I Introduction

The early part of the 21st century has been characterised by the rapid proliferation of mobile devices and social media platforms. The most recent statistics show the following:

  1. It is estimated that, in 2019, more than 5 billion people had mobile devices, an increase of 100 million (2 per cent) from the previous year, and that more than half of these connections were smartphones.
  2. The number of internet users in 2019 was 4.39 billion, an increase of 366 million (9 per cent) as compared to January 2018.
  3. There were 3.48 billion social media users in 2019 and the worldwide total has grown by 288 million (9 per cent) since 2018.
  4. In January 2019, 3.26 billion people used social media on mobile devices, a growth of 297 million new users, representing a year-on-year increase of more than 10 per cent.

These figures illustrate that internet use continues to both grow and accelerate, with more than 366 million new users coming online during the past year. India, in particular, stands out, with internet users increasing by nearly 100 million in the past year, representing annual growth of more than 20 per cent. Internet penetration in India now is approximately 41 per cent, an increase of 10 per cent as compared to a year ago. This means that India now is responsible for more than a quarter of the global growth in the past 12 months. Overall, Asia-Pacific represented 55 per cent of the annual growth figure, with China adding another 50 million new users in the past year. The United States continues to expand internet user growth as well. Despite already having an internet penetration rate of 88 per cent a year ago, US internet user growth increased by nearly 9 per cent year-on-year, totalling more than 310 million users in January 2019, reflecting a 95 per cent penetration. African nations represent the fastest growing internet communities, although many begin with relatively small bases. Western Sahara had the greatest year-on-year relative gains, with the reported number of internet users in the country increasing almost fivefold since January 2018.

Specific to social media, this use is not evenly distributed across the world, and penetration rates in parts of Africa still remain in single digits. Middle East nations, specifically the United Arab Emirates and Qatar, continue to top the social media penetration rates. In the past year, China added the most new social media users, with the country's total rising by nearly 100 million. Data suggests that more than 1 billion people in China use social media. India's social media growth continues as well, with more than 60 million users signing up to social media for the first time during 2018. The global social media audience also has matured, as people around the age of 30 now account for the largest share of the world's social media users. Senior audiences are better represented as well, and Facebook's various platforms report a greater number of users over the age of 55 than users under the age of 18.

Further, people are spending more time than ever on social media. The average social media user now spends more than two hours on social platforms each day, equating to one-third of their total internet time and one-seventh of their waking lives. Interestingly, time spent on social media varies considerably across cultures, with internet users in Japan spending an average of just 36 minutes on social media each day while those in the Philippines spend the most time (more than four hours each day). Facebook, arguably the most popular form of social media, has reached 2.41 billion active users per month; 88 per cent of Facebook users access the site on mobile devices and 95 per cent of visits are made on smartphones and tablets. Furthermore, Instagram (which is owned by Facebook) has more than 1 billion monthly active users, Twitter has 330 million monthly active users and LinkedIn has 303 million monthly active users (although LinkedIn has more than 610 million members). In China, WeChat, Tencent's popular messaging app, is estimated to have passed 1 billion monthly active users. Finally, 5G service is gradually being rolled out across the United States and China. China also has launched research and development work for its 6G mobile networks.

The message of these statistics is that mobile devices and social media are a ubiquitous part of everyday life around the world, including in the workplace, and are becoming increasingly so. One industry survey has indicated that 90 per cent of businesses use social media for business purposes, nearly 80 per cent of businesses have social networking policies and 70 per cent of businesses report having to take disciplinary action against employees who misuse social sites. In addition, nearly 60 per cent of businesses monitor employees' use of social media at work. In turn, employers must be cautious about what actions they take when monitoring employees' behaviour online, because, depending on the jurisdiction, ownership of the device and other circumstances, this can implicate a wide range of employee protection and privacy laws.

