Employers who check a job candidate's Facebook or Twitter profile before deciding whether to hire them may be in breach of European law, top regulators have said, as the EU tightens its data protection policies.
According to guidelines published by EU data protection agencies, employers will from now on require a "legal ground" before checking the social media profiles of potential employees. The regulators add that data collected from a search must be necessary and "relevant to the performance of the job".
An estimated 60 per cent of employers use social networking sites to screen potential candidates before making decisions, according to a survey of more than 2,000 employers conducted by CareerBuilder, an online recruitment company.
The regulators, who together form a group on data protection known as the Article 29 working party, do not themselves make EU law.
But since they police the law's implementation in the 28 member states — and seek a common interpretation with which to do so — their role is highly influential.
"The opinion of the working party is non-binding but very persuasive due to who they are," said Phil Lee, a data protection specialist at Fieldfisher, the law firm.
"They will influence how the national data protection authorities read the rules. In this case, they have said there must be a really good reason, relevant to the role concerned, for an employer to check someone's social media profiles."
The guidelines say that while employers may view such inspections as justified, "[they] should not assume that merely because an individual's social media profile is publicly available they are then allowed to process those data for their own purposes."
Prospective employees must be told before they submit their job application if the company intends to conduct an audit of their social media profiles, and employers cannot force employees to accept their friend requests.
The working party's opinion is also likely to govern the interpretation of a new and stricter EU law, known as the General Data Protection Regulation, which is due to come into force in May 2018.
The new legislation will require large companies to appoint a "data protection officer" to ensure compliance and impose fines of up to 4 per cent of global turnover, or €20m.
The guidelines lay down strict rules for other areas of employment. Companies must not issue employees with wearable devices to monitor their health and activity, which the working party says is illegal even with the consent of the employee, given the "unequal relationship" between employers and employees.
The working group has also taken aim at software used by companies to track an employee's movements and web activities when working from home. It notes that "software packages" that allow screen capturing, key logging or webcam enabling are "very unlikely to have a legal ground under legitimate interest".
The rules ban employers from sharing unnecessary information on their employees with customers. They give the example of a delivery company which sends its customers the name, location and a small photo of the courier, "allowing the customer to check if the deliverer is indeed the right person".
The group argues that the customer does not need either the name or the photo of the deliverer, and says there is thus "no legitimate ground" to provide it.
The guidelines refer to "all situations where there is an employment relationship" — meaning they protect even workers without a formal job contract.