Developing bring-your-own-device programs for a global workforce
BYOD programs raise particular challenges for multinational employers, given the significant differences in local privacy and employment laws
By now, it is clear that “bring your own device” (BYOD) programs are here to stay. If anything, BYOD may be more prevalent than most employers suspect: One study reported that around 90 percent of U.S. employees use their personal smartphones for work purposes.
BYOD often appears to be a win-win proposition for employers and employees. Employers are excited by reduced technology costs when personal devices replace company-issued ones, and employees want to be able to use the devices they already know and love. According to some predictions, by 2017, one in two companies will no longer provide company-issued devices to its employees.
Despite the prevalence and popularity of BYOD, the BYOD model presents challenges to employers. Fundamentally, employers have less control over employees’ personally owned devices than over company-issued devices. BYOD programs raise particular challenges for multinational employers, given the significant differences in local privacy and employment laws. Employers need to understand these differences and develop an internal strategy that reflects their own BYOD-based risk analysis.
1. Identifying potential consultation requirements
A preliminary question is whether an employer can implement a BYOD program unilaterally, or whether the employer must consult with (or even obtain consent from) labor unions, works councils or other employee representative bodies.
In Europe, for example, an employer may need to complete a formal consultation process with its works councils before implementing a BYOD program. This process typically involves presenting the works council with detailed information about the proposed BYOD program and responding to the works council’s questions, concerns, objections and suggestions. In some European countries, the employer also may be required to obtain the works council’s prior approval in order to implement the BYOD program in that country. In some cases, an employer might consider implementing its global BYOD program in stages, starting with the U.S. and working up to the more challenging jurisdictions, in order to have a more specific, road-tested proposal to bring to the local unions or works councils.
2. Assessing potential payment obligations
Employers might assume that BYOD will save them money because they will no longer be paying for employees’ devices and service plans. The employer will want to check this assumption under local employment laws, though. In the U.S., for example, state laws may require employers to reimburse employees’ necessary work-related expenditures, which may include certain personal mobile phone expenses. Employers also may be required to compensate employees for time spent after-hours on work-related calls and emails, which may weigh against providing widespread BYOD access to all employees.
3. Deciding whether BYOD is voluntary or mandatory for employees
In most jurisdictions, including the U.S., an employer should obtain an employee’s express, informed consent to participate in the BYOD program. If an employer accesses, monitors, modifies or wipes an employee’s personally owned device without proper authorization from the employee, the employer might face potential claims under the federal Computer Fraud and Abuse Act, federal and state wiretapping laws, or common-law theories. The employee’s authorization would be most defensible if it is freely and voluntarily given.
Additional complexities arise under international data protection laws. In the European Union, for example, an employer needs to establish a legal basis for any processing of personal data in the context of a BYOD program. In practice, employers may need to obtain the employee’s consent because there may not be another legal basis available to permit all BYOD-related activities. While many EU member states allow processing of non-sensitive personal data based on the legitimate interests of the company, this exception is interpreted quite narrowly: the company’s interests must be balanced against the individual’s privacy (which may require performing a privacy impact assessment or similar analysis), and would not permit the processing of sensitive data (such as location data). Accordingly, an employer may have little choice other than to seek and rely on employee consent.
Consent needs to be freely given, informed and specific. This standard can be particularly challenging in the EU, where employee consent is often seen as not freely given because of the imbalance of power between employer and employee. If the consent is not freely given, it is invalid. At a minimum, employers should give employees the option of using a company-issued device rather than a personally owned device, if the employees need to use a mobile device for work purposes. This would help to demonstrate that the employee had a legitimate choice of whether to use a personally owned device for work purposes.
Admittedly, employers may find this approach less than satisfactory, especially if they aspire to join the above-mentioned one in two companies that are estimated to cease providing company-issued devices to their employees by 2017. However, without valid employee consent, such companies may be quite limited in what they may do in the context of their BYOD program.
4. Developing an appropriate BYOD policy or agreement
After the employer has considered these preliminary issues, the employer can start crafting a BYOD policy or agreement that provides the necessary information and obtains the employee’s voluntary consent. Regardless of whether the employer chooses to present this information in the form of a policy or an agreement, it is advisable for the employer to obtain the employee’s affirmative consent, whether through a written signature or a click-wrap where permissible.
Key issues to address in a BYOD policy or agreement include, but are not limited to, the following:
Software: A BYOD policy should describe the conditions and requirements for participation in the BYOD program, which may include downloading company-chosen mobile device management (MDM) software onto the personal device in order to push company security measures onto the device, and additional software installation or updates over time.
Security: A BYOD policy should require employees to prevent unauthorized access to company data on the personal device. Additionally, the BYOD policy should require employees to notify the company immediately if the personal device has been lost, stolen, or compromised.
Monitoring: Employers seeking to monitor BYOD activities in multiple jurisdictions can expect to encounter a variety of restrictions, depending on the types of monitoring and jurisdictions at issue. Accessing of personal content on the device can also be problematic. For example, German law generally prohibits employers from opening and reviewing personal emails of employees. If a company cannot distinguish between personal- and business-related communications, this can create a host of issues and prevent legitimate email monitoring. An appropriate MDM software solution might help in this regard, if it is designed to limit monitoring to company data only.
Remote wipe: It is important for companies to be able to remotely delete their company data from devices that have been lost or stolen, or when an employee leaves the company. Employers should draft their BYOD policies to include explicit and conspicuous consent to remote wipes. Employers also are encouraged to use a BYOD solution that allows a remote wipe of company data only, rather than forcing a complete wipe of the device that would delete the employee’s own personal photos, applications, and other content.
Data transfers: If the BYOD solution may cause data to be transferred to other countries, the employer should explain this in the BYOD policy and obtain any necessary consent to the cross-border transfers.
In conclusion, the prevalence of BYOD programs does not make them risk-free, and they present particular challenges for multinational employers. With careful planning and understanding of local laws, however, multinational employers can help to achieve the “win-win” value proposition of BYOD for both employer and employees.