Microsoft Office 365 and Azure have GDPR related features and mechanisms implemented and available for several month now. Google admins and users wishing to implement GDPR solutions, have been left to wait until today. That is very late.
“Even if in the case that the EU Safe Harbour 2.0 passes soon, I think that the general climate is a preference for data locality, and even if the regulations are cleared and there’s a path forward for legal transfer of data, I think that the appetite for the Europeans to have local data has increased.”
It’s enough to drive a regular IT market watcher to the point of despair. There has been a wide-ranging change in the way business operates driven by technology transformation — could there ever be a more obvious statement to make, ever? Continue reading →
Digital privacy at the workplace is actually something everyone should at least be thinking about. And not just high-profile folks in the limelight of the media, but all of us. In fact, these issues arguably affect us the commuting work-a-day masses far more than the power brokers. If you lose your job because of emails you sent, you’ll probably find yourself in a precarious situation.
Let us begin this discussion by first acknowledging the following: As an employee, you have entered into an agreement to rent your brain and body to a company in return for a salary. Your HR department may attempt to sugarcoat this sad fact of adulthood with free coffee in the break room or the occasional “Tapas Tuesday,” but you are essentially just a (replaceable) tool your company uses to create a product or provide a service. It is therefore in your company’s interest to get as much out of their tools (i.e. you) as possible. And that often takes the form of monitoring of your digital behavior.
Unfortunately, there aren’t a lot of universal hard-fact rules regarding privacy and employment. This is because there’s a messy patchwork of overlapping laws at the state, and local level, many of which were conceived and codified long before anyone was even aware of what an “e-mail” was.
Therefore, few universal pronouncements can be made and the courts tend to rule on a case-by-case basis in a “very fact-specific” manner, according to a law professor, who helped us highlight six general principles about using digital communication in the workplace. Please keep in mind that aspects of this laws have been actively evolving both in US and EU. Until now that is, when we count last “days of freedom” before 25 may 2018 and the GDPR.
1. Don’t say anything that could get you fired over company email.
As a general rule, an employer can’t intentionally access digital communications when you have a reasonable expectation of privacy. But ask yourself if your privacy expectations match up with that of the law.
One place you should probably expect to be monitored is when using company email. If you are using a company-issued computer to access company email stored on company-owned servers, you shouldn’t have an expectation of privacy. All those communications are basically your employer’s property.
Courts also look to what your company’s email policy says in deciding whether you reasonably expected privacy for your emails. It matters, for example, if that policy clearly says that workers can’t use company computers for personal email activity, and that they will be monitored.
If any of this is news to you, hopefully you haven’t been emailing anything that you wouldn’t want your boss to find out about.
2. Personal email accounts on third-party servers are protected, even if you access them on a company-owned computer.
If you use your company’s computer to check your private, password-protected email (i.e. one that lives on a third-party server like Gmail), then it is probably protected. There’s a Electronic Communications Privacy Act —that bans your employer (and others) from deliberately accessing that email without your permission. But. There are many court cases in which employees accessed private email through a company computer and an employer wanted to monitor these activities. The court found that these emails were inadmissible as they were accessed without the employee’s authorization in violation of the Stored Communications Act.
3. Employers can’t require that employees (or potential employees) give them access to their social media accounts.
As much as you might want to know if your current or potential employees are getting up to any shenanigans in their spare time, you—in a growing number of jurisdictions —won’t be able to request or require them to give you access to their social media accounts so you can find out. In fact, many countries are working on laws specifically making this practice illegal (surely based on no small part from lobbying and legal efforts of Facebook itself).
4. You can be fired because of what you post on social media.
As with email, an employer can’t use your work computer to directly access your social media accounts without your approval. But just because an employer can’t access your Facebook or Instagram accounts, it doesn’t mean they can’t use your social media to judge—and possibly even fire or discipline—you.
If your social media is password protected and the employer gains access without your authorization, that’s against the law. However, if there’s no privacy setting and you make your postings available to the world, it’s going to be harder for you to argue privacy.
5. BYOD (Bring Your Own Device) is a big confusing mess.
Many people use their own personal phone and tablet at work and will use these devices to access company email as well as other company documents. This is known as a “Bring Your Own Device” (or BYOD) setup. And when it comes to monitoring, unfortunately there’s not a lot we can do to guide you.
So, how far can your employer go to monitor your activity on a device that you purchased and use for your own personal communications? It’s TBD.
If your employer is intercepting or accessing your communications on your personal electronic device and you haven’t given them authorization to do so, then there is a risk that activity is going to violate the law.
6. Civil servants have protections that private employees do not.
Since their employer happens to be the government, public employees are protected from intrusion in many cases where private employees are not. Specifically, public employees would have the protection, which “protects a person from ‘unreasonable searches’ of their ‘persons, houses, papers, and effects,’ and also limits public employers to only ‘reasonable searches’ of the digital communications of their employees.
Of course, what counts as “reasonable” varies a lot by the kind of civil servants work setting. But for those of us employed in the private sector this just doesn’t apply.