U.S. AND EU Privacy and Social Media in the Workplace

Report
December 9, 2013
U.S. AND EU
PRIVACY AND SOCIAL MEDIA
IN THE WORKPLACE
PRIVACY ISSUES IN EMPLOYMENT
EU
GENERAL EUROPEAN RULES ON PRIVACY
AT WORK
•
Privacy and secrecy of correspondence

Article 8 of the European Convention for the Protection of Human
Rights and Fundamental Freedoms.

ECHR 23 November 1992, Niemitz v. Germany; ECHR 27 May
1997, Halford v. the United Kingdom:
o Private life includes professional life,
o Secrecy
of correspondence applies to all forms of
communications at or from workplace (letters on paper and
electronic communications).
EU
GENERAL EUROPEAN RULES ON PRIVACY
AT WORK
•
Protection of personal data (Directive 95/46/CE)
(i) When is the Directive applicable?



A processing…
… of personal data…
…determined by an entity established in a Member State or using
equipment located in a Member State.
EU
GENERAL EUROPEAN RULES ON PRIVACY
AT WORK
(ii) What are the main principles laid down by the Directive?
o
o
o
o
o
o
Legitimacy of processing
Quality of personal data processed
Security of the personal data
Information of the data subject
Formalities with national data protection authorities (“DPA”)
Sanctions
EU
GENERAL EUROPEAN RULES ON PRIVACY
AT WORK
(iii) Special focus on employee’s personal data processing
o
o
o
Consent of the employees is not a legitimate ground the
processing of employees’ personal data
The monitoring of the use of electronic devices in the
workplace is strictly regulated
Transfer of employees’ personal data outside the EU (and
especially to US non safe-Harbour companies) is not free
and must generally receive prior authorisation from a
European DPA.
U.S.
GENERAL PROTECTION OF
EMPLOYEE INFORMATION
•
Protection of data through regulation has generally fallen
into three categories:
o
o
o
Industry specific statutes directed towards consumers (i.e.
financial institutions)
Statutes protecting health related information
o HIPAA, GINA, ADAAA, FMLA, drug testing.
Personally identifiable information “PII” (identity theft statutes).
U.S.
GENERAL PROTECTION OF EMPLOYEE
INFORMATION: IDENTITY THEFT STATUTES
o PII: typically name or first initial and last name in
combination with social security #, driver’s license #, date
of birth, credit card #, bank account number with access
data.
Statutes generally require reasonable measures to protect data
and notification to person of data breach;
 Federal Fair Credit Reporting Act – employers who have third party
perform background checks on employees must make reasonable
measures to ensure proper disposal of consumer information from
credit report to prevent unauthorized access or use.

U.S.
GENERAL PROTECTION OF EMPLOYEE
INFORMATION: OTHER LEGAL PROTECTIONS



Electronic Communications Privacy Act, Computer Fraud & Abuse
Act, N.C.G.S. § 15A-287 (NC electronic surveillance law), N.C.G.S. §
14-458 (NC Computer Trespass Act), Tex. Penal Code § § 16.02 &
16.04 (Tex. Electronic surveillance and stored communications
laws).
Constitutional right to privacy in some states, i.e., Cal. Constitution
Art. 1, §. 1.
Common law invasion of privacy claims and “intrusion into
seclusion” claims – cf., Hall v. Post, 85 N.C. App. 610, 615 (intrusion
claims include “invading a person’s home or other private place,
eavesdropping by wiretapping. . ., peering through windows, . . . and
opening personal mail”)
U.S.
PRACTICAL ADVICE
•
Generally, employer can monitor U.S. employee
communications, obtain device access and copy/delete
company communications, provided that:
o Employer has reasonable business justification for monitoring &
device inspection activity.
o Employees voluntary granted consent to the monitoring /
inspection activity.
o Employer monitoring/review does not exceed scope of employees’
consent.
EXCEPTION #1: social media protection laws – cannot
require or request that employee provide password or access
to personal accounts.
 EXCEPTION #2: National Labor Relations Act: Cannot target
certain groups (i.e., video camera focused only on certain
employees)

