Episode 1, World@Work: Employment, privacy and financial regulation issues when accessing employees personal devices

Ruth Buchanan:

Hello and welcome to this World@Work podcast. My name is Ruth Buchanan and I'm an employment partner in the Ashurst London office. I'm delighted to be joined today by James Comber, a contentious regulatory partner in Hong Kong, Andreas Mauroschat, an employment partner in our Frankfurt office, Rhiannon Webster, head of Ashursts data protection practice in London, and Karen Mitra, who leads our Asian employment practice out of our Singapore office. Welcome to all of you. In this episode, we're going to be taking a deep dive into the employment, privacy and financial regulation issues which employers should consider when they want to know how to access employees' personal devices, for example, to access data from WhatsApp or similar messaging services.

The situation can sometimes arise where an employer reasonably believes that there is employee misconduct. For example, if an employee is sharing confidential information outside of the organization or where an employer thinks that the employee has been utilizing their personal device for work purposes. Because this issue is truly global, we're going to be tapping in, excuse the pun, to the expertise of the panel and the position in the UK, Europe, and across AsiaPac.

Karen, coming to you first, as I'm sure our listeners will know in the UK and Europe, employers will need to consider both data protection and employment law issues when carrying out checks on an employee's personal phone. We'll be taking a look at these obligations shortly, but what should our clients be thinking about in AsiaPac?

Karen Mitra:

Thanks, Ruth. Well, as a general rule, the data protection considerations are not quite as strict in APAC compared to Europe, and that's really just because of the different legislative regimes that apply. While data protection is definitely an issue for us, it more commonly arises in relation to the obligations after the data is collected rather than before. The more significant issue that we see in the APAC region tends to be the question of whether or not the employer actually has the ability to require the employee to hand over their phone for checks, and if they do, how far that obligation extends. Obviously it's fairly straightforward where you've got an express right in legislation or you've reserved the right to do that in the employment contract. But those types of clauses are really rare, and employers who provide company devices may not have really turned their minds to a situation where they might need to access a personal device that's also being used for work purposes.

And of course, the position will vary across the jurisdictions, but as a general rule in the common law jurisdictions at least, whether or not the employer can require an employee to provide a personal device for checking will come down to whether or not that requirement is a lawful and reasonable direction. That of course, has to be considered on a case by case basis, having regard to the particular facts in the scenario. There may be regulatory considerations that can feed into that, and I know James is going to discuss those a little bit later, but really that's the crux of the issue; is the direction lawful and reasonable? Then there's the associated question of, how far does the reasonableness of that direction extend? Then what could an employer actually do in relation to an employee's employment if the employee doesn't comply with that direction, where the employer asserts that it's both lawful and reasonable?

Ruth Buchanan:

Thanks, Karen. That's a really helpful overview. Andreas, turning to you, things are a little bit different in Europe and with GDPR, aren't they? Could you please take us through the compliance steps which employers would have to take, including what employers should incorporate into their data protection impact assessment (DPIA) if they do want to carry out personal phone monitoring?

Andreas Mauroschat:

Certainly, Ruth. As you indicated, employers will need to conduct a privacy assessment, a DPIA, for any of their procedures. They want to apply in connection with searches or monitoring of personal devices. Now, what's a DPIA? A DPIA is a structured process which is mandatory for any type of data processing which would create high risks for the individuals concerned. The DPIA must be documented and it must be completed prior to adopting any of the relevant procedures or taking any real action. Obviously, in relation to searches of private devices, the DPIA will first need to describe the relevant data processing and detail and identify any related risk. With respect to the monitoring of personal devices, obviously the risk of excessive intrusion into the employee's fundamental rights to privacy without an appropriate and applicable justifying legal basis is quite obvious.

Identifying a valid legal basis under the GDPR in our case is indeed quite difficult. Content which would be the first natural choice, may not be reliable in many cases as it may not be considered freely given, particularly if there's any actual or factual pressure on the employee to consent. In addition, consent will always need to be given in full knowledge of all relevant facts, particularly that may be difficult to achieve in an investigation context where you simply for reasons of the investigations may not be in a position to disclose a full picture of relevant facts. And finally, and probably quite importantly, consent may be revoked at any time. Even if the processing until then would stay legitimate and covered by consent it could still get us in trouble by any further use of the information reviewed by the search going forward. Given these issues with consent, the only relevant alternative legal basis would be legitimate interest.

