BYOD – Labour law aspects
→ Hans Georg Laimer
BYOD brings a lot of advantages for both employers and employees. However, there are several labour law issues that need to be considered before implementing this new trend.
BYOD is happening whether employers like it or not
More and more employees use privately-owned devices for work purposes. This so-called “Bring Your Own Device”, “BYOD” or “Consumerization” is – from an employer’s perspective – aimed primarily at increasing productivity, mobility and employee’s motivation. However, BYOD comes along with a host of security and legal issues, especially as no specific statutory provisions exist in this regard.
Key labour law issues
Loss of control / Employee’s privacy
The main issue for employers implementing BYOD is a loss of control. Employers are responsible for corporate data, even if it is stored on employee-owned devices. But how can employers bindingly instruct employees on how to use their privately-owned devices in order to secure business data? What if employees’ privately-owned devices are lost or stolen? What happens if the employee leaves the company? If the employer needs to access the personal device, how can that be accomplished without violating the employee’s privacy?
BYOD involves the risk that employees using their own devices will raise wage and hour claims for working overtime. How can employers effectively control the extent to which employees are working when allowing BYOD?
In principle, the employer is obliged to compensate the employee for work-related costs. However, the separation of those costs from the employee’s private costs may be difficult without a suitable agreement (eg with regard to mobile phone bills).
By analogy with section 1014 of the Austrian Civil Code (Allgemeines bürgerliches Gesetzbuch-ABGB), employers may be held liable, independent of fault, for all losses typically linked to the performance of work tasks (eg if an employee has had an accident using his or her own car to perform work). In connection with BYOD, it may be difficult to assess whether a loss (eg a lost or stolen device) results from the employee making his or her device available for the employer’s use or if it is attributable to the sphere of the employee’s risk.
Furthermore, according to section 4 of the Employment Liability Act (Dienstgeberhaftpflichtgesetz-DHG), employers may be held responsible for damages caused by employees (eg if client data is lost) depending on the fault of the employee.
Agreements with employees
In order to prevent uncontrollable data loss, as well as corporate and personal liability, BYOD should be implemented on the basis of an individual agreement setting out several conditions under which employees may use their personal devices. Such an agreement should primarily cover the following issues:
- Usage and storage: the specifics of usage and storage should be defined in detail. Employees should, for example, be prohibited from sharing the device with friends and family, from storing unsecure apps on the device, from changing the configuration of it, etc. Furthermore, employers should describe the consequences (eg up to the termination of employment) of violating these rules and enforce them, if so required.
- Device management / Data privacy: employers should obtain the employee’s prior consent to be able to manage the employee’s devices (eg in order to install a Mobile Device Management Software, to carry out an update, to remotely wipe the device if it is lost or stolen, etc.) in order to properly secure business data.
- Costs: employers need to define who will be paying for the device, usage charges, losses, etc.
- Working time: employees should be required to keep detailed records of the employee’s starting and finishing working times when using devices outside the office. Furthermore, in order to reduce compensation claims, employers may agree with employees on a so-called all-in-agreement, provided that such a payment actually covers employee entitlements.
- Termination of employment contract / Lost or stolen devices: the agreement should address what happens with company data stored on personal devices when an employee leaves or is terminated from the company. It must also include actions that will be taken if a device is lost or stolen (eg immediately report stolen devices, data-wiping of mobile phone, etc.).
The conclusion of one or more shop agreements may be necessary with regard to measures employers may take in connection with the implementation of BYOD. It should be noted that in some cases (eg monitoring and accessing data and applications on employee’s device in order to protect corporate data), even the consent of the employee affected may not replace the works council’s consent. Thus, in order to properly implement any measures, employers should assess if the works council may have co-determination rights before implementing them.