Review of private WhatsApp messages on work mobile phone deemed unlawful
In June 2017 a Swiss-based company (the employer) dismissed an employee with immediate effect on the grounds that she had made wrongful use of her work mobile phone by installing WhatsApp and using it for private purposes, thereby infringing the employer’s terms of employment. In particular, she had made a defamatory statement against the company’s director, harassed a colleague, given access to sensitive information and faked an illness – all of which had been reflected in a private WhatsApp conversation with a third party.
The company’s decision to dismiss the employee with immediate effect was made following the discovery of the WhatsApp conversation on the employee’s work mobile phone. The employer took screenshots of the conversation and submitted them as evidence in the proceedings challenging the dismissal before the Labour Court of the District of Zurich (the first-instance court).
However, the first-instance court concluded that the company’s review of WhatsApp messages had been unlawful and the related screenshots were thus inadmissible as valid evidence.
On 28 September 2018 the company appealed to the Supreme Court of the Canton of Zurich (the second-instance court), which confirmed the first-instance decision.
The second-instance court considered the employer’s investigation to be a data processing activity in accordance with the Federal Data Protection Act (FDPA). Further, the court stated that any such processing that lacks a connection to an employee’s workplace is unlawful in an employment context.
This decision clarifies that employers must clearly regulate the private use of work communication devices, as well as any related control mechanisms. Under no circumstances can employers view information that is declared to be private. Further, data processing such as verifying WhatsApp chat messages – even if the information is stored on a work mobile phone – must be done in accordance with the more restrictive Article 328b CO, which strictly limits the lawfulness of personal data processing to what is required to assess an employee’s job suitability or performance under an employment contract.
Regulatory Outlook | Data Protection & Cyber Security | July 2019
On 29 March 2019, the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 came into effect and amended the definition of ‘consent’ in the Privacy and Electronic Communications (EC Directive) Regulations 2003 to align it with consent under the GDPR (meaning that implied consent and browse-wrap consent for cookies are non-compliant).
The UK ICO itself has admitted that its own cookie banner and cookie consent mechanisms did not comply with these updated requirements and has introduced a new cookie preference centre. Organisations should use this as an opportunity to re-evaluate their current cookie practices, in particular in preparation for the e-Privacy Regulation.
Processing of children’s data
The ICO has released a new consultation document on its code of practice applicable to information society services which may be accessed by children. The draft code sets out key principles for ensuring an “age appropriate design”, including setting “default” privacy settings to the highest level of protection (for example, geolocation information set to “off” by default). The code will apply to relevant services that are ‘merely likely’ to be accessed by children, and not just those that are ‘targeted’ at children.
The European Data Protection Board (EDPB) has published a set of draft guidelines to clarify what is meant by ‘lawful processing’ under Article 6(1)(b) of the GDPR (for processing that is necessary for performance of a contract) in the context of contracts for online services.
The guidelines state that a controller must be able to show that the main object of the contract with the data subject cannot be performed without the processing of the relevant personal data. If there is an alternative way to perform the contract without such processing, and the processing is merely ‘helpful’, then it will not be objectively ‘necessary’. This will require controllers to more closely scrutinise the actual purpose and requirement for the personal data being processed under Article 6(1)(b).
New GDPR Guidelines on CCTV Surveillance
The European Data Protection Board (‘EDPB’), which was established just over a year ago with the introduction of the General Data Protection Regulation (‘GDPR’), has recently made available for public consultation its Guidelines on the processing of personal data through video devices (‘the Guidelines’), which cover not just CCTV, but also dashcams, private security cameras and mobile phone cameras.
These Guidelines shed light on how video surveillance may be made use of and under what parameters, especially in light of the new GDPR paradigm. First and foremost, it is vital to note that these Guidelines only concern video surveillance wherein personal data, as understood by the GDPR, are actually being processed. Therefore, the surveillance must include information that relates to an identified or identifiable natural person (i.e. a ‘data subject’), such as footage of a person’s face, name tag, or other distinguishing characteristics that render them identifiable (e.g. unique tattoos or birthmarks). Personal data, in any context but especially in this one, would also include car licence plates, identification documents and, most notably, biometric data. On the other hand, footage lacking any such personal data (e.g. research cameras that solely monitor wildlife, the night sky or microscopic organisms) would fall outside the scope of the GDPR and, consequently, of these Guidelines.
The starting point for setting up any kind of video surveillance system should always be an assessment of whether such a system is needed in the first place. The Guidelines suggest considering alternatives wherever possible, depending, of course, on the purpose in question. If the camera is going to be installed for security purposes, the data controller, i.e. the person who will be responsible for the video footage that would be collected, should consider what other measures may be implemented instead of a camera system that would be less intrusive on individuals’ rights to privacy and data protection. For instance, one should consider whether reinforced walls and glass, better locks, better lighting or hiring security guards would have the same effect.
Furthermore, any installed cameras should only record those areas that need to be surveilled. The typical example provided by the EDPB is that of a shop with a camera installed outside to monitor the entrance to the shop and/or the shop windows, to protect against theft and vandalism. Wherever possible, those cameras should not also monitor the pavement or the road outside, since that would mean that personal data of persons who simply pass by and never even enter the shop are being processed, which would exceed the purpose of installing such cameras (i.e. security). Hence, the principle of data minimisation – only collecting that data which is strictly necessary – as enshrined in the GDPR, plays a key role in video surveillance.
Another consideration should be whether the persons that will be recorded as a result of the installation of the video surveillance system would reasonably expect to be recorded in that particular instance. For instance, the Guidelines opine that at the workplace, an employee would in most cases not expect to be monitored by their employer, whilst a visitor at a bank or at a jewellery store would be more likely to expect to be monitored due to the increased need for security. This is not to say that video surveillance cannot take place when an individual does not expect it, but there must be even greater transparency and information provided to the recorded data subject in those instances where they are less likely to expect such recording.
Therefore, if one decides that a surveillance system is indeed necessary, this leads to the question of what should be communicated to data subjects about a surveillance system and in what manner this must be achieved. The EDPB has included a helpful template in the Guidelines.
Such a notice (which is arguably much more detailed than currently required) would relay important information to the data subject, in a simple and concise manner, specifically:
1. That you are in or about to enter into an area where video surveillance is taking place;
2. Why the recording is taking place (i.e. the controller’s justification for installing a CCTV or other video system);
3. The identity of the controller (or its representative) responsible for the video system;
4. The rights that the data subject can avail themselves of in respect to such processing of their personal data;
5. The contact details of a data protection officer or, where one is not appointed, whichever individual would be responsible for the footage being recorded, who would ideally be the same individual whom the data subjects would be able to contact to exercise their rights as mentioned in point 4 above;
6. Where the data subject can find further information regarding the processing of their personal data.
International Comparative Legal Guide to Data Protection 2019 – 6th Edition
A practical cross-border insight into data protection law.
The ICLG to: Data Protection Laws and Regulations covers relevant legislation and competent authorities, territorial scope, key principles, individual rights, registration formalities, appointment of data protection officer and of processors – in 42 jurisdictions.