It is important, therefore, to write social media policies that achieve company business goals while remaining compliant with local laws. For example, China, Iran, North Korea and Syria ban Facebook, YouTube or Twitter (or all three) in some capacity. Additionally, if a company wishes to join the 36 per cent of employers who ban use of social media at work (one in five companies block Facebook, 15 per cent shut out Twitter and nearly 14 per cent ban YouTube), there are potential issues to consider. For example, in Argentina, Japan and Spain, although employers may ban social media use and block access to those sites on company-provided equipment, employers cannot actually interfere with employees' use of employee-owned devices. In any event, if a company seeks to prohibit the use of social media during work time, which is generally permissible, it is well advised to communicate these policies clearly and connect the policies to a cogent business reason, such as ensuring worker productivity or availability. While employers have legitimate concerns about employee productivity while on company time, employers should be aware that some jurisdictions have strong protections for employees' and individuals' otherwise seemingly trivial social media use because of past experiences with despotism and totalitarianism.

What remains universal in today's workplace is that social media pervades every aspect of the employment life cycle: recruitment, potential bullying and harassment, productivity levels, potential discrimination, the protection of confidential information, trade secrets and intellectual property, an employee's rights to a private life and freedom of expression, reputational issues for all parties, legal and regulatory obligations, defamation, privacy considerations, termination and even post-termination.

Accordingly, the key question for global employers is what policy and approach should be used to leverage the benefits and address the challenges posed by these technologies in the workplace.

II Recruitment

Employers must determine, for example, the extent to which social media will have a role in employee recruiting efforts. Throughout the world, most employers require some form of background information on candidates. In some jurisdictions, such as the United Kingdom, employers generally rely upon a reference provided by a former employer. In others, such as the United States and China, employers typically require a thorough background check carried out by a third-party provider. In addition to these formal mechanisms, however, employers also occasionally seek to gather information through informal channels. While some employers and those involved in recruitment still gather anecdotal information about candidates through 'word of mouth', there is now the greater temptation to review a candidate's online profile, and information posted on social networking sites and the internet. One survey in 2019, for example, found that 91 per cent of employers use social media for recruitment purposes. In addition, a 2018 study found that 43 per cent of employers use social media to check on current employees. Also, a 2018 survey found that 57 per cent of employers decided not to hire a candidate because of information found on social media. Similarly, from a job seeker perspective, a 2019 study found that 55 per cent of potential applicants who find a negative review about a potential employer do not apply for an open position with that employer. Information on these sites and the wider internet is very difficult to take down, so tagged pictures taken from a drunken night out could follow a candidate throughout his or her career. While the result of this information permanence is a potential source of useful information for employers when considering applicants for employment, there is widespread debate – as evidenced, for example, by the debate across the European Union over the 'right to be forgotten'2 – about whether this information should be reviewed and considered by employers during the recruitment process. And this debate is reflected in the widely varying laws on this topic throughout the world.3 Indeed, in September 2019, the European Court of Justice ruled that search engine operators are not required to carry out a de-referencing on all versions of a search engine to comply with the 'right to be forgotten' under the General Data Protection Regulation. In practice, this means that the 'right to be forgotten' online does not extend beyond the borders of the European Union. Search engines, however, still are required to discourage EU citizens from accessing those non-EU domains.

The general view is that if an employee exposes his or her personal information publicly on social media networks, this is viewed as the problem of the employee and not a public policy issue. In France, as long as information about a candidate is deemed public (i.e., as long as it is not published on spaces with access restricted to preselected 'friends' or 'followers') and the collection of information does not involve a violation of the right to private correspondence or privacy, then potential employers and any third parties (including recruitment agencies) are entitled to look at the information. However, the candidate must be informed of the social media-based data collection process. On the other hand, in Italy, it is not permissible to refer to social networking sites to make decisions about recruitment and selection of candidates because referring to social media sites in such a context would be an infringement of an individual's right to privacy. Similarly, in Canada, using social media in the recruitment and selection process may risk violating privacy laws. If businesses collect information from social media sites in the recruitment and selection process, it may make it challenging to comply with privacy laws, as set forth in guidelines and decisions of Canadian privacy regulatory authorities.

