Data Privacy & Protection: what now after the ruling of November 2005?

Data Privacy & Protection in Belgium: what now after the ruling of November 2005? ISACA IT Security Open Forum 7 December 2005 Johan Vandendriessche


Page 1: Data Privacy & Protection: what now after the ruling of November 2005?

Data Privacy & Protection in Belgium: what now after the ruling of November 2005?

ISACA

IT Security Open Forum

7 December 2005

Johan Vandendriessche

Table of contents

• A. Legislation applicable to workplace “surveillance”

• B. Contradictory interests

• C. Different forms of surveillance

• D. Control of the use of means of (tele)communication

• E. Control of the location of employees

• F. Video-surveillance

A. Belgian legislation applicable to workplace “surveillance”

• General right to privacy

• Article 22 of the Belgian Constitution: “Everyone has the right to the respect of his private and family life, except in the cases and conditions determined by law. The laws, decrees and rulings alluded to in Article 134 guarantee the protection of this right”

• Article 8: “Everyone has the right to respect for his private and family life, his home and his correspondence. There shall be no interference by a public authority with the exercise of this right except such as is in accordance with the law and is necessary in a democratic society in the interests of national security, public safety or the economic well-being of the country, for the prevention of disorder or crime, for the protection of health or morals, or for the protection of the rights and freedoms of others.”

A. Belgian legislation applicable to workplace “surveillance” (continued)

• Belgian labour law

• Law of 3 July 1978 concerning labour contracts

Article 2 and 3: an employee undertakes to perform the contract against payment of wages under the authority of the employer

Article 16: employer and employee owe each other respect; during the performance of the contract they must behave decently

Article 17: the employee must:

• Perform his work honestly and with care, at the time and place that has been agreed

• Act according to the orders and instructions given by the employer (concerning the performance of the contract)

• Refrain from unfair competition and respect the confidentiality of personal or confidential information

• Refrain from endangering his colleagues, his employer and third parties

• Return the company property in good order

A. Belgian legislation applicable to workplace “surveillance” (continued)

• Law of 13 June 2005 on electronic communications

New framework for electronic communications

(Partially) replaces the “Belgacom law” (Law of 21 March 1991)

Article 124: “Without consent of all directly or indirectly involved persons, it is prohibited to

1° intentionally obtain information about the existence of any information that has been sent by electronic means and that is not personally addressed to him;

2° intentionally identify persons involved in the transmission of the information and the content thereof;

3° notwithstanding the articles 122 and 123 intentionally obtain information concerning electronic communication and concerning another person;

4° modify, delete, publish, conserve or use otherwise, the information, identification or data that has been obtained intentionally or not

A. Belgian legislation applicable to workplace “surveillance” (continued)

Article 125: exceptions to article 124

If the law permits or imposes the acts under article 124

If these acts are committed solely for the purpose of ensuring the correct functioning of the network and to guarantee the proper delivery of the electronic communications service

If the acts are committed solely for the purpose of offering the end-user a service consisting of preventing the reception of unsolicited electronic mail, provided that the required consent has been obtained

A. Belgian legislation applicable to workplace “surveillance” (continued)

• Article 314bis of the Criminal Code:

“Is punishable with imprisonment of 6 months and/or a fine of 200 EUR up until 10000 EUR (x5,5):

1° intentionally, with the aid of any equipment private communication or telecommunication to which he is not part, during the transmission thereof, intercepts himself or through a third party, obtains information thereof himself or through a third party, records himself or through a third party, without the consent of all participants thereof;

2° or installs himself or through a third party any equipment with the intent of committing one of the acts mentioned above”

A. Belgian legislation applicable to workplace “surveillance” (continued)

• Law of 8 December 1992 on privacy protection in relation to the processing of personal data, as modified by Law of 11 December 1998

• Imposes restrictions to the processing of personal data, e.g.:

Principles concerning purpose, proportionality and transparency

Security obligations

B. Contradictory interests

• Employer: financial interest

• Efficient and productive employees

• Preferably spending their time at work on work

• Employee: respect of “privacy”

• Given the nature of the employer-employee relationship, some form of control will be exercised by the employer

• Often leads to discussions related to evidence, in case of dismissal of the employee

C. Different forms of surveillance

• “Manual” surveillance: neither possible nor efficient in larger companies

• Many forms of “electronic” surveillance:

Surveillance of the use of means of (tele)communication (use of internet, e-mail, telephone, facsimile, …)

Surveillance of the use of data support (flash disks, CDs, portable hard disks, digital cameras, mobile phones with digital cameras, …)

Surveillance of the location of employees (geolocation by means of GPS and GSM)

Video-surveillance

C. Different forms of surveillance

• Use of company property and labour time: prerogative of the employer

Employer may prohibit the use of company property for personal use

Employer may allow the use of company property for personal use (subject to specific conditions)

D. Surveillance of the use of means of (tele)communication

• Surveillance purposes: distinction between professional/private communication and content/communication data

Collective Workers Agreement nr. 81 only mentions private communication and relates to communication data

Other legislation does not distinguish different forms of communication and content/communication data

D.1. Private communication

• Collective Workers Agreement nr. 81 on the monitoring of online communication of employees

• Report: the employer should be able to have access to professional communication without any formalities whatsoever

• Conclusion: CWA nr. 81 only applies to private communication?

