With a large portion of the working population working from home, employers may be concerned about workforce productivity and the security of business confidential data. To combat these concerns, some employers are increasing digital employee monitoring. Employee monitoring may be legitimate, but requires a careful assessment of the employees’ privacy rights. This article provides a European overview of the elements to take into consideration when conducting employee monitoring.
Employee privacy is a long-established right in the European Union. Back in 2007, the European Court of Human Rights (ECHR) ruled that emails sent at work and information derived from private internet use are subject to the right to privacy, as expressed in article 8 of the European Convention on Human Rights. Employers who monitor the internet and phone use of employees without informing them violate those employees' privacy rights.
In a 2017 ruling, the ECHR provided further clarification on the permissibility of employee monitoring. Employee monitoring is a balancing exercise between the employee’s right to privacy and the employer’s right to take measures that ensure the smooth running of the company. The monitoring measures must be proportionate to the aim they pursue. In determining whether the measures are proportionate, the ECHR developed a number of criteria. Employees must receive prior notice, the scope of monitoring should be clearly defined, and employers are required to justify the monitoring and provide legitimate grounds, especially when accessing actual content. Employers should also assess whether less intrusive measures are available to achieve the defined purposes, and must provide adequate safeguards.
Employers must also comply with the GDPR. This means that employers will need a legal basis for processing. In the employee-employer relationship, consent is presumed to be invalid given the hierarchical nature of the relationship. Therefore, employers will either need to base the monitoring on its necessity for the performance of the employment agreement or define a legitimate interest. Legitimate interest requires a balancing of the employer’s legitimate business interests against the privacy of its employees. Employers should carefully consider the impact of the monitoring on the employee’s privacy. As articulated by the ECHR, access to content will require stricter safeguards than the monitoring of behaviour. Other important principles employers need to take into consideration are transparency, purpose limitation and data minimisation. Employers should clearly inform their employees that their devices are monitored, and should be specific about the purposes of such monitoring. Once the purposes are defined, employers also need to make sure that any data collected is used only for those purposes, and that the data collection is not excessive.
Data Protection Authorities
In 2017, the Article 29 Working Party published an opinion on data processing at work, which includes the use of monitoring systems in the employment context. The Working Party recommended that employers monitor their employees in the least intrusive manner and suggested that employers carry out a data protection impact assessment and a legitimate interest assessment.
The Working Party also provided an overview of employee monitoring that is unlikely to be lawful due to its disproportionate and excessive nature:
- monitoring employees in sensitive areas, such as sanitary, religious and break rooms;
- automated decision-making, for example about employee performance;
- continuous monitoring instead of random monitoring; and
- covert monitoring, which can only be justified in very exceptional cases (for example, if there is a well-founded suspicion of a criminal offence).
Data protection authorities across Europe have been issuing a wide range of guidance on employee privacy during Covid-19. Below is an overview of the most recent guidance in Belgium, France, Germany, Italy, the Netherlands, Spain and the UK.
Belgium
The Belgian Data Protection Authority (GBA) published a list of processing activities that require a Data Protection Impact Assessment (DPIA). According to this list, the tracking of an individual's behaviour and the systematic or large-scale processing of telephony, internet or other communication data, metadata or localisation data of individuals are processing activities that require a DPIA.
The GBA accepts that the right to privacy at work is not absolute and that an employer can have a legitimate interest in monitoring its employees. However, there is always a balance between the legitimate interest of the employer and the employees' right to privacy embedded in Belgian legislation. This implies that employees must be informed prior to the implementation of any monitoring activity. This information must include the purpose of the processing, the legal basis, the recipients of the data, the rights of the data subjects and the data retention periods.
In addition, several collective bargaining agreements (CBAs) must be observed, as they have been concluded to provide specific privacy protection for employees. This is the case for camera surveillance (CBA no. 68 of 16 June 1998) and the electronic monitoring of internet and emails (CBA no. 81 of 26 April 2002). Regarding the electronic monitoring of internet and emails, it is important to note that CBA no. 81 lays down additional procedural rules, such as notification requirements, works council consultation, monitoring and individualisation procedures and the implementation of monitoring policies. Furthermore, CBA no. 81 identifies the following purposes for which electronic online communication can be monitored: the prevention of defamation, illegal acts or acts that may offend the dignity of others; the safeguarding of the confidential, economic, financial and trade interests of the employer; ensuring the integrity and/or the smooth operation of the IT network systems; and/or monitoring compliance with the employer's policies and rules regarding the use of internet and email.
The GBA also issued FAQs on the processing of personal data during the Covid-19 coronavirus pandemic.
France
The French supervisory authority (Cnil) issued a list of processing activities that require a DPIA, which includes constant employee monitoring. In 2018, the Cnil also published general guidelines on online employee monitoring. Employees may only be monitored in order to ensure network security or to prevent employees from excessively and inappropriately marking emails and documents as “personal” so that they are not treated as professional and accessible to the employer. Such monitoring must be strictly limited in terms of access and data retention (i.e. connection logs).
