To BYOD or not to BYOD? Legal checklist under European / Belgian law

1. What is BYOD ?

BYOD comes in “different shades of grey”.

• “bring your own device” : employees are allowed to use their privately owned hard- and software. IT-applications and company data of the employer are made available on the platform of the end-user.
• “choose your own device” : the employer still provides the hardware and the employee can choose e.g. the model.
• “smuggle your own device” : this means that people are using a second tablet, smartphone or tablet, and use that one also for company purposes next to the one provided by the employer.

2. Employee – Employer relationship

If the user is an employee (not self-employed or contractor) one must bear in mind the classical principles of labour law, such as:

• depending on the size of the company: who has to be involved in the company’s BYOD policy (e.g. employee’s representatives)?
• depending on the extent of the BYOD policy: is it a change in the employee’s working conditions?
• in some cases one may even take into account the legislation about minimum safety and health requirements for work with display screen equipment
• to what extent can the employer monitor and control the smartphone, laptop, or tablet? See also “employee privacy” below.
• when a company-owned device is lost or stolen, the company’s IT department can remotely wipe it. But is the company allowed to erase a smartphone or laptop owned and paid for by the employee?

3. Employee Privacy

Is the company allowed to access personal e-mails and text messages (SMS) on a personal smartphone or tablet used for work?

The same goes for browsing history, installed software and other data?

There is a large regulatory framework in this area, including the Data Protection Act of 1992, some opinions of the Privacy Commission, and Collective Bargaining Agreement 81 protecting the privacy of employees relative to controls on electronic online communications in the private sector workplace. The latter allows employers to carry out certain controls on their employees’ Internet and e-mail use. It is not permitted to consult the content of such use. In the workplace, the employer may oversee Internet and e-mail use in order to accomplish four objectives:

1. To trace any improper Internet or e-mail use.
2. To protect the interests of the employer, which could mean being able to detect whether any sensitive information is being leaked to competitors.
3. To oversee the security and proper functioning of the ICT network, e.g. protection against malware, viruses etc.
4. To check whether internally agreed rules on Internet use (policies, employment contract, ..) are being adhered to.

Only in the first 3 cases the employer can focus his investigation on a particular employee to check who is in breach. In the 4th case, the employer must first notify the staff with a general warning. Only if one finds that there’s been an abuse, it is allowed to identify the employee but the party concerned must be confronted in private first before receiving a sanction or being fired.

4. Security

Here also, there are several regulatory requirements that you must take into account:

• data protection legislation :

A breach of IT-security could easily also cause a breach of internal (financial and reporting) control. The Data Protection Directive of 1995 imposes an explicit obligation for adequate security on every company that processes personal data (data about physical persons, such as names, addresses, financial data, etc.). Pursuant to this obligation, the controllers and processors of such personal data should take 'appropriate' security measures.

'Appropriate' or 'adequacy' in this context is measured according to 4 criteria:

- the measures should be 'state-of-the-art'
- the nature of the data has to be taken into account (stricter for financial data, health data, etc. compared to mere contact data)
- the measures should be in line with the potential risks (financial institutions are often a target for hackers)
- the investments have to be proportional to the potential of the controller or the processor.

• electronic communications legislation

If companies provide publicly available communications services over public networks (internet, mobile payments via cellular phones etc.) there are similar legal security obligations that are contained in the EU Electronic Communications Directive.

• general duty of care

Every person and every company have a general duty of care. If the lack of appropriate security measures leads to damages for third parties, the liability of the company which omitted to apply best practices may be involved. Contrary to the specific legal security obligations described above in the specific laws, the general liability can to a certain extent be reduced by liability disclaimers that have to be carefully drafted.

• the new EU data protection regulation ?

On 25 January 2012, the European Commission has officially released its proposal for a comprehensive reform of the 1995 data protection rules on personal data processing. The proposed Regulation has been published on the European Commission’s website. Should the proposed Regulation ultimately be adopted, it would then become directly applicable across the whole European Union’s territory after a transition period of two years.

