EU GENERAL EUROPEAN RULES ON PRIVACY AT WORK Privacy and secrecy of correspondence Article 8 of the European Convention for the Protection of Human Rights and Fundamental Freedoms. ECHR 23 November 1992, Niemitz v. Germany; ECHR 27 May 1997, Halford v. the United Kingdom: o Private life includes professional life, o Secrecy of correspondence applies to all forms of communications at or from workplace (letters on paper and electronic communications).
EU GENERAL EUROPEAN RULES ON PRIVACY AT WORK Protection of personal data (Directive 95/46/CE) (i) When is the Directive applicable? A processing… … of personal data… …determined by an entity established in a Member State or using equipment located in a Member State.
EU GENERAL EUROPEAN RULES ON PRIVACY AT WORK (ii) What are the main principles laid down by the Directive? o Legitimacy of processing o Quality of personal data processed o Security of the personal data o Information of the data subject o Formalities with national data protection authorities (“DPA”) o Sanctions
EU GENERAL EUROPEAN RULES ON PRIVACY AT WORK (iii) Special focus on employee’s personal data processing o Consent of the employees is not a legitimate ground the processing of employees’ personal data o The monitoring of the use of electronic devices in the workplace is strictly regulated o Transfer of employees’ personal data outside the EU (and especially to US non safe-Harbour companies) is not free and must generally receive prior authorisation from a European DPA.
U.S. GENERAL PROTECTION OF EMPLOYEE INFORMATION Protection of data through regulation has generally fallen into three categories: o Industry specific statutes directed towards consumers (i.e. financial institutions) o Statutes protecting health related information o HIPAA, GINA, ADAAA, FMLA, drug testing. o Personally identifiable information “PII” (identity theft statutes).
U.S. GENERAL PROTECTION OF EMPLOYEE INFORMATION: IDENTITY THEFT STATUTES o PII: typically name or first initial and last name in combination with social security #, driver’s license #, date of birth, credit card #, bank account number with access data. Statutes generally require reasonable measures to protect data and notification to person of data breach; Federal Fair Credit Reporting Act – employers who have third party perform background checks on employees must make reasonable measures to ensure proper disposal of consumer information from credit report to prevent unauthorized access or use.
Electronic Communications Privacy Act, Computer Fraud & Abuse Act, N.C.G.S. § 15A-287 (NC electronic surveillance law), N.C.G.S. § 14-458 (NC Computer Trespass Act), Tex. Penal Code § § 16.02 & 16.04 (Tex. Electronic surveillance and stored communications laws). Constitutional right to privacy in some states, i.e., Cal. Constitution Art. 1, §. 1. Common law invasion of privacy claims and “intrusion into seclusion” claims – cf., Hall v. Post, 85 N.C. App. 610, 615 (intrusion claims include “invading a person’s home or other private place, eavesdropping by wiretapping..., peering through windows,... and opening personal mail”) U.S. GENERAL PROTECTION OF EMPLOYEE INFORMATION: OTHER LEGAL PROTECTIONS
Generally, employer can monitor U.S. employee communications, obtain device access and copy/delete company communications, provided that: o Employer has reasonable business justification for monitoring & device inspection activity. o Employees voluntary granted consent to the monitoring / inspection activity. o Employer monitoring/review does not exceed scope of employees’ consent. EXCEPTION #1: social media protection laws – cannot require or request that employee provide password or access to personal accounts. EXCEPTION #2: National Labor Relations Act: Cannot target certain groups (i.e., video camera focused only on certain employees) U.S. PRACTICAL ADVICE
US – EU Safe Harbor Voluntary self-certification with US Dept. of Commerce Seven principles Certain entities (such as banks/insurance companies) not covered Similar certification under US-Swiss Safe Harbor Framework Recent EU criticism of Safe Harbor framework Model Clauses Binding Corporate Rules Express Consent
U.S. SOCIAL MEDIA IN HIRING - RISKS May reject (or hire) based on incorrect information. Applicant can assert that employer considered improper information (e.g., protected class status) Some U.S. states prohibit employers from discriminating against employees/applicants for lawful use of lawful products during nonworking hours (NC, NY, Colorado, others) May run afoul of legislation prohibiting request for social media passwords.
U.S. PRACTICAL ADVICE: USING SOCIAL MEDIA IN HIRING Think twice before doing it. Think twice before requesting a password, and then check with your attorney. Include release/authorization in applications (if permitted by law). Check terms and conditions of website being accessed. No Pretext (do not falsify, impersonate, retrieve keystrokes to get access). Focus on job-relatedness of information. Only give decisionmaker relevant information. Retain information used for hire/no-hire decision. Be consistent (don’t discriminate)
U.S. PASSWORD PROTECTION STATUTES ARK, CAL, COLO, ILL, MARYLAND, MICH, NEVADA, NJ, NM, OREGON, UTAH, VERMONT, WASHINGTON Prohibit requiring or requesting employee/applicant to disclose username or password to access personal social media. Also prohibit requiring employee/applicant from accessing in employer’s presence or divulging contents of personal social media. Many (but not Illinois) have exceptions for investigations protecting confidential and proprietary company information. Critical that company does not allow employees to use personal email for work.