U.S.
EMPLOYER’S ACCESS TO EU EMPLOYEE DATA

US – EU Safe Harbor
Voluntary self-certification with US Dept. of Commerce
 Seven principles
 Certain entities (such as banks/insurance companies)
not covered
 Similar certification under US-Swiss Safe Harbor
Framework
 Recent EU criticism of Safe Harbor framework

Model Clauses
 Binding Corporate Rules
 Express Consent

SOCIAL MEDIA IN EMPLOYMENT
U.S.
SOCIAL MEDIA IN HIRING - RISKS
•
•
•
•
May reject (or hire) based on incorrect information.
Applicant can assert that employer considered improper
information (e.g., protected class status)
Some U.S. states prohibit employers from discriminating
against employees/applicants for lawful use of lawful
products during nonworking hours (NC, NY, Colorado, others)
May run afoul of legislation prohibiting request for social
media passwords.
U.S.
PRACTICAL ADVICE: USING SOCIAL
MEDIA IN HIRING
• Think twice before doing it.
• Think twice before requesting a password, and then check
•
•
•
•
•
•
•
with your attorney.
Include release/authorization in applications (if permitted
by law).
Check terms and conditions of website being accessed.
No Pretext (do not falsify, impersonate, retrieve keystrokes
to get access).
Focus on job-relatedness of information.
Only give decisionmaker relevant information.
Retain information used for hire/no-hire decision.
Be consistent (don’t discriminate)
U.S.
PASSWORD PROTECTION STATUTES
ARK, CAL, COLO, ILL, MARYLAND, MICH, NEVADA, NJ, NM,
OREGON, UTAH, VERMONT, WASHINGTON
•
•
•
•
Prohibit requiring or requesting employee/applicant to
disclose username or password to access personal social
media.
Also prohibit requiring employee/applicant from accessing
in employer’s presence or divulging contents of personal
social media.
Many (but not Illinois) have exceptions for investigations
protecting
confidential
and
proprietary
company
information.
Critical that company does not allow employees to use
personal email for work.
U.S.
SOCIAL MEDIA DURING EMPLOYMENT: OWN IT.
•
•
•
•
Own the Company’s social media.
Don’t leave all responsibility all to one person (HMV)
Don’t forget about it. Periodically check on it. Save it.
Be careful about disciplining employees for use of
social media to complain about the workplace. Federal
NLRA protects associational rights of both union and
non-union employees, including the right to engage in
“concerted activity” for the purpose of “mutual aid or
protection”. 29 U.S.C. § 157.
U.S.
KEY STRATEGY: THE SOCIAL MEDIA POLICY
•
•
•
•
•
•
•
Every Company should have one.
Include appropriate limits on social media (nondisclosure of
company
information,
no
harassment,
employee
endorsements, etc.).
Make clear who owns what.
Prohibit use of company name in personal twitter handles,
blog names, etc.
Disclose company’s right to inspect (to the extent permitted
by law) to ensure compliance.
Inform employees of monitoring and no expectation of
privacy if company resources are used.
Have employee sign acknowledgment and consent.
U.S.
SOCIAL MEDIA POLICY—NLRB DISCLAIMER
•
Employee can file charges with the NLRB if the social media
policy has a “chilling” effect on concerted activity – even if
no employee has been disciplined for violating the policy.
Broadly prohibiting disclosure of confidential
information,
threatening
statements,
or
disparagement is bad. Specific prohibitions with
examples are good.
o NLRB: Social Media Policy Disclaimer. Specific
notice of right to engage in concerted activity and
disavowal of policies intent to interfere with or limit.
o
SOCIAL MEDIA IN THE EU
EU
SOCIAL MEDIA IN HIRING - RISKS
•
Social Media: a useful tool but not reliable



Social Media is a major recruitment tool for employers.
A lot of information on candidates is accessible online, either on
professional (LinkedIn) or personal (Facebook) Social Media.
Information is not necessarily correct and accurate, and not
necessarily originate from the candidate.
EU
SOCIAL MEDIA IN HIRING - RISKS
• Is it legal for an employer to access information posted on
Social Media by a candidate?
o
o



