1. What is BYOD?
BYOD comes in “different shades of grey”.
2. Employee – Employer relationship
If the user is an employee (not self-employed or contractor) one must bear in mind the classical principles of labour law, such as:
3. Employee Privacy
Is the company allowed to access personal e-mails and text messages (SMS) on a personal smartphone or tablet used for work?
Does the same apply to browsing history, installed software and other data?
There is a large regulatory framework in this area, including the Data Protection Act of 1992, several opinions of the Privacy Commission, and Collective Bargaining Agreement 81, which protects the privacy of employees with respect to controls on electronic online communications in the private-sector workplace. The latter allows employers to carry out certain controls on their employees’ Internet and e-mail use, but it does not permit them to consult the content of that use. In the workplace, the employer may oversee Internet and e-mail use in order to accomplish four objectives:
Only in the first three cases can the employer focus the investigation on a particular employee to check who is in breach. In the fourth case, the employer must first notify the staff with a general warning. Only if an abuse is then found may the employee be identified, and the person concerned must first be confronted in private before receiving a sanction or being dismissed.
Here also, there are several regulatory requirements that you must take into account:
A breach of IT security could easily also cause a breach of internal (financial and reporting) control. The Data Protection Directive of 1995 imposes an explicit obligation of adequate security on every company that processes personal data (data about natural persons, such as names, addresses, financial data, etc.). Pursuant to this obligation, the controllers and processors of such personal data must take 'appropriate' security measures.
'Appropriateness' or 'adequacy' in this context is measured against four criteria:
- the measures should be 'state-of-the-art'
- the nature of the data has to be taken into account (stricter for financial data, health data, etc. compared to mere contact data)
- the measures should be in line with the potential risks (financial institutions are often a target for hackers)
- the investments have to be proportionate to the means of the controller or the processor.
If companies provide publicly available communications services over public networks (Internet, mobile payments via cellular phones, etc.), similar legal security obligations are contained in the EU Electronic Communications Directive.
Every person and every company has a general duty of care. If the lack of appropriate security measures leads to damages for third parties, the liability of the company that omitted to apply best practices may be engaged. Contrary to the specific legal security obligations described above, this general liability can to a certain extent be reduced by carefully drafted liability disclaimers.
On 25 January 2012, the European Commission officially released its proposal for a comprehensive reform of the 1995 data protection rules on personal data processing. The proposed Regulation was published on the European Commission’s website. Should the proposed Regulation ultimately be adopted, it would become directly applicable across the whole territory of the European Union after a transition period of two years.
In theory the proposed Regulation would not only apply to data controllers established in the EU. As with the current Directive, it also extends its scope to the processing of personal data of data subjects residing in the EU by a controller who is not established in the EU.
5. Data breaches
In the newly envisaged European data protection regulation, the security breach notification introduced for public network operators and service providers by a European directive of 2009 would be extended to all data controllers:
Companies can try to protect themselves by taking security measures (identity and access control, data encryption, remote wipe capability, password protection, company-wide measures against viruses and malware, deletion of temporary files, …).
Having a BYOD policy featuring those measures will help protect information and allow the organisation to defend itself against claims if a data breach does occur. Moreover, it is advisable to embed the technical measures in a carefully balanced BYOD policy, certainly when dealing with employees (labour law and employee privacy issues).
6. Tax and social security
For tax purposes (under Belgian law) BYOD could be considered under the umbrella of “extralegal advantages”. Financial compensation for the use of one's own device may under certain conditions be considered a "cost proper to the employer", implying that no tax or social security contributions are due.
7. Supplier license issues
An important aspect that must not be forgotten is the impact of BYOD on your existing IT supplier contracts, including issues such as:
It is likely that some software licenses and also hardware and software support contracts must be adapted to suit the BYOD needs.
8. Company’s liability for employee activity
In principle the liability of an employee is limited. The employer is held liable for damage caused to third parties by the employee during the execution of the employment contract. However, the employer can claim back from the employee the compensation it paid if the damage was caused by fraud, a serious fault or a ‘frequently occurring minor fault’. Without a clear BYOD policy, the employer may find it challenging to gather proof of unacceptable, or even illegal, employee activity.
In addition, during the course of an investigation or of monitoring because of a work-related issue, one may come across illegal personal content. It should be clear to the company’s IT department what they should do in that case so as not to engage the company’s liability.
9. Exiting employees
An employee is legally obliged to respect the company’s secrets, business secrets, etc. and to keep them confidential even after termination of the employment contract. Employees who fail to do so may even face criminal charges.
In addition, companies often require employees, and freelancers or contractors, to sign confidentiality agreements (NDAs) to keep them from taking trade secrets, lists of sales leads and other proprietary data to competitors or using them to start their own competing business. Enforcing all this and gathering proof of a breach of confidentiality becomes a challenge when people store proprietary information on their own personal smartphones or tablets. Therefore, a BYOD policy should require employees to let the company inspect their device when they leave the company, to ensure that all confidential information has been deleted.
10. Regulated sectors
If your company is active in a regulated sector, such as banking and finance, insurance, or the pharmaceutical or health sector, there may be specific requirements related to data confidentiality and security.
11. Best Practices
It is advisable to draft a carefully balanced policy that can be enforced against the employee. Just as in an Internet policy or social media policy, the BYOD policy should warn employees about what might be monitored and what action will be taken if an infringement is suspected.
Policies should be well balanced and must not contain any illegal monitoring or control mechanism or disproportionate sanctions. Otherwise, there is a danger that any evidence gathered might be excluded in court, which means that any evidence for an immediate dismissal (“motif grave” / “dringende reden”) would be unusable. BYOD can of course be integrated into already existing policies, e.g. Acceptable Use Policies (not only for Internet and e-mail, but also for mobile devices, etc.), a Social Media policy, or an Internet policy.
Don’t hesitate to contact us for more info or legal advice about BYOD, social media, email & Internet use of employees etc.