Location, Location, Location: Recent Developments in "GeoPrivacy" and the Impact on the Use of GPS in the U.S. Workplace

Posted on July 5, 2011 by Privacy and Data Protection Practice Group

By Philip L. Gordon

Ever since revelations in May that smartphones track the location of their users, location privacy has been a red hot issue in virtually every forum — except the U.S. workplace. Just last week, for example, the U.S. Supreme Court agreed to review a federal circuit court decision (covered by our blog when decided last August), holding that the federal government’s warrantless use of 24/7 location tracking for more than a month violated the Fourth Amendment rights of a criminal suspect. The Wall Street Journal dubbed June 15, 2011, “location privacy day on Capitol Hill” after two bills were introduced to limit the use of location data by industry and by law enforcement. And, in the European Union, the Article 29 Working Party, which is responsible for providing guidance on the application of the European Union Data Protection Directive, recently published its “Opinion 13/2011 on Geolocation Services on smart mobile devices.” While none of these developments directly implicate the U.S. workplace, U.S. employers should closely monitor the location privacy debate, particularly given their increasingly common reliance on GPS-enabled smartphones and vehicles to track employees.

The European guidance is especially noteworthy for multi-national employers. Although this guidance, as its title suggests, deals almost exclusively with tracking consumers, the guidance contains a short section—which received scant public attention—that squarely addresses tracking employees. The guidance explains that it is unlawful for employers in the E.U. to track their employees unless “it is demonstrably necessary to supervise the exact locations of employees for a legitimate [business] purpose.” Even then, continuous monitoring generally is impermissible, and employees must be able to turn off location tracking during non-work hours. The guidance also discourages employers from using vehicle tracking devices to monitor the behavior of employees by, for example, recording the vehicle’s speed. Given this guidance, multinational employers should closely scrutinize the nature and scope of any location-tracking program before implementing it in the European Union.

The U.S. Supreme Court’s decision next term in U.S. v. Maynard also could have an impact on U.S. employers. As we explained in our blog post on the D.C. Circuit’s decision that is subject to Supreme Court review, a ruling that law enforcement’s 24/7 use of surreptitious location tracking violates the Fourth Amendment arguably could be used to support a claim against employers that engage in 24/7 location tracking without notice to employees. The rationale for such a decision likely would be that continuous tracking establishes a pattern of activity over a period of time which reveals private information about the target of the tracking, such as whether the person is a recovering alcoholic as reflected by regular visits to Alcoholics Anonymous meetings, is considering pregnancy as suggested by weekly trips to a fertility clinic, or is having an extra-marital affair. Despite the distinctions between Fourth Amendment standards and the elements of the common law tort of invasion of privacy, this rationale likely would apply with equal force in the common law context.

Finally, while the Congressional activity to date has focused on consumer privacy, it would not require a substantial leap in legislative drafting to extend the coverage of these bills to location tracking of employees. Alternatively, state legislators, taking the cue from Congress, might implement state-specific requirements, which could result in an unwanted patchwork of requirements for multi-state employers.

While U.S. employers currently are subject to virtually no regulation when tracking employees, the keen focus on the issue in Europe, in the criminal context, and in the consumer sphere very well may spill over to the U.S. workplace. Employers that use, or that are considering using, location tracking in their workplaces should continue to monitor these developments closely.

Photo credit: binabina
Tags: , , , , , ,
  • Print
  • Trackbacks
  • Share Link

What's Left of Employee Consent as Grounds for Data Processing After Recent European Court of Justice Decision on Attorney-Client Privilege?

Posted on October 4, 2010 by Privacy and Data Protection Practice Group

European Union flag and mapU.S. corporations routinely rely on domestic employees’ consent to searches and disclosure of their personal information to avoid liability for privacy-based claims. In the European Union, by contrast, national data protection authorities and the Article 29 Working Party, which issues guidance on the implementation of the European Union Data Protection Directive, have repeatedly warned employers against relying on employees’ consent to provide a legitimate basis for processing personal data. In the European view, the balance of power in the employer-employee relationship so disproportionately favors the employer that an employee’s consent to an employer’s processing of personal data typically cannot be truly voluntary.

The recent decision by the European Court of Justice (ECJ) in Akzo Nobel Chemicals Ltd. v. EU (pdf), albeit addressing attorney-client privilege (known as the “legal professional privilege” in the E.U.) demonstrates just how risky it can be for employers to rely on the consent of E.U. employees as a legitimate ground for data processing. In Akzo, the ECJ rejected the assertion of the legal professional privilege to protect from disclosure communications between in-house counsel and their internal business clients in an anti-trust investigation. The following quotation reflects the logical fulcrum of the court’s decision:

[A]n in-house lawyer cannot, whatever guarantees he has in the exercise of his profession, be treated in the same way as an external lawyer, because he occupies the position of an employee which, by its very nature, does not allow him to ignore the commercial strategies pursued by his employer, and thereby affects his ability to exercise professional independence.”

