It is no doubt that the coronavirus pandemic has given companies a boost in implementing work-from-home solutions. However, even before that, smart working has always been part of the employment relationship and, together with it, the need to ensure that efficiency and performance levels were met, regardless of the premises from which the employee was working.
Technology offers a number of solutions to set up corporate surveillance, in its broadest sense. Indeed, it is not only a matter of work-performance but also of ensuring compliance with company policies and, at large, regulatory and legal provisions which may expose the company to liability risks (also from a criminal perspective). For the employer’s peace of mind, however, the monitoring shall necessarily be balanced with elements that allow trust, transparency and respect of the employees’ rights to privacy.
Necessary enabler of lawful remote controls over employees, in fact, is the compliance with data protection provisions. Although national law may provide for specific requirements and keeping in mind that also labor issues have to be factored in, the overall approach followed in European countries under the GDPR is that any technical solution that may imply the remote control of the employees’ performance shall be assisted with (i) a dedicated policy (usually named IT equipment and network Use Policy), and (ii) a data protection information notice. The first should explain to employees how they can use the IT company’s device, how monitoring takes place, for what purposes, under which conditions; while the second informs them on how their data are collected and used in the context of monitoring activities. The combination of these documents serves the purpose of making monitoring transparent to employees and, to achieve day-to-day effectiveness, it should be coupled with proper training. In this environment, another effective compliance tool for companies is a Data Protection Impact Assessment, to document and account for how to struck an acceptable balance in the monitoring activities.
We noted that during the pandemic companies were rushing to try to update their IT, Privacy and BYOD policies in order to enable more stringent monitoring solutions and to cover material resort to remote working. However, this is an item to be addressed as part of a broader digital transformation strategy, and not just of simply updating rules and procedures, but rather re-visiting them as long term ones, in order to address other connected risks such as cyber-security threats.
In the blurring of lines between home and work, transparency and proportionality are rules of thumb for legitimate controls. This is indeed confirmed by the European Court of Human Rights’ judgement in the renowned case Barbulescu v. Romania, where a terminated employee claimed that the national courts failed to protect his right to privacy and secrecy of correspondence, following dismissal of his action against his former employer for unlawful monitoring of his electronic communications and for accessing their contents. If it’s clear that a 24-hour monitoring, or recording of each activity performed by the employee is excessive, finding the right balance is not an easy task, especially in scenarios where employees are allowed to use IT tools for (limited) personal use or to use their own device for professional purposes (BYOD), as this makes it more difficult to discern the personal from the professional use and to impose the adoption of specific measures.
Recently, national data protection authorities showed their continuous interest on the topic: earlier this month, the Swedish Data Protection Authority issued guidance on the processing of employees’ personal data by private or public entities, and covering also the area of employees’ monitoring.[1] In Germany, instead, the Hamburg Data Protection Authority issued the second highest ever GDPR-related sanction (so far) against a famous fast-fashion company for unlawful employee-monitoring practices.[2] In Italy, the Data Protection Authority recently sanctioned a telephone company for unlawful analysis of the performance of the employee’s work activities and for non-compliant geolocation of the employee.[3]
There is a rising attention over such practices and a high risk of individual claims, especially from terminated employees as well as employees involved in internal investigations. Consequences of unlawful monitoring may include inadmissibility of the resulting evidence in possible litigation as well as reintegration into work and damages, both from a reputational and a monetary perspective. Finally, unlawful monitoring of employees may end up in unwanted attention from the data protection authorities, on whose agendas this matter is a priority throughout the EU.
[1] https://iapp.org/news/a/swedish-dpa-issues-guidance-on-processing-employee-data/
[2] https://iapp.org/news/a/hamburg-dpa-issues-35-3m-euro-fine-over-employee-monitoring/
[3] https://www.gpdp.it/web/guest/home/docweb/-/docweb-display/docweb/9263597