The early part of the 21st century has been characterised by the rapid proliferation of mobile devices and social media platforms. At the end of 2016, there were about 3.8 billion smartphone users in the world, and by 2020, there will be 5.7 billion. The Asia-Pacific will account for about half of this growth as India surpassed the United States to become the second-largest smartphone market in 2016 with 347 million smartphone connections. In the United States, by 2020 it is expected that nearly 81 per cent of all mobile users will own a smartphone – a significant increase from 26.9 per cent in 2010. In China, it is estimated that the rate of smartphone users will rise to 74 per cent by 2020. Concerning mobile devices, in the third quarter of 2017 alone, Apple announced that it sold 45.4 million smartphones. Along the same lines, Facebook, arguably the most popular form of social media, has reached 2.07 billion monthly active users, over 1.74 billion of whom access the site on mobile devices. Furthermore, Facebook-owned Instagram has over 800 million monthly active users, Twitter has 330 million monthly active users and LinkedIn has 106 million monthly active users (although LinkedIn has over 467 million members). In China, WeChat, Tencent's popular messaging app, surpassed 889 million monthly active users in the fourth quarter of 2016, an increase of over 350 million users since the first quarter of 2015. By 2020, there will be 3.1 billion unique mobile subscribers in the Asia-Pacific compared to 2.7 billion subscribers in 2016. Most of this growth will come from India and China. The number of 4G connections in India is also forecast to grow rapidly, increasing from approximately 3 million connections at the end of 2015 to 280 million connections by 2020.
The message of these statistics is that mobile devices and social media are a ubiquitous part of everyday life around the world, including in the workplace, and are becoming increasingly so. One industry survey has indicated that 90 per cent of businesses use social media for business purposes, and 43 per cent of businesses allow all their employees to access social media sites at work. Even more important, however, is the fact that nearly 60 per cent of businesses noted that they monitor employee social media use at work. In turn, employers must be cautious about what actions they undertake when monitoring employees' behaviour online, because depending on the jurisdiction, ownership of the device and other circumstances, this can implicate a wide range of employee protection and privacy laws.
It is important, therefore, to write social media policies that achieve company business goals while remaining compliant with local laws. For example, China, Iran, North Korea and Syria ban Facebook, YouTube and Twitter (or all three) in some capacity. Additionally, if a company wishes to join the 36 per cent of employers who ban social media use at work (one in five companies blocks Facebook, 15 per cent shut out Twitter and nearly 14 per cent ban YouTube), there are potential issues to consider. For example, in Argentina, Japan and Spain, although employers may ban social media use and block access to those sites on company-provided equipment, employers cannot actually interfere with employees' use of employee-owned devices. Regardless, if a company seeks to prohibit social media during work time, which is generally permissible, it is well advised to clearly communicate such policies and connect such policies to a cogent business reason, such as ensuring worker productivity or availability. While employers have legitimate concerns about employee productivity while on company time, employers should be aware that some jurisdictions have strong protections for employees' and individuals' otherwise seemingly trivial social media use because of past experiences with despotism and totalitarianism.
What remains universal in today's workplace is that social media pervades every aspect of the employment life cycle: recruitment, potential bullying and harassment, productivity levels, potential discrimination, the protection of confidential information, trade secrets and intellectual property, an employee's rights to a private life and freedom of expression, reputational issues for all parties, legal and regulatory obligations, defamation, privacy considerations, termination and even post-termination.
Accordingly, the key question for global employers is what policy and approach should be used to leverage the benefits and address the challenges posed by these new technologies in the workplace.
Employers must determine, for example, the extent to which social media will play a role in employee recruiting efforts. Throughout the world, most employers require some form of background information on candidates for employment. In some jurisdictions, such as the United Kingdom, employers generally rely upon a reference provided by a former employer. In others, such as the United States and China, employers typically require a thorough background check carried out by a third-party provider. In addition to these formal mechanisms, however, employers also occasionally seek to gather information through informal channels. While some employers and those involved in recruitment still gather anecdotal information about candidates through 'word of mouth', there is now the greater temptation to review the candidate's online profile and information posted on social networking sites and the internet. One survey in 2017, for example, found that 70 per cent of employers check job applicants' social media profiles prior to making a hiring decision and 54 per cent of employers decided not to hire a candidate because of information found on social media. Information on these sites and the internet is very difficult to take down, so tagged pictures taken from a drunken night out could follow a candidate throughout his or her career. While the result of this information permanence is a potential treasure trove of information for employers considering applicants for employment, there is widespread debate – as evidenced, for example, by the debate across the EU in recent years over the 'right to be forgotten'2 – over whether this information should be reviewed and considered by employers during the recruitment process. And this debate is reflected in the widely varying laws on this topic throughout the world.3 Indeed, the European Court of Justice is set to determine whether the 'right to be forgotten' can apply beyond the borders of the EU, which would require search engines, such as Google to remove links to certain information globally.