In 2017, an EU data protection working party released non-binding recommendations that employers should have 'legal grounds' to search applicants' social media. In Germany, for example, employers may not obtain any information from social media sites to answer questions that they would not have been permitted to ask of a candidate directly. Furthermore, employers should only consult purely business-focused networks, such as Xing or LinkedIn, provided that the employer informs the employee about this in the job advertisement. In addition, employee data should be acquired only directly from the employee, the employer is not allowed to collect any information about a severe disability or equal treatment, and the employer may only solicit information from a previous employer if it has the consent of the candidate. Similarly, in the United Kingdom, employers must be familiar with the UK Information Commissioner's Office (ICO) Employment Practices Code and the Employment Practices Code Supplementary Guidance. The ICO recommends that an employer should only seek personal information about a candidate if it is relevant to the job decision being made and that it views the gathering of the information as a form of vetting. Further guidance is available from the UK's Advisory, Conciliation and Arbitration Service in its fact sheet on the use of social networking in recruitment. A failure by an employer to comply with these laws or guidance may result in the employer facing an employment tribunal claim, an action for damages or a complaint to the ICO.

The effects of social media during recruitment cannot be overstated. This is, in part, because millennials and members of Generation Z account for more than one-third of the workforce. In the next 10 years, that figure is estimated to pass 50 per cent, making the youthful generations the most dominant in the workplace. Because these groups of employees have grown up communicating actively via many diverse social media sites and using several devices, the use of social media is a workplace trend with staying power for the foreseeable future.

In any case, employers should be aware of discrimination claims that may arise as a result of the alleged improper use of information gleaned from social media. Before accessing social media, and certainly before making decisions based on information found on social media, employers should carefully consider:

  1. the evidentiary weight to be given to information obtained from a social media site;
  2. that information posted may be inaccurate, out of date, not intended to be taken at face value, or even posted by someone other than the person who is the subject of the enquiries;
  3. that relying on information contained in social media sites creates a risk of discrimination, either because someone is treated less favourably by reason of a protected characteristic, or a condition is imposed that has a disparate effect on a particular group; and
  4. that any use of social media sites when making employment decisions should comply with data privacy requirements (including in relation to the secure storage and deletion of information after it is no longer needed) and any internal policies about the monitoring of these sites.

III Bring-your-own-device POLICIES

Company work is increasingly being conducted on employees' personal mobile devices. Even when there are no formal policies permitting or addressing it, employees are already using their personal devices for work purposes by using workarounds such as forwarding work emails to personal email accounts, taking conference calls from personal smartphones and using the calendar features on their personal devices to track both business and personal appointments. Accordingly, prudent employers are left with little choice but to embrace this trend and put into place policies and limitations that will prevent the employer from being caught flat-footed in a situation in which it needs to access, review or delete company information on an employee's personal device.

These policies, if well crafted, can also offer significant benefits for both employers and employees. For employees, these types of policies are desirable because they cut back on the number of devices that employees must carry around and check, and allow employees to choose which device or operating system is most comfortable for them. These policies can also result in cost savings for the employee if the employer provides a technology allowance or covers a portion of the service costs for the employee's use of a personal device for work purposes. Employers also can realise significant savings as the costs of providing a technology allowance or paying a portion of service costs are likely to be significantly less than the hardware and service costs of providing a separate company-issued device. Moreover, as employees – and especially young employees – increasingly cite workplace flexibility and other similar 'intangible' benefits as key in their assessment of a company's desirability as an employer, any efforts that companies can make to give them an edge in this regard will be beneficial.

