Employment and privacy law issues
What employment issues must companies consider in deciding whether to switch to the bring your own device (BYOD) model?
For most companies, implementing the BYOD model offers a number of benefits – for example, it tends to increase productivity and efficiency in the workplace, as employees are typically more comfortable and used to working with their own devices. It may also result in technological innovation, as many employees will bring devices that are more cutting-edge compared to those provided by their employer. In addition, allowing employees to work with their own devices generally increases their flexibility to follow up on work-related matters outside business hours and may also improve overall employee satisfaction (as employees do not need to carry around multiple devices).
However, when considering implementing the BYOD model, companies should consider important employment-related issues.
Under Belgian law, employers are obliged to provide employees with the means to perform the tasks set out in their employment contracts. Therefore, employees cannot be forced to purchase a specific device or use their own devices for work purposes at their own expense. Thus, any BYOD policy must be based on voluntary participation and, as a result, may be difficult to implement throughout the entire workforce. This may increase implementation costs as the company must accommodate the use of different types of device on its network and must typically have a pool of company devices ready as alternatives for those employees who do not or no longer want to participate.
Although not strictly required under Belgian employment law, employees should generally receive some form of compensation when they bring their own device for professional use. Different approaches are possible. Some companies pay a fixed monthly reimbursement to employees participating in the BYOD model, accepting the risk that this fixed amount is higher than the actual costs incurred by the employee. Other companies choose to reimburse only the costs related to the actual professional use of the employee-owned device. However, this approach may trigger privacy concerns, as the company will need to review the use of the employee-owned device to determine professional versus personal use, which provides it with certain insights into the employee’s personal use of the device.
Allowing employees to use their own device may also raise issues under the law on the wellbeing of workers in the performance of their work and under other health and safety regulations, which set out conditions concerning the tools (eg, screens, keyboards and software) used by employees for the performance of their employment contracts.
In addition, employees must be provided with clear instructions on the company’s expectations with regard to the use of employee-owned devices for following up on work-related matters outside business hours to ensure compliance with working time restrictions. As well as providing clear guidance, employers should consider taking measures to prevent employees from exceeding working time limits (eg, preventing emails from being sent to employees’ personal devices outside business hours).
Further issues relating to BYOD arise from the fact that BYOD devices are employee owned and, by default, also used for private purposes. This significantly restricts employers’ ability to monitor the use of devices. Further, BYOD poses higher risks with regard to the misuse of business information, information security and excessive personal use during working hours. Employers should carefully consider these risks, taking into account that:
- the loss of sensitive business information (eg, disclosure to a competitor) could seriously damage the business;
- excessive personal use of BYOD devices during working hours can be costly; and
- they are ultimately liable for employees’ actions during working time (including any damage resulting from an information security breach via a BYOD device).
Are there any specific issues that organisations with a global presence, or those in highly regulated sectors, should bear in mind?
In principle, the global presence of an organisation raises no specific legal issues or concerns when implementing the BYOD model, other than those associated with the cross-border transfer of personal data collected through the devices. These issues and concerns must be considered regardless of who owns the device.
Organisations that are active in sectors dealing with significant amounts of personal data (eg, IT companies) or sensitive data (eg, pharmaceutical companies) may need to consider specific confidentiality and heightened information security requirements. Organisations dealing with these types of personal data should carefully review their legal obligations with regard to confidentiality and information security and, if necessary, take measures to ensure that the expected level of information security is guaranteed when employee-owned devices are used (eg, by limiting the possibility of storing sensitive data on mobile devices and requiring the use of strong authentication techniques). If this is not possible, they should not allow employees to use their own devices for work purposes.
Privacy and confidentiality
How do privacy laws, employment laws and protecting a company's confidential information overlap or intersect on this issue – and how can they be reconciled, given their disparate aims?
