Employment and privacy law issues
What employment issues must companies consider in deciding whether to switch to the bring your own device (BYOD) model?
The BYOD model is not yet regulated by French employment law or by case law. It is therefore possible to analyse BYOD only through the prism of more general employment law rules, including the provisions relating to remote working.
The following issues are likely to be raised by the use of the BYOD model.
Provision of equipment and compensation
Under French law, employers are responsible for providing all devices necessary for employees to perform the employment contract. Consequently, an employer cannot make it mandatory for employees to use their own equipment to perform their tasks, and employees' prior consent must be obtained before the employer switches to BYOD.
Although there are no specific legal provisions or case law on whether employees must be compensated for using their own devices at work, some commentators recommend that employees receive a specific indemnity for BYOD use, as French employment law already requires for employees who work remotely.
Monitoring of working hours
BYOD may make the monitoring of working hours more complicated, as it blurs the line between employees' professional and personal lives. For employees working from company premises, BYOD has no impact: working hours are controlled in the same way whether employees use their own devices or company devices. For employees working from home with their own devices, however, it is much harder for the employer to control working hours, and in particular the exposure to overtime pay (as is the case for all employees working from home). One approach is to measure working time as a fixed number of days worked per year ('convention annuelle de forfait jours') and to state in the employment contract that the company will contact the employee only during a specified time window, and that outside that window the employee has a right to disconnect (ie, a right not to be contacted or expected to respond).
In addition, if BYOD is used by employers in order to geolocate employees using the geolocation tools available on most devices (eg, in the case of mobile workers), such use must be proportionate and comply with data protection rules. For example, geolocation can be used only where necessary in light of the employee's function.
Protection of private life
Under French law, all files and emails on an employee's computer are presumed to be professional. This means that the employer can access all employee files unless they are explicitly identified as personal. If an employee's personal device is used for professional purposes, the employer should in principle be able to access the professional documents and emails it contains. However, because the device is also a personal device, the employer risks infringing the employee's private life when accessing data stored on it. Recent case law tends to allow such monitoring of a personal device where that device is used in a professional context (eg, a personal USB key connected to a professional computer).
Non-discrimination
French employment law prohibits discrimination against employees during the recruitment process and in the course of the employment relationship. Employers must therefore ensure that a candidate's ownership of a device that could be used for professional purposes, or a candidate's willingness to use his or her own device at work, is not a criterion for hiring or not hiring that candidate, or for treating an employee differently during the employment relationship.
Are there any specific issues that organisations with a global presence, or those in highly regulated sectors, should bear in mind?
There are no specific rules concerning the use of the BYOD model in highly regulated sectors in France.
However, any BYOD model must comply with the banking and insurance provisions relating to the internal control system. These rules, in particular those implementing the EU Capital Requirements Directive IV (Order of November 3 2014) and the EU Solvency II Directive (Ordinance 2015-378 of April 2 2015) into French law, impose specific obligations on the information systems of insurance and financial institutions. These institutions must set up information systems that allow full control and tracking of information flows and that safeguard the security, integrity and confidentiality of the information. A personal device that can hold or access such information therefore falls within the scope of the institution's internal control system and must be covered by its inventory, access controls and audit trail.
In addition, the Monetary and Financial Code provides for banking secrecy and confidentiality obligations (Articles L511-33 and L522-19 of the code). Banking secrecy applies to ‘personal/nominative information’, which is defined as any information that allows for the identification of a customer when such information is not publicly accessible. This mainly concerns information relating to the customer’s identity (eg, address, name or age), financial situation and banking transactions (eg, balances and transactions on a customer's account).
A bank employee using his or her own device for professional purposes must therefore pay attention to any situation in which the confidentiality or security of data on the device may be compromised, in order to avoid breaching banking secrecy and confidentiality obligations.
Despite the lack of specific rules on the BYOD model in other regulated sectors (eg, healthcare and energy), the model does not appear well suited to these sectors, as it raises a number of issues with respect to security (a personal device is typically not patched, configured or protected by anti-malware controls to the same standard as a centrally managed professional device) and confidentiality (work information on a personal device could be accessed by members of the employee's household).
Privacy and confidentiality
How do privacy laws, employment laws and protecting a company's confidential information overlap or intersect on this issue – and how can they be reconciled, given their disparate aims?
One of the objectives of privacy laws is to ensure the security of the personal data of data subjects, whether those data subjects are employees or customers. Employment legislation aims to ensure a balance between the rights of employees and employers. Protecting confidential information is a way of protecting both the company and its customers. Therefore, when combined, privacy laws, employment laws and the protection of a company's confidential information have the same general purpose: to protect the data and interests of employers, employees and third parties.
A balance must be struck between these objectives by:
- drafting clear internal rules, including a specific (and balanced) BYOD policy, which fully informs employees of their rights and obligations arising from the use of the BYOD model; and
- obtaining employees' consent before they use the BYOD model.
Consent is always a controversial subject when employees are involved because it is not necessarily given freely. However, in the case of BYOD, it is often the employee who wishes to use his or her own device. In many cases the company would prefer employees to use company-issued devices. Under these circumstances, freely given employee consent appears easier to establish.
Finally, the criterion used to strike the most appropriate balance among the interests at stake should be the notion of proportionality. A proportionate measure implemented by the employer (ie, a measure which is strictly limited to the result pursued by the employer) will generally be lawful under both privacy and employment laws.
For those that make the switch to BYOD, how can the confidentiality of both employer and employee be preserved?
A BYOD policy is usually adopted to address confidentiality and security concerns. Such a policy usually forms part of the company's IT policies. It must be formally presented to the works council to ensure that employees are informed.
