Helping Employers Leverage Monitoring

While Staying Compliant With A Dynamic Legal Landscape

As a consequence of changes in technology and work as a whole, including the increasing adoption of hybrid and remote work such as “work from home (WFH),” employers are increasingly implementing employee monitoring of varying forms. While employers have reasonable justifications for wanting to ensure the accountability and productivity of employees, privacy laws are increasingly putting guardrails in place on the types of employee monitoring allowed and the compliance obligations that come into effect when undertaking such monitoring. After all, employee monitoring can be highly invasive, especially if it is done in secret, without proper notice to employees. Therefore, whether it is in the context of the European Union’s General Data Protection Regulation (GDPR), the respective version of the law in the UK, or the increasing number of states in the United States passing comprehensive privacy laws such as California’s Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA), lawmakers are instituting regulatory frameworks that must be followed concerning employee monitoring. There are also employee monitoring-specific laws, such as New York’s law (Section 52-C), which requires, among other things, employers to provide employees with notice of electronic monitoring. Further, privacy regulators have stressed that policing this area will be a priority.

As a historical matter, employee monitoring is a uniquely sensitive area of the law, especially in light of the power imbalance between employer and employee. For this reason, in the context of EU and UK law, consent is generally not the appropriate legal basis for undertaking data processing that takes place as a part of the employer-employee relationship, particularly when it comes to employee monitoring. Even beyond the nuances of consent and appropriate legal bases for processing, notice and consent can, by the very nature of the activity, sometimes defeat the purpose of the monitoring, especially for the occasional type that is aimed at a particular individual based on suspected wrongdoing. In contrast, the analysis and legal considerations shift for systematic and broad-ranging types of employee monitoring aimed at employees across the company. As a general matter, because consent is not generally appropriate as a legal basis, employers must justify monitoring as a “legitimate interest” and ensure it is (a) necessary, (b) legitimate, and (c) proportionate to the perceived threat.

Another nuanced scenario in the context of employee monitoring concerns the potential of data processing that may include a variety of categories of personal information deemed “sensitive.” While each law has definitions for what is deemed “sensitive category data,” generally varying types of biometrics and health information, among other data types, fall into this more protective category, and there are prescribed compliance considerations and obligations that come with such sensitive data.

In light of the myriad considerations concerning employee monitoring combined with the dynamic regulatory environment, ensuring that compliance is at the forefront of decision-making is critical.

Now that artificial intelligence is increasingly present in our lives, and its applications for employee monitoring have been growing, there is a renewed focus on the legal and compliance obligations that come into effect in certain scenarios. The FTC has signaled its intention to regulate the space, including in the employee context, and other regulators are paying attention to it.

At RICHT, we help clients capitalize on the value and need for employee monitoring in various scenarios while accounting for compliance and associated legal risks. From ensuring robust legitimate interest analysis and documentation to notice aimed at transparency as well as data mapping and data privacy impact assessments (DPIAs) of monitoring activities, we take a holistic approach aimed at avoiding negative consequences that extend beyond legal enforcement in the form of fines to include bad press or friction with employees.

Employee Monitoring Legal Services We Offer

Monitoring Policies & Notices

Covert Monitoring Compliance 

Data Mapping & DPIAs

Legitimate Interest Analysis

Data Loss Prevention (DLP)

Vendor Risk Review 

Automated Decisionmaking

Data Retention & Minimization 

Subject Access Requests (SARs)

Employee Monitoring Compliance Resources

Find Out How We Can Help You Navigate Employee Monitoring Compliance

Employee Monitoring Law News

French Privacy Regulator Fines Amazon France €32 Million For Employee Monitoring

French regulator CNIL said it had fined Amazon France 32 million euros ($35 million) for what the CNIL said was an “excessively intrusive” surveillance system set up to monitor the performance of staff.

Employee Monitoring Law
International Association of Privacy Professionals (IAPP)

CNIL Issues 10 Penalties Over Employee Monitoring Practices

France’s data protection authority, the Commission nationale de l’informatique et des libertés, issued 10 sanctions over recent months to private and public entities totaling 97,000 euros.

Employee Monitoring Law
Banking Dive

Barclays Faces $1.1B Fine Over Alleged Monitoring of Employees

The Information Commissioner’s Office (ICO), Britain’s privacy watchdog, is investigating Barclays over the bank’s use of software that allowed managers to measure the length of time employees were away from their desks and how long they took to finish tasks.
