Understanding BYOD legal issues under European privacy and data protection law
Upcoming SlideShare
Loading in...5

Understanding BYOD legal issues under European privacy and data protection law



Presentation given during ISACA's Mobile Security Imperatives 2012 virtual conference.

Presentation given during ISACA's Mobile Security Imperatives 2012 virtual conference.



Total Views
Views on SlideShare
Embed Views



2 Embeds 3

http://www.slashdocs.com 2
http://www.docseek.net 1



Upload Details

Uploaded via as Adobe PDF

Usage Rights

© All Rights Reserved

Report content

Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

  • Full Name Full Name Comment goes here.
    Are you sure you want to
    Your message goes here
Post Comment
Edit your comment

Understanding BYOD legal issues under European privacy and data protection law Understanding BYOD legal issues under European privacy and data protection law Presentation Transcript

  • Understanding ‘BYOD’ Legal Issuesunder European Privacy and DataProtection Law Johan Vandendriessche Lawyer © TechTarget
  • BYOD / BYOT• ‘Bring your own device’ (BYOD) and ‘Bring your own technology’ (BYOT)• Legal issues – Privacy and data protection – Electronic communications – Labor law issues – Intellectual property rights / data ownership and recovery – Cybercrime – Tax law issues – Insurance• Main concern: (technical) security issue© TechTarget 2
  • Information Security• Information Security – Availability and integrity of information – Exclusivity, confidentiality and protection of information• IT & Information security law? – No consolidated set of laws and regulations • Data Protection • Cybercrime • Secrecy of (electronic) communications • Intellectual Property Rights (copyright, patents, …) • General regulations (SOX, Wassenaar Arrangements) • Sector-based or specific regulations (e.g. HIPAA, PCI DSS, MiFiD, …) – General due diligence and care obligation in civil law countries • (Indirect) Compliance obligation • (Indirect) Obligation to ensure information security?• Large contractual scope: NDAs, SLAs, IP contracts, IT policies, self-regulation, …© TechTarget 3
  • Privacy• What is privacy?• Various sources – European Convention on Human Rights – Treaty on the Functioning of the European Union (TFEU) – Charter of Fundamental Rights of the EU – National (constitutional) legislation• Privacy at work in the EU? – Telephone calls – E-mail / Use of Internet and online technology• Principle of privacy at work has been confirmed by ECHR and Article 29 Working Party – National laws implement privacy at work differently© TechTarget 4
  • Data Protection• Limitations in relation to the processing of personal data – Personal data: “any information in relation to an identified or identifiable physical person […]” • Very large legal interpretation to the concept of personal data • Not necessarily sensitive information (although stricter rules apply to special categories of personal data) – Processing: “any operation or set of operations which is performed upon personal data […]”• Purpose: impose strict (civil and criminal) liability to the entity that is processing the personal data – Data controller – Data processor (“service provider”)© TechTarget 5
  • Data Protection Principles• Processing of personal data is prohibited, unless allowed by the law• The data processing must comply with specific principles • Proportionality • Purpose limitation • Limited in time • (Individual and collective) Transparency • Data quality • Data security • (Individual and collective) Enforcement measures• No export of personal data to non-EEA countries, unless adequate protection is offered© TechTarget 6
  • Security Obligation• General security obligation – implement appropriate technical and organizational measures • Appropriate level • Measures are interchangeable – Unlawful processing • accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing. – Assessment • the state of the art and the cost of implementation • risks represented by the processing and the nature of the data to be protected© TechTarget 7
  • Security Obligation• Specific security obligations – Confidentiality – Some national legislation imposes additional security obligations• Data processor related obligations – Data processing agreement • In writing or in equivalent – Impose general security obligation onto the processor – Compliance verification© TechTarget 8
  • Future Data Protection rules• Draft Regulations – COM(2012) 11final• EU-wide application – One legal instrument for all EU Member States – ‘Direct effect’ – no implementation required – Substantial delegation to the European Commission• Additional compliance measures – Compliance program – Data protection by design and by default – Data breach notification – Data protection impact assessment – Data protection officer© TechTarget 9
  • Compliance Program• Key principle: accountability• Ensure and be able to demonstrate compliance – Adopt policies – Implement appropriate measures • Documentation • Implementing data security requirements • Performing data protection impact assessment • Prior authorization or consultation (where required) • Data protection officer (DPO) – Implement mechanisms to verify effectiveness – Verification by independent internal or external auditors, where proportionate© TechTarget 10