U.S. SOCIAL MEDIA DURING EMPLOYMENT: OWN IT. Own the Company’s social media. Don’t leave all responsibility all to one person (HMV) Don’t forget about it. Periodically check on it. Save it. Be careful about disciplining employees for use of social media to complain about the workplace. Federal NLRA protects associational rights of both union and non-union employees, including the right to engage in “concerted activity” for the purpose of “mutual aid or protection”. 29 U.S.C. § 157.
U.S. KEY STRATEGY: THE SOCIAL MEDIA POLICY Every Company should have one. Include appropriate limits on social media (nondisclosure of company information, no harassment, employee endorsements, etc.). Make clear who owns what. Prohibit use of company name in personal twitter handles, blog names, etc. Disclose company’s right to inspect (to the extent permitted by law) to ensure compliance. Inform employees of monitoring and no expectation of privacy if company resources are used. Have employee sign acknowledgment and consent.
U.S. SOCIAL MEDIA POLICY—NLRB DISCLAIMER Employee can file charges with the NLRB if the social media policy has a “chilling” effect on concerted activity – even if no employee has been disciplined for violating the policy. o Broadly prohibiting disclosure of confidential information, threatening statements, or disparagement is bad. Specific prohibitions with examples are good. o NLRB: Social Media Policy Disclaimer. Specific notice of right to engage in concerted activity and disavowal of policies intent to interfere with or limit.
EU SOCIAL MEDIA IN HIRING - RISKS Social Media: a useful tool but not reliable Social Media is a major recruitment tool for employers. A lot of information on candidates is accessible online, either on professional (LinkedIn) or personal (Facebook) Social Media. Information is not necessarily correct and accurate, and not necessarily originate from the candidate.
EU SOCIAL MEDIA IN HIRING - RISKS Is it legal for an employer to access information posted on Social Media by a candidate? o Consultation and collection of personal data on Social Media may be considered as data processing o Consequently: candidates must be informed in advance of the data processing, consultation and collection of personal data must be limited to the identification and/or assessment of the professional skills of the candidate for a specific position, data collected must be kept only for such time as may be required to achieve the purposes for which it was collected.
EU SOCIAL MEDIA IN HIRING - RISKS What if a candidate publishes false information about its career/training on Social Media? o The answer differs from one country to another. o From a civil law perspective, the lack of veracity of the information might lead to a dismissal if: the employee has been informed the information collected was in direct relation to the hiring, the employee is not able to perform the tasks for which he has been hired. o In the UK, a dismissal does not need to be justified for employee with less than two years of service.
EU SOCIAL MEDIA DURING EMPLOYMENT Is it possible for an employer to prohibit its employee from using Social Media during working time? Yes and it is recommended to do so… … BUT in all cases, employers must respect employees’ right to privacy at work. employers may also face difficulties of proof.
EU SOCIAL MEDIA DURING EMPLOYMENT Is it possible for an employer to monitor the use, by an employee, of Social Media during working time? o Permanent monitoring => compliance with Directive 95/46/CE. o The monitoring must: Have a legitimate purpose, Be proportional to this purpose, Be as unintrusive as possible (no automatic and continuous monitoring), First carry out at a global level, an only then, if the control reveals some misuse of Internet, impose individual controls. o Information of employees and employees’ representatives o Formalities (notification or authorization request) with the national data protection authority
EU SOCIAL MEDIA DURING EMPLOYMENT Is proof obtained in breach of the above valid? o Depends on local laws of Members States o In civil-law Member States, the answer differs depending on the nature of the case: Criminal cases: generally admissible Civil cases: not admissible in France/ admissible in Luxembourg and Belgium depending on the specific circumstances of the case. o In the UK, admissible but may lead to penalties on the employer.
EU SOCIAL MEDIA DURING EMPLOYMENT Can an employer decide to dismiss an employee on the basis of information posted by an employee on Social Media? o Employees’ posts on Social Media may be offensive, defamatory, or in breach of a contractual obligation of confidentiality or sometimes also have a bad effect on the reputation of the company.
EU SOCIAL MEDIA DURING EMPLOYMENT Can an employer decide to dismiss an employee on the basis of information posted by an employee on Social Media? o 1st Key element: is the information published on Social Media public or private? Mainly a matter of fact, depending on the confidentiality settings. French and British cases: Information accessible to general public = no right to privacy (Conseil des Prud’hommes Boulogne-Billancourt (French lower labor jurisdiction) 19 November 2010, n°09/00316). Information accessible to the friends but also to the employees friends of friends = public = no right to privacy (French Court of Appeal of Reims June 2010, n°09/3209). Information accessible only to the employee’s friends = private nature = right to privacy (French High Court 10 April 2013, n°11- 19530; Adrian Smith v Trafford Housing Trust, 2012, British High Court of Justice 3221 (ch)).
EU SOCIAL MEDIA DURING EMPLOYMENT Can an employer decide to dismiss an employee on the basis of information posted by an employee on Social Media? o 2nd Key element: does the information published on Social Media present a link with the employee’s functions or with the employer? Information of a public nature might justify disciplinary sanctions only if the content has a link with the employee’s functions or with the employer: injuring your neighbor on Facebook has no link with the employer, attending London Fashion Week during sick leave and posting the information of Facebook has a link with the employee’s functions (Gill vs. SAS Ground Services UK Limited, British Employment Tribunal,2705021/09), expressing political opinion: no link with the employee’s function or with the employer.