The general view is that if an employee exposes his or her personal information publicly on social media networks, this is viewed as the problem of the employee and not a public policy issue. In France, as long as information on a candidate is deemed public (i.e., as long as it is not published on spaces with access restricted to preselected 'friends' or 'followers') and the collection of information does not involve the violation of the right to private correspondence or privacy, then potential employers and any third parties (including recruitment agencies) are entitled to look at such information. The candidate must, however, be informed of the social media-based data collection process. On the other hand, in Italy, it is not permissible to refer to social networking sites to make decisions about recruitment and selection of candidates because referring to social media sites in such a context would be an infringement of an individual's right to privacy. Similarly, in Canada, using social media in the recruitment and selection process may risk violating privacy laws. If businesses collect information from social media sites in the recruitment and selection process, it may make it challenging to comply with privacy laws, as set forth in guidelines and decisions of Canadian privacy regulatory authorities. In 2017, an EU data protection working party released non-binding recommendations that employers should have 'legal grounds' to search applicants' social media.
In Germany, for example, employers may not obtain any information from social media sites to answer questions that they would not have been permitted to ask of a candidate directly. Furthermore, employers should only consult purely business-focused networks, such as Xing or LinkedIn, provided that the employer informs the employee about this in the job advertisement. In addition, employee data should be acquired only directly from the employee; the employer is not allowed to collect any information on a severe disability or equal treatment; and the employer may only solicit information from the previous employer if it has the consent of the candidate. Similarly, in the UK, employers must be familiar with the UK Information Commissioner's Office (ICO) Employment Practices Code and the Employment Practices Code Supplementary Guidance. The ICO recommends that an employer should only seek personal information on a candidate if it is relevant to the job decision being made and that it views the gathering of such information as a form of vetting. Further guidance also is available from the UK's Advisory, Conciliation and Arbitration Service in its fact sheet on the use of social networking in recruitment. A failure by an employer to comply with these laws or guidance may result in the employer facing an employment tribunal claim, an action for damages or a complaint to the ICO.
In any case, employers should be aware of discrimination claims that may arise as a result of the alleged improper use of information gleaned from social media. Before accessing social media, and certainly before making decisions based on information found on social media, employers should carefully consider:
- the evidentiary weight to be given to information obtained from a social media site;
- that information posted may be inaccurate, out of date, not intended to be taken at face value, or even posted by someone other than the person who is the subject of the enquiries;
- that relying on information contained in social media sites creates a risk of discrimination, either because someone is treated less favourably by reason of a protected characteristic, or a condition is imposed that has a disparate impact on a particular group; and
- that any use of social media sites when making employment decisions should comply with data privacy requirements (including in relation to the secure storage and deletion of information after it is no longer needed) and any internal policies about monitoring of such sites.
iii Bring-your-own-device POLICIES
Company work is increasingly being conducted on employees' personal mobile devices. Even when there are no formal policies permitting or addressing it, employees are already using their personal devices for work purposes by using workarounds such as forwarding work emails to personal email accounts, taking conference calls from personal smartphones and using the calendar features on their personal devices to track both business and personal appointments. Accordingly, prudent employers are left with little choice but to embrace this trend and put into place policies and limitations that will prevent the employer from being caught flat-footed in a situation in which it needs to access, review or delete company information on an employee's personal device.
