Post on 08-May-2015
Understanding ‘BYOD’ Legal Issues under European Privacy and Data Protection Law
Johan Vandendriessche
Lawyer
© TechTarget
BYOD / BYOT
• ‘Bring your own device’ (BYOD) and ‘Bring your own technology’ (BYOT)
• Legal issues
– Privacy and data protection
– Electronic communications
– Labor law issues
– Intellectual property rights / data ownership and recovery
– Cybercrime
– Tax law issues
– Insurance
• Main concern: (technical) security issue
Information Security
• Information Security
– Availability and integrity of information
– Exclusivity, confidentiality and protection of information
• IT & Information security law?
– No consolidated set of laws and regulations
• Data Protection
• Cybercrime
• Secrecy of (electronic) communications
• Intellectual Property Rights (copyright, patents, …)
• General regulations (SOX, Wassenaar Arrangement)
• Sector-based or specific regulations (e.g. HIPAA, PCI DSS, MiFID, …)
– General due diligence and care obligation in civil law countries
• (Indirect) Compliance obligation
• (Indirect) Obligation to ensure information security?
• Large contractual scope: NDAs, SLAs, IP contracts, IT policies, self-regulation, …
Privacy
• What is privacy?
• Various sources
– European Convention on Human Rights
– Treaty on the Functioning of the European Union (TFEU)
– Charter of Fundamental Rights of the EU
– National (constitutional) legislation
• Privacy at work in the EU?
– Telephone calls
– E-mail / Use of Internet and online technology
• Principle of privacy at work has been confirmed by the ECHR and the Article 29 Working Party
– National laws implement privacy at work differently
Data Protection
• Limitations in relation to the processing of personal data
– Personal data: “any information in relation to an identified or identifiable physical person […]”
• Very broad legal interpretation of the concept of personal data
• Not necessarily sensitive information (although stricter rules apply to special categories of personal data)
– Processing: “any operation or set of operations which is performed upon personal data […]”
• Purpose: impose strict (civil and criminal) liability on the entity that is processing the personal data
– Data controller
– Data processor (“service provider”)
Data Protection Principles
• Processing of personal data is prohibited, unless allowed by the law
• The data processing must comply with specific principles
• Proportionality
• Purpose limitation
• Limited in time
• (Individual and collective) Transparency
• Data quality
• Data security
• (Individual and collective) Enforcement measures
• No export of personal data to non-EEA countries, unless adequate protection is offered
Security Obligation
• General security obligation
– Implement appropriate technical and organizational measures
• Appropriate level
• Measures are interchangeable
– Unlawful processing
• Accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing.
– Assessment
• The state of the art and the cost of implementation
• Risks represented by the processing and the nature of the data to be protected
Security Obligation
• Specific security obligations
– Confidentiality
– Some national legislation imposes additional security obligations
• Data processor related obligations
– Data processing agreement
• In writing or in equivalent
– Impose general security obligation onto the processor
– Compliance verification
Future Data Protection rules
• Draft Regulation – COM(2012) 11 final
• EU-wide application
– One legal instrument for all EU Member States
– ‘Direct effect’ – no implementation required
– Substantial delegation to the European Commission
• Additional compliance measures
– Compliance program
– Data protection by design and by default
– Data breach notification
– Data protection impact assessment
– Data protection officer
Compliance Program
• Key principle: accountability
• Ensure and be able to demonstrate compliance
– Adopt policies
– Implement appropriate measures
• Documentation
• Implementing data security requirements
• Performing data protection impact assessment
• Prior authorization or consultation (where required)
• Data protection officer (DPO)
– Implement mechanisms to verify effectiveness
– Verification by independent internal or external auditors, where proportionate
Data Breach Notification
• Data breach notification duty
– Data controller and data processor
– Notification to supervisory authorities
• Detailed information
• Without undue delay and at the latest within 24 hours after becoming aware of the breach
• If not within 24 hours, reasoned justification for the delay
• Standard format is likely
• Document data breach for verification purposes
– Notification to data subjects
• Likelihood of adversely impacting a data subject
• Encryption may provide exemption
• May be imposed by supervisory authorities
Data Protection Impact Assessment
• When?
