Employee monitoring technologies – Key takeaways from recent UK and EU enforcement decisions

Viewpoints
March 11, 2024
4 minutes

European and UK enforcement actions in recent months indicate that employee monitoring continues to be a challenging and evolving area of compliance for organisations, particularly as the monitoring systems they use continue to change with technological updates.

In December 2023, the French data protection regulator (CNIL) issued a fine against a logistics company regarding its employee monitoring practices, and on 23 February 2024, the UK data protection regulator (ICO) issued a series of enforcement notices ordering various organisations to stop using facial recognition technology and fingerprint scanning in their employee monitoring practices.

This article explores the takeaways from these decisions, as well as practical considerations for organisations when conducting employee monitoring using certain technologies. 

Takeaways from the decisions

Employee monitoring must be proportionate

The more intrusive the monitoring, or the more granular the data collected about employees, the more prepared an organisation should be to justify it or to consider less intrusive alternatives. The CNIL’s fine was imposed partly due to the relevant organisation’s overly intrusive and granular monitoring of its employees: the CNIL considered, among other points, the organisation’s flagging of worker interruptions of less than ten minutes and its recording of completed tasks down to the nearest second to be excessively intrusive.

In addition, the CNIL considered that the organisation already had access to other data that were capable of achieving the organisation’s goals of quality and safety, and thus did not require monitoring of such granularity. 

Using certain technologies to monitor employees may require heightened security measures

In particular, monitoring tools that record biometric data (including facial recognition) and video surveillance are likely to require heightened security measures, in addition to posing increased compliance challenges for organisations:

  • Biometric data that is used to identify individuals (i.e., for authentication purposes) will count as special category personal data, and will require its own lawful basis of processing. The ICO noted that the nature of biometric data also means that such data is likely to be permanent and closely linked with an individual’s identity, and thus presents an increased risk of harm in the event of a personal data breach. This in turn translates into the need for heightened security requirements to be implemented to safeguard such data.
  • The ability of video surveillance to monitor employees covertly means that the sensitivity of the data collected, and the corresponding risk of harm to individuals in the event of a breach, are potentially higher than for other types of employee monitoring systems. In practice, this means that heightened security is also required: the CNIL took the organisation’s failure to implement sufficiently strong password protection and access controls over its video surveillance data into account when issuing its fine, as this meant that there was an increased risk that such data could be accessed or compromised anonymously by malicious actors.

Even a short data retention period may be excessive

While there are no prescribed data retention periods for employee monitoring data under European and UK data protection law, such periods must be proportionate. In practice, this means that organisations should be capable of justifying data retention periods by reference to the purposes for which the data was collected. Even a relatively short retention period may be excessive. In the CNIL’s decision, 31 days was deemed to be disproportionate, on the basis that this retention period applied to all of the organisation’s employee monitoring data, and the use of aggregated data would have been sufficient for the organisation’s purposes. 

Additional practical considerations for organisations

The use of automated decision making (ADM) should be monitored closely. ADM is only permitted in limited circumstances under the GDPR, such as when it has been authorised by law or where it is necessary for the entry into or performance of a contract with the employee. Such decision making may also be permitted if an employee’s explicit consent has been obtained, although demonstrating valid consent in an employment context is problematic due to the imbalance of power between the organisation and the employee.

Organisations should also consider conducting a data protection impact assessment (DPIA) prior to conducting employee monitoring. In some circumstances a DPIA will be mandatory, such as when the biometric data of workers are processed for the purposes of uniquely identifying them, or when the monitoring is otherwise likely to result in a high risk to employees. Whether or not a DPIA is mandatory will also depend on the relevant jurisdiction. For example, the CNIL expressly requires DPIAs prior to the “systematic monitoring of employees’ activities” whereas the ICO does not. 

In addition, the use of AI to monitor employees will carry its own risks. Such AI systems may constitute “high-risk” AI systems under the upcoming EU AI Act and will carry their own set of obligations once the EU AI Act enters into force. Such obligations include requirements relating to risk management, human oversight and cybersecurity, as well as transparency and documentation requirements.

Conclusion

The increased use of hybrid environments for work (particularly after the COVID-19 pandemic) and pressure on organisations to seek out more efficient methods of monitoring employees and to gather increased employee data for workforce planning are a few of the many factors leading organisations to consider and adopt new technologies for employee monitoring purposes.

However, organisations should also be mindful of the increased risks and obligations that may arise through the use of such technologies, as demonstrated by the recent decisions of regulators in the EU and UK. As such, organisations should review their monitoring practices regularly and/or conduct DPIAs to assess the proportionality and security of their monitoring systems, and keep themselves updated with developments.