• also for data controllers from outside the European Union

Theoretically the proposed Regulation would not only be applicable to data controllers established in the EU. As with the current Directive, it also extends its scope of application to the processing of personal data of data subjects residing in the EU by a controller who is not established in the EU.

5. Data breaches

In the newly envisaged European data protection regulation, the security breach notification introduced for public network operators and service providers by a European directive of 2009 would be extended to all data controllers:

• As soon as a controller becomes aware that a personal data breach has occurred, he would be obliged to notify this breach to the competent supervisory authority without undue delay and, where feasible, within 24 hours.
• The individuals whose personal data could be adversely affected by the breach would also have to be notified without undue delay in order to allow them to take the necessary precautions.

Companies can try to protect themselves by taking security measures (identity and access control, encrypt data, allow remote wipe, password-protection, company wide imposed measures against viruses and malware, deleting temporary files, …).

Having a BYOD policy featuring those measures will help protect information and allow the organisation to defend itself against claims if a data breach does occur. Moreover it is advisable to embed technical measures in a carefully balanced BYOD-policy, certainly when dealing with employees (labour law and employee privacy issues).

6. Tax and social security

For tax purposes (under Belgian law) BYOD could be considered under the umbrella of “extralegal advantages”. Financial compensation for the use of the own device may under certain conditions be considered as a "cost proper to the employer" implying that no tax or social security are due.

7. Supplier license issues

An important aspect that may not be forgotten is the impact of BYOD on your existing IT-supplier contracts, including issues such as:

• does the company’s software license (volume license etc) allow extra devices? Price?
• desktop virtualisation issues
• if the company’s IT is outsourced (e.g. support, maintenance): does BYOD imply an extra cost for the company?

It is likely that some software licenses and also hardware and software support contracts must be adapted to suit the BYOD needs.

8. Company’s liability for employee activity

In principle the liability of an employee is limited. The employer is held liable for damage caused to third parties by the employee during the execution of the employment contract. However the employer can claim back from the employee the compensation it paid if the damage caused by the employee is caused by fraud, a serious fault or a ‘frequently occurring minor fault’. Without a clear BYOD-policy, the employer may find it challenging to gather proof of unacceptable, or even illegal, employee activity.

In addition, during the course of an investigation or monitoring because of a work-related issue, one may come across illegal personal content. It should be clear for the company’s IT department what they should do in that case in order not to engage the company’s liability.

9. Exiting employees

An employee is legally obligated to respect the company’s secrets, business secrets etc and to keep them confidential even after termination of his employment contract. If he doesn’t, he may even face criminal charges.

In addition, companies often require employees, and freelancers or contractors, to sign confidentiality agreements (NDA’s) to keep them from taking trade secrets, lists of sales leads and other proprietary data to competitors or to start their own competing business. Enforcing all this and gathering proof of a breach of confidentiality, becomes a challenge when people store proprietary information on their own personal smartphones or tablets. Therefore, a BYOD policy should require employees to let the company inspect their device when they leave the company to ensure that all of confidential information has been deleted.

10. Regulated sectors

If your company is active in a regulated sector, such as banking, & finance, insurance, or in the pharmaceutical or health sector, there may be specific requirements related to data confidentiality and security.

11. Best Practices

It is advisable to draft a carefully balanced policy that can be enforced against the employee. Just as in an Internet policy or social media policy the BYOD policy should warn employees about what might be monitored and what action will be taken in case an infringement is suspected.

Policies should be well balanced and not contain any illegal monitoring or controlling mechanism or disproportionate sanctions. Otherwise, there’s a danger that any evidence gathered might be excluded in court. This means that any evidence for an immediate dismissal (“motif grave” / “dringende reden”) is unusable. Obviously, BYOD can be integrated into already existing policies e.g. Acceptable Use Policies (not only for internet and email, but also for mobile devices etc.), Social Media policy, Internet-policy.

Don’t hesitate to contact us for more info or legal advice about BYOD, social media, email & Internet use of employees etc.