Photo courtesy : Internet

Off late several companies had become extremely concerned for moonlighting by their employees. Moonlighting is a term that signifies involving in a second job for profit  while being in a full time employment. The 2020 covid pandemic has increased the tendency for moonlighting for employees in several companies including the tech companies as most of the workplaces reduced the salaries of employees and this caused huge financial tension for many. Legally moonlighting may or may not be safe for many: many European countries, US, Canada, Australia etc, may allow employees for moonlighting. Even academicians including teachers, university professors may also choose for a second job when they are off duty. But the problem arises when the employees go for moonlighting with the company data.

Why and how Moonlighting becomes an offence and who are the victims? in 2022, Tesla terminated an employee for showcasing and discussing  certain automobile features in his YouTube channel. Interestingly running a YouTube channel had not been considered as moonlighting even though such activities may help the YouTuber to earn profit.  But this was considered as offensive by the company because the employee actually criticised certain products using the company data which only he could access being an employee. Now consider the other side of the coin: if this employee had secretly sold the company data to other competing company for profit or may had been engaged in moonlighting works like consumer preference analysis, product marketability analysis, business analysis or even employee data analysis with the help of the confidential data of his employer company, he would have been definitely subjected for legal liabilities and he may even have the chance for being jailed.  This may no longer remain simple harmless moonlighting. Rather, it may involve data privacy breach by the concerned employee because he may  have  violated the integrity and confidentiality of the data owned and maintained by the companies.

Here we have to understand the types of the data and the types of the ‘victims’ that may be affected:

First victim would be the company itself as the company secrets including trade secrets would be affected. The designs, company logo, manufacturing process, company policies for marketing, specific software etc, may fall within the meaning of company’s intellectual properties which many employees fail to acknowledge or may not know. 

The second typology  of the victims has a wider scope than the first: it includes individuals and their  personal data that may have been collected by the companies in the name of customer data, patient data, government beneficiary data, banking related data etc. Presently almost all companies have become body corporates who collect certain kinds of personal as well as sensitive persona data: Tesla itself collects customer data that may include sensitive personal data like birthdates, banking information, social security numbers etc. There are several big tech companies that may be involved directly or indirectly involved  in government data collection and  processing work.

Moonlighting with such data may become extremely dangerous for the second type of the victims, especially children. There are 5 basic reasons for this:

1. Children’s data including health data, school data, parent’s financial data etc, may be misused by different types of perpetrators. This may also aide in physical space kidnapping, abduction and assault on the child.
2. Profiles of children may be sold to criminal gangs operating in deep and dark nets for online child sexual abuse related purposes. Often job seekers or individuals looking for moonlighting opportunities may fall in the trap of such gangs who may make them sell such sensitive personal data for a handsome amount. Here the criminal gangs may finely create a very much convincing agreement for the job seekers that in reality may not have much legal value as employer-employee contract. But the language of such agreements may be so finely constructed that it may actually make the employee fall in legal trouble if the entire operation is unearthed by the law enforcement agencies while the actual criminals may escape the clutches of the law.
3. Child and adolescent victims may not be aware of the victimhood unless they are made aware of the data breach by their peers or by the acquaintances of their parents. Resultant, their online and offline security may be hugely breached and it may be beyond repairing especially for children who may come from socio-economically challenged backgrounds.
4. Such kind of illegal moonlighting may enlarge the risks of ransom attacks for hospital, schools, public welfare data etc.
5.  Companies or stakeholders who are engaged in the outsourced work of data collection, processing may also have to face legal action for not providing proper security to the confidential data. In such cases these cases may be held primarily liable as the burden of proof for innocence and strict diligence complied with may fall on the companies.

What is the way out then? EU General Data Protection Regulation has emphasised on the issue of privacy, security and consent for data collection, data processing, data archiving etc. Even though EUGDPR does not mention about moonlighting with confidential data as an offensive behaviour, it however focuses on right to privacy, data collection and processing rules etc.  We also have to look into several international conventions including the 2001 Budapest cybercrime conventions which throws light on content related online crimes, intellectual property rights related crimes and online child abuse related issues. All these prohibit data theft and unethical profit gain from misuse of data. Moonlighting with public, personal and sensitive confidential personal data falls off from the line of ethical moonlighting on the basis of skills of the job seeker/employee and thereby it becomes a punishable offence. But we must note that moonlighting with data involving children can be extremely dangerous because immediate harm to children may not be repaired by restorative and reparative justice quickly. But there is still a silver lining behind the vicious cloud of malicious data and activities. Companies and body corporates who primarily deal with public and personal data of general individuals can strengthen their data protection mechanism by applying stricter surveillance on the access on the said data, purpose of access to such data and mapping footprints of the usage of such data. They may also apply stricter policies against moonlighting especially against those employees who may directly deal with confidential data. Further, punishment for such kinds of moonlighting may not be restricted to termination and other penal actions by the primary companies alone. Such employee must also be made liable for breaching the data confidentiality of the children and he must be made to cooperate with the criminal justice machinery to track the data, pull down the data from vicious domains and also should be responsible for payment of compensation. Above all, courts must also consider banning them from using multiple profiles and they must be put under surveillance for their usage of information and communication technology.