A company’s interest in protecting confidential information in a BYOD context generally conflicts with employees’ privacy rights. Under employment and data protection laws, companies should strike a balance between employees’ rights (including the right to privacy) and the company’s organisational and business needs (including the need to protect confidential business information).
The monitoring of employees’ use of electronic devices is a perfect example of this conflict of interest. Companies have a legitimate interest in monitoring employees’ use in order to:
- prevent improper or unlawful behaviour (which could result in damage to others and liability for the company) or practices that could damage the company’s economic and financial interests (eg, the disclosure of confidential information);
- ensure that their IT network is secure and functioning properly; and
- detect violations of company policies.
From the employee’s perspective, monitoring is likely to be considered an invasion of privacy – in particular, when it is performed in the context of the BYOD model, as the employee, by default, uses his or her device for private and business purposes.
In order to accommodate these two conflicting interests, the Belgian legislature has regulated the monitoring of employees’ use of online communication means through Collective Bargaining Agreement 81. This collective bargaining agreement recognises the need for companies to monitor employees’ use of electronic devices, while setting out stringent requirements to safeguard employees’ privacy rights. The principles and requirements set out in Collective Bargaining Agreement 81 must be strictly applied when monitoring is performed in the context of BYOD, as devices are, by default, not used solely for professional purposes. The collective bargaining agreement provides an exhaustive list of reasons for which employees can be monitored, and requires that any invasion of employees’ privacy be limited to what is strictly necessary for the permitted monitoring. Further, it requires companies to be transparent about their monitoring practices. Companies should inform their employees about:
- any monitoring and its purposes;
- the processing of personal data in the context of the monitoring (including where and for what period data will be stored); and
- the frequency of the monitoring.
Employees should also be informed of their rights and the restrictions on the use of electronic devices, as well as the penalties that they may face for violating these rules. To comply with this transparency obligation, companies typically issue a BYOD policy (as a standalone document or as part of an existing IT policy) when implementing the BYOD model. The Data Protection Authority also recommends issuing a disclaimer, to be displayed on BYOD devices, reminding employees of the company’s policy with regard to the use of electronic devices and the possible monitoring thereof.
For those that make the switch to BYOD, how can the confidentiality of both employer and employee be preserved?
Setting out clear rules regarding the use of employee-owned devices in a comprehensive BYOD policy is an important step to ensure that the confidentiality of both the employer and the employees is preserved. Having a clear policy raises awareness among employees about:
- the importance of ensuring that confidentiality is maintained when processing the company’s confidential information on their devices; and
- the restrictions and procedures that they must respect.
Formalising the rules on the use of employee-owned devices also allows the company to enforce these rules in practice. In this respect, it is important to communicate the BYOD policy properly to all participating employees and document this process (eg, by attaching the policy to the company’s work rules and having employees sign an acknowledgment that they have received it).
Further, a BYOD policy can also provide employees with the required information about how their devices will be monitored. Clearly explaining any limitations on employees’ privacy resulting from participation in BYOD will reduce the risk of employees feeling that their privacy rights have been violated.
Employers should involve employees as much as possible in the implementation of a BYOD policy, as it concerns the use of their personal devices. This involvement is important in order to secure employees’ support and ensure that they understand the rules that the company intends to enforce. To this end, employers may wish to provide regular training to employees on the BYOD policy and have employees occasionally certify that they are aware of their ongoing obligations.
Companies should consider covering the following topics in their BYOD policies:
- Limitations on the types of device that can be used – companies often limit the types of device that can be used in the context of BYOD, as this allows them to harmonise their information security policy, instead of having to customise information security measures for different operating systems.
- Acceptable use – BYOD policies should contain clear rules on the use of the employee-owned devices, including:
  - how to separate professional and personal use;
  - use by family members;
  - expectations concerning employees’ availability outside working hours;
  - information security protocols (eg, the use of strong passwords and encryption and rules on updating information security software);
  - guidelines on social media use during working hours;
  - restrictions on downloading applications; and
  - rules on storing information on BYOD devices (eg, restrictions on storing company information).