– Specific risk to rights and freedoms of data subject
• Nature
• Scope
• Purpose
– General description
– Consultation of data subjects
Data Protection Officer
• Who?
– Public authority
– Large companies (>250 employees)
• Groups of companies may designate a single DPO
– Companies with data processing as ‘core business’
• Regular and systematic monitoring of employees
• Specific guarantees for the DPO
• Tasks
– Advice
– Monitor compliance
– Contact Point
Right to be forgotten and to erasure
• Right of the data subject to obtain erasure of personal data
• Personal data on employee devices
– Employee is part of data controller circle
– Personal data must be removed from devices
• Personal data made public
– Reasonable steps, including technical measures, to inform third parties
– Data controller is responsible for publication
BYOD Policies
• Private device used for professional purposes vs. corporate device used for private purposes
• Policies are a major instrument in both cases
– Raise awareness (instruct)
– Ensure policy enforceability (enforce)
– Governing privacy expectations
• Combine HR, IT and security
• Contents
– Scope / eligibility (who, what, when?)
– Rights and obligations of the parties involved
• During contract (AUP & security)
• Upon and after termination (data!)
BYOD Policies
• Data breach related clauses
– Encryption
– Access to device
• Data retrieval
• Data wiping
• Access without consent may qualify as ‘hacking’
• Privacy at work related clauses
– Managing privacy expectations
– Implementing compliant monitoring
BYOD vs corporate only devices
• Legal ownership of the device is generally not relevant for data protection purposes
– Controller: determination of purpose and means
– Devices owned by third parties can be used
– Technology used and ownership thereof can have an impact on security obligations
• Security assessment
– Proliferation of devices and data
– Data recovery
– Less security in case of private devices?
– Increased management effort / risk?
– Loss of control?
BYOD – the necessity of encryption
• Non-BYOD precedents provide guidance for BYOD
• Fine of 2.275.000 £ imposed by the FSA on a UK company due to data loss by a service provider (outsourced data processing)
– Data loss related to 46.000 clients due to an unencrypted backup tape
– No evidence that the data had been misused or compromised, but it was clear that there were no effective data protection systems in place or systems to manage the risks to the security of customer data resulting from the outsourcing arrangement
BYOD – the necessity of encryption
• Data loss is a serious risk in most cases of BYOD
– theft and loss of portable devices is very common
– Security is generally less advanced on personal devices in comparison with corporate devices
– Compared with (a limited number of) routine back-up tapes, the risk is higher as a result of the higher number of devices
• The fine related to the absence of adequate security measures
– Stolen or lost portable devices are generally re-used, rather than stolen for their data contents
– The absence of encryption of the tapes was envisaged in the decision, not the loss as such
• Future legal framework: mitigated data breach notification
BYOD – the necessity of respecting privacy
• Fines for illegal screening and monitoring of employees
– Fine of 1.100.000 EUR imposed by the Berlin DPA on a German company
• Screening of employee and supplier data to combat corruption
• Monitoring communication sent via external e-mail accounts by employees
– Combined fine of approx. 1.500.000 EUR imposed by twelve German state DPAs on a German company for ‘spying’ on employees
– Monitoring employees is regulated in a different manner in the EU member states
• Generally based on transparency and proportionality
• Involvement of Workers’ Representatives
• Infringement may lead to illegally obtained evidence
BYOD – the necessity of respecting privacy
• Any monitoring of employees should be implemented in accordance with applicable law
• Policies are a paramount instrument
– Privacy expectations may be influenced / defined
• Monitoring is particularly sensitive in case of BYOD, as the devices have a dual purpose (professional / private)
– Monitoring, if any, should be restricted to use of the device within the employment context
• Restrictions continue to apply in this context
– Monitoring use of the device outside the employment context is disproportional
Conclusion
• BYOD policy is a must
– Raise awareness
– Ensure enforceability of rules by supplementing (employment) contracts with policies
– Covering legal & liability risks
• Key data protection and privacy issues
– Security
– Future compliance and data breach notification duty
– Monitoring employees (privacy at work)
Thank you for your attention!