Data Privacy & Protection: what now after the ruling of November 2005?
Data Privacy & Protection in Belgium: what now after the ruling of November 2005?
ISACA IT Security Open Forum
7 December 2005
Johan Vandendriessche
Table of contents
• A. Legislation applicable to workplace “surveillance”
• B. Contradictory interests
• C. Different forms of surveillance
• D. Control of the use of means of (tele)communication
• E. Control of the location of employees
• F. Video-surveillance
A. Belgian legislation applicable to workplace “surveillance”
• General right to privacy
• Article 22 of the Belgian Constitution
  “Everyone has the right to the respect of his private and family life, except in the cases and conditions determined by law. The laws, decrees and rulings alluded to in Article 134 guarantee the protection of this right”
• Article 8
  “Everyone has the right to respect for his private and family life, his home and his correspondence. There shall be no interference by a public authority with the exercise of this right except such as is in accordance with the law and is necessary in a democratic society in the interests of national security, public safety or the economic well-being of the country, for the prevention of disorder or crime, for the protection of health or morals, or for the protection of the rights and freedoms of others.”
A. Belgian legislation applicable to workplace “surveillance” (continued)
• Belgian labour law
• Law of 3 July 1978 concerning labour contracts
  - Article 2 and 3: an employee undertakes to perform the contract against payment of wages under the authority of the employer
  - Article 16: employer and employee owe each other respect; during the performance of the contract they must behave decently
  - Article 17: the employee must:
    • Perform his work honestly and with care, at the time and place that has been agreed
    • Act according to the orders and instructions given by the employer (concerning the performance of the contract)
    • Refrain from unfair competition and respect the confidentiality of personal or confidential information
    • Refrain from endangering his colleagues, his employer and third parties
    • Return the company property in good order
A. Belgian legislation applicable to workplace “surveillance” (continued)
• Law of 13 June 2005 on electronic communications
  - New framework for electronic communications
  - (Partially) replaces the “Belgacom law” (Law of 21 March 1991)
  - Article 124: “Without consent of all directly or indirectly involved persons, it is prohibited to
    1° intentionally obtain information about the existence of any information that has been sent by electronic means and that is not personally addressed to him;
    2° intentionally identify persons involved in the transmission of the information and the content thereof;
    3° notwithstanding the articles 122 and 123, intentionally obtain information concerning electronic communication and concerning another person;
    4° modify, delete, publish, conserve or use otherwise, the information, identification or data that has been obtained intentionally or not”
A. Belgian legislation applicable to workplace “surveillance” (continued)
• Article 125: exceptions to article 124
  - If the law permits or imposes the acts under article 124
  - If these acts are committed solely for the purpose of ensuring the correct functioning of the network and to guarantee the proper delivery of the electronic communications service
  - If the acts are committed solely for the purpose of offering the end-user a service consisting of preventing the reception of unsolicited electronic mail, provided that the required consent has been obtained
A. Belgian legislation applicable to workplace “surveillance” (continued)
• Article 314bis of the Criminal Code: “Is punishable with imprisonment of 6 months and/or a fine of 200 EUR up to 10000 EUR (x5,5):
  1° intentionally, with the aid of any equipment private communication or telecommunication to which he is not part, during the transmission thereof, intercepts himself or through a third party, obtains information thereof himself or through a third party, records himself or through a third party, without the consent of all participants thereof;
  2° or installs himself or through a third party any equipment with the intent of committing one of the acts mentioned above”
A. Belgian legislation applicable to workplace “surveillance” (continued)
• Law of 8 December 1992 on privacy protection in relation to the processing of personal data, as modified by Law of 11 December 1998
• Imposes restrictions on the processing of personal data, e.g.:
  - Principles concerning purpose, proportionality and transparency
  - Security obligations
B. Contradictory interests
• Employer
  - Financial interest
    • Efficient and productive employees
    • Preferably spending their time at work on work
• Employee
  - Respect of “privacy”
• Given the nature of the employer-employee relationship, some form of control will be exercised by the employer
• Often leads to discussions related to evidence, in case of dismissal of employee
C. Different forms of surveillance
• “Manual” surveillance: neither possible nor efficient in larger companies
• Many forms of “electronic” surveillance:
  - Surveillance of the use of means of (tele)communication (use of internet, e-mail, telephone, facsimile, …)
  - Surveillance of the use of data support (flash disks, CDs, portable hard disks, digital cameras, mobile phones with digital cameras, …)
  - Surveillance of the location of employees (geolocation by means of GPS and GSM)
  - Video-surveillance
C. Different forms of surveillance
• Use of company property and labour time: prerogative of the employer
  - Employer may prohibit the use of company property for personal use
  - Employer may allow the use of company property for personal use (subject to specific conditions)
D. Surveillance of the use of means of (tele)communication
• Surveillance purposes: distinction between professional/private communication and content/communication data
  - Collective Workers Agreement nr. 81 only mentions private communication and relates to communication data
  - Other legislation does not distinguish different forms of communication and content/communication data
D.1. Private communication
• Collective Workers Agreement nr. 81 on the monitoring of online communication of employees
• Report: the employer should be able to have access to professional communication without any formalities whatsoever
• Conclusion: CWA nr. 81 only applies to private communication?
