European Privacy Laws, BYOD, and Enterprise Mobility

Written by Cimarron Buser, February 23, 2015

Apperian, an Arxan Company


Germany has some of the world’s most stringent laws around data security and privacy regarding the use of employee-owned devices in the workplace. In fact, each German state has a data protection law of its own as well as individual data protection authorities.

Under the terms of the Federal German Data Protection Act, there are strict guidelines on who has access to an employee’s device and how company data should be stored, used, and accessed from a privately-owned device.

For instance, if an employee needs to store company data on a personally-owned device, there must be written guidelines to cover the circumstances.

Indeed, most of the privacy and protection laws are aimed towards protecting the rights of employees and guarding the separation of work-life culture in Germany. For example, German Labor Minister Andrea Nahles has called for an “anti-stress regulation” that would prevent employers from contacting employees after hours on their personal devices, just as employers are currently banned from contacting employees when they are on vacation under German law.

For organizations relying on legacy mobile device management technology, these types of restrictions have hampered BYOD adoption in Germany.

Other European countries also have privacy laws in place that are aimed at protecting employees. For example, in the U.K. under the UK Data Protection Act, employers are expected to make employees aware of any monitoring that’s taking place, except where criminal activity is suspected.

In France, any company with a BYOD policy that involves monitoring an employee’s personal device is required to gain the consent of the employee to do so.

Meanwhile, as part of the Spanish Law 15/1999 under the EU Privacy Directive, employees at organizations that implement BYOD policies should be made aware of which data will be monitored or collected from their personal devices. In addition, employers in Spain are expected to obtain the consent of an employee before installing any software or technology on the employee’s personal device that monitors data or activity on that device.

U.S. data protection policies aren’t as stringent as European laws. Historically, the U.S. has relied on more of a self-regulatory model for data protection while European nations favor more explicit laws. But as cyber-attacks against U.S. companies such as Anthem continue to expose sensitive corporate and customer data, companies may enact more severe BYOD and data protection policies of their own.