REMOTE WORKING & DATA PROTECTION: WHERE LEGITIMATE BUSINESS INTERESTS END AND PRIVACY BEGINS

There must be a balance struck between the legitimate business interests of the employer and an employee’s right to privacy. For an employee’s data to be processed, the employee must have provided the data controller/employer with their consent. Consent in the context of data protection is provided for under Article 6 of the General Data Protection Regulation 2016 (“GDPR”), which expressly provides that the processing of a person’s data is lawful provided the data subject/employee has given their consent. Remote working casts serious doubt over the issue of consent because of the disparity of power between the employer and employee and the employee’s financial dependence upon the employer. The European advisory board on data protection has stated the following:

“employees are seldom in a position to freely give, refuse or revoke consent, given the dependency that results from the employee/employer relationship. Unless in exceptional situations, employers will have to rely on another legal ground than consent, such as the necessity to process the data for their legitimate interest”.

Remote Working and the Risks Posed

The technologies available to employees for working remotely are constantly improving, and if data protection principles are not adhered to, there is a risk that the legitimate interests of a business may turn into “unjustifiable and intrusive monitoring”.

It is essential that, where an employer introduces technologies designed to facilitate remote working, a Data Protection Impact Assessment is conducted. This will ensure that the processing of an employee’s personal data due to such technology does not infringe on an employee’s rights and freedoms. The increase in remote working will now inevitably bring monitoring systems that have existed in workplaces into the private life of an employee. The European advisory board has stated the following in the context of remote working:

“employers may think there is a justification for deploying software packages … that have capabilities of, for example, logging keystrokes and mouse movements, screen capturing (either randomly or at set intervals) … enabling webcams and collecting footage thereof … the processing involved in such technologies are disproportionate and the employer is very unlikely to have a legal ground”

If an employee can demonstrate that their rights under the General Data Protection Regulation have been infringed as a result of an employer’s failure to comply with their obligations under GDPR then that employee may bring a data protection action against that organisation. A data protection action, if successful, may result in a declaration of such an infringement against an employer in addition to financial compensation.

When do an Employer’s legitimate business interests end and the employee’s right to privacy begin?

When an employer relies upon the legitimate interests of a business to process an employee’s data they must comply with the principles of proportionality. The employer must consider what data is necessary to conduct their business. When an employer’s data processing extends beyond the legitimate interests of the business the employer will run the risk of breaching an employee’s right to privacy.

In order to illustrate this point, the case of Bărbulescu v Romania [2017] ECHR 742 provides considerable guidance. In this case, the employee had been employed as an engineer in charge of sales. The employer informed the employee that his Yahoo Messenger communications had been monitored and had shown that he had used Yahoo Messenger for personal reasons, which was against company policy. In view of this, the employer terminated his employment, relying upon their internal regulations which prohibited the use of their computers for personal reasons. The employee brought proceedings to the Grand Chamber of the European Court of Human Rights alleging a breach of Article 8 of the European Convention on Human Rights (“ECHR”) which protects an individual’s right to respect for family life.

The Court noted that Yahoo Messenger was a form of communication which allowed a person to live a private social life and therefore fell within the ambit of Article 8 of the ECHR. The Court noted that the extent of the monitoring was never outlined to the employee, nor was he informed that the employer may have access to the content of the Yahoo messages. The Court further stated that although the employee was aware that the use of computers for personal purposes was prohibited, he had never been informed that his communications would be monitored. The Court was critical of the employer’s policy on internet usage in that it did not clearly outline the extent of the monitoring effected by the employer.

Acceptable Usage Policies – Internet & Email

The above demonstrates the importance of clearly drafted acceptable internet usage policies in addition to the importance of complying with the principles contained in the General Data Protection Regulation. It is essential that a policy adheres to these principles and has been clearly explained to an employee upon commencement of employment.

Anyone wishing to read the above opinion of the European advisory board on data protection may do so by accessing www.ec.europa.eu.