mjhjmtu

I live in Belgium and I'm working for a government institution as a contractor.

About two months ago I've had to reinstall my (own - but professionally used) laptop that is connected to the corporate "Bring Your Own Device" (BYOD) wifi throughout the day. I reinstalled my computer at home, on my own time. But, apparently, it seems that my laptop's Dropbox has been syncing over the company network (which doesn't seem to be blocked by it) while I was at work and has consumed about a 100 gigs of network-traffic-data in a few weeks time.

Today, I've received a very stern talking-to from the network department saying that this is unacceptable (which I do not deny) and that appropriate action will be taken against me. I've notified the network administrator that this is the first time this has happened and that I will take care not to let it happen any more in the future.

However, I seem to remember that directly identifying a person and monitoring his network activity without good cause (and management approval) is a breach of privacy regulations. Is this the case?

So my question is: Considering the new EU privacy regulations (GDPR and such), to what lengths can an employer go in terms of checking the traffic on the company wifi-BYOD-network?

Note that I'm not looking to harass the organisation, because I was at fault (even though I did not know it at the time) I just want to find out if their course of action is according to procedure.

This is the first time they have notified me and I've never had any of these issues before.

Notes:

• I have full authorization to connect to the network even with a
  personal device - this is a "bring your own device network", apart
  from downloading a lot for which the IT policy states no hard limit,
  I've not breached any official IT regulations.


• We are talking about network usage data (there are no
  personal files of mine stored on a company resource - I only use
  their network), I'm very well aware how back-up and sync systems
  work, I just happened to forget that Dropbox was on and syncing on my
  own laptop (which I use as part of my job professionally, so it
  holds meetings notes, my designs, models and such) while connected to
  the company BYOD-wifi-network.


• This is a government organisation, in a government owned building but the provide a corporate wifi. Their internet access is top tier in Belgium and bandwidth is generally not a problem.


• Things might be different in the UK, but in Belgium internal IT policies certainly do not overrule privacy concerns. Privacy is taken very seriously.


• Here, it is very common for an independent contractor to use their own equipment in addition to the equipment provided by the client. In this case, my laptop is my own professional equipment that I mostly use to take notes and create models. I do most of my "real" work on my client's infrastructure.

One thing, in general Belgium has always been one of the more strict countries with respect to privacy, GDPR changed very little to none about that. There are multiple privacy-related issues that are not covered by GDPR (which focus on data protection) but are covered by Belgian laws.

There are two very important principles that apply here from both belgian law and CAO's (collective employment agreements):

1. The employer cannot do this without express consent. Typically this consent is part of your contract or work policy (arbeidsreglement). If such consent was never given this practice is almost always considered illegal.


2. Given 1, there is also something called the 'proportionality' principle. If the main concern was the data usage and they only monitored your device's usage, that's likely okay. However if they got a lot further and they monitored the exact content and services they used that's very likely not acceptable. If their main worry was however security that may be more acceptable but that argument may be a hard sell since you're talking about a BYOD network.

These are old rules (pre-GDPR) that have been tested in court multiple times. GDPR actually only makes these rules stronger, e.g. it is assumed the 'consent' part cannot be simply be 'your internet usage will be monitored' but must be more precise. Also if monitoring is applied (and allowed) GDPR adds stricter rules on retention of that data and so on. However, it is to be determined how all that will hold up in court.

Some sources for all this (dutch):

• https://www.securex.eu/lex-go.nsf/PrintReferences?OpenAgent&Cat2=49~~1&Lang=NL


• https://www.jobat.be/nl/artikels/internetcontrole-wat-een-werkgever-niet-mag/


• https://www.vacature.com/nl-be/carriere/groeien/kan-de-werkgever-e-mail-en-internetgebruik-controleren

I don't see any issues here - the network admins have discovered a risk (high bandwidth usage), identified who it belongs to (easy if the computer name gives it away), or alternatively have identified the AP consuming the traffic, traced it back to an IP address, and realised it was you.

Nothing here is in breach of the GDPR. They don't have data on you, they have data on a device. They are merely acting within their remit to secure the network and identify and mitigate any security risks by identifying the device eating the bandwidth, and notifying its owner (you).

The bottom line is, you connected your personal device to a private network.
You may have had permission to do this, however it's usual that any devices connected must comply with the networks' security policy, and this will always trump any so-called privacy concerns. Syncing data to an external DropBox could be considered a security risk in itself (regardless of whether it's blocked, it's a network the admins have no control over), so your network admins are right to be concerned and completely within their rights to have had a discussion with you.

However, I seem to remember that directly identifying a person and monitoring his network activity without good cause (and management approval) is a breach of privacy regulations. Is this the case?

You answered your own question. Your laptop is taking up a large amount of bandwidth so that is probable cause for investigation and identifying the source of. How would your company know you accidentally left it on? All they see is someone uploading gigs of data and they want to know who.

In terms of corporate compromise, seeing gigs of data move is a sign of a potential data breach. So they were correct to investigate and identify.

Ignoring GDPR which I don't think will help you; You stated:

1. the company has said they have a wifi which is for personal device use; but then failed to apply a data limit or a "fair use" policy.

This means that the IT team don't have any route to complain - as long as no data you downloaded is illegal - for example videos that you don't have the rights to.

2. You turned up and downloaded a large amount of data; in the background. Ie you have not spent paid time doing this.

This means your manager can't complain, because you didn't spend any man hours doing this.

From these, I don't see any reason why anyone can take any action at all against you; and I would strongly resist any "action" against you. If they complain at all, I would say that the way forward is to change the policy which they can THEN enforce, as you've not broken any law, and policies not written can't be enforced.

Depending on what "appropriate action" they take, I'd be prepared to fight it, because there is no reason this should go on your record.

Also Belgian here with some GDPR insight.

The only thing here that could be perceived in this situation, barring that they have not checked which data you've sent to your dropbox is your IP address.

Even then the European Commission classifies the following under personal digital data (more info EU Data Protection Directive 95/46/EC).

1. Metadata


2. Email addresses


3. Social media details and data attributed to them


4. IP addresses (edge case)

Whilst logging IP addresses is not allowed anymore (under the assumption that location could be derived from it), inside your own company network you are absent from this. From the protocol the network administrator has followed, he simply followed the bandwidth usage and traced it back to you. Which is completely legal.

So whilst yes, IP addresses could be perceived as personal data it is still an edge case in many uses. And this one seems completely fair.