In other words, according to the ECJ, the employer’s commercial interests so cloud the judgment of in-house attorneys that they are incapable of providing unbiased legal advice to their employer.

The implications of this line of reasoning on E.U. data protection law are potentially profound. Attorneys often will be among the most highly educated members of an employer’s workforce. They have been trained to exercise independent judgment and, of course, have an ethical obligation to their client to do so. If Europe’s highest court has concluded that the employer–employee relationship fundamentally compromises an attorney’s ability to engage in independent decision-making — notwithstanding their education and professional responsibilities, employers can expect to face a heavy burden in persuading E.U. data protection authorities that factory workers, customer sales representatives, or even low- or mid-level managers voluntarily consented to the processing of their personal data.

For further analysis of this development, see Littler ASAP The European Court of Justice Reaffirms that Communications with In-House Counsel May Not Be Privileged in Europe by Nick Linn.

This entry was written by Philip L. Gordon.

Photo credit: FotografiaBasica
Tags: , ,
  • Print
  • Share Link

School District's Woes from Using Webcams to Track School-Issued Laptops Should Be an Eye-Opener for Employers

Posted on April 27, 2010 by Privacy and Data Protection Practice Group

According to a report issued by Gartner Dataquest, telecommuters constitute more than one-quarter of the U.S. workforce. That number likely will increase substantially as new, mobile technologies make it easier for employees to work anywhere at any time; a new generation of tech savvy employees enters the workforce; and employers embrace alternative work arrangements. With employees absent from corporate offices, how can an employer ensure that its mobile workforce is, in fact, working. The public relations debacle recently confronted by the Lower Merion School District in Philadelphia’s Main Line suburbs highlights what employers should and should not do.

According to a report issued last week by the School District’s attorney and recent news reports, the School District installed a program called Theft Tracker on more than 2,000 laptops issued to students. When activated, the program records the laptop’s Internet address, captures an image of anything on the computer’s screen, and takes a Webcam photo every fifteen minutes until the program is deactivated. Theft Tracker downloaded all captured information and images to the School District’s server and erased them from the laptop’s memory. The program reportedly was responsible for taking 56,000 photographs. Approximately two-thirds were related to six laptops that actually had been stolen. The local police relied on at least some of those photos to recover the stolen laptops. Many of the remaining pictures, however, were taken because School District employees forgot to deactivate Theft Tracker after students reported that they found laptops that had been reported stolen.

Since the story broke, the School District has found itself at the center of a maelstrom. At least one student has sued the School District, alleging invasion of privacy. The FBI is investigating for potential criminal conduct. Congress held hearings on surreptitious surveillance, and Senator Arlen Specter proposed the "Surreptitious Video Surveillance Act," to extend the Federal Wiretap Act to video surveillance without prior notice. Editorialists and the media have hammered the School District. What went wrong?

According to one news report and the School District’s attorney, the School District made several mistakes:

  • The School District did not have written policies and procedures regulating the use of Theft Tracker.
  • Parents and students were not provided with an explanation of the program and not required to consent to its use.
  • Students were asked to sign a policy that related only to use of the School District’s own network and did not mention school-issued laptops.
  • There was no written policy concerning disclosure to law enforcement authorities of information obtained through Theft Tracker

In addition, the School District apparently conducted no legal analysis before implementing Theft Tracker to identify and assess the potential legal risks.

Employers who consider implementing a program like Theft Tracker or otherwise want to activate Webcams on company-issued laptops should learn the lessons of Lower Merion School District’s disastrous foray into webcam use. The employer must first have a detailed understanding of the technology’s capabilities and subject the technology to a rigorous legal review. If, for example, the technology is capable of recording audio, its use could constitute unlawful wiretapping, especially in states where consent is not a defense unless all parties to the communication have consented. Running afoul of the two-party consent laws is easy especially when family members, house guests, and others who have not consented to the use of the technology could be recorded. Similarly, non-employees could easily be photographed without their knowledge or consent, potentially giving rise to a claim for invasion of privacy.

If an employer determines that the benefits of the technology outweigh the risks, it still should implement detailed, written policies and procedures concerning the technology’s use to mitigate those risks. The guidelines should address at least the following: (1) identification of the employees authorized to activate the program; (2) identification of the management-level employees that must approve activation of the program; (3) circumstances in which the program may be activated; (4) the duration of the monitoring; (5) security for the fruits of the monitoring; (6) identification of the employees permitted to access the fruits of the monitoring; (7) how the fruits of the monitoring may be used; (8) when the fruits of the monitoring may be disclosed to law enforcement; and (9) how long the fruits of the monitoring will be retained.