Such policies, if well crafted, can also offer significant benefits for both employers and employees. For employees, these types of policies are desirable because they cut back on the number of devices that employees must carry around and check, and also allow employees to choose which device or operating system is most comfortable for them. Such policies can also result in cost savings for the employee if the employer provides a technology allowance or covers a portion of the service costs for the employee's use of a personal device for work purposes. Employers also can realise significant savings as the costs of providing a technology allowance or paying a portion of service costs are likely to be significantly less than the hardware and service costs of providing a separate company-issued device. Moreover, as employees – and especially young employees – increasingly cite workplace flexibility and other similar 'intangible' benefits as key in their assessment of a company's desirability as an employer, any efforts that companies can make to give them an edge in this regard will be beneficial.
Once employees have been hired, employers must have in place policies to guide and manage employees' use of technology in the workplace. Bring-your-own-device (BYOD) programmes in particular can raise thorny issues for employers, despite their many obvious benefits for both employers and employees. For example, there are a number of scenarios in which an employer will want to be able to access, review or even delete data and other information on a device. In conducting an internal investigation, for example, an employer may need to review an employee's work-related emails or text messages. An employer might also be obliged to produce such information in a litigation or government investigation. The device could also include confidential business information or trade secrets that would need to be protected, particularly if the employee resigns or the device is lost or stolen. Accordingly, in enacting mobile device management policies, employers seek to ensure that their data, trade secrets and other proprietary information are secure and accessible to the company, even when residing on an employee's personally owned device. Because of these concerns, companies generally seek to craft policies that limit to the greatest degree possible their employees' expectation of privacy with respect to activity conducted and data stored on a mobile device. Employees, by contrast, expect a certain degree of privacy with respect to their use of mobile devices and particularly their personal information stored on personally owned devices. Especially outside the United States, that expectation of privacy is often protected by the law.
Specifically, the privacy and data protection laws of many jurisdictions place limitations on a company's ability to access information on an employee's mobile device (especially when that device is owned by the employee and therefore assumed to contain non-work-related personal information). Some countries are particularly restrictive. In Brazil, for example, accessing or deleting any personal information about an employee will be problematic, even if the company issues a clear and specific policy that indicates that it may do so, and obtaining an employee's consent to such a policy is unlikely to bring such access within the bounds of the law. Similarly, in Germany and the Netherlands, monitoring, accessing or deleting personal information on an employee's mobile device (whether company-issued or personally owned) is permissible only if there is circumstantial evidence that an employee is engaged in serious misconduct, such as fraud, sexual harassment or disclosure of the company's confidential information and there are no less intrusive methods to achieve the company's legitimate business objectives. Moreover, in Germany, accessing the personal information of a third party (such as a family member or non-business acquaintance of the employee) on an employee's mobile device without such third party's consent could violate German data protection, telecommunication and even criminal laws. Because it would be nearly impossible to avoid this on an employee's personally owned device, companies should access such devices only in severe cases where there is no other viable means available to achieve the company's purpose in accessing the information. Finally, in many European countries, an employer that wishes to implement a mobile device or BYOD policy will need to inform and consult with the works council before doing so.
By contrast, in India and Mexico, employers have more flexibility provided that they are transparent with employees about the terms of their mobile device management policy and offer employees a choice about the degree of access that the company will have to employee personal information.
If an employee refuses to consent to the terms of a BYOD policy, or later withdraws his or her consent, the company should work with the employee to ensure that all company information is deleted from the employee's personal device, and the employee should from then on be required only to work from a company-issued device (and not to conduct personal business or store personal information on such device). In light of this, BYOD-only policies can be particularly problematic because they do not offer employees a real choice as to whether or not to consent to the processing of their personal information.
As a general matter, an employer's legitimate interest in protecting its business must be weighed against an employee's right to privacy (and data protection concerns). Accordingly, as a best practice, employers should consider the following steps:
- put in place clear, well-defined and well-communicated policies or contractual provisions concerning the appropriate use of social networking sites and the sanctions for non-compliance;
- ideally, employees should consent explicitly to such policies in writing. In some jurisdictions, such as the Netherlands and France, however, express consent will not be sufficient in and of itself to allow monitoring;
- monitoring should go no further than is necessary to protect the employer's business interests;
- monitoring should be conducted only by designated employees, who have been adequately trained to understand the limits on their activities;
- personal data collected as a result of any monitoring should be stored safely, not tampered with, not disseminated more widely than is necessary and not stored longer than is necessary;
- train management and employees in the correct use of information technology; and
- be able to particularise and document any misuse of social media sites by employees.
