One of the great benefits of remote work is that it allows people from all over the world to collaborate together. However, remote and cross-border scenarios can raise some issues when it comes to understanding and navigating privacy laws and their requirements.

The confusion can grow even more when a company allows cross-border remote employees to use their own personal devices under a Bring Your Own Device (BYOD) policy, or if the company engages in remote desktop monitoring of its cross-border employees.

For example, for companies with U.S.-based headquarters that have remote employees based in other countries, both U.S. privacy regulations and other regions' privacy laws (such as the EU's General Data Protection Regulation (GDPR)) must be considered.

This article explores which privacy laws apply to remote employees' devices when they're part of cross-border teams, what compliance issues can be faced when BYOD and remote monitoring practices are happening, and strategies for ensuring compliance with laws across borders.



Why Do Privacy Laws Apply to Employee Devices?

Privacy laws can apply to employee devices when personal information is collected or used on that device. This applies to both company-issued devices and BYOD equipment.

Personal information is data that can be used to identify an individual, such as an email address, government ID number, financial account information, mailing or shipping addresses and similar data points.

Employees will likely be accessing and transmitting protected personal data about customers or other employees via their devices. This is why privacy laws will apply.

This can include activities like using a personal cellphone to make work calls and take payment information over the phone, or using a personal laptop to do work and attend online meetings in which participants may share personal details.

Additionally, privacy laws can be triggered if you monitor employee behavior via the devices, such as by having a remote employee install a desktop monitoring system on their own laptop so you can track something like how many keystrokes they make per hour.

These types of data collection and processing can trigger privacy laws like the GDPR or the CCPA/CPRA, depending on where the data is from, and what kind of data it is.

Another factor as to why privacy laws apply to employee devices is the increased risk of a data breach occurring, especially under a BYOD policy. A data breach from an employee device could potentially involve personal data about other employees and/or customers.

This can happen accidentally, for example if an employee loses their phone one night at an event. It is also more likely when the device lacks the protections a managed corporate device would have, such as full-disk encryption, a screen lock, current patches and remote wipe. This is often the case with BYOD phones and laptops, because personal devices are not held to the same security baseline as company-provided ones.

What are Some Benefits and Privacy Challenges of BYOD Policies?

BYOD policies allow employees to use their own personal devices like smartphones and laptops for work activities. While this comes with some benefits, it also creates some challenges relating to privacy, especially in a cross-border context.

Benefits of BYOD

Here are some of the benefits that are present for your business and your employees when you implement a BYOD policy:

  • Lower operating costs: By letting employees use their own devices, employers won't have to purchase, maintain and distribute expensive company devices. This can save a lot of money, especially as your company grows.
  • Increased employee convenience: Employees tend to prefer using devices they're already familiar with. And not many people want to carry around more than one phone. Most employees will prefer to be able to use what they already have and know.
  • Easy collaboration: BYOD makes it easier to work with remote employees all over the world, even for short-term work, without having to send devices, wait to train the person on the device, then maintain the device and eventually get it back from the employee. With a global team of short-term workers, you can see how this could be a huge hindrance to easy collaboration.

Privacy Challenges of BYOD

Here are some of the privacy challenges that your business and your employees may face when you implement a BYOD policy:

  • Commingling of personal data: Personal and work-related data coexist on BYOD devices, which can really complicate privacy law compliance. For example, a U.S.-based employer that has an EU-based employee use her own device but install monitoring software might inadvertently access the employee's personal photos or messages. This could lead to legal violations.
  • Issues with consent: Obtaining valid consent from employees can be difficult since employees may feel coerced into agreeing to BYOD policies that may put their personal data at risk in order to maintain employment.
  • Conflicts of laws: Laws of the employer's jurisdiction may clash with those of the remote employees when it comes to BYOD issues. For example, U.S. employers might be used to implementing employee monitoring and not having to justify it, but EU-based employees are used to the GDPR, which imposes obligations on businesses doing the monitoring.
  • Greater risk of data breaches: As noted earlier, this risk increases when employees are allowed to use their own devices. Consider this: Someone wouldn't likely take a work phone to an amusement park on a weekend, but a personal phone will surely be taken. If the personal phone is also the work phone and has work-related personal data on it, it will be out in the public and potentially accessible by anyone far more than a work phone that may spend weekends in a desk drawer.

How Do You Determine What Privacy Laws Apply to Remote Employees' Devices in Cross-Border Teams?

This will depend on what jurisdiction your remote employees are located in, as well as where the data stored on the devices originates from.

In other words, the law of the place where the remote employee is located and operating the device from applies, and so does the law of the place where the individuals whose data is collected via the device are located. Both sets of requirements must be met.

Where the company itself is headquartered is secondary, as privacy laws work to protect the people whose data is collected rather than the organization collecting it.

To keep this article as concise as possible, we will go with U.S. laws and the GDPR's standards, since complying with both puts you in a strong position with respect to the privacy laws of most other countries.

U.S. Privacy Laws

In the United States, there is no single, comprehensive federal privacy law governing employee data. Instead, privacy protections are granted by different federal, state, and sector-specific regulations such as the following:

  • Federal Laws: Laws like the Electronic Communications Privacy Act (ECPA) and the Stored Communications Act (SCA) provide limited protections against unauthorized access to electronic communications. However, these laws mostly apply to third-party interception of data, and offer minimal guidance on how employer monitoring of employee devices fits into this.
  • State Laws: A number of states now have privacy laws in place, and their number is growing. For example, California's CCPA/CPRA applies to businesses that handle the personal data of California residents, including employees. Other states have narrower laws that can still apply to BYOD arrangements: New York's SHIELD Act imposes data security and breach notification requirements on anyone holding New York residents' private information, and the Illinois Biometric Information Privacy Act (BIPA) regulates the collection of biometric identifiers, which matters if monitoring or authentication software uses facial or fingerprint data.
  • Industry-Specific Regulations: Certain industries, such as healthcare and finance, have regulations in place that impose specific requirements when it comes to how an employee handles data, particularly when devices access sensitive client information. For example, HIPAA and the GLBA.

U.S. laws don't generally impose strict obligations on employers who want to monitor employees via employer-provided devices.

However, when it comes to BYOD, things get a bit more complicated since BYOD/personal devices will contain both work-related personal data and personal data of the employee.

EU General Data Protection Regulation (GDPR)

The GDPR is one of the strictest privacy regulations in the world. It applies to almost any organization that's processing personal data of people located within the EU, regardless of where the organization doing the collecting is located.

This means that a company that has remote EU-based employees must comply, even if the company is located in the United States, as long as it is processing personal data of either the EU-based employee, or other individuals located within the EU.

Personal data is any information relating to an identified or identifiable individual, including data on personal devices used for work. This can include personal data found in work-related documents, after-hours browsing history on a BYOD laptop that monitoring software may still capture, and personal data found in work emails like email addresses and shipping addresses of customers and sales team contacts.

Example: An EU-Based Employee under U.S.-Based HQ and BYOD Policy

Consider an EU-based employee working remotely for a U.S.-based company and using a personal laptop under a BYOD policy.

The company's U.S.-centric policy allows the company to monitor the laptop for work-related activities like email and app usage.

However, the GDPR requires the employer to do the following:

  • Clearly define the scope of monitoring and ensure it is proportionate
  • Identify a lawful basis for the monitoring, in practice usually legitimate interests balanced against the employee's rights, since consent is rarely considered freely given in an employment relationship
  • Implement technical measures to separate personal and work data, such as containerization or virtual desktops

Failure to comply with the GDPR could lead to the company being fined.

What are Some Conflicts of Laws that Occur With Remote Employees' Devices in Cross-Border Teams?

When EU-based employees work under U.S. headquarters policies, several conflicts may arise:

Monitoring Practices

Remote desktop monitoring, where employers use software to track employee activities like keystrokes, screen captures, or app usage, is pretty common in remote work relationships.

However, it creates significant conflicts between U.S. and EU privacy expectations. U.S. organizations may implement monitoring practices that are permissible under U.S. laws, but that conflict with EU regulations.

For example, it is generally permitted in the U.S., at least on company-issued devices and with notice to the employee, to use software that logs keystrokes or continuously accesses a webcam to ensure the employee is at the computer. Under the GDPR, this will likely be considered excessive and may be found to infringe upon the employee's right to privacy.

The reason for enhanced GDPR protection here is because of the following:

  • Keylogging may collect excessive personal data, such as personal passwords entered during a lunch break.
  • Screen captures could inadvertently record personal information, such as personal emails opened in a browser.

In the U.S., employers generally have broad rights to monitor company-issued devices, provided that employees are notified about it and are aware. For BYOD devices, employers will have to comply with state laws like the CCPA/CPRA, which require transparency about what is collected and limit collection to what is needed for the stated purpose. Courts often uphold monitoring if it serves legitimate business interests, such as productivity or security.

In contrast, the GDPR imposes strict limits on employee monitoring. Employees must be informed about the purpose, scope, and methods of monitoring, and the monitoring must be necessary and balanced against the employees' privacy rights. "Blanket monitoring," such as continuously recording a device screen around the clock, will rarely be justifiable under the GDPR.

In addition, if there is any high-risk processing going on, such as excessively invasive monitoring of devices, a Data Protection Impact Assessment (DPIA) will be required to evaluate the risks and identify mitigation measures.

Data Transfers and Storage

The GDPR has very strict conditions set up for how personal data can be transferred outside of the EU.

Transfers of EU-collected data to the U.S. are particularly scrutinized due to concerns over what was mentioned in the previous section: The allowance of surveillance practices and the lack of equivalent data protection standards in the United States.

Transfer mechanisms such as Standard Contractual Clauses (SCCs) or Binding Corporate Rules (BCRs) are often used to make these transfers compliant.

While U.S.-based employers might seek consent from employees to engage in device monitoring, the GDPR views consent with skepticism when it's in the context of an employee and employer.

To be valid under the GDPR, consent must be freely given, specific, informed, and unambiguous, and employees may feel obligated to give consent or be fired. This can cancel out the freely given aspect.

Because of this, the GDPR may not consider consent as a valid legal basis for processing employee device data, especially when it involves monitoring activities.

Data Subject Rights

EU-based individuals, whether employees or other people whose data you have collected, have enhanced rights under the GDPR, including the right to access, correct, and restrict processing of their personal data.

U.S.-based employers whose cross-border teams use their own devices to collect personal data must establish a process for EU-based employees, and any EU-based consumers, to exercise these rights over data collected while the individual was in the EU.

Example Case: U.S.-EU Cross-Border Team

Consider this example to see how remote employee devices can trigger a number of privacy laws and legal requirements.

A U.S.-based tech company located in California has some employees in Ireland and implements a BYOD policy. The company uses monitoring software to track productivity, and requires its Irish-based employees to download the software onto their personal phones and laptops.

Here, the company faces the following challenges:

  • GDPR compliance: The Irish employees can object to the monitoring, citing a potential GDPR violation. The company would have to conduct a DPIA, limit monitoring to only work-related apps, and use something like containerization to protect personal data. The company would have to use SCCs or a similarly-allowed method for transferring EU-based employee data to U.S. servers.
  • CCPA/CPRA compliance: Because the company is in California, any California-based employees can request access to the data the company has collected via their devices. The company would have to update its Privacy Policy to comply with CCPA/CPRA disclosure and transparency requirements.

How Do You Compliantly Implement a BYOD Policy for Remote and Cross-Border Teams?

To help meet privacy law requirements in BYOD and monitoring scenarios, employers can adopt the following strategies.

Create a Detailed BYOD Policy and Train Employees on it

Have a formal BYOD Policy that you share with your employees. A BYOD Policy should address the following points:

  • Acceptable use, or what obligations employees have when using their own devices, such as ensuring a device password is set and activated
  • What obligations the employer will have, such as providing free security software
  • What security measures are implemented/required
  • Privacy-related details, such as whether tracking software will be used and what personal data may be collected
  • Safe and secure storage of physical devices
  • What protocols are used if the device is lost or stolen
  • Disclaimers and limits on employee liability

Here's a clause from West Virginia University's BYOD Policy that addresses the obligations of the person using their own personal device. It includes things like abiding by company-wide policies, reporting if the device is ever lost or stolen, having appropriate security on the device, and not using the device to disrupt any network it's connected to:

West Virginia University BYOD Policy - Personal device use clause

The following clause goes more into detail on device security that must be implemented on the devices. It addresses things like password requirements, virus software and automatic screen timeouts:

West Virginia University BYOD Policy - Device security clause

After you create your BYOD Policy, provide a copy of it to your employees and make it accessible via an online link at any time.

Have a GDPR-Compliant Employee Privacy Policy That Addresses Other Regional Laws

If you're having remote, cross-border employees using their own devices, create a GDPR-compliant Employee Privacy Policy.

Because the GDPR is such a strict privacy law, if you comply with it then you are very likely to be in compliance with laws of most other regions.

Include sections in your Employee Privacy Policy that address other regional laws that may apply to your employees, such as the CCPA/CPRA for California employees, or PIPEDA for Canadian employees.

Here's an example clause of how you can let employees know what purposes you collect personal information for, such as for hiring, performance reviews, or processing payroll or benefit claims. Here is where you could include if you engage in employee monitoring as well, and what personal data may be collected from that:

Sample draft Employee Privacy Policy - Purposes for information being collected clause

Here's an example of a section of a Privacy Policy from ABIOMED that has information specific to individuals protected by the GDPR. You should include region-specific sections like this in your Employee Privacy Policy for your remote, cross-border employees under your BYOD Policy:

ABIOMED Privacy Notice - EU GDPR rights clause

Take Steps to Protect Privacy on BYOD Equipment

If you engage in monitoring BYOD equipment, do whatever you can to help ensure that you're only collecting appropriate data from the devices and not violating your employee's privacy rights.

Some measures that you can consider include:

  • Containerization: Mentioned earlier, this is using software to create a separate, encrypted "container" (work profile) on the BYOD device that holds only work-related apps and data. Monitoring and management apply only inside that container, so the employer never touches the employee's personal apps, photos or messages, and the work container can be wiped on its own when the employee leaves.
  • Virtual desktops: Providing remote desktop environments where the employee works from the BYOD device but all work data is processed and stored on company servers. This helps prevent accidental collection of personal data from the device, and also boosts the security of company and work-related data, since nothing sensitive needs to reside on the personal device.
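As an added example (this is not code from the article, nor from any monitoring or MDM vendor), the following Python script shows what "limit monitoring to work-related apps" and proportionate data collection, as recommended in the example case above and in this section, look like when applied to the telemetry a monitoring agent produces. Only events from an employer-defined work-app allowlist inside an agreed monitoring window are kept, typed text is never forwarded (it is reduced to a content-free activity signal, which removes the personal-password problem described under Monitoring Practices), and screenshots are dropped. The allowlist, the hours, the event format and the sample day are all assumptions constructed for the example.

```python
"""
Added example, not code from the original article: a scope-limiting filter
for BYOD monitoring telemetry. Only events from an assumed work-app
allowlist inside an assumed monitoring window are kept; keystroke content
is never forwarded (reduced to an activity signal) and screenshots are
dropped. The event records below are constructed for the example.
"""
from dataclasses import dataclass
from datetime import datetime, time
from typing import Iterable, List, Optional

# Assumed employer allowlist: only these processes count as "work" apps.
WORK_APPS = {"outlook.exe", "teams.exe", "excel.exe", "slack.exe"}
# Assumed monitoring window agreed with the employee (Mon-Fri, 09:00-18:00).
WORK_START, WORK_END = time(9, 0), time(18, 0)


@dataclass(frozen=True)
class RawEvent:
    """What a typical monitoring agent captures, before any minimization."""
    ts: datetime
    app: str
    kind: str      # "window" (title change), "keystroke" (typed text), "screenshot"
    detail: str    # window title, typed text, or screenshot identifier


@dataclass(frozen=True)
class MinimizedEvent:
    """What is allowed to leave the device and reach the employer."""
    ts: datetime
    app: str
    kind: str              # "window" or "activity"
    detail: Optional[str]  # window title for work apps, None for activity


def in_monitoring_window(ts: datetime) -> bool:
    """True only on weekdays inside the agreed hours; nothing is collected otherwise."""
    return ts.weekday() < 5 and WORK_START <= ts.time() <= WORK_END


def minimize(events: Iterable[RawEvent]) -> List[MinimizedEvent]:
    """Drop or reduce events so only proportionate, work-related data is kept."""
    kept: List[MinimizedEvent] = []
    for ev in events:
        if not in_monitoring_window(ev.ts):
            continue                      # after hours: personal time, collect nothing
        if ev.app.lower() not in WORK_APPS:
            continue                      # personal app: drop entirely, not even its name
        if ev.kind == "screenshot":
            continue                      # screen captures can include personal content
        if ev.kind == "keystroke":
            # Typed text (which may include personal passwords) is never forwarded;
            # the employer only learns that the work app was in use at this time.
            kept.append(MinimizedEvent(ev.ts, ev.app.lower(), "activity", None))
        elif ev.kind == "window":
            kept.append(MinimizedEvent(ev.ts, ev.app.lower(), "window", ev.detail))
        # any other event kind is unknown and is dropped rather than forwarded
    return kept


def leaked_details(raw: Iterable[RawEvent], kept: Iterable[MinimizedEvent]) -> List[str]:
    """Audit helper: return any raw detail string that reached the output although
    its source should have been suppressed (non-work app, keystroke, screenshot
    or out-of-hours event). An empty list means the filter held."""
    forwarded = {m.detail for m in kept if m.detail is not None}
    suspect: List[str] = []
    for ev in raw:
        suppress = (not in_monitoring_window(ev.ts)
                    or ev.app.lower() not in WORK_APPS
                    or ev.kind in ("keystroke", "screenshot"))
        if suppress and ev.detail in forwarded:
            suspect.append(ev.detail)
    return suspect


# Constructed sample day for an EU-based employee on a personal laptop (Mon 2024-05-06).
SAMPLE_EVENTS = [
    RawEvent(datetime(2024, 5, 6, 10, 0), "outlook.exe", "window", "RE: Q2 invoice"),
    RawEvent(datetime(2024, 5, 6, 10, 1), "outlook.exe", "keystroke", "please find attached"),
    RawEvent(datetime(2024, 5, 6, 12, 30), "chrome.exe", "window", "Gmail - personal inbox"),
    RawEvent(datetime(2024, 5, 6, 12, 31), "chrome.exe", "keystroke", "hunter2"),
    RawEvent(datetime(2024, 5, 6, 14, 0), "Teams.exe", "screenshot", "shot-0042"),
    RawEvent(datetime(2024, 5, 6, 20, 0), "excel.exe", "window", "household-budget.xlsx"),
]


def demo() -> List[MinimizedEvent]:
    """Run the filter over the constructed sample day."""
    return minimize(SAMPLE_EVENTS)


if __name__ == "__main__":
    for m in demo():
        print(m.ts.isoformat(), m.app, m.kind, m.detail)
    print("leaked:", leaked_details(SAMPLE_EVENTS, demo()))
```

Of the six captured events only two survive: the Outlook window title and a content-free "activity" marker for the Outlook keystrokes. The personal Gmail window and the typed password are dropped without even recording that Chrome was used, the Teams screenshot is dropped, and the after-hours spreadsheet is not collected because it falls outside the agreed window. The point for a DPIA is that the minimization happens on the device, before anything is transmitted, so the employer's servers never hold the excessive data in the first place.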

Summary

If you have employees located around the world, and you allow them to use their own devices for doing their work, it can be difficult to navigate which privacy laws will apply to the relationship. The key factor here is the location of your employee.

One of the most commonly seen scenarios for this is a U.S.-based company that has EU-based employees. This can create confusion because of conflicts between what U.S. law allows, and what the GDPR more strictly limits, such as with employee monitoring practices.

The best thing you can do in this scenario is to use the GDPR as your baseline for compliance, and ensure that you're meeting its obligations if you have remote employees working from the EU and using BYOD equipment.

Create a BYOD Policy that outlines the use of the devices, create a GDPR-compliant Employee Privacy Policy, and be aware that personal data may be wrongfully collected or distributed through BYOD equipment. Take steps to mitigate this, such as requiring or providing strict security enhancements on all BYOD equipment.