In addition, employees and employees’ representatives must be informed prior to the implementation of any monitoring activity and this information must include the purpose of the processing, the legal basis, the recipients of the data, the rights of the data subjects and the data retention periods. More recently, the Cnil published specific recommendations on various practices based on new technologies such as geotracking. The Cnil has published recommendations on good practices for remote working and videoconference tools in the pandemic context, but has not yet issued any additional Covid-19 specific updates on online employee monitoring.
Germany
As well as the GDPR, the German Federal Data Protection Act (Bundesdatenschutzgesetz) and, in certain cases, the German Works Constitution Act (Betriebsverfassungsgesetz) must also be observed. According to the German Works Constitution Act, the introduction of an employee monitoring system generally triggers so-called co-determination by the works council (where one exists), which then leads to the conclusion of a works agreement. Such a works agreement can also serve as a legal basis for the data processing involved.
In the absence of such a works agreement, the German Federal Data Protection Act includes a specific statutory provision applicable to the processing of personal data of employees. However, whether monitoring employee behaviour is justified by this provision depends on the individual case. If there is good reason to believe that a certain employee has disclosed information unlawfully or has committed a grave infringement of the employment contract, it is easier to rely on this statutory provision, but the general, undifferentiated surveillance of employees will usually be found unlawful.
Italy
According to the Italian supervisory authority (“Garante”), data processing in the context of an employment relationship, by means of technological systems capable of remotely monitoring employees' activities, requires a DPIA. Additionally, depending on the way in which remote monitoring is carried out and the purposes of monitoring, an agreement with the trade unions or an authorisation by the national work agency (Ispettorato Nazionale del Lavoro) is required.
During this Covid-19 pandemic, the Garante issued certain clarifications in the form of FAQs, but has not given specific guidance on online monitoring of employees.
Netherlands
In the Netherlands, employee monitoring is listed as a processing activity that requires a DPIA. The Dutch supervisory authority (AP) also distinguishes between general monitoring and covert monitoring. For covert monitoring to be lawful, employers must have a reasonable suspicion of a criminal offence or wrongful use of company information.
Companies with a works council will also need to obtain the prior consent of the works council before conducting employee monitoring. The AP has not yet issued any Covid-19 specific updates.
Spain
The Spanish supervisory authority (AEPD) has listed the processing of personal data entailing systematic monitoring of data subjects as requiring a DPIA. This obligation likely also covers employee monitoring, depending on the degree of the employer’s control.
In addition, the Spanish Data Protection Organic Law envisages several "digital rights" affecting the monitoring of employees, including the right to privacy in respect of the use of digital devices in the workplace, which entails the workers' representatives participating in the drafting of any policy regarding employee monitoring. The AEPD has not issued specific guidance on employee monitoring related to Covid-19.
United Kingdom
Whilst the UK supervisory authority (ICO) has not issued specific guidance dealing with employee monitoring during the current pandemic, it has published new 'Working from Home' guidance, and its pre-Covid-19 guidance covering the privacy implications of remote employee monitoring remains relevant.
Both include a requirement to have clear policies, procedures and guidance for employees who are working remotely. This should include a clear notification of any new or adapted monitoring practices. This is fundamental to the data protection principle of transparency and to ensuring that employees are fully aware that they are being monitored and for what specific purposes. Monitoring should also be conducted on a 'needs must' basis rather than as a blanket activity in respect of all employees regardless of role.
Systematic monitoring involving innovative technologies or tracking an individual's geolocation or behaviour is 'high risk' and will require a DPIA. The ICO has stressed the importance of businesses demonstrating accountability during the pandemic, by putting in place a DPIA in respect of any new or different processing, so it will almost always be necessary to conduct a DPIA where monitoring practices are introduced. In the UK, covert monitoring can only very rarely be justified (such as where criminal activity is suspected or malpractice where informing suspected employees would prejudice investigations).
Conclusion and recommendations
Employee monitoring is permitted, provided that it strikes the balance between the employer’s legitimate interests and the employee’s privacy rights. Employers need to establish a legitimate interest for monitoring, clearly inform employees of such monitoring, limit the processing to the data necessary to pursue the well-defined interests, minimise the collection of data, and substantiate the duration of the monitoring.
To ensure a fair balance between legitimate interests and privacy rights, the GDPR requires a DPIA for any high-risk data processing. Supported by the Article 29 Working Party’s opinion, most national data protection authorities have specifically confirmed that a DPIA is required prior to online employee monitoring.
Despite the uniform data protection framework, national employment legislation may impose additional requirements on employers. It is therefore important, as an employer, to recognise the national employee rights in the country concerned. For example, in addition to the requirement to inform employees prior to the monitoring, it may be necessary to inform or obtain consent from the relevant employee representatives or enter into a works agreement with the representative body.
What about Covid-19? Although several national data protection authorities provided some guidance and clarification on online employee monitoring during Covid-19, most data protection authorities have not yet implemented additional safeguards or requirements for employee monitoring during the Covid-19 pandemic.