Legal Update
Aug 19, 2014
The French Answer To Flexible Working: The Right To Privacy and To Limit Work After Business Hours - The Official Views From The CNIL and The Syntec Federation On Bring Your Own Device (BYOD)
Background
Ever since the first laws on the 35-hour week were enacted over fifteen years ago, monitoring working time has been a headache for employers in France. With the introduction of new technology and mobile devices, the situation has worsened. The French approach to flexible working is to reaffirm that employees have the right to privacy and in some sectors the obligation to disconnect, as recently shown by the CNIL, the French Data Privacy Watchdog and the SYNTEC Federation.
SYNTEC Agreement: An obligation for employees to disconnect
SYNTEC, the National Federation covering many employers in the IT sector and consultancy firms, recently signed a new collective bargaining agreement on working time limiting work after business hours, due to concerns expressed by Unions about employees’ work overload and burn-outs. Rather than a new law banning work after 6pm as was incorrectly reported in several newspapers, effective 4 January 2015, the agreement (which has been extended by law to all employees in this sector, one of the biggest in France) will impose on employees not just a right but an actual obligationto disconnect during daily and weekly rests. Employers will, for their part, be required to carefully manage employee workloads so that minimum rest times can effectively be taken. There is not an opt-out process for employees in the relevant job categories.
CNIL’s first official opinion on BYOD
The CNIL’s main duties are to inform individuals and corporations about their data privacy rights and obligations, as well as to provide guidelines and regulations on data privacy issues, but it may also impose financial penalties of up to 150,000 Euros per breach.
Where the so-called Bring Your Own Device or BYOD practice exists, employees have access to their professional emails, and the company’s data from their mobile phone, personal laptop or tablet. The CNIL, recently published its first official opinion on such practice in its latest newsletter . Rather than fighting it back, the CNIL embraces BYOD but emphasises the need to find a balance between the company’s data confidentiality and the protection of the employee’s privacy.
To ensure company held data and confidential information are secure, the CNIL recommends companies adopt certain good practices such as: (1) installing software (MDM-Mobile Device Management and MAM-Mobile Application Management for example) that enables employers to encrypt devices and remotely destroy data on employees’ devices if needed, (2) classifying data and better managing access rights, (3) storing employees’ personal or private data separately from company data, and (4) finally, adopting an IT policy which defines the company’s internal compliance rules.
The CNIL acknowledges that BYOD bears some risks but these are not dissimilar to issues raised by homeworking employees for which there is specific regulation, particularly on costs and working time. Similar to homeworking rules, employer monitoring of employees’ devices must not interfere with their right to privacy and must not become a tool to control the employee’s activity.
Take aways
CNIL’s implicit approval is good news but employers should ensure the practical recommendations, particularly around monitoring and the right to privacy, are effectively implemented to avoid employee claims, Health and Safety Issues and the intervention of the CNIL.
BYOD also raises many other legal issues not addressed by the CNIL or in the recent SYNTEC agreement, in particular:
- Are mobile devices working tools or personal items? This question is relevant for payroll tax purposes for example and to assess how data is recovered at the end of the employment;
- Is the company at risk for not consulting with the Works Council or the Health and Safety Committee before implementing a BYOD practice?
- How can working time effectively be measured due to the blurred lines between working and non-working times and how far should monitoring of working hours go?
It may be appropriate to include the CNIL’s recommendations and to have clear policies in the company Internal Rules (“Règlement Intérieur”), to ensure employees meet their obligations and that a right balance is found so business needs can be met.