The employer also should provide employees with full and fair notice of how the technology will be used and obtain the employee’s affirmative consent to its use. The notice should include, at a minimum, an explanation of the technology, the circumstances in which it will be activated, how the fruits of the monitoring may be used, and to whom they may be disclosed. Employers should beware that even after taking all of these precautions, use of webcams might be illegal in certain non-U.S. countries, such as the member states of the European Union.
 

This entry was written by Philip L. Gordon.
Tags: , , , , , , , , , ,
  • Print
  • Trackbacks
  • Share Link

What Does the Criminal Conviction for Privacy Law Violations of Three Google Executives in Italy Mean for Multi-National Employers in the U.S.?

Posted on March 9, 2010 by Privacy and Data Protection Practice Group

On February 24, 2010, a Milan court convicted Google’s Chief Legal Officer, Global Privacy Counsel, and a former member of Google Italy’s board of directors for violating Italian privacy law and imposed a six-month, suspended jail sentence. The case stemmed from a posting on Google Video® — a YouTube® predecessor — of a video depicting several teenagers bullying a classmate with Down’s Syndrome. Although the Google executives had no involvement in either the posting or in the decision whether and when to remove it, Italian law imposes criminal liability on senior executives for the actions of the corporation. Prosecutors alleged that Google should be held responsible not only for permitting the video to be posted in the first instance, but also for allegedly not having acted quickly enough to remove the video after receiving a complaint.

The convictions have wide ranging implications for e-commerce, but what are the implications for global businesses with employees in the European Union?

First, the Google convictions serve as an important reminder that government authorities in the E.U. are serious about enforcing data protection laws. Thus, U.S.-based multi-nationals need to confirm that their local affiliates are complying with local data protection law. Of equal importance, international transfers of employee data to the U.S. — for example, for inclusion in a centralized human resources data base — must satisfy local data protection requirements. Even after the employee data has been received in the U.S., data protection requirements (in addition to any imposed by U.S. law) will apply.

Second, the Google convictions highlight for U.S. employers a critical distinction between U.S. and E.U. privacy law. Under U.S. law, an employer’s legitimate business interests typically trump an employee’s countervailing privacy interests. U.S. employers, for example, have substantial leeway in conducting workplace video surveillance and searches of employees to prevent theft or deter workplace violence. In the E.U., privacy is a fundamental right that, as the Google convictions demonstrate, does not give way even to the freedom of expression so cherished and zealously protected in the U.S. According to the Italian prosecutor, protecting the dignity of the bullying victim took precedence over Google’s commercial interests, including its interest in being a platform for expression and communication over the Internet.

Finally, “privacy” in the E.U. is conceptually far broader than the “right to be left alone” underpinning U.S. privacy law. In the E.U., “privacy” encompasses the notion of data protection. Consequently, any use of individually identifiable information about a natural person — even a business e-mail address and phone number — is presumed unlawful unless the possessor of that information (known in E.U. law as the “data controller”) has a lawful justification for using the information. This prophylactic approach contrasts starkly with U.S. law which permits the use of personal information at the possessor’s discretion unless the law expressly prohibits or restricts the use. Moreover, such prohibitions and restrictions typically are confined to discrete categories of employee information, such as health information.

In short, the Google convictions should serve as a blinking yellow light to every U.S. employer with operations in the E.U., warning employers to consider potential implications under E.U. data protection law before using individually identifiable information about any employee who resides in the E.U.

This entry was written by Philip L. Gordon.
Tags: , , , ,
  • Print
  • Trackbacks
  • Share Link

Multinationals Certified to the U.S.-E.U. Safe Harbor Agreement Beware: The Federal Trade Commission Has Bared Its Enforcement Teeth

Posted on October 13, 2009 by Privacy and Data Protection Practice Group

European FlagSince its inception in the year 2000, the U.S.-E.U. Safe Harbor Agreement has attracted nearly 2,000 multinationals seeking to establish a lawful basis to transfer to the U.S. the personal data of their consumers and employees who reside in the European Union (E.U.). To obtain the benefits of the Safe Harbor, these organizations are required to (a) certify to the U.S. Department of Commerce that they have implemented the seven Safe Harbor principles, (b) post for their employees and/or customers (depending upon the type of personal data being imported from the E.U.) a Safe Harbor privacy policy that embodies those principles, and (c) implement policies and procedures to ensure that the organization processes personal data received from the E.U. in compliance with the privacy policy. The Safe Harbor certification must be updated annually.

