A sea change in data protection law in the European Union (EU) is about to take place, and your organization doesn’t have to be based in the EU to feel its impact.  The General Data Protection Regulation (GDPR) will take effect on May 25, 2018.  The GDPR applies not just to EU Member States, but also to U.S. organizations with EU-based employees.  Any U.S. organization that has a branch, office, affiliate, franchise, or agent based in the EU should check if it must comply with the GDPR.  Failure to comply with the GDPR can lead to fines of up to 20 million euros or 4% of annual global turnover (revenue), whichever is higher.

The GDPR regulates how “personal data” of EU citizens is collected, stored, processed, and destroyed.  The GDPR definition of “personal data” has a broader meaning than how U.S. laws usually define the term.  In addition to typical identifying information (e.g., name, address, driver’s license number, date of birth, phone number, or email address), “personal data” under the GDPR includes more expansive categories of data such as salary information, health records, and online identifiers (dynamic IP addresses, cookie identifiers, mobile device IDs, etc.).  The GDPR also provides heightened levels of protection for special categories of employee data, including racial and ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, data concerning an employee’s health, sex life, or sexual orientation, and biometric and genetic data.

The GDPR has wide-ranging effects on data collection, use, and retention.  Some of the data practices regulated by the GDPR include:

  • Data processing – Consent is one legitimate basis for processing personal data of employees, but the GDPR requires that consent be freely-given, specific, informed, and revocable. This means most blanket consent provisions typically found in employment contracts are not valid.  If obtaining consent according to GDPR requirements isn’t practical, an employer might need to rely on other legal bases for processing employee data.  Processing employee data is legal if it is necessary for the performance of the employment contract, required by law, or in the employer’s legitimate interests which outweigh the general privacy rights of employees.
  • Employee monitoring – The GDPR limits what employers may do with data obtained through employee monitoring.
  • Notification – The GDPR specifies what information employers must include in notices informing employees about the kind of personal data that will be collected from them.
  • Right to be forgotten – Under certain circumstances, data subjects have the right to require data controllers to erase their personal data.
  • Data portability – A person is entitled to transfer their personal data from one electronic processing system to another without being prevented from doing so by the data controller.
  • Data breach – The GDPR governs the procedures and substantive requirements for giving notification of a personal data breach.

Now is the time to revisit your employment contracts and policies with privacy counsel to ensure compliance with the GDPR.

“Smile, you’re on Candid Camera.”  Originally coined on the eponymous TV show, that catchphrase is becoming more of a common refrain in the workplace.  Any employee with a smartphone can easily record an office conversation in secret.  But are such covert recordings legal?  And what control, if any, does management have over the making of such recordings?

The Law of Recording Face-to-Face Conversations

A majority of states (approximately 37) follow the one-person consent rule for recording face-to-face conversations.  This rule authorizes the recording of a conversation so long as one person in the conversation consents.  The consenting party can also be the person recording the conversation.  Practically speaking, this means it is legal to record a conversation with another person without his or her knowledge.

Most other states require the consent of all participants in the conversation.  Covert recording of face-to-face conversations would not be permitted in states that follow the all-party consent rule.

Workplace Bans on Covert Recordings

Even if covert recordings are legal, management may regulate the practice, provided it does so consistently with the right of employees to engage in concerted activity, which is protected under Section 7 of the National Labor Relations Act (NLRA).  A recent National Labor Relations Board decision illustrates this.  Whole Foods Market, Inc., Case No. 01-CA-096965 (Oct. 30, 2013).  The case involved a challenge to a company policy that banned employees from recording conversations without prior management approval.  The company’s stated purpose for the policy was “to eliminate a chilling effect to the expression of views that may exist when one person is concerned that his or her conversation with another is being secretly recorded.”

The administrative law judge (ALJ) in the case upheld the policy.  The ALJ noted that there is no protected right to record conversations in the workplace, but even if there were such a right, management may regulate the exercise of that right.  The policy was not adopted in response to union activity, and it was clearly tied to the company’s core value of fostering open and honest dialogue about company matters.  The ALJ disagreed that the policy could reasonably be interpreted as a restriction on using social media to communicate and share information about work conditions through video recordings made at the workplace.  The policy regulated a means of communication as opposed to the protected activity itself.  It also did not prohibit employees from making recordings during non-work time.  The policy therefore did not violate Section 7 rights.

Takeaways

The Whole Foods Market decision suggests questions that management should consider when drafting a work rule against covert recordings to ensure that the rule does not violate the NLRA:

  • Is the rule clearly linked to a purpose besides preventing employees from engaging in Section 7 activity?
  • Does the rule leave open alternative channels for employees to communicate about Section 7 activity?
  • Does the rule allow employees to make recordings during non-work hours?

A ban on covert recordings is more likely to withstand a legal challenge if management can answer “yes” to each of these questions.
