Staff and employers negotiate fine line between privacy and surveillance on comms channels

In an era where data is the ultimate asset, should employers be permitted to monitor all channels of communication, including social media?

Social media has transformed the business environment, becoming integral to business operations, providing channels for customer engagement, insights, and collaboration. Social media touches every aspect of our personal and business lives.

Despite the popularity of short-form video platforms as well as a plethora of other professional social and networking platform options, LinkedIn remains a key professional networking hub.

As concerns grow that other platforms are too political, argumentative and toxic, LinkedIn’s position has been strengthened. It is seen as a platform for authentic and professional interactions that are consistently policed and sanitised by its moderators, and to a certain extent, by the sheer weight of professional user consensus on what constitutes acceptable behaviour.

LinkedIn dominance

An excellent illustration of LinkedIn’s dominant position is provided by the gains in terms of users and usage that LinkedIn made following Elon Musk’s purchase of Twitter (now X) and the subsequent loss of confidence by users in the trustworthiness of that platform. Although that migration was often reluctant and made under protest, it was a move away from an ecosystem perceived as unstable and risky to something that offered the opposite.

In my experience, Gen Z in particular turns to LinkedIn for job searches, personal branding, and professional development. And it is not only younger or less experienced employees who do so. At the other end of the spectrum, over 50% of individuals earning over $75k utilize LinkedIn in the US, emphasizing its significance to the business eco-system.

One of the key functionalities that LinkedIn offers, beyond being able to connect with other professionals, is the ability to communicate with them. As such, it effectively constitutes a communication channel, both with specific individuals by way of messages and with a wider audience by way of posts.

And it is in connection with this that challenges come to light when it comes to the use of LinkedIn in the professional context. The key question really is whether your LinkedIn messages constitute personal or business communications.

Before we consider this though, let’s consider the broader context – the highly dynamic landscape of privacy rules and expectations.

Meta’s record penalty

The landscape of data privacy has recently been shaken by the record €1.2 billion ($1.3 billion) GDPR penalty imposed on Meta by Ireland’s Data Protection Commission. Meta was found to be performing improper data transfers to the United States, which opened the door for snooping.

Meta objected to this penalty, and claimed it had been unfairly “singled out” because thousands of other businesses were doing exactly the same thing without censure. The company also found the size of the fine hard to understand because the previous record fine stemming from GDPR rule enforcement was €746m ($815m).

But the one thing that the size of the fine does underline is that regulators, particularly those in Europe, have an expectation that businesses will respect the privacy of users, and that the consequences of breaking rules around data privacy will be serious and may result in fines that are unlikely to be written off as simply the cost of doing business.

Privacy versus convenience

Regulators’ expectation that businesses respect user privacy is apparent. But what about the expectations of users themselves?

Given the pervasive role that technology plays in our lives, how plausible is it to live in today’s society with no intrusion into one’s private life?

Consider how much of what we used to consider as private is given up almost without thinking – simply because of the desire for convenience. Take face recognition, for example – we are happy to log in to apps using our facial features for convenience and a promise of greater safety. Or the huge number of people using voice ecosystems such as ChatGPT, Alexa, Siri on a daily basis, giving them insight into their everyday lives and allowing unfettered access to deeply personal data.

The concept of privacy is something that most people will subscribe to in theory, but convenience and familiarity can quickly overpower any concerns.

And once gathered, our data can be sold. Recently, UK supermarkets Sainsbury and Tesco admitted to making £300m ($381m) a year from selling information on the shopping habits of users.

Surveillance required – but how widely?

In certain sectors, of course, surveillance is non-negotiable and the expectation of privacy is lower simply because of the need by businesses and their regulators to ensure compliance with a vast number of laws and rules.

Sectors such as finance, healthcare, and critical infrastructure operate in regulated spaces where the capture, security, and preservation of communications is crucial.

Regulators, particularly those in the US and especially those policing financial services firms, have come down very hard on businesses perceived to have broken the rules by turning a blind eye to the pervasive use of off-channel communications by employees.

In simple terms SEC regulations, for example, state that any business-related conversations should be captured and preserved – and that firms are responsible for putting in place processes to store this data in a compliant archive.

The problem is that these regulations broadly require firms to capture electronic communication and telephone conversations – but they do not explicitly tell businesses which channels to use or not use. The emphasis in the regulators’ laws and enforcement decisions is placed squarely on the fact that the business communications were not preserved, and that by not preserving them, the company has left the regulator unable to do its job as the federal securities watchdog in overseeing the business.

But some vagueness persists, and with that uncertainty over which specific platforms or data types will be caught within the regulatory net, it can be hard finding the boundary of what precisely to capture.

LinkedIn capture in practice

When it comes to LinkedIn (and other social media where a user is required to have a personal profile), the question arises as to the extent to which an employee should relinquish an expectation of privacy around this – particularly when the entire ecosystem is designated as a “communication channel” that needs to be captured for compliance purposes.

An interesting data point in a recent marketing report by Global Relay was that 47% of broker-dealers are using a LinkedIn connector to capture data. This illustrates two things in my view.

First, it demonstrates, like nothing else, the fact that this platform is almost certainly widely used for marketing of services as well as for business communications. Firms are unlikely to pay for a connector or invest funds to archive this information if there is no concern about potential regulatory scrutiny. These firms are, in effect, adopting a belt-and-braces approach.

Second, the fact that fewer than half of broker-dealers, firms who are often in the regulatory cross-hairs for off-channel communications, are monitoring it as a channel demonstrates perfectly the uncertainty as to what constitutes best practice here. There are firms out there who have determined that LinkedIn falls outside the perimeter and constitutes a personal or private space.

Global Relay’s report suggests that “there is a considerable chance LinkedIn may be the next platform to receive more regulatory scrutiny.” But what the future holds is uncertain.

Risk of misconduct

It is true that regulators have a responsibility for safeguarding and minimising the risk of potential misconduct. It is also true that individuals who choose to work in industries where surveillance is mandatory implicitly agree to relinquish some of their rights to privacy, particularly when communicating and connecting with existing and potential clients.

However, the big issue seems to be the fact that LinkedIn is not a conventional channel of communication. It straddles the line between a personal social media platform and a direct business communication platform.

Business-oriented chats may take place on the golf course for example – should we archive those? And how?

And if the surveillance framework is extended to LinkedIn, does that mean an employee’s reasonable expectation of keeping ownership of their social network and safeguarding their ability to look for a new role is compromised? How does the regulator ensure that this newly pervasive surveillance is not employed for nefarious or discriminatory purposes?

I would like to suggest that the uncertainty around LinkedIn reflects a wider debate around privacy boundaries in the workplace.

And that the debate over social media and surveillance more generally will continue alongside the quest to find a balance between employees’ privacy and compliance well beyond 2024.

Kieran Smith is an Analyst on Global Relay’s future leaders graduate program