Once employees have been hired, employers must have in place policies to guide and manage employees' use of technology in the workplace. Bring-your-own-device (BYOD) programmes in particular can raise thorny issues for employers, despite their many obvious benefits for both employers and employees. For example, there are a number of situations in which an employer will want to be able to access, review or even delete data and other information held on a device. In conducting an internal investigation, for example, an employer may need to review an employee's work-related emails or text messages. An employer might be obliged to produce this type of information in a litigation or government investigation. The device could also include confidential business information or trade secrets that would need to be protected, particularly if the employee resigns or the device is lost or stolen. Accordingly, in enacting mobile device management policies, employers seek to ensure that their data, trade secrets and other proprietary information are secure and accessible to the company, even when held on a device owned by an employee. Because of these concerns, companies generally seek to craft policies that limit to the greatest degree possible their employees' expectation of privacy with respect to activity conducted and data stored on a mobile device. Employees, by contrast, expect a certain degree of privacy with respect to their use of mobile devices and particularly their personal information stored on personally owned devices. Especially outside the United States, that expectation of privacy is often protected by the law.

Specifically, the privacy and data protection laws of many jurisdictions place limitations on a company's ability to access information on an employee's mobile device (especially when that device is owned by the employee and therefore assumed to contain non-work-related personal information). Some countries are particularly restrictive. In Brazil, for example, accessing or deleting any personal information about an employee will be problematic, even if the company issues a clear and specific policy that indicates that it may do so, and obtaining an employee's consent to such a policy is unlikely to bring access within the bounds of the law. Similarly, in Germany and the Netherlands, monitoring, accessing or deleting personal information on an employee's mobile device (whether company-issued or personally owned) is permissible only if there is circumstantial evidence that an employee is engaged in serious misconduct, such as fraud, sexual harassment or disclosure of the company's confidential information and there are no less intrusive methods to achieve the company's legitimate business objectives. Moreover, in Germany, accessing the personal information of a third party (such as a family member or non-business acquaintance of the employee) on an employee's mobile device without the third party's consent could violate German data protection, telecommunications and even criminal laws. Because it would be nearly impossible to avoid this on an employee's personally owned device, companies should access these devices only in severe cases where there is no other viable means available to achieve the company's purpose in accessing the information. Finally, in many European countries, an employer that wishes to implement a mobile device or BYOD policy will need to inform and consult with the works council before doing so.

By contrast, in India and Mexico, employers have more flexibility, provided that they are transparent with employees about the terms of their mobile device management policy and offer employees a choice about the degree of access that the company will have to employees' personal information.

If an employee refuses to consent to the terms of a BYOD policy, or later withdraws his or her consent, the company should work with the employee to ensure that all company information is deleted from the employee's personal device, and the employee should from then on be required to work only from a company-issued device (and not to conduct personal business or store personal information on that device). In light of this, BYOD-only policies can be particularly problematic because they do not offer employees a real choice as to whether or not to consent to the processing of their personal information.

IV MONITORING

As a general matter, an employer's legitimate interest in protecting its business must be weighed against an employee's right to privacy (and data protection concerns). Accordingly, as a best practice, employers should consider the following steps:

  1. put in place clear, well-defined and well-communicated policies or contractual provisions concerning the appropriate use of social networking sites and the sanctions for non-compliance;
  2. ideally, employees should consent explicitly to such policies in writing. In some jurisdictions, such as the Netherlands and France, however, express consent will not be sufficient in and of itself to allow monitoring;
  3. monitoring should go no further than is necessary to protect the employer's business interests;
  4. monitoring should be conducted only by designated employees, who have been adequately trained to understand the limits on their activities;
  5. personal data collected as a result of any monitoring should be stored safely, not tampered with, not disseminated more widely than is necessary and not stored longer than is necessary;
  6. train management and employees in the correct use of information technology; and
  7. be able to particularise and document any misuse of social media sites by employees.