Until just a few weeks ago, the Federal Trade Commission (FTC), which enforces the Safe Harbor, had not commenced a single enforcement action in the nine years that the Safe Harbor has been in effect. Last week, the FTC requested public comment on six separate settlements of complaints alleging that multinationals had violated the Safe Harbor by representing to the public that they were current members of the Safe Harbor even though their certification was not up-to-date. Notably, the settlements do not include any monetary penalties, but instead would enjoin the targets from future misrepresentations about their Safe Harbor status.

The lessons learned include the following:
 

  • Multinationals must take compliance with all of the Safe Harbor’s requirements seriously; there is now some enforcement risk.
  • The nature of the enforcement risk is uncertain. The FTC’s charges required virtually no enforcement resources. The agency had to do nothing more than compare the target’s statements in their publicly posted Safe Harbor privacy policy against the certification records maintained by the Commerce Department. These settlements do not (at least yet) reflect the agency’s intention to perform on-site audits to determine whether the multinational’s internal process for handling personal data actually conforms to the seven Safe Harbor principles embodied in the organization’s Safe Harbor privacy policy.
  • The next, most likely enforcement step would be the FTC’s request to review the mandatory, annual self-assessment or third-party assessment of Safe Harbor compliance. The FTC would not have to expend any resources to “look behind” the assessment to find a violation. The failure to conduct the required annual assessment itself would be a violation.
  • Given the above, multinationals certified to the Safe Harbor should promptly confirm that their certification is current and conduct an assessment of their compliance with the Safe Harbor if they have not performed one during the preceding year. To the extent the assessment reveals any gaps in compliance, the gaps should be closed.

This entry was written by Philip L. Gordon.

Photo Credit: S. Solberg J.
Tags: , , , ,
  • Print
  • Trackbacks
  • Share Link

IAPP Practical Privacy Series: Human Resources 2008

Posted on June 6, 2008 by Nancy N. Delogu

Workplace privacy obligations continue to grow more burdensome for employers. As more information about workers becomes readily available, employers are often caught between a sense that failing to use that information may lead to negligent hiring and retention claims, and a fear that using or disseminating information that is private or protected will lead to litigation in its own right.

Littler Mendelson is a member of the International Association of Privacy Professionals, and a Gold Sponsor of the IAPP's "Practical Privacy Series Human Resources 2008" conference. The conference, which will take place in New York City on June 17, will cover a range of topics, including:

  • "What to Do When a Human Resources Security Breach Inevitably Occurs":  A security breach involving human resources data is high-stakes for organizations. This presentation focuses on the most common causes of HR security breaches and explains from the trenches how to respond in compliance with applicable notice laws, and without a disgruntled workforce when the dust clears;
  • "It's 10:00 A.M. -- Do You Know Where Your Employees Are and What They Are Doing?": New technology offers employers ever more sophisticated tools to keep tabs on their employees, but to what extent does this monitoring expose them to liability? This session examines the evolving U.S. law on these issues and discusses the challenges for global employers confronting data protection regimes modeled on the EU Data Protection Directive;
  • "H.R. Risk Assessments": Safeguarding HR information often plays second fiddle to seemingly more imperative privacy data, such as patient or customer information. Yet it can be among the most sensitive at an organization. This presentation highlights key lessons learned from HR privacy risk assessments across industries, and from helping organizations remediate weaknesses in their control environments. This session looks into the logistics of operationalizing a response program and handling specific recurring incidents; 
  • Littler's own Phil Gordon will speak on "Sex Offenders, Terrorists, And Video Resumes: How Far Can You Go To Get Information About Prospective, Current, And Former Employees?": With ready access to sensitive personal information, employers are under increasing scrutiny to maintain a workforce that is beyond reproach. Social networking sites, blogs and other resources offer a wealth of information on candidates and employees. How deeply should employers tap these new information sources? This presentation will help frame the debate for your own organization; and
  • I'll be talking about how--and when--an employer can use sensitive medical information in the employment context in a presentation called "How To Handle Employee Health Information And Drug And Alcohol Testing In Compliance With The Alphabet Soup Of State And Federal Confidentiality Requirements": Managing employees’ health is a critical business imperative. Employers confront a maze of laws and regulations governing the confidentiality of employee health information, and dire consequences for mishandling such information. This session addresses questions on collecting, using, storing, documenting and disclosing employee health information, among other concerns.

If you are interested in these topics, or know someone who is, go to International Association of Privacy Professionals and click on the box titled "Practical Privacy Series." We'd love to see you there!

Tags: , , , , , , , ,
  • Print
  • Trackbacks
  • Share Link