I do wish the Europeans would make up their minds. There was an ECJ ruling a couple of years ago that made it clear that you could monitor your employees’ private use of the internet while at work. The GDPR also makes it clear that you can process information that the data subject has “manifestly” made public (Article 9(2)(e)). So that’s all right, then.
Apparently not. The Article 29 Working Party, the blessed King Canutes of the EU, have recently opined that employers can’t ubiquitously monitor private use of their workplace IT systems, and that you can’t process public Facebook profiles as part of a recruitment process. It’s a bit more nuanced than that, and there’s a lot of other detail, but that’s the gist.
There’ll be a lot of people, including me, scurrying off to review their employee communications monitoring policies (and their BYOD and acceptable use policies) and trying to work out how to plug the hole this punches in the dike. And there’ll be a good number of HR departments hurriedly deleting public profile data they’re holding on candidates, because apparently public doesn’t quite mean what we thought it did.
Oh, and by the way, they think LinkedIn is okay to process, apparently, but not Facebook. I’m glad they could tell the difference; I’m not sure I can.