As an activity involving data processing, the implementation of a BYOD policy generally had to be notified to the Commission Nationale de l'Informatique et des Libertés (CNIL) before its implementation (no filing was required if the company had appointed a data protection officer). This prior-notification regime was abolished when the EU General Data Protection Regulation became applicable on May 25 2018; the processing must now instead be documented in the company's record of processing activities and, where the risk to employees warrants it, covered by a data protection impact assessment.
In February 2015 the CNIL issued guidelines in which it acknowledged that the employer is responsible for the security of the personal data it processes (eg, against viruses), including when such data is stored on devices that the company neither owns nor physically controls but which it has allowed to access company resources. The CNIL indicates that companies must strike a balance between legitimate security concerns and the privacy of their employees. The employer must:
- identify the risks, taking into account the specifics of the context (eg, the equipment, applications and data), and assess the risks in terms of severity and likelihood; and
- determine the measures to be implemented and implement a security policy accordingly.
The security of the company's information system must be reconciled with the protection of employees' personal information. Consequently, only proportionate measures may be implemented. In particular:
- security measures that restrict the private use of a smartphone (eg, prohibiting web browsing or the downloading of mobile applications) on the sole ground that the smartphone can be used to access company resources should not be implemented; according to the CNIL, such restrictions are not justified by the nature of the risk to the company and are disproportionate to the purpose pursued;
- the employer must not have access to private elements stored in the personal space of the device (eg, browsing history, photos, videos or calendar); and
- the employer may implement a remote wipe tool whose scope is limited to the corporate resources accessed through the employee's device (eg, the corporate partition or container and the credentials used to reach company systems), but should not have the right to remotely wipe all data stored on the employee's device.
In practice, many corporate mobile device management tools can inspect, and potentially delete, any content on the device that might threaten the IT system, not only content in the corporate partition. Because these functions reach into the employee's personal space, they must be considered particularly carefully: the tool's wipe and inspection capabilities should be restricted to the corporate container, and the capabilities actually enabled should be documented in the BYOD policy.
Separation and ownership of data
How can companies separate out what information sent or received on the device is official and business related? Who owns this information – the employer or the employee? And how can employer access to information be assured?
In its February 2015 guidelines the Commission Nationale de l'Informatique et des Libertés (CNIL) recommends that companies partition the employee's device so that business-related information is kept in a separate, isolated area, a 'security bubble' for that data. This security bubble allows the employer to access the professional information stored on the employee's device and to install security programs and software to protect company information, without accessing the employee's personal files. The employer can thus control company information stored on the employee's device while respecting the employee's privacy.
As regards ownership of professional information stored on employees' devices, the employer is considered to be the owner of business-related information and, according to the CNIL, is responsible for the security of the personal data it processes that is stored on the employee's device.
Technically, it is recommended that the employer install a mobile device management program on the employee's device that allows remote access to the company data stored there. In the event of loss of the device or termination of the employment contract, such a program also allows the employer to delete remotely the business data stored on the device; consistent with the CNIL's position, that deletion should be limited to the business partition rather than a full factory reset of the device.
Breach events and departing employees
Handling a breach
What happens in the event of a security breach? Is the employee protected from liability?
Pursuant to French data protection law, data controllers are obliged to preserve the security of the personal data that they process and, in particular, to prevent its alteration and damage or access by unauthorised third parties. This could be achieved by implementing appropriate security measures with regard to the nature of the data and the risks of processing.
The Commission Nationale de l'Informatique et des Libertés (CNIL) takes the view that the employer is responsible for guaranteeing the security of company information, even where it is stored on devices that it cannot physically or legally control, provided that the employer has authorised the use of such devices.
In light of these elements, the employer, in its capacity as data controller, will normally be liable in case of a security breach.
The CNIL's recommendations impose a shared responsibility on the employer and its employees. In particular, the CNIL recommends that:
- the BYOD policy draw employees' attention to the risks to which their devices, and the personal data stored on them, may be exposed;
- the BYOD policy clearly divide responsibilities between the employer and the employees and define the security measures to be respected by both parties;
- the employee obtain the employer's prior authorisation before using his or her device as part of his or her professional activities, which includes ensuring that the device can support a mobile device management program; and
- the employer impose a duty on employees to alert the employer if the device is lost, stolen or damaged, so that the employer can react as quickly as possible (eg, by revoking the device's access and wiping the business partition) to address the breach and the potential associated damage.
What steps can a company take to prevent an employee leaving the company from taking company confidential information via his or her personal device? And how can the employee's own personal information be safeguarded in the process?
In order to protect the company's confidential information, the employment contract should include a confidentiality clause pursuant to which the employee agrees not to disclose any information or knowledge to which he or she may have had access in the course of the employment contract. A specific confidentiality undertaking may also be signed between the parties.
If the employer has partitioned the storage space of the employee's device to separate professional from personal files and has implemented a mobile device management solution, deleting company data from the device on departure is straightforward and the employee's personal data can easily be preserved.
The February 2015 guidelines of the Commission Nationale de l'Informatique et des Libertés state that the employer should not have the right to remotely wipe all data stored on the employee's device. This may be complicated in practice where no partition exists. The approach taken by some companies is to include in the BYOD policy a clause providing that employees' personal files are likely to be deleted when the employee leaves, and that employees are therefore required to save their personal files externally (eg, in the cloud). Such a clause mitigates the consequences for the employee but does not in itself make a full wipe proportionate, so it should be treated as a fallback to partitioning rather than a substitute for it.