New EU guidelines restrict employer rights to social media

European officials have issued new guidelines directing employers to notify job applicants before viewing their social media profiles, even if applicants have made their profiles public. In addition, the guidelines say that scanning social media profiles will only be allowed when the information they contain is “relevant to the performance of the job which is being applied for.”

The strict new rules were created by the Data Protection Working Party, an advisory group set up under Article 29 as part of the European Union’s General Data Protection Regulation (GDPR), a sweeping update of data privacy law scheduled to take effect on May 25, 2018 in all 28 member countries. Though the Working Party’s recommendations do not have the force of law, they are considered highly influential and are likely to have a strong impact on the way regulators and courts interpret the law.

Employers should note that the guidelines apply to “all situations where there is an employment relationship,” which means they affect workers without a formal job contract as well as employees.

Under the new GDPR privacy law, large companies will be required to appoint a data protection officer to oversee compliance. Severe violations, including improperly transferring personal data outside the EU, can result in fines of up to 4 percent of annual revenue, or €20 million ($23 million), whichever is greater. Other violations, including not keeping track of customer consent, could bring fines of up to 2 percent of revenue or €10 million ($11.6 million).

After Brexit, sending EU personal data to the UK will only be lawful if the European Commission deems the UK as having an adequate level of data protection. Though this designation has so far been extended to only 11 countries, the UK is likely to obtain a favorable assessment, analysts say.

No tracking software

In addition to social media, the Working Group takes a dim view of software used to track employees’ internet activities by using screen captures, keystroke loggers or webcams, saying such measures are “very unlikely to have a legal ground under legitimate interest.”

Employers may give workers wearable devices like Fitbits, but they are prohibited from collecting any data from the devices or working with third parties that collect it, as US employers sometimes do in working with their insurance companies.

Even anonymized data, which is sometimes used in the US to improve productivity, will probably be considered off-limits. Because information about individual employees is available through multiple channels, “it is technically very difficult to ensure complete anonymization,” the Working Group said.

Giving out detailed information about employees is also verboten. For example, a delivery company can text customers to let them know a product is on the way, but it cannot include the driver’s name or photograph.

Bucking a trend

As social media has become widespread, it has become commonplace for employers and recruiters to use it in assessing job applicants. According to a Jobvite survey, 87 percent of US recruiters check job candidates’ LinkedIn accounts, 43 percent check Facebook and 22 percent check Twitter. A CareerBuilder survey found that 57 percent of employers are less likely to interview a candidate with no online profile, and 54 percent have decided against hiring a candidate based on their social media profile.

It’s not hard to understand the EU’s concerns about privacy in such situations. In the Jobvite survey, nearly half of employers said they viewed photos showing alcohol consumption negatively. During last year’s US election season, 11 percent of recruiters in the survey said that knowing a candidate supported Donald Trump would bias their decision to move forward. Seven percent felt the same way about Hillary Clinton supporters. Employers have also fired workers for posting negative content about their companies.

But employers use social media — especially LinkedIn — not just to review applicants or employees, but to find “passive” candidates who have skills they need, but have not applied for a job. In Europe, 64 percent of companies said they used LinkedIn, 41 percent said they used Facebook and 29 percent said they used Twitter to find job candidates, a 2013 study said.

Far from objecting to this process, many workers tailor their profiles to attract recruiters. Under the new guidelines, employers would seemingly be faced with a Catch-22 provision requiring them to gain potential candidates’ consent before viewing their profiles. Even then, they would be able to collect only information “necessary and relevant” to the job duties — but how could they do that without viewing the entire profile and risking that they’d be swayed by something irrelevant?

Enforcement of the new rules could prove to be a sticky wicket. Member states are required to create their own enforcement authorities, though an EU board will have oversight. In cases of multiple jurisdiction, one authority is supposed to report to the board; nevertheless, the result could be a legal quagmire, some attorneys believe. The EU will also need to improve coordination with US regulatory authorities.

While collecting data on employees can be useful, it also creates significant privacy challenges, the Working Group believes. The group’s laudable aim — which may require further refinement in practice — is to find a reasonable balance.

Paul Sutton, Head of Legal Advisory Group, contributed to this article.