< Back

Share |

Data Privacy issues and Social Networks from a French perspective

February 2013

77% of French internet users are members of a social network (Facebook, Viadeo, LinkedIn, Twitter etc.). According to the Cegos observatory, 37% of them say they are "fans" of their company on a social network, and more than 50% of the executive employees are registered on at least one professional social network1 . In the professional environment, 61% of the employees surveyed hold and use a Facebook account, 9% use Viadeo and 6% use LinkedIn.

Expansion of these social networks brings the question of the employees' monitoring with respect to the use of these web sites in the workplace.

Conditions for monitoring of employees' use of these social networks are identical to those regarding monitoring of employees’ general use of the Internet.

the internet

In general, employers can set out the general conditions of use and restrict access to the internet in the workplace. These limitations are not per se a breach of employees' right to privacy since their purpose is to prevent abusive personal use of the internet through numerous connections to social networks notably.

Three conditions are required in order for an employer to conduct monitoring on a lawful basis:

  • Employees representative bodies must be informed or consulted before implementation of such monitoring.
  • Each employee must be notified of at least: the purpose of the monitoring, the recipients of data fields caught in the monitoring activity, his/her right to oppose on legitimate grounds to the processing of his/her personal data and his/her right of access and rectification.

    Please note that:
    • If disciplinary procedures may be initiated on the basis of the data processed, employees must be explicitly informed.
    • Such an employee notification can be provided in the framework of an information technology charter appended or not to the internal staff rules of the company and by individual note or memorandum.

  • A declaration should be filed with the French data protection authority (the CNIL).

    Two situations have to be considered with this respect:
    • Where there is no individual monitoring of technological tools at employees' disposal, only a simplified declaration of conformity with a simplified standard issued by the CNIL may be required2 . This would be the case of software only enabling to conduct statistics on the global use of the internet by the employees.
    • Where the employer is willing to set up an individual monitoring of the employees, for instance by analysing log data of each employee and calculating the time spent by each employee on the Internet, a "normal" declaration has to be filed with the CNIL. Note that filing of a normal declaration implies providing detailed information on the processing, e.g. its purpose, categories of data processed, recipients, retention duration.

    However, where a data privacy officer (CIL) has been appointed, no declarations have to be filed with the CNIL.

    actions on the keyboardCertain extreme monitoring systems are illegal according to the CNIL. This is the case of "keyloggers" which enable the monitoring and registration of any and all actions on the keyboard. Keyloggers would only be acceptable in the context of exceptional safety concerns.

    Given the growing use and complexity of the social networks, it may be of good practice to include specific developments on the use and monitoring of these websites within the existing general technology charters of companies. It would also be wise for an employer to consider whether its filing obligations have been satisfied against not only its  technology charter but also the reality of its data processing activity!

    If you have any questions on this article or would like to propose a subject to be addressed by the Global Data Hub please contact us.

    1 Source: APEC 2012.

    2 Norme simplifiée n° 46 : Délibération n°2005-002 du 13 janvier 2005 portant adoption d'une norme destinée à simplifier l'obligation de déclaration des traitements mis en œuvre par les organismes publics et privés pour la gestion de leurs personnels

Data Privacy issues and Social Networks from a French perspective
Gregory Sroussi

Gregory Sroussi  

Myriam
Bouchrara

 


Gregory and Myriam provide an insight into the social media and data privacy issues in France.

"Given the growing use and complexity of the social networks, it may be of good practice to include specific developments on the use and monitoring of these websites within the existing general technology charters of companies."