Data Loss Prevention (DLP) systems are important tools for the protection of business secrets and intellectual property. The prevalence of IT communication systems in business relationships facilitates communication and is a business enabler for every company. However, the simplicity of communication entails major risks for business sensitive information. Employees with access to such information may – deliberately or inadvertently – leak such data to third parties. The implementation of a DLP system may, in addition to other IT security measures, be a powerful means to prevent respective data losses and leaks.
However, as DLP systems generally monitor all employee communication with (at least) external parties, there are strong concerns from a data protection perspective which should be kept in mind when implementing those tools in Europe.
1. General Privacy Requirements
Even though DLP systems primarily monitor business communication data, European privacy requirements, both under the currently applicable EU Data Protection Directive and the future EU General Data Protection Regulation in force from May 2018 on, will apply. Differing from other legal systems (e.g. in the U.S.), European data protection law also protects business communication data, and each processing of such employee data will require specific legitimization. Accordingly, even such business communication may be monitored only under limited circumstances:
1.1 Consent Declarations will generally not suffice
The U.S. approach of informing employees that they should have no expectation of privacy, and the collection of mandatory, broad consent declarations by the employees with respect to the data use involved in the DLP systems, will not be a feasible approach in Europe. While it is disputed to what extent privacy consent declarations are permissible in employment relationships at all (due to the potential lack of voluntariness resulting from the fact that the employee is generally dependent on the employment relationship), the respective consent declaration will most definitely be considered void if the employee has no possibility to reject such consent declaration. In this case it is evident that the consent declaration has not been provided voluntarily, and it will accordingly have no effect from a data protection perspective.
1.2 Legitimate Business Interests in implementing a DLP System
However, even without employee consent it should generally be permissible to implement a DLP system at least to a certain extent. The employer will often have legitimate business interests in implementing such a DLP system, and will be able to do so when safeguarding that these interests are not overridden by potential interests or fundamental rights and freedoms of the involved employees. Accordingly, DLP systems will generally have to be adapted to EU requirements when implemented in Europe, safeguarding employee rights by the following means:
- Transparency: The employees will have to be informed transparently about the monitoring involved with a DLP system.
- Purpose Limitation: The purposes for which the DLP system shall be used (in particular protection against data losses/leaks) must be defined in detail when implementing the system; the collected data must generally not be used for other purposes.
- Proportionality: The scope of the data collection must be reasonable with respect to the purposes for which they are collected.
- Data Economy / Privacy by Design: The DLP system should be configured so as to interfere as little as possible with the privacy rights of the employees; accordingly, privacy-friendly settings shall be preferred over “catch all” settings. Only persons with a strict “need to know” should have access to the data collected by the DLP system. These requirements will become even more important once the EU General Data Protection Regulation enters into force in May 2018.
- Data Protection Impact Assessments: From May 2018 on, in all EU Member States the implementation of a DLP system will likely lead to the need to conduct a data protection impact assessment before its implementation. However, even now, some EU Member States may require a privacy impact assessment before implementing a DLP system.
2. Data Protection Authority Filings
In a number of EU Member States, the use of a DLP system and the potential data transfers involved will require a filing before the national data protection authorities. While such filing requirements will likely fall away from May 2018 on, at the current stage filings may still be required.
3. Use of external Providers
To the extent a cloud DLP system is used or external providers are involved in the collection and review of the findings of the DLP system, data processing agreements will generally have to be concluded with those third parties (even if such third parties belong to the same company group as the employer that has implemented the DLP system!). If the DLP data is sent to countries outside of the European Economic Area (such as the United States), additional safeguards will have to be implemented, e.g. the conclusion of EU Standard Contractual Clauses between the data exporter in the European Economic Area and the third country data recipient.
4. Employment Law Requirements
A number of EU Member States have, in addition to thorough data protection requirements, passed employment laws that require attention. For instance, in Germany, if works councils are installed in a company that implements a DLP system, such works councils will have co-determination rights with respect to the implementation. Similar information and co-determination rights may exist in France and Italy.
5. Private Use of IT Devices
In addition, if employees are permitted to use the business IT devices/internet access/e-mail accounts also for private purposes, additional requirements may apply. For instance, in Germany and Portugal very strict additional requirements will be triggered which will make it more challenging to implement DLP systems in these cases.
6. Local Peculiarities
On top of the general requirements set out above, additional local requirements resulting from local data protection/telecommunication and employment regulations may apply. Consequently, it may be sensible to check for requirements in the particular EU Member States in which the DLP system shall be implemented.
7. Coordination and Legal Advice
European Data Protection Authorities are rather sceptical with respect to the implementation of DLP systems in Europe. However, there is certainly a strong business need to implement such systems. Consequently, the implementation of DLP systems will often be required from a business perspective. In order to avoid significant fines (which may, from May 2018 on, rise up to EUR 20,000,000 or, depending on the company group’s annual turnover, even higher amounts) and to cope with the legal requirements in the various EU Member States involved, it will be necessary to prepare the implementation of a DLP system carefully (see more information on global project steering for privacy projects here).