- Monitoring of and access to data on the device – BYOD policies typically include information on how the company can monitor employees’ device usage. Companies will often provide technology that allows employees to separate professional and private information on their devices. This will reduce the legal restrictions on monitoring of and access to professional information by the company. BYOD policies should clearly explain which information should be stored in the professional environment of the device and the company’s right to access the information stored in this environment.
- Data breach procedure – BYOD policies should describe the procedure for reporting any lost or stolen device or any other unauthorised access to an employee’s device. Further, if applicable, employees should be informed of the possibility that their employer may wipe the information on their devices remotely if a data breach occurs.
- Post-employment – when an employee leaves, the company should be able to remove all company information from the employee-owned device. Employees should be clearly informed about this possibility.
- Reimbursement – BYOD policies may contain the company’s rules on reimbursing costs related to the professional use of employee-owned devices.
- Data protection – as companies are liable for processing personal data via employee-owned devices, BYOD policies may also remind employees that they should respect the company’s privacy policies when processing personal data on their devices for work-related purposes. Employees should also be informed of the processing of their personal data resulting from the use of personal devices for professional purposes (eg, retention of log data concerning actions performed on the network).
In addition to implementing a comprehensive BYOD policy, companies should consider providing information security software and mobile device management tools that employees can install on their devices to segregate and protect the company’s business-related information.
Separation and ownership of data
How can companies separate out what information sent or received on the device is official and business related? Who owns this information – the employer or the employee? And how can employer access to information be assured?
Some companies use special software (referred to as ‘sandbox software’) which allows them to create an isolated environment on employee-owned devices where business-related information can be stored safely. The software gives companies access to and control over the professional information stored on employees’ devices (eg, by creating back-ups) without giving them access to private information stored on the device. Separating professional and private information is also useful in the case of a data breach or when an employee leaves the company, as the company can wipe all business-related information on the device without deleting the employee’s personal information (eg, private pictures).
Although not explicitly required, the Data Protection Authority strongly recommends the use of such software to separate business-related information from private information. However, companies are responsible for all professional information stored and processed on the device and should therefore take adequate measures to protect it. If professional information is clearly separated from private information, the company will be considered to have control over the data.
Breach events and departing employees
Handling a breach
What happens in the event of a security breach? Is the employee protected from liability?
Companies are legally required to implement appropriate measures to protect business-related information on employee-owned devices against:
- accidental or unlawful destruction or accidental loss;
- accidental or unlawful alteration;
- unauthorised disclosure or access; and
- all other unlawful forms of processing.
When assessing the appropriate level of information security, companies should consider the specific nature of the data processed on the device. Therefore, security measures may vary depending on the type of information a certain employee can access from his or her device. BYOD policies typically require strong information security measures, due to the increased risk of loss or theft of data given the mobility of BYOD devices. If an employee can access sensitive personal data on his or her device, a strong authentication process should be put in place. The Data Protection Authority also recommends the use of encryption technology.
Companies are not only liable in their capacity as a data controller under Belgian data protection law, but also as an employer. Under Belgian law, employees are protected from liability for damage (including unauthorised loss, disclosure, use or deletion of information) to their employer or third parties during the performance of their work, unless the damage is due to fraud, intentional misconduct, gross negligence or commonly occurring faults.
What steps can a company take to prevent an employee leaving the company from taking company confidential information via his personal device? And how can the employee's own personal information be safeguarded in the process?
A confidentiality clause stipulating that employees cannot disclose confidential information can be included in employment contracts. The confidentiality requirement provided in this clause should continue after termination of the employment contract.
In addition, the use of sandbox software in combination with mobile device management tools may enable the company to delete (even remotely) information stored in the professional environment on the employee’s device when he or she leaves the company. As such, employees should be encouraged not to store any private information in the professional environment, as it may be deleted once the employment contract is terminated.