  • Data Breach Notification• Data breach notification duty – Data controller and data processor – Notification to supervisory authorities • Detailed information • Without undue delay and at the latest within 24 hours after becoming aware of the breach • If not within 24 hours, reasoned justification for the delay • Standard format is likely • Document data breach for verification purposes – Notification to data subjects • Likelihood of adversely impacting a data subject • Encryption may provide exemption • May be imposed by supervisory authorities© TechTarget 11
  • Data Protection Impact Assessment• When? – Specific risk to rights and freedoms of data subject • Nature • Scope • Purpose – General description – Consultation of data subjects© TechTarget 12
  • Data Protection Officer• Who? – Public authority – Large companies (>250 employees) • Groups of companies may designate a single DPO – Companies with data processing as ‘core business’ • Regular and systematic monitoring of employees• Specific guarantees for the DPO• Tasks – Advice – Monitor compliance – Contact Point© TechTarget 13
  • Right to be forgotten and to erasure• Right of the data subject to obtain erasure of personal data• Personal data on employee devices – Employee is part of data controller circle – Personal data must be removed from devices• Personal data made public – Reasonable steps, including technical measures, to inform third parties – Data controller is responsible for publication© TechTarget 14
  • BYOD Policies• Private device used for professional purposes vs. corporate device used for private purposes• Policies are a major instrument in both cases – Raise awareness (instruct) – Ensure policy enforceability (enforce) – Governing privacy expectations• Combine HR, IT and security• Contents – Scope/ eligibility (who, what, when?) – Rights and obligations of the parties involved • During contract (AUP & security) • Upon and after termination (data!)© TechTarget 15
  • BYOD Policies• Data breach related clauses – Encryption – Access to device • Data retrieval • Data wiping • Access without consent may qualify as ‘hacking’• Privacy at work related clauses – Managing privacy expectations – Implementing compliant monitoring© TechTarget 16
  • BYOD vs corporate only devices• Legal ownership of the device is generally not relevant for data protection purposes – Controller: determination of purpose and means – Devices owned by third parties can be used – Technology used and ownership thereof can have impact on security obligations• Security assessment – Proliferation of devices and data – Data recovery – Less security in case of private devices? – Increased management effort / risk? – Loss of control?© TechTarget 17
  • BYOD – the necessity of encryption• Non-BYOD precedents provide guidance for BYOD• Fine of 2.275.000 £ imposed by FSA on a UK company due to data loss by service provider (outsourced data processing) – Data loss related to 46.000 clients due to an unencrypted backup tape – No evidence that the data had been misused or compromised, but it was clear that there were no effective data protection systems in place or systems to manage the risks to the security of customer data resulting from the outsourcing arrangement© TechTarget 18
  • BYOD – the necessity of encryption• Data loss is a serious risk in most cases of BYOD – theft and loss of portable devices is very common – Security is generally less advanced on personal devices in comparison with corporate devices – Compared with (a limited number of) routine back-up tapes, the risk is higher as a result of the higher number of devices• The fine related to the absence of adequate security measures – Stolen or lost portable devices are generally re-used, rather than stolen for their data contents – The absence of encryption of the tapes was envisaged in the decision, not the loss as such• Future legal framework: mitigated data breach notification© TechTarget 19
  • BYOD – the necessity of respectingprivacy• Fines for illegal screening and monitoring of employees – Fine of 1.100.000 EUR imposed by Berlin DPA on a German company • Screening of employee and supplier data to combat corruption • Monitoring communication sent via external e-mail accounts by employees – Combined fine of approx. 1.500.000 EUR imposed by twelve German state DPAs on a German company for ‘spying’ on employees – Monitoring employees is regulated in a different manner in the EU member states • Generally based on transparency and proportionality • Involvement of Worker’s Representatives • Infringement may lead to illegally obtained evidence© TechTarget 20
  • BYOD – the necessity of respectingprivacy• Any monitoring of employees should be implemented in accordance with applicable law• Policies are a paramount instrument – Privacy expectations may be influenced / defined• Monitoring is particularly sensitive in case of BYOD, as the devices have a dual purpose (professional / private) – Monitoring, if any, should be restricted to use of the device within the employment context • Restrictions continue to apply in this context – Monitoring use of the device outside the employment context is disproportional© TechTarget 21
  • Conclusion• BYOD policy is a must – Raise awareness – Ensure enforceability of rules by supplementing (employment) contracts with policies – Covering legal & liability risks• Key data protection and privacy issues – Security – Future compliance and data breach notification duty – Monitoring employees (privacy at work)© TechTarget 22
  • Thank you for attention!© TechTarget 23