A long running battle about whether an individual’s dynamic IP address constitutes “personal data” and thus comes under Data Protection law has finally been resolved by the European Court of Justice (ECJ). The Court came to the view that it is personal data, but that those storing it may have a legitimate interest to do so without the individual’s explicit, prior consent (C-582-14).
The significance of this finding for employers is that such data is currently often stored on company systems for security purposes. It is generally not regarded as personal data because it does not, in itself, identify an individual. Yet coupled with third party information from an internet service provider the individual could be identified. There would be no defence for employers that the data has to be stored to deal with hackers as it would relate to employees and contractors. Hence in the future employment contracts will need to include a clause giving specific, informed consent to such processing – even in internal communications. It remains a moot point how such consent can be proven to be “freely given” when it is an operational necessity.
Things will get far worse under the EU General Data Protection Regulation because of the new right to be forgotten and the reduced scope for exemptions from the provisions. Consent will need to be verifiable and an “unambigious indication” – so it may need to be gained for each communication. What is more, the company processing the data will need to explain each time what it plans to do with the data. This will cause havoc for even internal communications that will have to either contain preambles or clearly written footers – or, if strictly adhered to – a pre-transmission window containing a processing statement and requiring the recipient to agree to the communication before the email can be received.
Employers will not be able to wait for case law to find out how to deal with these new requirements. That is why it is so important that FedEE members attend our next HR Data Protection Forum meeting to ensure that our code of practice contains workable solutions to this otherwise impossible measure before it hits them in May 2018.