Working from a home office in times of Corona makes an evergreen of corporate IT blossom again: Bring Your Own Device. If companies want to quickly implement a possibility to work from home, they often have no choice but to allow employees to log into the company network using their own personal computers. The use of personal computers that corporate IT cannot freely administer tends to give IT administrators gray hair. Looks like a good opportunity to explore the odds and ends of BYOD from an operational and legal perspective.
The Concepts: BYOD, CYOD or COPE?
For the sake of completeness, we should note that BYOD is not the only model that enables an employee to choose his or her "personal IT tool." We basically distinguish three different models:
BYOD (Bring Your Own Device) means that the device used (PC, laptop or mobile phone) is owned by the employee and is generally used by the employee for personal matters. Notwithstanding, the employer allows the employee access to company data and to the corporate IT network via the employee's personal device.
CYOD (Choose Your Own Device) is, so to speak, the IT-related version of a "company car": The employee selects a device that the company pre-configures and equips with security systems, and eventually provides it to the employee for work and for personal use. A CYOD device, however, is not owned by the employee but provided by the company.
Last but not least, COPE (Corporate Owned Personally Enabled) is a variant of CYOD, where the company additionally specifies the device class in order to keep maintenance and synchronization costs as low as possible. From an IT perspective, BYOD poses great challenges for system administrators trying to achieve a consistent security level across a corporate IT system.
Since CYOD and COPE have in common that ownership of the device (usually) lies with the company, the risk factors that come with CYOD and COPE differ from those that come with BYOD. In the following, I want to shed some light on the points to be considered when implementing BYOD in your company.
If you want to use your employees' IT infrastructure to quickly implement a home office environment and introduce BYOD in your company, then regardless of the company's size, setting up and maintaining a BYOD policy is a must. Due to the related operational risks and legal aspects, implementing BYOD requires stringent IT administration of the concept, which can only be implemented consistently on the basis of a contract. Where employees have elected a works council, the implementation of a BYOD policy requires an agreement with the works council.
Risks And Side Effects
The risks and legal requirements in connection with the implementation of a BYOD concept in a company are not negligible.
The operational risks mainly concern IT administration, IT security and the protection of company secrets. As an example, a company should consider the following points:
- difficulties of uniform IT administration due to the use of devices with different operating systems
- associated difficulties in the creation and maintenance of IT security
- unauthorized access to company data (e.g. daughter using dad's cell phone)
- higher virus susceptibility in case of poorly protected end devices
- protection of company secrets when employees change employment (and keep their own device)
- data protection problems if employees back-up their device via a cloud-service in a third country that does not have an adequate level of data protection
- actual loss of control over company data (and their confidentiality) in connection with personal back-ups with cloud-service providers.
The above points are not merely theoretical: it has happened that a new employee starts the job with his BYOD device at the new workplace, and a colleague then notices that the "new guy" keeps using not only data and files but also software applications of the former employer on that device.
The legal requirements when implementing BYOD can be significant depending on the type of company and the extent of corporate access to the personal device that may be required – and those are in no way limited to the application of the GDPR. Therefore, companies should bear in mind that the introduction of BYOD may require co-determination by the works council (i.e., an agreement with the works council) and may require compliance with applicable data protection requirements.
If corporate software applications are installed on a BYOD device, or if corporate access is granted otherwise to the BYOD device, the following legal aspects should be observed:
- Telecommunications secrecy (Art. 10 GG): The company must not gain knowledge of the content of emails and telephone calls on the BYOD device.
- Type and scope of the employee's personal use of the BYOD device (e.g. surfing on dubious virus-prone websites) must not be monitored.
- Risk of criminal liability under Section 303a (German Criminal Code, "StGB", unlawful alteration of data) and, if applicable, Section 206 StGB, if the company remotely deletes all data (including personal data) stored on the BYOD device without the employee's consent.
- Risk of criminal liability under Section 202a StGB if the company overcomes the password protection on the employee's BYOD device.
- Software licenses acquired by the employee for personal use of applications installed on a BYOD device may not cover an application's professional use or use for the company.
- There may be an obligation of the company to compensate the employee for damages if a BYOD device is lost or damaged during use for company purposes.
- Issues relating to labor protection law must also be considered, specifically if employees can always be reached by using a BYOD device (e.g. question whether this is to be regarded as on-call service pursuant to applicable German employment laws).
To protect corporate IT networks in BYOD scenarios, IT administrators like to manage BYOD devices via mobile device management software (MDM tools), which is installed on the BYOD device and allows the device to be centrally administered and safeguarded. Apart from that, companies should look for a careful separation of personal and business data on the BYOD device, which can be achieved by using so-called "container apps." These apps separate personal and business data on the BYOD device so that the business data is stored in an encrypted container that the company can administer via a web service.
By using these tools, however, it may become possible for the company to determine precisely the type and scope of the employee's personal or professional use of the BYOD device. Therefore, when implementing these measures, companies should consider applicable co-determination regulations. Furthermore, when considering the use of MDM tools, the company should consider the above-mentioned risks of criminal liability as well as the data protection requirements mentioned below.
Of course, a company can also set up pure terminal (or RDP) connections, where no data is processed on the BYOD device and which do not allow the downloading of company data. In this case there is no data on the device that may be subject to unauthorized access or loss. Further, there is no immediate need to require the hand-over of the device to the company (e.g., in case of a job change), since the company can block such terminal connections at any time without needing physical access to the device. Blocking local storage, however, may not be feasible in every work environment.
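The terminal-only approach keeps data off the personal device only if the session's redirection channels are actually closed: with drive, clipboard or printer redirection enabled, a user can still drag files to a mapped local disk, paste them into a local document or "print" them to a PDF on the home machine (and nothing can stop a screenshot of what is on screen). The following PowerShell script is an added example, not part of the original article, showing how to enforce this on a Windows Remote Desktop Session Host. It assumes an elevated shell on the session host; the registry path and value names are the standard Group Policy "Device and Resource Redirection" settings. On a domain-joined host the same settings should be deployed through a GPO, which takes precedence over values written locally.

```powershell
# Added example (not from the original article): close the RDP channels through
# which session data could end up on a BYOD client, then audit the result.
# Assumption: run elevated on the Remote Desktop Session Host. The values below
# correspond to Computer Configuration > Administrative Templates > Windows
# Components > Remote Desktop Services > Remote Desktop Session Host >
# Device and Resource Redirection.

$rdsPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'

# 1 = redirection disabled. A missing value falls back to "allowed", which is the
# weak default on an unmanaged host.
$blockRedirection = @{
    fDisableCdm      = 1   # client drive mapping: no copying files to local disks
    fDisableClip     = 1   # clipboard: no copy/paste out of the session
    fDisableCpm      = 1   # client printer: no "print to PDF" on the home printer
    fDisableLPT      = 1   # LPT port redirection
    fDisableCcm      = 1   # COM port redirection
    fDisablePNPRedir = 1   # Plug and Play devices (USB storage, cameras)
}

if (-not (Test-Path $rdsPolicy)) {
    New-Item -Path $rdsPolicy -Force | Out-Null
}

foreach ($name in $blockRedirection.Keys) {
    Set-ItemProperty -Path $rdsPolicy -Name $name -Value $blockRedirection[$name] -Type DWord
}

# Audit: list every redirection setting and flag any that is absent or not 1.
$current = Get-ItemProperty -Path $rdsPolicy
foreach ($name in $blockRedirection.Keys) {
    $value = $current.$name
    $state = if ($value -eq 1) { 'blocked' } else { 'ALLOWED (fix this)' }
    '{0,-18} {1}' -f $name, $state
}

# Sessions already connected keep the redirection they negotiated at logon;
# have users log off and reconnect so the new policy applies.
```

The audit loop is the part worth keeping in a scheduled job: a single missing or zeroed value silently reopens a data path, and the policy text quoted above only holds if all six channels report "blocked".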
Covering these points in a BYOD policy requires compliance with applicable statutory provisions on general terms and conditions, which may, however, somewhat limit the desired flexibility of a BYOD policy.
In any case, companies should avoid a situation where personal and business data is mingled on a BYOD device, and avoid situations that may legally qualify the company as a telecommunications provider by allowing the employee's use of the corporate IT infrastructure for personal purposes.
While it is of course possible to set up a BYOD policy that complies with applicable data protection laws, a company cannot shed the following core data protection responsibilities:
- The company always remains responsible for the processing of personal data by the employee.
- The company must ensure that the technical and organizational measures required by the GDPR are met by appropriately configuring the BYOD device.
- If the employee loses access to the BYOD device and thus to company-related personal data stored on the device, the company may be obligated to notify the supervisory authority and, where the risk to the persons affected is high, the data subjects concerned (Art. 33 and 34 GDPR).
In order to achieve GDPR compliance, a BYOD policy should in particular include provisions on
- the technical and organizational measures applied (access control, transfer control, input control, availability control, encryption, separation of business and private data)
- the employee's consent to the company's monitoring and control options
- measures to ensure the confidentiality of the employee's personal calls or communication via the BYOD device
- notification requirements in the event of theft or other loss of access to the BYOD device
- the employee's consent to surrender and to grant access to the BYOD device for the purpose of uninstalling and deleting business data.
Although a BYOD concept may enable a company to quickly implement a home office environment, the company should also consider the legal aspects associated with its implementation. And if the aim eventually is to implement a work from home scenario, then in addition to the BYOD implications, a company should also consider the applicable German rules on workplace safety, which apply to home office scenarios as well.
This article is intended to convey general thoughts on the topic presented. It should not be relied upon as legal advice. It is not an offer to represent you, nor is it intended to create an attorney-client relationship. References to “MAYRFELD”, “the law firm”, and “legal practice” are to one or more of the MAYRFELD partners. No individual who is a partner, shareholder, director, employee or consultant of MAYRFELD (whether or not such individual is described as a “partner”) accepts or assumes responsibility, or has any liability, to any person in respect to this communication. Any reference to a partner or director is to a member, employee or consultant with equivalent standing and qualifications of MAYRFELD. The purpose of this communication is to provide information as to developments in the law. It does not contain a full analysis of the law nor does it constitute an opinion of MAYRFELD on the points of law discussed. You must take specific advice on any particular matter which concerns you.
For more information about MAYRFELD Rechtsanwälte PartG mbB, please visit us at www.mayrfeld.com.