
- Replaces and supersedes the EU Directive
- Self-executing (directly applicable in Member States), but special rules for employee data in national law remain possible (Art. 82 of the Draft Regulation)
- The previous initiative of 2011/2002 for a separate employee data protection directive was abandoned
Time schedule:
- First vote in April/May 2013
- Negotiations
- Final vote in 2014
- Implementation 2015
Germany
- Data Protection Law since 1978, without specific rules for employee data
- Before that: the first data protection law worldwide, 1970 in Hessen
- 2008/2009: surveillance scandals at Deutsche Bahn and Deutsche Telekom, leading on 01.09.2009 to the additional Section 32 BDSG, which restricts employer access to employee data
- A new draft for specific employee data protection has been postponed, but a number of issues have already been clarified by court decisions
Issues in Germany
- Consent and shop agreements
- Control of telecommunications at the workplace / private use
- Video surveillance
- Transfer of employee data
- Co-determination by the works council
- BYOD
Outlook
Globalisation: borders are no barrier to information flow, which creates legal challenges.
Thank you
Roland Falder Bird & Bird LLP Munich
Bangalore, February 14th, 2013
Legal Barriers for BYOD Strategies A Holistic Approach to Legal Compliance and Security With a focus on Employee Data
Bring Your Own Device: permitting employees to use personally owned devices to perform official tasks
- The consumerization of IT has reshaped the traditional IT landscape
- Traditional lines between work and personal life blur
- Trailblazer for BYOD: Intel in 2009
- A significant number of employees worldwide already use their own devices for work
Detecon
IT Leaders Opinion (survey charts; the figures are not reproduced in the text)
Possible Advantages
Holistic approach, four dimensions:
- Internal Compliance
- Security Requirements
- IT Requirements
- Legal Framework
Legal barriers for BYOD:
- Copyright infringements, e.g. use of unlicensed apps for work
- Labor law, e.g. overtime, involvement of the works council
- Retention periods, e.g. storage of business documents on the device
- Recovery of possession, e.g. for an audit or on suspicion of offences
- Device replacement, e.g. a defect occurring during work
PRESENTATION_BYOD_MARTIN_WIECHERS _DETECON - FINAL.PPTX
BYOD vs. Employee Data Protection: Employer Access to Data from Different Spheres
Personal data (private sphere): private email account info & passwords, browser history, photos, chat logs, spare-time location data
Company data (business sphere): business email account info & passwords, sensitive documents, business secrets
BYOD vs. Employee Data Protection: Basic Systematics of German Data Protection
German Data Protection in a Nutshell
Personal data shall mean any information concerning the personal or material circumstances of an identified or identifiable natural person (data subject).
Processing is permitted where it is permitted directly by statutory law (or, otherwise, by the data subject's consent).
BYOD vs. Employee Data Protection: Specific Provisions on Employee Data Protection are Generally Affected
BYOD generally affects personal data:
- Practically every private device contains personal data
- Personal data is affected by most IT administration tasks
Specific provision for the employment relationship, Sec. 32 para. 1 BDSG: an employee's personal data may be collected, processed or used for employment-related purposes where necessary for hiring decisions or, after hiring, for carrying out or terminating the employment contract. This covers assessments of performance and behaviour, and measures to prevent criminal offences and other violations of law.
Necessity:
Consequence:
Issues with consent:
- Voluntariness in the employment relationship is questionable: the employee's freedom of choice is de facto limited by the existential importance of the employment relationship
- Presumption that an employee's consent is seldom voluntary
- An employee will not give consent when extensive access rights to the private device are not in his or her interest
Works council (Works Constitution Act, BetrVG):
Sec. 80 para. 1: The works council shall have the following general duties: 1. to see that effect is given to Acts, ordinances, safety regulations, collective agreements and works agreements for the benefit of the employees; ...
Sec. 87 para. 1: The works council shall have a right of co-determination in the following matters in so far as they are not prescribed by legislation or collective agreement: 2. the commencement and termination of the daily working hours including breaks and the distribution of working hours among the days of the week; 6. the introduction and use of technical devices designed to monitor the behavior or performance of the employees;
BYOD vs. Employee Data Protection: Special Case, Private Email Use
If private use is permitted or tolerated, the employer is a provider of telecommunication services.
Consequence: telecommunications secrecy applies to the email account; accessing it can be a criminal offence (Sec. 206 Criminal Code). Telecommunications secrecy protects all communication partners: sender (internal and external) and receiver.
Problems:
- Control of private communication
- Death, illness, absence, leave of absence, dismissal of the employee
Container Solution:
- Business-related applications run in a dedicated container on the device; business data is stored only in this shell
- Only this container can be accessed and administered by the employer
- E.g. BlackBerry 10
Client Solution:
- Cloud or client-server based solution with the mobile device as client
- The device is used only as an interface for access to the network
- No business-related data is stored permanently on the device; after disconnecting from the server all data is wiped
- E.g. Hewlett Packard
A technical solution minimizes the risk of access to the employee's personal data. In the case of a container solution, private use of the container has to be prohibited.
Permission to participate in BYOD should depend on signing the respective policy and giving the respective consents.
BYOD does not raise genuinely new legal issues. Multinational enterprises: the strategy should be adjusted to the weakest link.
Panel Discussion
Audience Q & A
Thank You