Part 3: Summer Global Privacy Roundup Series – What You Should Not Miss for Legal and Regulatory Developments
We are observing growing regulatory scrutiny of advanced employee monitoring practices, particularly from the European Union. Here are the key takeaways:
Advanced threat monitoring technologies are becoming increasingly sophisticated and can provide monitoring capabilities not only for incoming/outgoing network traffic, but also for a wide range of employee activities, leveraging features such as screen recording and keystroke logging. Solutions that offer extensive proactive capabilities designed to help organizations identify threats before they happen increasingly rely on a large array of data and surveillance points to conduct behavioral pattern analysis, often creating a profile of each employee.
In addition to increased surveillance capabilities and employee profiling techniques, many technology providers are also advertising the ability to use the detailed employee monitoring data for secondary, non-security purposes (such as assessing employee productivity or predicting when an employee may be planning to leave their job).
The level of privacy employees can expect in the workplace varies by jurisdiction. For example, employees in the United States (U.S.) have a relatively low expectation of privacy in the workplace, and employers have few restrictions on their ability to monitor employee activities. In contrast, in the European Union including the United Kingdom (UK), there is a much greater expectation of privacy in the workplace, and an employer’s legitimate interest in monitoring employees must be more expressly balanced against employees’ privacy rights.
Regardless of whether employees have a reasonable expectation of privacy in the workplace, covert monitoring of employees (i.e., monitoring without prior notice) is becoming increasingly difficult to justify. For example, employers in the U.S. are required under the laws of Connecticut, Delaware, and, most recently, New York to, among other things, provide employees prior written notice of their monitoring practices. In addition, the California Consumer Privacy Act requires employers to provide notice of employee personal data collection practices, which will require additional detail starting in January 2023 once the amendments introduced by the California Privacy Rights Act come into effect and the limited employee personal data exceptions expire.
In the European Union, employers are also generally required to provide notice of their data practices to employees under the General Data Protection Regulation (“GDPR”). EU regulators and courts take the position that covert employee monitoring should be a means of last resort and limited to specific cases where there is a concrete suspicion of serious wrongdoing and, in particular, criminal behavior.
The rules for monitoring can be more restrictive depending on the applicable EU Member State law. Germany, for instance, has implemented more restrictive provisions in its Federal Data Protection Act, under which monitoring is permitted only for the purpose of detecting criminal offenses or other serious wrongdoing, and only where (i) there are factual indications that give rise to the suspicion that the employee committed such actions in the employment relationship, (ii) the processing is necessary to detect such an offense, and (iii) the employee’s legitimate interest in the exclusion of the processing does not outweigh the employer’s interests.
Comprehensive privacy laws are evolving to focus not only on informed data processing, but also on proportionate data processing. For example, under the EU’s GDPR and the UK’s Data Protection Act 2018, the scope of employee monitoring must be a proportionate response to the risks faced by an employer. This generally requires the employer to identify a legitimate business interest in monitoring that definitively outweighs the interests in protecting employee privacy. For instance, if internet misuse can be prevented by using web filters, the employer has no general right to monitor.
Where monitoring is continuous and indiscriminate (meaning it is occurring 24/7 over long periods of time for all employees regardless of risk), the task of identifying a legitimate business interest in such extensive monitoring that outweighs the interests in protecting employee privacy can be exceedingly difficult. German supervisory authorities, for instance, consider permanent monitoring as impermissible and only permit temporary monitoring of specific individuals.
Historically, employers have justified employee monitoring activities by pointing to general or abstract security concerns (i.e., if we don’t watch our employees, we can’t prevent security incidents from occurring). While regulators seem comfortable with that justification for basic security monitoring measures like automated firewalls, we are increasingly seeing regulators take the position that abstract, potential security risks cannot be used as a means of justifying widespread and invasive advanced monitoring techniques (including keystroke logging and screen recording). Instead, according to many regulators (particularly within the EU), advanced monitoring techniques should be reserved for higher risk situations, such as where the employer has a reasonable basis to believe an employee poses an imminent threat to the security or safety of the company.
Some regulators are even taking the position that extensive advanced employee monitoring by itself may be incompatible with an employer’s obligation to ensure such monitoring is proportionate, regardless of the justification an employer may try to rely on.
As noted above, the vast data troves created by advanced monitoring technologies can often be used for multiple secondary, non-security purposes (such as productivity monitoring or employee departure risk).
However, comprehensive privacy laws across the globe are evolving to adopt the purpose limitation principle we see enshrined in the EU GDPR (i.e., that personal data be “collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes”). The purpose limitation principle, in combination with obligations relating to proportionality, creates a significant barrier for employers seeking to use employee monitoring data justified under a security purpose for secondary, non-security objectives.
Regulators are increasingly skeptical of these secondary, non-security uses of employee monitoring data, and we anticipate many regulators may outright reject them when the data to be used is collected using advanced monitoring technologies that present a significant impact to employee privacy.
Under the GDPR, any such monitoring technologies generally require a data protection impact assessment prior to the activation of the monitoring. In addition, some countries, such as Germany, may require employers not only to consult with, but actually to seek approval from, works councils.
The authors wish to give special thanks to summer associate Christina Lee for contributing to this piece.