The forthcoming commencement of the General Data Protection Regulation and the High Court’s recent referral of the Schrems case to the CJEU highlight the ongoing importance of Data Protection issues. Peter Murphy looks at a recent opinion of WP29.
What is WP29?
The Article 29 Working Party (WP29) is an independent, European advisory body on Data Protection and Privacy established by the 1995 Directive. Its role is to provide guidance on Directives. It looks to harmonise the application of data protection rules throughout the Union.
What has the WP29 done?
On 8th June the WP29 issued Opinion 2/2017 on data processing at work. This article will look briefly at Opinion 2/2017 and its conclusions.
What does Opinion 2/2017 say?
Opinion 2/2017 looks to complement Opinion 8/2001 – the seminal Opinion of WP29. Technology has obviously progressed rapidly since then, which has had a massive impact on the workplace. This Opinion, mindful of GDPR, looks to assess the legitimate interests of employers and the reasonable privacy expectations of employees in respect of new technologies.
In summary the Opinion states:
- employers should always bear in mind the fundamental data protection principles, irrespective of the technology used;
- the contents of electronic communications made from business premises enjoy the same fundamental rights protections as analogue communications;
- consent is highly unlikely to be a legal basis for data processing at work, unless employees can refuse without adverse consequences;
- performance of a contract and legitimate interests can sometimes be invoked, provided the processing is strictly necessary for a legitimate purpose and complies with the principles of proportionality and subsidiarity;
- employees should receive effective information about the monitoring that takes place; and
- any international transfer of employee data should take place only where an adequate level of protection is provided.
Conclusions
The Opinion sets out a number of points for employers to be mindful of. The fact that an employer owns an electronic device does not rule out the right of employees to secrecy of their communications and related location. Employers should also be aware that, because of the imbalance in the relationship, employee consent to monitoring of their devices is almost never free and cannot be relied on. While legitimate interest can be relied on, it must be shown that it is proportionate. Employers' measures should be transparent, and the policies and rules concerning them must be clear and readily accessible. It is also noted that the use of “the cloud” will result in the international transfer of employee data. This should only take place where an adequate level of protection is ensured and the data shared outside of the EU/EEA is limited to the minimum necessary for the intended purposes.
While there are still uncertainties around data processing and the GDPR, what is sure is that it is an important and expanding area, and one which all Employment lawyers must be aware of.