Understanding BYOD legal issues under European privacy and data protection law


Presentation given during ISACA's Mobile Security Imperatives 2012 virtual conference.

Transcript of Understanding BYOD legal issues under European privacy and data protection law

Page 1: Understanding BYOD legal issues under European privacy and data protection law

Understanding ‘BYOD’ Legal Issues under European Privacy and Data Protection Law

Johan Vandendriessche

Lawyer

© TechTarget

Page 2: Understanding BYOD legal issues under European privacy and data protection law

BYOD / BYOT

• ‘Bring your own device’ (BYOD) and ‘Bring your own technology’ (BYOT)

• Legal issues

– Privacy and data protection

– Electronic communications

– Labor law issues

– Intellectual property rights / data ownership and recovery

– Cybercrime

– Tax law issues

– Insurance

• Main concern: (technical) security issue


Page 3: Understanding BYOD legal issues under European privacy and data protection law

Information Security

• Information Security

– Availability and integrity of information

– Exclusivity, confidentiality and protection of information

• IT & Information security law?

– No consolidated set of laws and regulations

• Data Protection

• Cybercrime

• Secrecy of (electronic) communications

• Intellectual Property Rights (copyright, patents, …)

• General regulations (SOX, Wassenaar Arrangement)

• Sector-based or specific regulations (e.g. HIPAA, PCI DSS, MiFID, …)

– General due diligence and care obligation in civil law countries

• (Indirect) Compliance obligation

• (Indirect) Obligation to ensure information security?

• Large contractual scope: NDAs, SLAs, IP contracts, IT policies, self-regulation, …


Page 4: Understanding BYOD legal issues under European privacy and data protection law

Privacy

• What is privacy?

• Various sources

– European Convention on Human Rights

– Treaty on the Functioning of the European Union (TFEU)

– Charter of Fundamental Rights of the EU

– National (constitutional) legislation

• Privacy at work in the EU?

– Telephone calls

– E-mail / Use of Internet and online technology

• Principle of privacy at work has been confirmed by the ECHR and the Article 29 Working Party

– National laws implement privacy at work differently


Page 5: Understanding BYOD legal issues under European privacy and data protection law

Data Protection

• Limitations in relation to the processing of personal data

– Personal data: “any information in relation to an identified or identifiable physical person […]”

• Very broad legal interpretation of the concept of personal data

• Not necessarily sensitive information (although stricter rules apply to special categories of personal data)

– Processing: “any operation or set of operations which is performed upon personal data […]”

• Purpose: impose strict (civil and criminal) liability on the entity that is processing the personal data

– Data controller

– Data processor (“service provider”)


Page 6: Understanding BYOD legal issues under European privacy and data protection law

Data Protection Principles

• Processing of personal data is prohibited, unless allowed by the law

• The data processing must comply with specific principles

• Proportionality

• Purpose limitation

• Limited in time

• (Individual and collective) Transparency

• Data quality

• Data security

• (Individual and collective) Enforcement measures

• No export of personal data to non-EEA countries, unless adequate protection is offered


Page 7: Understanding BYOD legal issues under European privacy and data protection law

Security Obligation

• General security obligation

– Implement appropriate technical and organizational measures

• Appropriate level

• Measures are interchangeable

– Unlawful processing

• Accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing

– Assessment

• The state of the art and the cost of implementation

• Risks represented by the processing and the nature of the data to be protected


Page 8: Understanding BYOD legal issues under European privacy and data protection law

Security Obligation

• Specific security obligations

– Confidentiality

– Some national legislation imposes additional security obligations

• Data processor related obligations

– Data processing agreement

• In writing or in equivalent

– Impose general security obligation onto the processor

– Compliance verification


Page 9: Understanding BYOD legal issues under European privacy and data protection law

Future Data Protection rules

• Draft Regulation – COM(2012) 11 final

• EU-wide application

– One legal instrument for all EU Member States

– ‘Direct effect’ – no implementation required

– Substantial delegation to the European Commission

• Additional compliance measures

– Compliance program

– Data protection by design and by default

– Data breach notification

– Data protection impact assessment

– Data protection officer


Page 10: Understanding BYOD legal issues under European privacy and data protection law

Compliance Program

• Key principle: accountability

• Ensure and be able to demonstrate compliance

– Adopt policies

– Implement appropriate measures

• Documentation

• Implementing data security requirements

• Performing data protection impact assessment

• Prior authorization or consultation (where required)

• Data protection officer (DPO)

– Implement mechanisms to verify effectiveness

– Verification by independent internal or external auditors, where proportionate


Page 11: Understanding BYOD legal issues under European privacy and data protection law

Data Breach Notification

• Data breach notification duty

– Data controller and data processor

– Notification to supervisory authorities

• Detailed information

• Without undue delay and at the latest within 24 hours after becoming aware of the breach

• If not within 24 hours, reasoned justification for the delay

• Standard format is likely

• Document data breach for verification purposes

– Notification to data subjects

• Likelihood of adversely impacting a data subject

• Encryption may provide exemption

• May be imposed by supervisory authorities


Page 12: Understanding BYOD legal issues under European privacy and data protection law

Data Protection Impact Assessment

• When?

– Specific risk to rights and freedoms of data subject

• Nature

• Scope

• Purpose

– General description

– Consultation of data subjects


Page 13: Understanding BYOD legal issues under European privacy and data protection law

Data Protection Officer

• Who?

– Public authority

– Large companies (>250 employees)

• Groups of companies may designate a single DPO

– Companies with data processing as ‘core business’

• Regular and systematic monitoring of employees

• Specific guarantees for the DPO

• Tasks

– Advice

– Monitor compliance

– Contact Point


Page 14: Understanding BYOD legal issues under European privacy and data protection law

Right to be forgotten and to erasure

• Right of the data subject to obtain erasure of personal data

• Personal data on employee devices

– Employee is part of data controller circle

– Personal data must be removed from devices

• Personal data made public

– Reasonable steps, including technical measures, to inform third parties

– Data controller is responsible for publication


Page 15: Understanding BYOD legal issues under European privacy and data protection law

BYOD Policies

• Private device used for professional purposes vs. corporate device used for private purposes

• Policies are a major instrument in both cases

– Raise awareness (instruct)

– Ensure policy enforceability (enforce)

– Governing privacy expectations

• Combine HR, IT and security

• Contents

– Scope / eligibility (who, what, when?)

– Rights and obligations of the parties involved

• During contract (AUP & security)

• Upon and after termination (data!)


Page 16: Understanding BYOD legal issues under European privacy and data protection law

BYOD Policies

• Data breach related clauses

– Encryption

– Access to device

• Data retrieval

• Data wiping

• Access without consent may qualify as ‘hacking’

• Privacy at work related clauses

– Managing privacy expectations

– Implementing compliant monitoring


Page 17: Understanding BYOD legal issues under European privacy and data protection law

BYOD vs corporate only devices

• Legal ownership of the device is generally not relevant for data protection purposes

– Controller: determination of purpose and means

– Devices owned by third parties can be used

– Technology used and ownership thereof can have an impact on security obligations

• Security assessment

– Proliferation of devices and data

– Data recovery

– Less security in case of private devices?

– Increased management effort / risk?

– Loss of control?


Page 18: Understanding BYOD legal issues under European privacy and data protection law

BYOD – the necessity of encryption

• Non-BYOD precedents provide guidance for BYOD

• Fine of 2.275.000 £ imposed by the FSA on a UK company due to data loss by a service provider (outsourced data processing)

– Data loss related to 46.000 clients due to an unencrypted backup tape

– No evidence that the data had been misused or compromised, but it was clear that there were no effective data protection systems in place or systems to manage the risks to the security of customer data resulting from the outsourcing arrangement


Page 19: Understanding BYOD legal issues under European privacy and data protection law

BYOD – the necessity of encryption

• Data loss is a serious risk in most cases of BYOD

– Theft and loss of portable devices is very common

– Security is generally less advanced on personal devices in comparison with corporate devices

– Compared with (a limited number of) routine back-up tapes, the risk is higher as a result of the higher number of devices

• The fine related to the absence of adequate security measures

– Stolen or lost portable devices are generally re-used, rather than stolen for their data contents

– The absence of encryption of the tapes was envisaged in the decision, not the loss as such

• Future legal framework: mitigated data breach notification
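
The encryption points on this slide, together with the ‘Data breach related clauses’ of the BYOD policy slide (encryption, access to the device, data wiping, and encryption as a possible exemption from notifying data subjects), can be made concrete with one engineering pattern: the corporate data on the employee's device lives in a container encrypted under a data-encryption key (DEK), and that DEK is stored only in wrapped form, encrypted under a key-encryption key (KEK) that the employer controls. Revoking the KEK then renders every copy of the container unreadable, while the employee's private files are never touched, which is the proportionate form of "data wiping" on a dual-purpose device. The Go program below is an added example written for this transcript; it is not code from the presentation, and the key service, the container layout, the file name and the sample content are constructed assumptions.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// ErrKeyRevoked is returned once the employer has withdrawn the wrapping key.
var ErrKeyRevoked = errors.New("wrapping key revoked: corporate container is unreadable")

// randomBytes returns n bytes from the OS CSPRNG; a failure here is fatal.
func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

// aead builds AES-256-GCM from a 32-byte key; GCM also detects altered data.
func aead(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal encrypts pt and prepends the random nonce to the ciphertext.
func seal(g cipher.AEAD, pt []byte) []byte {
	nonce := randomBytes(g.NonceSize())
	return g.Seal(nonce, nonce, pt, nil)
}

// open reverses seal; it fails on a wrong key or any change to the ciphertext.
func open(g cipher.AEAD, ct []byte) ([]byte, error) {
	if len(ct) < g.NonceSize() {
		return nil, errors.New("sealed data too short")
	}
	return g.Open(nil, ct[:g.NonceSize()], ct[g.NonceSize():], nil)
}

// KeyService stands in for the employer-side component (an MDM or key server, assumed here) holding the KEK.
type KeyService struct {
	kek     cipher.AEAD
	revoked bool
}

func NewKeyService() *KeyService {
	g, _ := aead(randomBytes(32)) // a 32-byte key is always valid for AES-256
	return &KeyService{kek: g}
}

// Unwrap recovers the container's data-encryption key (DEK), unless revoked.
func (ks *KeyService) Unwrap(wrappedDEK []byte) (cipher.AEAD, error) {
	if ks.revoked {
		return nil, ErrKeyRevoked
	}
	dek, err := open(ks.kek, wrappedDEK)
	if err != nil {
		return nil, err
	}
	return aead(dek)
}

// Revoke is the "data wiping" step: the corporate container becomes unreadable; private files are untouched.
func (ks *KeyService) Revoke() { ks.revoked = true }

// Container is the corporate data area on the device: the DEK is kept only wrapped, every file is ciphertext.
type Container struct {
	WrappedDEK []byte
	Files      map[string][]byte
}

func NewContainer(ks *KeyService) *Container {
	return &Container{WrappedDEK: seal(ks.kek, randomBytes(32)), Files: map[string][]byte{}}
}

// Put encrypts a corporate file into the container.
func (c *Container) Put(ks *KeyService, name string, content []byte) error {
	dek, err := ks.Unwrap(c.WrappedDEK)
	if err != nil {
		return err
	}
	c.Files[name] = seal(dek, content)
	return nil
}

// Get decrypts a corporate file; it needs the employer's KEK to still be live.
func (c *Container) Get(ks *KeyService, name string) ([]byte, error) {
	dek, err := ks.Unwrap(c.WrappedDEK)
	if err != nil {
		return nil, err
	}
	return open(dek, c.Files[name]) // a missing file yields nil ciphertext and fails to open
}
```

The in-memory KeyService is the assumption to replace in practice: the KEK would be held by the employer's MDM or key-management service and the unwrapped DEK would live only in the device's hardware-backed key store. Two properties matter for the slides' argument: a lost or stolen device carries only ciphertext, and revocation reaches every copy of the container at once without the employer reading or deleting anything private.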

Page 20: Understanding BYOD legal issues under European privacy and data protection law

BYOD – the necessity of respecting privacy

• Fines for illegal screening and monitoring of employees

– Fine of 1.100.000 EUR imposed by the Berlin DPA on a German company

• Screening of employee and supplier data to combat corruption

• Monitoring communication sent by employees via external e-mail accounts

– Combined fine of approx. 1.500.000 EUR imposed by twelve German state DPAs on a German company for ‘spying’ on employees

– Monitoring employees is regulated in a different manner in the EU member states

• Generally based on transparency and proportionality

• Involvement of Workers’ Representatives

• Infringement may lead to illegally obtained evidence

Page 21: Understanding BYOD legal issues under European privacy and data protection law

BYOD – the necessity of respecting privacy

• Any monitoring of employees should be implemented in accordance with applicable law

• Policies are a paramount instrument

– Privacy expectations may be influenced / defined

• Monitoring is particularly sensitive in case of BYOD, as the devices have a dual purpose (professional / private)

– Monitoring, if any, should be restricted to use of the device within the employment context

• Restrictions continue to apply in this context

– Monitoring use of the device outside the employment context is disproportionate


Page 22: Understanding BYOD legal issues under European privacy and data protection law

Conclusion

• BYOD policy is a must

– Raise awareness

– Ensure enforceability of rules by supplementing (employment) contracts with policies

– Covering legal & liability risks

• Key data protection and privacy issues

– Security

– Future compliance and data breach notification duty

– Monitoring employees (privacy at work)


Page 23: Understanding BYOD legal issues under European privacy and data protection law

Thank you for your attention!