Different jurisdictions have slight deviations from this approach that must be factored in before making a global social media or technology policy. Although surveillance of employees' use of social networking sites by the employer is permitted in Canada, monitoring must be reasonable and not rise to the level of an invasion of privacy. Notably, in 2012, the Court of Appeal for Ontario recognised a common law right of action for invasion of privacy (i.e., intrusion upon seclusion). In Argentina, Italy and Spain, even in circumstances where monitoring of social media may be permissible, employers are not allowed to monitor its content. As a general rule of thumb in the United Kingdom and Ireland, monitoring should be proportionate to the business need and its level of intrusiveness on an employee's private life. In 2017, the European Court of Human Rights held that employers can monitor employees' emails if the employees are notified in advance. Finally, consultation with works councils, worker representative committees and even health and safety committees may be necessary in various parts of either the promulgation or execution of a social media policy in jurisdictions such as China, France, Germany and the Netherlands.

A somewhat anomalous protection for employees exists under federal labour law in the United States. The National Labor Relations Act (NLRA), a statute primarily dealing with unions and unionised workforces, extends protections for those employees engaging in protected concerted activities over their terms and conditions of employment. The NLRA has been broadly interpreted by its responsible agency to cover employees' social media use. Significantly, from a monitoring perspective, employers must not promulgate or maintain a policy that is perceived to 'chill' employees' exercise of their rights under the NLRA.

V Discipline and termination

The lawful grounds for termination of employment will vary between jurisdictions depending upon the local definitions of gross misconduct, cause or personal reasons. Again, social media sites and mobile devices are increasingly playing a part in this key stage of the employment relationship. The central issue for most employers is whether they can terminate the employment for postings made on social media sites about their employer, colleagues, products or customers. These types of situations are arising with increasing frequency as participation in social networking becomes more widespread.

For example, in an unreported case from China that hit the press in December 2012, an air stewardess lost her labour arbitration claim against the airline from which she was dismissed following an internal investigation after it was discovered that she had posted negative comments on her employer's official Weibo page deriding the airline's public announcement about improvements to its food service. The labour arbitrator upheld the company's dismissal on the grounds that her comments had greatly damaged the company's reputation.

The answer to whether employees' contracts can be terminated for this type of behaviour, arguably, is yes, if the postings constitute behaviour that would be actionable if it took place in the 'real' (offline) world: bullying and harassment; discrimination; defamation; or breach of confidential information, trade secrets or intellectual property. However, the employer still needs to consider factors such as whether the postings are made during work time and from work equipment, the circumstances that led to the posting, whether the company has a policy prohibiting the relevant conduct and whether it has tangible evidence of the breach or violation. Case law indicates that the blanket justification for dismissal of bringing the employer's business or name into disrepute is not a reliable catch-all. Once again, however, there is fairly wide variation among jurisdictions as to what type of behaviour will be found to be actionable.

In many jurisdictions, the degree to which an employer can discipline or terminate the contract of an employee on account of the employee's use (or misuse) of technology will depend on the policies that are already in place. In Germany, for example, an employer's ability to use employee data obtained from social media with respect to a termination depends on the employer's policy on internet use in the workplace. Along the same lines, in China, whether an employer can justify a termination based upon comments posted on social networking sites turns on whether the act in question can be seen as a material violation of work rules set by the employer.

Other jurisdictions give broader rights to employers, though generally at least some restrictions exist. In the United States, for example, an employer is permitted to rely on information obtained from social media sites such as Facebook and Twitter to terminate employment of an employee, subject to certain limitations, but the use of the data in employment decisions increases the risk of employment litigation. The NLRA, for example, covers certain social media activity of non-supervisory employees when the activity constitutes protected concerted activity for collective bargaining or 'other mutual aid or protection'. This means that if a non-supervisory employee posts a workplace complaint on a social media site to encourage other employees to take a stand against a workplace policy, or if other non-supervisory employees comment on the post, it is likely that the employer would be prohibited, under the NLRA, from terminating or taking other adverse action against those employees based on their posts, even if the posts were critical of the employer. Employers are also prohibited under certain state laws from demanding that their employees or job applicants turn over their social media passwords to their employer, and a number of other states are considering legislation banning employers from making these requests. In the United Kingdom, an employer is permitted to rely on evidence from social networking sites when it terminates employee contracts even if the conduct takes place outside working hours and on personal equipment. The key to the successful use of this type of evidence by the employer is whether the evidence amounts to gross or serious misconduct that justifies the employer's decision to terminate the employment relationship. Regard should also be had as to the appropriate evidential weight given to the evidence, which may be unreliable or inaccurate.