D.1. Private communication (continued)
• Online communications data?
  - Electronic online communications data in a broad sense sent or received by an employee during the performance of his task
  - All online technologies, internal and external
  - E.g.: internet, intranet, e-mail, SMS, MMS, IM, …
• Content?
D.1. Private communication (continued)
• Proportionality
  - The infringement of the privacy of the employee must be restricted to a minimum (if unavoidable)
  - Interdiction of systematic individualisation
D.1. Private communication (continued)
• Transparency
  - Collective
    • To whom? (cascade)
      - Works council
      - Committee for prevention and protection
      - Delegation of the Labour Union
      - The employee
    • How?
    • Which information?
      - The supervision policy
      - The purposes of the monitoring
      - Conservation? Place and duration?
      - The permanent nature of the supervision
D.1. Private communication (continued)
• Transparency
  - Individual (i.e. the employee)
    • Which information?
      - All the information provided collectively
      - The conditions of use of the equipment that is at the disposal of the employee and the functional limitation thereof
      - The rights, obligations and tasks of the employee, and possible limitations to the use of communications on the network of the company
      - Sanctions, if any, provided in the “employee policy” (règlement du travail / Werkreglement)
    • How?
      - General instructions
      - Employee policy
      - Contractually
      - User policy, each time the tool is used
D.1. Private communication (continued)
• Individualisation?
  - Direct
    • Purposes 1 -> 3
  - Indirect
    • Purpose 4
D.1. Private communication (continued)
• Indirect individualisation
• Procedure
  - General information obligation to all employees (first irregularity)
  - Identification (second irregularity)
  - The concerned employee must be heard before sanctions are taken
    • Employee policy!
D.2. Professional communication
• CAO 81 does not apply?
• Article 124-125 of the Law of 13 June 2005
• Article 314bis of the Criminal Code
• Decision of Court of Appeal of Ghent 9 May 2005
  - Confirmation of earlier case law (Ghent and Brussels)
E. Surveillance of the location of employees
• Geolocation systems used to track the position of an employee
  - Position at a certain moment
  - Route
  - Speed
• Specific legislation?
  - Law of 13 June 2005 on electronic communications?
  - Draft law
E. Surveillance of the location of employees (continued)
• Evaluation under the Law of 8 December 1992 on privacy protection in relation to the processing of personal data
• Draft law on the supervision of employees by means of a monitoring system connected to a GPS navigation system for service cars, in correspondence with the law of 8 December 1992 on privacy protection in relation to the processing of personal data (pending in the Belgian Senate, doc.nr. 51/1044)
E. Surveillance of the location of employees (continued)
• Admissibility
  - Consent of the concerned data subject
  - Necessary for the purposes of the legitimate interests pursued by the controller provided that the interests or fundamental rights and freedoms of the data subject do not prevail
• Lawfulness
  - Transparency
  - Purpose
  - Proportionality
E. Surveillance of the location of employees (continued)
• The use of a monitoring system connected to a GPS navigation system in a service car used by employees is only allowed after consent of ad hoc joint committees, the common committee for government service or of the entities competent under the legislation related to collective work relationships
F. Video-surveillance
• Video-surveillance of workplace for different reasons:
  - Security
  - Control
• Cost-effective replacement for manual supervision
F. Video-surveillance (continued)
• Scope
• Video-surveillance (article 1)
  “Any security system with one or more video cameras with the purposes of supervising places or activities from a location that is geographically distanced from these places or activities, with or without conservation of the images it collects and transfers”
• Video-surveillance at the workplace
F. Video-surveillance
• Purposes:
  - Safety and health
  - The protection of company property
  - Supervision of the production processes
    • Machines: proper functioning thereof
    • Employees: evaluation and improvement of work organisation
  - Supervision of the execution of the work by the employees
F. Video-surveillance
• Permanent surveillance
  - Camera functions continuously
  - Allowed:
    • Security and health
    • Protection of company property
    • Supervision of the production processes concerning machines only
• Temporary surveillance
  - Fixed installation, but working only during one or more periods
  - Temporary installation
  - Allowed:
    • Supervision of production processes concerning employees
    • Supervision of the execution of the work by the employee
F. Video-surveillance
• Proportionality
  - Adequate, pertinent and not excessive
  - The use must be reduced to the minimum
• Procedural issues
  - Information obligation
  - Consultation obligation
  - Specific obligations in case of conservation of image footage
Thank you for your attention!
Johan Vandendriessche
Lawyer
Lontings & Partners
Tour & Taxis
Havenlaan 86 c b113
1000 Brussels
email@example.com
Tel: 02/787.90.12
Fax: 02/787.90.99