Header graphic for print
HL Chronicle of Data Protection Privacy & Information Security News & Trends
Posted in International/EU Privacy

CNIL Releases BYOD Guidelines

France-BYODSecurity concerns and the need to increase cyber security measures have recently boosted the use of Bring Your Own Device (BYOD) policies in France. Recent events have exacerbated fears of data breaches and hacking for IT managers who were not overly concerned before. As a consequence, IT security teams are seeking to apply the same security and device management systems that apply to their own company’s equipment to employees’ devices when employees use their devices for work purposes. 

Obligation to notify

A BYOD policy usually forms part of a company’s IT policies. It must be formally presented to the works council to ensure employees are informed. As an activity involving data processing, the implementation of a BYOD policy should also be notified to the French data protection authority – the Commission nationale de l’informatiques et des libertés (CNIL) before its implementation.

However, in considering the obligation to notify the CNIL, a company should be aware that:

  • The CNIL pointed out in its guidelines (see below) that when an employer has already filed a normal declaration about employee management (including the processing of personal data to ensure the safe and proper operation of information systems), there is no need for an additional declaration to cover the BYOD policy.
  • Similarly, there is no need for a further declaration to the CNIL if the company has appointed a Data Protection Officer (“Correspondant informatique et libertés“).
  • The company cannot rely on simplified norm n°46 since it only concerns the electronic means that are made available by employers, which is not the case for BYOD (since, as its name suggests, these are devices owned by employees).

Privacy concerns

The expansion of an employer’s control over its employees’ devices raises concerns for the privacy and protection of employees’ personal data. It is, however, challenging for an EU company to harmonize its privacy compliance position throughout Europe as countries may have different approaches on key aspects of the enforcement and validity of BYOD policies, such as on the effectiveness of employee consent in this context.

Harmonization may become easier under the future EU Data Protection Regulation but, meanwhile, the CNIL has published new guidelines on BYOD (the guidelines are dated February 19, 2015, and were made publicly available by the CNIL on March 4, 2015). An unofficial English translation of the guidelines appears below.

The CNIL’s guidelines on BYOD

In the guidelines, the CNIL takes a conservative approach to BYOD security. The CNIL prohibits, for example, a company “remotely wiping” an employee’s private data from their device. The CNIL indicates that companies must find a balance between their legitimate security concerns and the privacy of their employees. Consequently the security measures that are implemented must be proportionate to the threats and risks to the IT system and the company must ensure that employees are properly aware of the measures in place.

These guidelines are not, of course, French law. But they are influential as they set out the CNIL’s interpretation of what is required under French data protection law so that it would be prudent for companies to take note and comply.

Unofficial translation of the CNIL BYOD guidelines:

BYOD: What are good practices?

February 19th, 2015

With the development of BYOD, the boundaries between professional and personal lives are blurred. The French CNIL (Commission Nationale de l’Informatique et des Libertés) wishes to remind companies of best practices for the use of BYOD, in order to reconcile the security of corporate data with the privacy protection of affected employees.

  1. What is “Bring Your Own Device” (BYOD)?

The acronym “BYOD” is the abbreviation of the English expression “Bring Your Own Device” (in French: “Apportez Votre Equipement Personnel de Communication” or “AVEC“) referring to the use of personal computer equipment in a professional context.

This can be the case where an employee, for example, connects to the corporate network, using his own personal computer, tablet or smartphone.

  1. Personal devices can only be used as an alternative in the professional context

French labor law requires employers to provide employees with all the means necessary to perform their professional duties. The use by an employee of personal computing devices for business purposes does not affect this obligation on employers.

  1. Data security

The employer is responsible for the security of the company’s personal data, including when it is stored on devices that the company does not control, legally or physically, but for which the employer has granted permission to access company’s resources.

The major risks to be protected against range from occasional unavailability, risks to data integrity, and risks to confidentiality due to external compromises of the company’s information system (intrusion, virus, Trojan horses, etc.).

  1. How to limit the risks for data security?

Identify the risks, taking into account the specifics of the context (what equipment, what applications, what data?) and assess the risks in terms of severity and likelihood. Determine the measures to be implemented and implement a security policy accordingly.

For instance:

  • Protect those parts of personal devices intended to be used within a professional framework (create a “security bubble”);
  • Control remote access through a strong user authentication system (if possible using an electronic certificate, a smartcard etc.);
  • Implement encryption solutions (VPN, HTTPS, etc.);
  • Implement a procedure in the event of failure/loss of the personal device (i.e. the network administrator should be informed, an alternative professional device must be provided, professional data stored on personal devices must be remotely wiped); and
  • Require compliance with basic safety measures such as locking the device terminal with a sufficiently robust password which is regularly changed (8 characters with a combination of lower case letters, upper case letters, numbers and special characters) and the use of up-to-date antivirus software.

The company must raise user awareness regarding the risks, determine the responsibilities of each user as well as specifying and describing the precautions to be taken in a policy which constitutes a binding document between the company and employee.

The company must implement a process where the employee must obtain the authorization of the network administrator and/or the employer prior to the use of personal devices in a professional context.

  1. What privacy safeguards must be provided?

The security of the company’s information system should be reconciled with respect for the privacy of employees who use personal devices as part of their professional activity.

For instance, security measures which restrict the use of a smartphone within a private context (e.g. prohibiting surfing the internet or downloading mobile applications) on the sole ground that the smartphone can be used to access the company’s resources, should not be implemented.

Such restrictions are hardly justified by the nature of the risk to the company and are not proportionate to the required purpose.

In the same way, the employer must not have access to private elements stored in the personal space of the device (list of visited websites, photos, videos, calendars or directory).

The employer is permitted to implement a remote wipe tool specifically designed to capture the remote access of corporate resources through the employee’s device, but the employer cannot “arrogate” the right to remotely wipe all of the data stored on the employee’s device.

  1. What formalities are required?

If the employer has made a standard declaration to the CNIL about the management of employees (including the processing of personal data to ensure the safe and proper operation of the information systems), there is no need for an additional declaration to cover the BYOD policy. This is also the case if a Data Protection Officer “Correspondant informatique et libertés” has been appointed.

The simplified norm n°46 is not applicable for companies because it only concerns electronic devices that are made available by employers, which is not the case for BYOD since, as its name suggests, these are devices owned by employees.

The use of BYOD does not change the rules on formalities which affect data processing more generally (e.g. request for an opinion, authorisation or declaration as appropriate).