Thursday, December 15, 2016
This international special issue explores the privacy risks associated with the use of geolocation devices by the industry. There has been, in particular, a spectacular increase in the use by the industry of geolocation data in the employment context. As geolocation systems cost less and less and have proved to be very useful when installed on devices carried by employees (e.g. mobile telephones) and/or on (corporate or private) vehicles used by the employees, the industry is widely using such systems nowadays.
Nevertheless, the geolocation of employees creates inherent risks to their right to movement and to privacy. Many countries have thus set up a framework for the use of geolocation devices by employers in order to manage risks for and preserve the fundamental rights of employees.
The geolocation of employees is a common practice in the working environment in Greece too. Establishing a legal framework for the fair use of such a process constitutes a major stake as far as the right to privacy is concerned.
The Lexing® network members provide a snapshot of the current state of play worldwide. The following countries have contributed to this issue: South Africa, Germany, Belgium, Costa Rica, Spain, France, Greece, New Caledonia.
Notably, in early 2013 Ballas, Pelecanos & Associates L.P.C. joined Lexing, the first international network of lawyers dedicated to digital and advanced technology law, with presence in 24 countries worldwide. The network’s focus has been placed on the legal aspects of robotics and artificial intelligence (often called Robot Law), a fast developing field of law with significant penetration in most business industries.
Ballas, Pelecanos & Associates L.P.C. offers compliance services and legal advice on contentious, non-contentious and often complex data privacy issues to the most prominent multinational companies in the IT industry sector, as well as in other important industry sectors, having acquired, during the past years, valuable experience in the relevant sector of law.
For any further information you may contact George Ballas, head of the firm’s Data Protection Practice Group.
Use of geolocation systems at work.
Collection and processing of employees’ geographic location data essentially involves processing of employees’ personal data, falling therefore within the scope of applicable data protection regulation. Notably, in the General Data Protection Regulation [Regulation (EU) 2016/679] (The General Data Protection Regulation entered into force on 24 May 2016 and it shall apply from 25 May 2018) ‘location data’ are specifically included in the definition of ‘personal data’. Geolocation systems can be installed on devices carried by employees (e.g. mobile telephone, etc.) and/or (corporate or private) vehicles used by employees. Such systems usually process data from satellites (GPS) and electronic communications networks (mobile, Wi-Fi), basically serving security, monitoring, productivity evaluation and work optimisation purposes. The use of geolocation technologies can effectively blur the line between work and private life, while striking a balance can be a challenging task for regulators.
Working Party 29 Opinions.
Working Party 29 (Working Party was set up under Article 29 of Directive 95/46/EC. It is an independent European advisory body on data protection and privacy. Its tasks are described in Article 30 of Directive 95/46/EC and Article 15 of Directive 2002/58/EC.) has repeatedly reviewed the issue in question; relevant are Opinion 5/2005 on the use of location data with a view to providing value added services and Opinion 13/2011 on Geolocation services on smart mobile devices. The general principle adopted in the above mentioned Opinions is that the lawfulness of such processing operations should not rely exclusively on the employee’s consent; in light of the problematic nature of employee consent, employers may only adopt such technology “when it is demonstrably necessary for a legitimate purpose, and the same goals cannot be achieved with less intrusive means”. Moreover, Working Party 29 takes the view that “processing of location data on employees must correspond to a specific need on the part of the company which is connected to its activity” and it can be justified “where it is done as part of monitoring the transport of people or goods or improving the distribution of resources for services in scattered locations (e.g. planning operations in real time), or where a security objective is being pursued in relation to the employee himself or to the goods or vehicles in his charge”.
Greek legal framework.
The Greek Data Protection Law 2472/1997 provides a horizontal regulatory framework without specifically referring to the use of geolocation technologies. However, geolocation technologies have been within the scope of the Greek Data Protection Authority (DPA)’s mission and work, having issued a number of relevant Decisions (inter alia, 162/2014, 163/2014, 165/2014), DPA Directive 115/2001 on privacy at work (Based on the Article 29 Working Party 55/2002, working document on the surveillance of electronic communications in the workplace) and also having published relevant Guidelines on its website. According to the said DPA Guidelines, the installation of geolocation systems does not violate the privacy of the employee if it is not used in order to monitor the employee, but in order to facilitate a more efficient business operation (e.g. route optimization) and enhance employee safety. It is also noted, that if the system is in place only for the employee’s convenience, then the latter must be able to disable it at will. In the DPA’s view, employee performance evaluation based on monitoring via technical means constitutes, in principle, “excessive processing and violation of the principle of proportionality”.
The following Lexing® network members have also contributed to this issue: South Africa, Germany, Belgium, Costa Rica, Spain, France, New Caledonia. This issue and all previous publications are available here.