It is not the first time that we warn of the progressive intrusion into staff privacy by the administration. Generation 2004 and the rest of the staff representation are firmly against these practices. This time we want to warn you not of a forced intrusion, but of one that you might be tolerating without being aware of the consequences. Many colleagues are using their private phones or tablets to access work email, for instance via Nine. As soon as you take this step, you accept that the Commission controls your device and has access to your data.
Let’s have a critical read of the privacy statement mentioned in the message sent by the IT helpdesk on 13/05/2024 where we are informed of the new security features on mobile devices registered in the EC mobile devices service (that is, your private devices being used to read work emails).
While the text is reassuring in many sentences, stating that the data will be used according to EU data protection standards, that personal data is not collected, etc., the devil is – as always – in the details.
These are the data items explicitly mentioned as being collected:
“List of installed applications on the device, Device Brand, Device Model, Operating system (OS) version, Cellular technology used by the device, Last connection time to server, client version (i.e. the app installed on device), Mobile operator (company), Phone number (on iPhones only), Battery usage, Storage capacity, Memory capacity, Roaming status, Encryption state, Device name, Serial number, IMEI number, WiFi MAC address, Log data, Network data – IP, subnet, domain names.”
These data are enough to determine in which country you are connected at any given time, which dating applications you have on your mobile phone, and what you have been doing (“log data” – which could even include the web pages you have visited).
Some other sentences in the privacy notice also deserve attention:
- “System administrators can get full access to all stored data collected.”
- “The information collected will not be given to any third party, except to the extent and for the purpose we may be required to do so by law.”
- “Organisational measures include restricting access to the personal data solely to authorised persons with a legitimate need to know for the purposes of this processing operation.”
In other words, it is possible to access all stored data, and, given a legitimate need, it can be used. While this should be reasonable, what is “legitimate”? Please note that colleagues have been subjected to disciplinary procedures for having expressed, as private persons, legitimate political opinions that were considered inadequate by the government of a Member State. The Commission found it legitimate to sanction a colleague rather than respect freedom of speech.
Imagine that you have the “wrong” applications on your private phone, you visit the “wrong” groups, you travel to the “wrong” countries… If the Commission considers it legitimate to search within the data collected from your phone, this information can be used against you, and your only chance to defend your rights will be in court, spending considerable effort, time and money. While this situation is hypothetical, the fact remains that if the data were not collected at all, it could not be used against you.
We should expect the Commission to be loyal to its staff, but which option is taken when there is a choice? The privacy statement makes clear that data is once again transferred to the US (“Mobileiron acts as data processor. Contact details: Mobileiron Inc, 401 East Middlefield Road Mountain View, CA 94043 USA”). Please remember that the European Data Protection Supervisor (EDPS) has ordered the Commission to suspend all relevant data flows to Microsoft in countries outside the European Union (EU)/European Economic Area (EEA). However, instead of seeking compliance, the Commission and Microsoft are challenging this order. Both have filed cases at the EU General Court against the EDPS. So, the choice is to fight data protection, not to reinforce it.
As we have reported before, more and more colleagues are using their private mobile phones for work purposes, not always voluntarily. Generation 2004 is against this trivialisation of staff privacy and abuse of private property, and has requested that human resources in both the Commission and the EEAS open a social dialogue to find constructive solutions.
The obvious solution to respect both privacy and the understandable need of the Institution to ensure IT security would be to provide corporate phones for work purposes.
In the meantime, we remain in this grey (dark grey) area.
Are you happy to use your private device for work purposes? As usual, we’d be happy to hear from you!