Data Privacy & Protection in Belgium: what now
after the ruling of November 2005?
ISACA
IT Security Open Forum
7 December 2005
Johan Vandendriessche
Table of contents
• A. Legislation applicable to workplace “surveillance”
• B. Contradictory interests
• C. Different forms of surveillance
• D. Control of the use of means of
(tele)communication
• E. Control of the location of employees
• F. Video-surveillance
A. Belgian legislation applicable to
workplace “surveillance”
• General right to privacy
• Article 22 of the Belgian Constitution: “Everyone has the right to the respect of his private and family life, except in the cases and conditions determined by law. The laws, decrees and rulings alluded to in Article 134 guarantee the protection of this right”
• Article 8 of the European Convention on Human Rights: “Everyone has the right to respect for his private and family life, his home and his correspondence. There shall be no interference by a public authority with the exercise of this right except such as is in accordance with the law and is necessary in a democratic society in the interests of national security, public safety or the economic well-being of the country, for the prevention of disorder or crime, for the protection of health or morals, or for the protection of the rights and freedoms of others.”
A. Belgian legislation applicable to
workplace “surveillance” (continued)
• Belgian labour law
• Law of 3 July 1978 concerning labour contracts
Articles 2 and 3: an employee undertakes to perform the contract against payment of wages under the authority of the employer
Article 16: employer and employee owe each other respect; during the performance of the contract they must behave decently
Article 17: the employee must:
• Perform his work honestly and with care, at the time and place that has been agreed
• Act according to the orders and instructions given by the employer (concerning the performance of the contract)
• Refrain from unfair competition and respect the confidentiality of personal or confidential information
• Refrain from endangering his colleagues, his employer and third parties
• Return the company property in good order
A. Belgian legislation applicable to
workplace “surveillance” (continued)
• Law of 13 June 2005 on electronic communications
New framework for electronic communications
(Partially) replaces the “Belgacom law” (Law of 21 March 1991)
Article 124: “Without consent of all directly or indirectly involved persons, it is prohibited to:
1° intentionally obtain information about the existence of any information that has been sent by electronic means and that is not personally addressed to him;
2° intentionally identify persons involved in the transmission of the information and the content thereof;
3° notwithstanding the articles 122 and 123 intentionally obtain information concerning electronic communication and concerning another person;
4° modify, delete, publish, conserve or use otherwise, the information, identification or data that has been obtained intentionally or not”
A. Belgian legislation applicable to
workplace “surveillance” (continued)
Article 125: exceptions to article 124
If the law permits or imposes the acts under article 124
If these acts are committed solely for the purpose of
ensuring the correct functioning of the network and to
guarantee the proper delivery of the electronic
communications service
If the acts are committed solely for the purpose of offering
the end-user a service consisting of preventing the reception
of unsolicited electronic mail, provided that the required
consent has been obtained
A. Belgian legislation applicable to
workplace “surveillance” (continued)
• Article 314bis of the Criminal Code:
“Punishable with imprisonment of 6 months and/or a fine of 200 EUR up to 10000 EUR (x5,5) is whoever:
1° intentionally, with the aid of any equipment, intercepts, obtains information about or records, himself or through a third party, a private communication or telecommunication to which he is not a party, during the transmission thereof, without the consent of all participants thereto;
2° or installs, himself or through a third party, any equipment with the intent of committing one of the acts mentioned above”
A. Belgian legislation applicable to
workplace “surveillance” (continued)
• Law of 8 December 1992 on privacy protection in
relation to the processing of personal data, as
modified by Law of 11 December 1998
• Imposes restrictions on the processing of personal data, e.g.:
Principles concerning purpose, proportionality and
transparency
Security obligations
B. Contradictory interests
• Employer: financial interest
• Efficient and productive employees
• Preferably spending their time at work on work
• Employee: respect of “privacy”
• Given the nature of the employer-employee relationship, some form of control will be exercised by the employer
• Often leads to discussions related to evidence, in case of dismissal of the employee
C. Different forms of surveillance
• “Manual” surveillance: neither possible nor efficient in larger companies
• Many forms of “electronic” surveillance:
Surveillance of the use of means of (tele)communication
(use of internet, e-mail, telephone, facsimile, …)
Surveillance of the use of data storage media (flash disks, CDs, portable hard disks, digital cameras, mobile phones with digital cameras, …)
Surveillance of the location of employees (geolocation by
means of GPS and GSM)
Video-surveillance
C. Different forms of surveillance
• Use of company property and labour time:
prerogative of the employer
Employer may prohibit the use of company property for
personal use
Employer may allow the use of company property for
personal use (subject to specific conditions)
D. Surveillance of the use of means of
(tele)communication
• Surveillance purposes: distinction between
professional/private communication and
content/communication data
Collective Workers Agreement nr. 81 only mentions private
communication and relates to communication data
Other legislation does not distinguish different forms of
communication and content/communication data
D.1. Private communication
• Collective Workers Agreement nr. 81 on the
monitoring of online communication of employees
• Report: the employer should be able to have access
to professional communication without any formalities
whatsoever
• Conclusion: CWA nr. 81 only applies to private
communication?