Different jurisdictions have slight deviations from this approach that must be factored in before making a global social media or technology policy. Although surveillance of employees' use of social networking sites by the employer is permitted in Canada, such monitoring must be reasonable and not rise to the level of an invasion of privacy. Notably, the Court of Appeal for Ontario recently recognised a common law right of action for invasion of privacy (i.e., intrusion upon seclusion). In Argentina, Italy and Spain, even in circumstances where monitoring of social media may be permissible, employers are not allowed to monitor its content. As a general rule of thumb in the UK and Ireland, monitoring should be proportionate to the business need and its level of intrusiveness on an employee's private life. In 2017, the European Court of Human Rights held that employers can monitor employees' emails if the employees are notified in advance. Finally, consultation with works councils, worker representatives committees and even health and safety committees may be necessary in various parts of either the promulgation or execution of a social media policy in jurisdictions such as China, France, Germany and the Netherlands.
A somewhat anomalous protection for employees exists under federal labour law in the United States. The National Labor Relations Act (NLRA), a statute primarily dealing with unions and unionised workforces, extends protections for those employees engaging in protected concerted activities over their terms and conditions of employment. The NLRA has been broadly interpreted by its responsible agency to cover employees' social media use. Significantly, from a monitoring perspective, employers must not promulgate or maintain a policy that is perceived to 'chill' employees' exercise of their rights under the NLRA.
v Discipline and termination
The lawful grounds for termination of employment will vary between jurisdictions depending upon the local definitions of gross misconduct, cause or personal reasons. Again, social media sites and mobile devices are increasingly playing a role in this key stage of the employment relationship. The central issue for most employers is whether they can terminate the employment for postings made on social media sites about their employer, colleagues, products or customers. These types of situations are arising with increasing frequency as participation in social networking becomes more widespread.
For example, in an unreported case from China that hit the press in December 2012, an air stewardess lost her labour arbitration claim against the airline from which she was dismissed following an internal investigation after it was discovered that she had posted negative comments on her employer's official Weibo page deriding the airline's public announcement about improvements to its food service. The labour arbitrator upheld the company's dismissal on the grounds that her comments had greatly damaged the company's reputation.
The answer to whether employees' contracts can be terminated for such behaviour, arguably, is yes, if such postings constitute behaviour that would be actionable if it took place in the 'real' (offline) world: bullying and harassment; discrimination; defamation; or breach of confidential information, trade secrets or intellectual property. However, the employer still needs to consider factors such as whether the postings are made during work time and from work equipment, what circumstances led to the posting, whether the company has a policy prohibiting the relevant conduct and whether it has tangible evidence of the breach or violation. Case law indicates that the blanket justification for dismissal of bringing the employer's business or name into disrepute is not a reliable catch-all. Once again, however, there is fairly wide variation among jurisdictions as to what type of behaviour will be found to be actionable.
In many jurisdictions, the degree to which an employer can discipline or terminate the contract of an employee on account of the employee's use (or misuse) of technology will depend on the policies that are already in place. In Germany, for example, an employer's ability to use employee data obtained from social media with respect to a termination depends on the employer's policy on internet use in the workplace. Along the same lines, in China, whether an employer can justify a termination based upon comments posted on social networking sites turns on whether the act in question can be seen as a material violation of work rules set by the employer.
Other jurisdictions give broader rights to employers, though generally at least some restrictions exist. In the US, for example, an employer is permitted to rely upon information obtained from social media sites such as Facebook and Twitter to terminate employment of its employees, subject to certain limitations, but the use of the data in employment decisions increases the risk of employment litigation. The NLRA, for example, covers certain social media activity of non-supervisory employees where such activity constitutes protected concerted activity for collective bargaining or 'other mutual aid or protection'. This means that if a non-supervisory employee posts a workplace complaint on a social media site to encourage other employees to take a stand against a workplace policy or if other non-supervisory employees comment on the post, the employer likely would be prohibited, under the NLRA, from terminating or taking other adverse action against such employees based on their posts, even if the posts were critical of the employer. Employers are also prohibited under certain state laws from demanding that their employees or job applicants turn over their social media passwords to their employer, and a number of other states are considering legislation banning such employer requests. In the UK, an employer is permitted to rely upon evidence from social networking sites when it terminates employee contracts even if such conduct takes place outside work hours and on personal equipment. The key to the successful use of such evidence by the employer is whether the evidence amounts to gross or serious misconduct that justifies the employer's decision to terminate the employment relationship. Regard should also be had as to the appropriate evidential weight given to the evidence, which may be unreliable or inaccurate.