VI Recommendations

Advance planning is the best form of defence when dealing with mobile device and social media management. Prudent companies will work to put policies into place that will ensure they are in the best position when difficult situations arise. With respect to social media, companies should consider the following:

  1. determining, as a matter of principle, whether personal use of social networking sites is permitted during work time or from work equipment and any rules on off-duty conduct;
  2. whether certain sites can or should be blocked or whether employees can or should be expressly prohibited from mentioning their employer, place of work, customers and colleagues on social media sites;
  3. whether, as a matter of principle, business use of social media sites is permitted, and set out clear examples of acceptable behaviour;
  4. encouraging employees to draw a distinction between their personal correspondence and use and their working life;
  5. prohibiting the disclosure of confidential, business, client or personal information and trade secrets and making derogatory or defamatory comments; and
  6. prohibiting anonymous communications to ensure that there is no risk of employees being perceived to promote or comment on the employer's products and to reduce the risk of bullying and harassment.

With respect to mobile device (including BYOD) policies, companies should consider the following:

  1. informing employees that there is no expectation of privacy with respect to company equipment, including their use of social media sites, and notifying employees that the employer monitors employees' use of social media sites, the internet and company equipment;4
  2. coordinating legal, human resources and IT colleagues and advisers to ensure that the policies and technology are consistent;
  3. providing transparent information to employees about how information on mobile devices (whether company-issued or personally owned) will be accessed, processed, reviewed, transferred, disclosed and deleted; and
  4. obtaining informed and uncoerced consent to the processing of personal information (recognising that BYOD-only policies may make obtaining uncoerced consent practically impossible).

Finally, in general, companies should:

  1. set out the sanctions for a violation or breach of the relevant policies and link these to any disciplinary rules, harassment and whistle-blowing policies;
  2. ensure that the policies are clear, up to date and well known and that reminders are circulated regularly;
  3. educate and train employees and managers on the policies; and
  4. ensure that the policies are enforced in a consistent manner.

If an employer already has a policy in place, it should review the policy to ensure that it is 'fit for purpose' bearing in mind developments in case law. Put simply, as technology develops, attitudes change and the global employer needs to be ahead of the game by ensuring that its policies and documentation reflect those developments. For example, a small number of employers have taken the next step of revising employment contracts to tighten the definition of confidential information, specify ownership of LinkedIn contacts, place a duty on the employee to delete contacts on termination and provide when online activity will breach post-termination restrictions against solicitation and competition.

VII Conclusions

Global employers must deal with the issues set out in this chapter through their policies and employment documentation and be prepared for the additional challenges posed by local culture and changing social attitudes to technology, social media and privacy in relation to conduct within or outside the workplace. Otherwise, multinational companies risk facing and potentially losing high-profile employment litigation that could damage both the reputation and value of the business.


Footnotes

1 Erika C Collins is a shareholder at Epstein Becker & Green, PC. The author extends special thanks to Ryan Hutzler for his contributions to this chapter.

2 The Data Protection Law Enforcement Directive entered into force in May 2016, and the General Data Protection Regulation became valid in European Economic Area [EEA] countries (including Iceland, Liechtenstein and Norway) on 20 July 2018, after the EEA Joint Committee and the three countries agreed to follow the Regulation.

3 In 2016, Turkey attempted to harmonise its data protection regime with that currently in force in the EU, which Turkey still is striving to join.

4 In many jurisdictions, employees will, in fact, have an expectation of privacy with respect to their use of social media and mobile devices (even if those devices are owned by and provided to the employee by the employer), but having policies that clearly limit the employees' expectation of privacy will best position the company in the event that it wishes to access, review or delete information contained on a device or on social media.