In a major victory for privacy advocates, Europe's Court of Human Rights has ruled on organizations' abilities to monitor employee communications with limited consent. While precedent set in 2016 gave employers blanket ability to monitor traffic "to verify that the employees are completing their professional tasks during working hours", the new decision means employers across Europe will have to significantly curtail their data collection initiatives.
Understandably, all organizations need to protect the integrity and security of their corporate data and have long taken steps to meet these internal requirements. Some of these initiatives, however, have crossed a privacy line – impetus for the lawsuits brought against employers.
For some, corporate VPN, device profiling, and software agents are the most efficient means to securing corporate data despite the obvious drawbacks of deploying such solutions. While the organization may want to stop data exfiltration to an unsanctioned cloud app like a personal Dropbox, tracking that web traffic can reveal personal information.
The same issue exists on mobile. Where an employee wants to access corporate data on an iPhone or Android device, some organizations rely on mobile device management (MDM) to extend access. Like corporate VPN, MDM solutions require privacy compromises. While EU-based organizations may have been happy to make some of those compromises to meet short-term security needs, the new ruling makes use of such solutions an overreach.
Security solutions should balance data protection and privacy. In order to strike that balance while adhering to government standards and employee expectations, organizations must choose agentless technologies like Bitglass that prioritize data-centric security, privacy, and usability.