D.1. Private communication (continued)
• Online communications data?
Electronic online communications data in a broad sense sent
or received by an employee during the performance of his
task
All online technologies, internal and external
E.g.: internet, intranet, e-mail, SMS, MMS, IM, …
• Content?
D.1. Private communication (continued)
• Purposes
The prevention of unlawful acts, libel and acts contrary to
decency
The protection of economic, commercial and financial
confidential interests of the company
The maintenance of the technical performance of the
computer system
The control of the respect of the terms of use of the
computer system
D.1. Private communication (continued)
• Proportionality
The infringement of the privacy of the employee must be
restricted to a minimum (if unavoidable)
Interdiction of systematic individualisation
D.1. Private communication (continued)
• Transparency
Collective
• To whom? (cascade)
- Works council
- Committee for prevention and protection
- Delegation of the Labour Union
- The employee
• How?
• Which information?
- The supervision policy
- The purposes of the monitoring
- Conservation? Place and duration?
- The permanent nature of the supervision
D.1. Private communication (continued)
• Transparency
Individual (i.e. the employee)
• Which information?
- All the information provided collectively
- The conditions of use of the equipment that is at the disposal of the employee and the functional limitation thereof
- The rights, obligations and tasks of the employee, and possible limitations to the use of communications on the network of the company
- Sanctions, if any, provided in the “employee policy” (règlement du travail / Werkreglement)
• How?
- General instructions
- Employee policy
- Contractually
- User policy, each time the tool is used
D.1. Private communication (continued)
• Individualisation?
Direct
• Purposes 1 -> 3
Indirect
• Purpose 4
D.1. Private communication (continued)
• Indirect individualisation
• Procedure
General information obligation to all employees (first
irregularity)
Identification (second irregularity)
The concerned employee must be heard before sanctions
are taken
• Employee policy!
D.2. Professional communication
• CAO 81 does not apply?
• Articles 124-125 of the Law of 13 June 2005
• Article 314bis of the Criminal Code
• Decision of Court of Appeal of Ghent 9 May 2005
Confirmation of earlier case law (Ghent and Brussels)
E. Surveillance of the location of employees
• Geolocation systems used to track the position of an
employee
Position at a certain moment
Route
Speed
• Specific legislation?
Law of 13 June 2005 on electronic communications?
Draft law
E. Surveillance of the location of employees
(continued)
• Evaluation under the Law of 8 December 1992 on
privacy protection in relation to the processing of
personal data
• Draft law on the supervision of employees by means
of a monitoring system connected to a GPS
navigation system for service cars, in
correspondence with the law of 8 December 1992 on
privacy protection in relation to the processing of
personal data (pending in the Belgian Senate, doc.nr.
51/1044)
E. Surveillance of the location of employees
(continued)
• Admissibility
Consent of the concerned data subject
Necessary for the purposes of the legitimate interests
pursued by the controller provided that the interests or
fundamental rights and freedoms of the data subject do not
prevail
• Lawfulness
Transparency
Purpose
Proportionality
E. Surveillance of the location of employees
(continued)
• The use of a monitoring system connected to a GPS
navigation system in a service car used by
employees is only allowed after consent of ad hoc
joint committees, the common committee for
government service or of the entities competent
under the legislation related to collective work
relationships
F. Videosurveillance
• Video-surveillance of workplace for different reasons:
Security
Control
• Cost-effective replacement for manual supervision
F. Videosurveillance (continued)
• Scope
• Video-surveillance (article 1)
“Any security system with one or more video cameras with
the purposes of supervising places or activities from a
location that is geographically distanced from these places
or activities, with or without conservation of the images it
collects and transfers”
• Video-surveillance at the workplace
F. Videosurveillance
• Purposes:
Safety and health
The protection of company property
Supervision of the production processes
• Machines: proper functioning thereof
• Employees: evaluation and improvement of work organisation
Supervision of the execution of the work by the employees
F. Videosurveillance
• Permanent surveillance
Camera functions continuously
Allowed:
• Security and health
• Protection of company property
• Supervision of the production processes concerning machines only
• Temporary surveillance
Fixed installation, but working only during one or more periods
Temporary installation
Allowed:
• Supervision of production processes concerning employees
• Supervision of the execution of the work by the employee
F. Videosurveillance
• Proportionality
Adequate, pertinent and not excessive
The use must be reduced to the minimum
• Procedural issues
Information obligation
Consultation obligation
Specific obligations in case of conservation of image footage
Thank you for your attention!
Johan Vandendriessche
Lawyer
Lontings & Partners
Tour & Taxis
Havenlaan 86 c b113
1000 Brussels
Tel: 02/787.90.12
Fax: 02/787.90.99