Now, in some of the EU member states, it is considered possible to rely on legitimate interest, particularly if there is a reasonable suspicion of serious wrongdoing. That would include criminal activities or a massive breach of law, always provided that the employer adopts appropriate safeguards to protect the employee's rights and freedoms when searching their personal devices. Such safeguards could include, most importantly, a detailed and complete privacy notice. In addition, a documented policy and procedure that governs the search, a strict limitation of the data searched on the device that really goes into detail. Are you looking for specific types of files? Are you looking into specific apps? Are you looking into specific timeframes? All that needs to be limited to the absolute minimum required for the investigation. Also, clear documentation of access rights, so people who have access to the investigation data and a clearly defined retention period, which ensures that the data is not used for any other purposes and that it is deleted immediately when no longer needed for the investigation.

Under German law, even if those safeguards would be applied, a search of private devices could generally not be based on the employer's legitimate interest, and that is due to the considered severe intrusion into the employee's sphere of privacy and the high risk of accessing sensitive personal information on the device. That could include information of vulnerable data subjects like kids or minors, data of third parties who are not related to the investigation at all, and the generally high likelihood of special categories of data being found and extracted from the device.

These could be obviously information revealing health issues, political opinions, or other considering the variety of data that would be potentially subject to the search. Back to the DPIA, the DPIA must identify all of these risks and assess whether the risk remediation and the risk containment measures, those are the safeguards which we've looked at, are sufficient to remedy the risks that have been identified. And if that is not the case, the employer must consider whether the processing and the search can still go on despite any of the residual risks identified. If that's not the case, the DPIA would have a negative outcome, which would have to be documented, and the search should not be conducted under this respective procedure, which has been found insufficient and should not be adopted.

Ruth Buchanan:

That's great. Thanks Andreas. Really, really helpful summary there. And turning to you Rhiannon, from a UK data protection perspective, are there any other issues which employers need to consider?

Rhiannon Webster:

Position under UK data protection law is very similar to the one that Andreas just outlined under the GDPR. We've got the same issues with consent in the employment context, and we probably have the same issues with relying on legitimate interest. To give some more color to that. The Information Commissioner's Office (ICO) in the UK has recently published draft guidance on monitoring at work, which contains a number of useful examples and case studies of what would be acceptable and what would not in an employment monitoring context. It doesn't actually cover monitoring of personal devices per se, and I think that's a gap at the moment. But it definitely warns against the review of personal messages and it states that even a ban on using work systems for personal use would not entirely justify accessing the content of personal messages on work phones. You can see where the Information Commissioner's thoughts are going, and it advises employers to investigate workers who breach any ban by looking at network data, rather than content.

Again, it's not addressing the personal phone head on, but you can see their thinking. Then in the section on monitoring device activity, for example, web browser activity, time spent on different applications or time away from your desk. These are IT solutions that employers can put on computers to find out what employees are doing. It's very clear that private use should not be captured where workers are using their own personal devices for work. In conclusion, I think it's hard to believe that the ICO would look kindly on spot checks on personal devices, and I can't see a way of doing such spot checks without looking at that personal content.

Ruth Buchanan:

Thanks, Rhiannon. I think, as you said, the ICO in the UK are very alive to the issues associated with monitoring employees and in the UK from an employment law perspective as well, a lot of the issues are the same as those highlighted by Andreas for Germany. One thing I wanted to flag on today's podcast was a very recent High Court decision in the UK, which is called FKJ v RBT, where the court made some quite interesting comments in relation to an employer's use of personal messages. The background to this case was that an employee brought employment related claims against her employer, a law firm, in the employment tribunal, and she lost. However, the employer used some of her personal WhatsApp messages in the defence of that claim, and having lost the employment tribunal claim, the employee commenced a misuse of private information claim against the employer that was based on the use and the retention of these WhatsApp messages.