Consultation and collection of personal data on Social
Media may be considered as data processing
Consequently:
candidates must be informed in advance of the data
processing,
consultation and collection of personal data must be
limited to the identification and/or assessment of the
professional skills of the candidate for a specific position,
data collected must be kept only for such time as may be
required to achieve the purposes for which it was
collected.
EU
SOCIAL MEDIA IN HIRING - RISKS
•
What if a candidate publishes false information
about its career/training on Social Media?
o
o



o
The answer differs from one country to another.
From a civil law perspective, the lack of veracity of
the information might lead to a dismissal if:
the employee has been informed
the information collected was in direct relation to
the hiring,
the employee is not able to perform the tasks for
which he has been hired.
In the UK, a dismissal does not need to be
justified for employee with less than two years of
service.
EU
SOCIAL MEDIA DURING EMPLOYMENT
• Is it possible for an employer to prohibit its employee from
using Social Media during working time?




Yes and it is recommended to do so…
… BUT
in all cases, employers must respect employees’ right to
privacy at work.
employers may also face difficulties of proof.
EU
SOCIAL MEDIA DURING EMPLOYMENT
•
Is it possible for an employer to monitor the use, by an
employee, of Social Media during working time?
o
o
o
o
Permanent monitoring => compliance with Directive
95/46/CE.
The monitoring must:
 Have a legitimate purpose,
 Be proportional to this purpose,
 Be as unintrusive as possible (no automatic and
continuous monitoring),
 First carry out at a global level, an only then, if the control
reveals some misuse of Internet, impose individual
controls .
Information of employees and employees’ representatives
Formalities (notification or authorization request) with the
national data protection authority
EU
SOCIAL MEDIA DURING EMPLOYMENT
•
Is proof obtained in breach of the above valid?
o
o
o
Depends on local laws of Members States
In civil-law Member States, the answer differs depending on the
nature of the case:
 Criminal cases: generally admissible
 Civil cases: not admissible in France/ admissible in
Luxembourg and Belgium depending on the specific
circumstances of the case.
In the UK, admissible but may lead to penalties on the employer.
EU
SOCIAL MEDIA DURING EMPLOYMENT
•
Can an employer decide to dismiss an employee on the basis of
information posted by an employee on Social Media?
o
Employees’ posts on Social Media may be offensive, defamatory, or in
breach of a contractual obligation of confidentiality or sometimes also
have a bad effect on the reputation of the company.
EU
SOCIAL MEDIA DURING EMPLOYMENT
•
Can an employer decide to dismiss an employee on the
basis of information posted by an employee on Social
Media?
o
1st Key element: is the information published on Social Media public
or private?
 Mainly a matter of fact, depending on the confidentiality settings.
 French and British cases:
 Information accessible to general public = no right to privacy
(Conseil des Prud’hommes Boulogne-Billancourt (French lower
labor jurisdiction) 19 November 2010, n°09/00316).
 Information accessible to the friends but also to the employees
friends of friends = public = no right to privacy (French Court of
Appeal of Reims June 2010, n°09/3209).
 Information accessible only to the employee’s friends = private
nature = right to privacy (French High Court 10 April 2013, n°1119530; Adrian Smith v Trafford Housing Trust, 2012, British High
Court of Justice 3221 (ch)).
EU
SOCIAL MEDIA DURING EMPLOYMENT
•
Can an employer decide to dismiss an employee on the
basis of information posted by an employee on Social
Media?
o
2nd Key element: does the information published on Social
Media present a link with the employee’s functions or with the
employer?
 Information of a public nature might justify disciplinary
sanctions only if the content has a link with the employee’s
functions or with the employer:
 injuring your neighbor on Facebook has no link with the
employer,
 attending London Fashion Week during sick leave and
posting the information of Facebook has a link with the
employee’s functions (Gill vs. SAS Ground Services UK
Limited, British Employment Tribunal,2705021/09),
 expressing political opinion: no link with the employee’s
function or with the employer.
QUESTIONS?
Many thanks to Mrs Harriet Vaines, Solicitor from Davenport Lyons law office,
from her precious help regarding Social Media in the workplace in UnitedKingdom!

similar documents