Advance planning is the best form of defence when dealing with mobile device and social media management. Prudent companies will work to put policies into place that will best position them when difficult situations arise. With respect to social media, companies should consider the following:
- determining, as a matter of principle, if personal use of social networking sites is permitted during work time or from work equipment and any rules on off-duty conduct. Consider whether certain sites can or should be blocked or if employees can or should be expressly prohibited from mentioning their employer, place of work, customers and colleagues;
- whether, as a matter of principle, business use of social media sites is permitted and set out clear examples of acceptable behaviour;
- encouraging employees to draw a distinction between their personal correspondence and usage and their working life;
- prohibiting the disclosure of confidential, business, client or personal information and trade secrets and making derogatory or defamatory comments; and
- prohibiting anonymous communications to ensure that there is no risk of employees being perceived to promote or comment on the employer's products as well as to reduce the risk of bullying and harassment.
With respect to mobile device (including BYOD) policies, companies should consider the following:
- informing employees that there is no expectation of privacy with respect to company equipment, including their use of social media sites and notifying the employee that the employer monitors employee use of social media sites, the internet and company equipment;4
- coordinating legal, human resources and IT colleagues and advisers to ensure that the policies and technology are consistent;
- providing transparent information to employees about how information on mobile devices (whether company-issued or personally owned) will be accessed, processed, reviewed, transferred, disclosed and deleted; and
- obtaining informed and uncoerced consent to the processing of personal information (recognising that BYOD-only policies may make obtaining uncoerced consent practically impossible).
Finally, in general, companies should:
- set out the sanctions for a violation or breach of the relevant policies and link these to any disciplinary rules, harassment and whistle-blowing policies;
- ensure that the policies are clear, up to date and well known and that reminders are circulated regularly;
- educate and train employees and managers on the policies; and
- ensure that the policies are enforced in a consistent manner.
If the employer already has a policy in place, it should review the policy to ensure that it is 'fit for purpose' bearing in mind developments in case law. Put simply, as technology develops, attitudes change and the global employer needs to be ahead of the game by ensuring that its policies and documentation reflect those developments. For example, a small number of employers have taken the next step of revising employment contracts to tighten the definition of confidential information, specify ownership of LinkedIn contacts, place a duty on the employee to delete contacts on termination and provide when online activity will breach post-termination restrictions against solicitation and competition.
Global employers must deal with the issues set out above through their policies and employment documentation and be prepared for the additional challenges posed by local culture and changing social attitudes to technology, social media and privacy in relation to conduct in or outside the workplace. Otherwise, multinational companies risk facing and potentially losing high-profile employment litigation that could damage both the reputation and value of the business.
1 Erika C Collins is a partner at Proskauer Rose LLP.
2 EU Justice Commissioner Viviane Reding speaking in November 2011 stated that individuals would have a right to force organisations to delete personal data that they store about them. In June 2015, the Council of the European Union released their general approach to the EU Data Protection Regulation. In December 2015, the European Parliament, European Commission and Council of the European Union reached an agreement on new data protection rules, establishing a modern and harmonised data protection framework across the EU. The European Parliament's Civil Liberties committee and the Permanent Representatives Committee of the Council then approved the agreements with very large majorities. In May 2016, the official texts of the EU Regulation and EU Directive with regard to the processing and protection of personal data were published in the EU Official Journal in all official languages. The General Data Protection Regulation (GDPR) entered into force in May 2016 and applies from May 2018. The Directive also entered into force in May 2016, and EU Member States were meant to have transposed it into their national law by May 2018. The objective of this new set of rules is to give citizens back control over of their personal data and to simplify the regulatory environment for business.
3 In 2016, Turkey attempted to harmonise its data protection regime with that currently in force in the EU, which Turkey still is striving to join.
4 In many jurisdictions, employees will, in fact, have an expectation of privacy with respect to their use of social media and mobile devices (even if such devices are owned by and provided to the employee by the employer), but having policies that clearly limit the employees' expectation of privacy will best position the company in the event that it wishes to access, review or delete information contained on a device or on social media.