There were about 80,000 private messages that she'd sent on WhatsApp between her boyfriend, her husband, and her best friend, and they included very intimate messages and images, and the employee claimed that her WhatsApp account had been hacked, whereas the employer contended actually that some of these messages had been found on her work laptop when she left and some had been received anonymously through the post. The court refused the employer's application to strike out the claim as an abusive process. And in doing so, the judge stated some quite interesting comments about the WhatsApp messages. First of all, the judge says that these communications aremessages in which the employee would ordinarily have had a reasonable expectation of privacy, that actually only about 40 of the messages were used in the employment tribunal claim and only about half of those 40 messages were relevant as evidence and were therefore disclosable.

Most of the messages were actually not relevant to the employment tribunal proceedings, and therefore there wasn't any justification for their retention or use. And furthermore, certain of those WhatsApp messages actually predated the employment tribunal proceedings and given their obvious privacy and given the absence at that time of any proceedings to which the messages might be relevant, the employer was actually under an immediate duty to notify the employee and to return the messages. Finally, they said that even if the proceedings had by then been on footthe correct course of action would still have been to return the material to the employee or to her solicitors who then would have had disclosure obligations in respect of it for the employment tribunal proceedings. And although this is an interim decision in the UK, it is clear that strict parameters have to be applied regarding usage and retention by employers who want to access an employee's personal messages. James, turning to you now, what is your experience in APAC, especially in regulated sectors like banking and finance?

James Comber:

Thanks, Ruth. Regulated entities such as banks and brokerages, they're invariably going to have obligations with respect to document retention and the proper recording of matters relating to the running of their regulated businesses. But these obligations do tend to vary across jurisdictions. For example, in Hong Kong, the Securities and Futures Commission requires all securities order taking for transactions to be done in a recorded manner, but there's very little else in the way of guidance or obligations beyond that except for much more general obligations that you might see applied by the Securities and Futures Commission or the Hong Kong Monetary Authority that the institution be able to monitor employee conduct. But it does not get down to the specific level of granularity about what to do with personal devices. What we also see in Asia, Hong Kong and Singapore, is that these are often banks or brokerages that are operating in multiple jurisdictions.

They're often headquartered elsewhere in places such as the United States where there are much more direct, specific and onerous obligations to retain all business related records, which would cover any form of communication between employees, their clients, or their contacts or prospects. What we generally see in the market is that banks and other financial intermediaries will often adopt the most stringent standard that applies to them and their key jurisdictions and then apply that standard across their business globally through their policies and procedures such as, for example, a bank's code of conduct. Despite a lack of specific regulation on this issue in many Asian jurisdictions, it's really the bank's policies that set the standard for what is expected of employees and these generally prohibit employees from using personal devices or unauthorized communications platforms such as WhatsApp or WeChat, to communicate about work matters or anything else that relates to regulated activities.

That gives rise to a number of issues that we see internal investigations or a regulatory enforcement context, particularly with the use of WhatsApp and WeChat - really just pervasive across the region and often driven by client demand. And one of the areas where we see that in particular is in respect of private wealth management, where if a client wants to use WeChat to communicate, it is a relatively bold relationship manager who will refuse to do so. And so there's a tension between what the client wants and what the institution expects the employee to do. And what we often also see in Asia is an employee might have both a personal device and a company supplied device, and they carry out work-related chats on both of those devices, which makes monitoring quite difficult.

Ruth Buchanan:

Thanks, James. I think we've got similar issues here in the UK. Karen, what do you think sparked this as a specific issue in APAC now?

Karen Mitra:

I don't think the issue has necessarily been limited to APAC, and we suspect it's been a global phenomenon, particularly coming from the end of last year when the US SEC announced charges against a range of regular entities, for longstanding and widespread failures to maintain and preserve electronic communications. And in particular the issue of staff intentionally deleting messages from unmonitored platforms. And so the investigation really wasn't limited to WhatsApp, but I think that was the platform that was most mentioned in commentary surrounding the investigation, probably just because so many people around the world use it and everyone knows what it is, and we've really seen those enforcement actions having an impact in Asia, and clients and staff have reacted in a variety of ways. It's varied from those employers who said, "Well, look, we're going to draw a line in the sand in relation to the use of such platforms, so just don't use them anymore."
To an increased focus on the use of non-approved platforms in the context of investigation, so going after this information in circumstances where previously they may not have in the context of investigation. And even proactive steps for employers to get access to those communications just to complete their records and not in the context of an investigation. Quite a wide range of approaches there. The unfortunate thing is of course, that employees who are faced with the possibility of regulatory or compliance or employee investigation action in relation to policy breaches for conduct that they previously understood to be okay or at least tolerated, have reacted by doing exactly the opposite of what employers and regulators would've liked.

