Introduction
Data protection concerns
Damage limitation
Comment
Employers are increasingly keen to introduce a 'bring your own device' (BYOD) policy, for one main reason: cost efficiency. BYOD is a smart solution, allowing employers to assign company device management to employees and, by doing so, save manpower and costs on device support and maintenance. However, there is a downside: BYOD involves an employer allowing its employees to connect their private devices directly to the company's (secure) IT environment and access (sometimes sensitive) company data through such private devices.
How should this situation be viewed from a data protection perspective? When processing its data (eg, human resources, customer and supplier information), a company acts as a data controller and must therefore adhere to the obligations imposed by Austrian data protection law. In a nutshell, the company must exercise control over its data processing activities and ensure that the data is processed on valid legal grounds and in a safe environment. In addition, the company must ensure that the data is not disclosed to any unauthorised third parties.
It quickly becomes obvious that BYOD potentially conflicts with these obligations. By allowing BYOD, an employer is basically depriving itself of control over its data. The data will be stored on private devices that do not belong to the company and are not under its control. Also, such external and – from a company's perspective – potentially unsafe devices might be able to bypass the company's IT safety measures and establish direct links to its databases. In terms of data protection law, this means that the owner of the private device (typically, the employee) gains considerable control over the company's data, allowing him or her to take on the role of data controller. Any BYOD-related access to this data or any transfer thereof to the employee's device must therefore be qualified as a controller-to-controller data transfer. Such data transfers must be performed only on valid legal grounds.
However, under a BYOD policy, the employee's private device could easily be used by third parties (eg, the employee's relatives or friends) without the company's knowledge, let alone its consent. From the company's perspective, this means that corporate data is effectively transferred to a 'black box' data recipient, as the company can neither prevent the employee's private device from being used by parties other than the employee nor set any respective limits (as this would contravene the idea of a 'private' device being used, in contrast to a company device that is used at home).
Austrian data protection law does not recognise data transfers to 'unknown' data controllers. To circumvent this problem, a controller-to-processor relationship could be established between the company and its employees. However, as the key concept of a data processor working on behalf of a data controller lies in the usage of external data processing services, this concept does not correlate with an employer-to-employee relationship.
Austrian data protection law imposes obligations on data processors that cannot be easily administered by an employee. Similarly, BYOD undermines the company's security concept, since it typically allows devices to link to company databases despite the fact that such devices are not secured by the company's IT safety measures. However, a valid data controller-to-data processor relationship would require the employee (to the extent that he or she is deemed a data processor) to ensure that his or her data security standards are equal to those of the company (or at least equal to those of other external data processors). As private devices typically use consumer-orientated safety features, which are commonly less effective than those of companies, it is clear that the employee will also be unable to comply with this requirement.
So how should these concerns best be tackled, considering that BYOD is likely to become (at least) a medium-term trend? In light of existing data protection law, risk minimisation might be the best solution. However, this means that a company should be aware that BYOD does not really comply with the structure of Austrian data protection law. A company allowing BYOD would therefore be well advised to ensure that it retains control over its corporate data to the greatest extent possible, despite allowing the data to be stored on private devices and despite allowing such private devices to link directly to the company's databases.
This will require the company not only to implement a comprehensive BYOD privacy policy that imposes respective obligations on the employees, but also to train its employees regularly on how to use their private devices in a proper and data protection-compliant manner. In addition, the company should retain control over corporate data to the extent technically feasible (eg, through the implementation of remote access features or similar measures).
This is merely an initial sketch of the problem and BYOD is one of the most challenging data protection topics that companies are likely to face in the near future. Companies must understand the fundamental discrepancies between BYOD and data protection law in order to ensure that their BYOD approach and practice properly approximate Austrian data protection regulations. By allowing BYOD, an employer is basically depriving itself of control over its data. The data will be stored on private devices that neither belong to the company nor are under its control.
For further information on this topic please contact Günther Leissler at Schoenherr by telephone (+43 1 5343 70), fax (+43 1 5343 76100) or email ([email protected]). The Schoenherr website can be accessed at www.schoenherr.eu.