D.1. Private communication (continued)

• Online communications data?

Electronic online communications data in a broad sense sent or received by an employee during the performance of his task

All online technologies, internal and external

E.g.: internet, intranet, e-mail, SMS, MMS, IM, …

• Content?

D.1. Private communication (continued)

• Purposes

The prevention of unlawful acts, libel and acts contrary to decency

The protection of economic, commercial and financial confidential interests of the company

The maintenance of the technical performance of the computer system

The control of the respect of the terms of use of the computer system

D.1. Private communication (continued)

• Proportionality

The infringement of the privacy of the employee must be restricted to a minimum (if unavoidable)

Interdiction of systematic individualisation

D.1. Private communication (continued)

• Transparency

Collective

• To whom? (cascade)

- Works council

- Committee for prevention and protection

- Delegation of the Labour Union

- The employee

• How?

• Which information?

- The supervision policy

- The purposes of the monitoring

- Conservation? Place and duration?

- The permanent nature of the supervision

D.1. Private communication (continued)

• Transparency

Individual (i.e. the employee)

• Which information?

- All the information provided collectively

- The conditions of use of the equipment that is at the disposal of the employee and the functional limitation thereof

- The rights, obligations and tasks of the employee, and possible limitations to the use of communications on the network of the company

- Sanctions, if any, provided in the “employee policy” (règlement du travail / Werkreglement)

• How?

- General instructions

- Employee policy

- Contractually

- User policy, each time the tool is used

D.1. Private communication (continued)

• Individualisation?

Direct

• Purposes 1 -> 3

Indirect

• Purpose 4

D.1. Private communication (continued)

• Indirect individualisation

• Procedure

General information obligation to all employees (first irregularity)

Identification (second irregularity)

The concerned employee must be heard before sanctions are taken

• Employee policy!

D.2. Professional communication

• CAO 81 does not apply?

• Article 124-125 of the Law of 13 June 2005

• Article 314bis of the Criminal Code

• Decision of Court of Appeal of Ghent 9 May 2005

Confirmation of earlier case law (Ghent and Brussels)

E. Surveillance of the location of employees

• Geolocation systems used to track the position of an employee

Position at a certain moment

Route

Speed

• Specific legislation?

Law of 13 June 2005 on electronic communications?

Draft law

E. Surveillance of the location of employees (continued)

• Evaluation under the Law of 8 December 1992 on privacy protection in relation to the processing of personal data

• Draft law on the supervision of employees by means of a monitoring system connected to a GPS navigation system for service cars, in correspondence with the law of 8 December 1992 on privacy protection in relation to the processing of personal data (pending in the Belgian Senate, doc.nr. 51/1044)

E. Surveillance of the location of employees (continued)

• Admissibility

Consent of the concerned data subject

Necessary for the purposes of the legitimate interests pursued by the controller provided that the interests or fundamental rights and freedoms of the data subject do not prevail

• Lawfulness

Transparency

Purpose

Proportionality

E. Surveillance of the location of employees (continued)

• The use of a monitoring system connected to a GPS navigation system in a service car used by employees is only allowed after consent of ad hoc joint committees, the common committee for government service or of the entities competent under the legislation related to collective work relationships

F. Video-surveillance

• Video-surveillance of the workplace for different reasons:

Security

Control

• Cost-effective replacement for manual supervision

F. Video-surveillance (continued)

• Scope

• Video-surveillance (article 1)

“Any security system with one or more video cameras with the purposes of supervising places or activities from a location that is geographically distanced from these places or activities, with or without conservation of the images it collects and transfers”

• Video-surveillance at the workplace

F. Video-surveillance

• Purposes:

Safety and health

The protection of company property

Supervision of the production processes

• Machines: proper functioning thereof

• Employees: evaluation and improvement of work organisation

Supervision of the execution of the work by the employees

F. Video-surveillance

• Permanent surveillance

Camera functions continuously

Allowed:

• Security and health

• Protection of company property

• Supervision of the production processes concerning machines only

• Temporary surveillance

Fixed installation, but working only during one or more periods

Temporary installation

Allowed:

• Supervision of production processes concerning employees

• Supervision of the execution of the work by the employee

F. Video-surveillance

• Proportionality

Adequate, pertinent and not excessive

The use must be reduced to the minimum

• Procedural issues

Information obligation

Consultation obligation

Specific obligations in case of conservation of image footage

Thank you for your attention!

Johan Vandendriessche

Lawyer

Lontings & Partners

Tour & Taxis

Havenlaan 86 c b113

1000 Brussels

Tel: 02/787.90.12

Fax: 02/787.90.99