They've just rushed to delete all of those messages probably as soon as they heard about the SEC charges. But the other issue, although we haven't really actually seen this in practice yet, it's probably a bit too early, is that we suspect a lot of employees will just move these communications and these types of discussions to more encrypted platforms. Things like Signal or Telegram where it's much harder for an employer to forensically retrieve the data if they do need to do so in the course of an investigation.

Ruth Buchanan:

Thanks, Karen. That's really interesting to hear that employees are heading towards these more encrypted platforms, but James, do you think that the existence of the regulations actually now makes it easier or harder for employers to gain access to personal devices?

James Comber:

In an investigation context I think is definitely relevant, particularly as Karen mentioned earlier, the issue we are looking at is whether a direction to provide a personal phone for inspection might be a lawful or reasonable direction for employment purposes because you have no express contractual right for it to be provided. An employer might well have a stronger case to say that the direction is lawful and reasonable, where they have a policy around bring your own devices to work that require the use of those devices as a precondition for the employee to agree to grant access in advance. And that might be in the context of an internal investigation, legal proceedings, or just to generally meet regulatory obligations in relation to record retention. Also, in particular, when it comes to investigations of suspected misconduct, you would generally need some kind of evidence or admission that the personal advice had been used for work purposes.

It wouldn't be enough just to say, "Well, we're regulated, so you have to give me your phone because I want to take a look at it." But oftentimes, particularly in the context of whistleblower investigations, the whistleblower might well provide WhatsApp communications with the subject of the investigation or the subject of the investigation may make that admission during an interview, at which point you do have a basis then to request access to the device. That said, even without a strict legal ability to compel the production of a personal device for inspection, there is often significant pressure on an employee to do so. And that is because a refusal to provide the bank or institution with access to the device might be viewed as a failure to participate in an investigation, which is generally a requirement under most banks' codes of conduct. And that then might raise questions as to the fitness and propriety of that employee.

And that's definitely the case when you get higher up the management hierarchy. The more senior the employee, the greater the scrutiny on why they might not be willing to provide their device.

The most frequent concern that we see raised by employees, and I think it's an understandable one on many levels, is that even if they admit that they've used their personal device for business communications, is that they still don't want to provide carte blanche access to the device, to the bank, because it will necessarily contain a lot of legitimately personal information that's unrelated to the employer's business or any issue under investigation. Photographs of children, spouses, boyfriends, girlfriends. So in other words, when you've got a personal device, there's often this real issue of intermingling of work and personal communications. And what we often see in response to that is that a protocol can be agreed during the course of the investigation to ensure that the employer does not have access to information that's entirely unrelated to their business.

One issue that we do see though is we all have friends at work, and that can in and of itself be an issue because you'll have, for example, a chat between two employees of an institution that can cover both the full range of business issues through to the sharing of deeply personal information. And that is an issue that has to be grappled with during investigations. I think though, one of the more interesting aspects in the contentious regulatory space when dealing with investigations is employee explanations as to what may have happened to their devices when they're requested all the data on them. And we do see what you could describe as significant creativity on how this issue is raised by employees faced with investigations, when you ask for a device of, "Oh, I dropped my phone in a goldfish bowl", "I left it in a taxi last week", "I don't have it anymore."

And that's often also coupled with explanations as to why their WhatsApp backup wasn't working and it can't be accessed through iCloud or things of that nature. When we come across those types of explanations, we do need to carefully test them, and when they don't withstand scrutiny, the focus of the investigation often morphs from one involving relatively straightforward regulatory issues that wouldn't warrant severe sanction against the employee to the employee ultimately being sanctioned for lying during the course of the investigation or seeking to mislead your employer.

Ruth Buchanan:

Thanks, James. Always interesting to hear, as you say, creative explanations that employees manage to come up with during the investigation. Karen, from an employment perspective, is there any particular guidance that you'd give to employers based on these experiences?

Karen Mitra:

I don't think these are necessarily limited to APAC, but the experience that we've been through, particularly in the last six months really reinforces the need for employers to have clear contractual terms or policies in place for the use of personal devices for business purposes. And that's even if you do actually have a policy where you give someone a work device as well, don't forget that there is a real possibility that they're still using their personal devices for these things. To communicate those policies really clearly to employees, which is often where someone can fall down, they have this great written policy, but no one's ever read it or seen it or understands what it actually means in practice.

Then just to be really aware of what employees are actually doing in relation to technology. And if you spot an issue, being proactive in that regard rather than reactive, which is obviously what's happened with respect to the use of WhatsApp, so that you can avoid any inappropriate usage being inadvertently being seen to be approved by the employer when actually you're really not happy with them doing that at all.

Ruth Buchanan:

Great, thanks. Thanks very much, Karen. And turning back to Europe, Andreas, are there any similarities or differences in Europe that you'd flag?

Andreas Mauroschat:

I think the potential difference is that under the GDPR accountability principle, searches on personal devices should only be conducted in accounts where the detailed written procedure, is set in advance. That will often be a works agreement, an investigation procedure or BYOD policy that governs the use of the personal device. The procedures will often address the employee concerns by having the data protection officer or a member of the Works Council or the employee's legal counsel present when relevant data is extracted from the device. As stated by James, it's also important to note that in most EU member states, employers will generally not have a right to request handover of a personal device for a compliance investigation. If the employee doesn't have an own interest to provide data from their devices to support their case and to provide exculpatory evidence, there will therefore typically not be any way to access data on personal devices.

However, if there is a refusal to hand over a device or there are, as James explained to us, some incredible stories about why the device has been lost or damaged, employers will assess the credibility of such statements, and obviously always this has to be based on the assumption of innocence. If there are indications that the employee is in fact not credible, that may even result in sanctions being opposed for lying during an investigation instead of, or in addition to the sanctions for the actual wrongdoing that was caused for the investigation. And finally, in the EU, employers always need to consider that any search of a personal device without a legal basis or in an excessive way may result in the evidence that was found being excluded from any labour, civil, or civil court proceedings. Such exclusion from the proceedings is particularly likely if the data has been obtained in breach of data protection law or by violating the employee's right to privacy. In extreme cases that may even result in the employee having claims against their employer for material damages as a result of an illegal search.

Ruth Buchanan:

Great. Thanks very much, Andreas. And Rhiannon, is there anything else that you would add on the UK data protection side?

Rhiannon Webster:

From the UK perspective, I think what we've seen is quite a notable silence from the ICO on this issue. It would be really great to have some guidance on monitoring of personal devices, and particularly in relation because we've had this quite high profile case that you referred to Ruth, FKJ v RBT, about the monitoring of WhatsApp messages. In saying that, the guidance that I referred to is currently in draft. There is a chance that they will put some more detail around the right of an individual's privacy in their personal messages. But I do think this is something that the ICO could usefully provide some clear guidance on.

Ruth Buchanan:

Thanks very much, Rhiannon. To wrap up this podcast, I think that there are a number of takeaways. First of all, consider incorporating a clause into employment contracts, explaining that the organisation may undertake personal phone monitoring as a deterrent or to ensure that it can comply with regulatory obligations regarding record keeping. Secondly, consider whether you have the in-house resources to undertake checks of personal devices and how you would deal with legitimate concerns from employees about the holding of their sensitive data that isn't relevant to the employer's inquiry. And finally, for those entities who haven't already done so, make sure that you've drawn a line in the sand in relation to the use of personal devices for work-related activities.

I hope you've enjoyed this podcast as much as I have. I'd like to thank our panelists, James, Andreas, Rhiannon, and Karen for their time today. Thank you for listening. We hope that you found it informative and interesting. To make sure you don't miss out on any of our other episodes, subscribe to this podcast and Ashurst's other podcasts on Apple Podcasts, Spotify, or wherever you get your podcasts. And while you're there, feel free to leave as a rating and a review. Until next time, thanks very much for listening and goodbye for now.