EU legal frameworks for employee monitoring
The right to privacy and data protection have their legal basis in Article 7 and Article 8 of the EU Charter of Fundamental Rights. In the context of employee monitoring, the right to privacy enshrined in Article 8 of the European Convention on Human Rights (ECtHR) has been invoked in landmark rulings across different national jurisdictions. The right to data protection is also regulated by the GDPR, globally regarded as the gold standard in data protection law. Both rights are often protected by constitutional laws in individual Member States.
In addition to the GDPR, EU Directive 2002/14/EC establishes the right of employee representatives to be informed and consulted about substantial changes to work organisation and working conditions. Although seldom explicitly stated in national legislation, the introduction of devices designed to monitor the behaviour or performance of employees would qualify as ‘substantial change to work organisation’ (Article 4) and is therefore subject to information and consultation at workplaces. EU Member States such as Austria, Germany, Finland, France and the Netherlands have national laws granting information and consultation rights to employee representatives on matters of employee monitoring. Laws requiring explicit consultation can help ensure that these technologies are used ethically and responsibly.
New rules for employee monitoring
The use of digital technologies deployed for monitoring purposes inevitably involves the collection of large amounts of data and the processing of personal information at an unprecedented level of detail. Digital technologies such as Internet of Things (IoT) devices (devices that use sensors to capture information, for example, wearables), machine learning applications and data analytics rely on the collection and processing of large amounts of data. This poses significant compliance challenges to the GDPR principle of data minimisation. Furthermore, these and other technologies lack transparency in their data collection and processing, amplifying privacy risks and impeding data subjects’ awareness of these risks.
The following applications raise concerns about potential infringements of workers’ rights, prompting some Member States to introduce new safeguards within their national regulatory frameworks.
Computer vision technologies boosting video surveillance
An emerging application of AI is computer vision technology, which uses machine learning to enable computers and systems to assist in and make decisions based on visual data. This technology was used during the COVID-19 pandemic to ensure employees adhered to workplace safety protocols, such as maintaining social distancing and wearing personal protective equipment (PPE).
When integrated with existing CCTV systems, this technology may push the legal boundaries of what constitutes proportionate and legitimate workplace monitoring. With the surveillance capabilities of the digital camera – including embedded biometric technologies – monitoring extends beyond performance management to include employees’ behaviour and personal characteristics. Such technologies are also becoming more compact and affordable, potentially leading to increase usage in the workplace.
In most EU Member States, the use of CCTV in the workplace is regulated in legislation pre-dating the GDPR. For instance, in Italy, video surveillance equipment has long been regulated by both employment and data protection laws. The installation of such systems in the workplace requires a collective agreement with the works council and compliance with employment regulations. If there is no works council or disagreement regarding installation, authorisation can be sought from the competent local labour inspectorate. A prior impact assessment is required when a video surveillance system uses new technologies that pose a high risk to individuals’ data protection and privacy rights, such as integrated systems linking multiple cameras or intelligent systems.
Also in Spain, the Organic Law 3/2018 on the protection of personal data and guarantee of digital rights guarantees employees’ privacy against the use of a video surveillance system and geolocation in the workplace. The use of such digital devices at work for monitoring purposes is subject to consultation with employee representatives. Collective bargaining agreements at sector or company level may establish additional guarantees and protections.
In recent times, some EU Member States have updated their rules regarding workplace video surveillance and added additional safeguards. In Slovenia, the new 2023 Data Protection Act states that employers must consult with the representative trade unions and the works council or workers' representatives before implementing video surveillance.
In Denmark, the TV Surveillance Act, amended in 2023, permits companies to use remote or automatic cameras or similar devices in workplaces for security and crime prevention purposes only, and not for monitoring employees’ efficiency.
Emerging remote work regulations shaping monitoring practices
The emergence of new hybrid work models – a legacy of the pandemic – has brought additional challenges in the area of employee monitoring to the forefront. During the pandemic, there was a notable spike in the market for employee monitoring software, largely driven by employers wanting to retain the same level of control over employees now working from home. This demand arose as a means to balance the flexibility granted to employees working remotely with the need to maintain productivity and accountability. Post-pandemic, the demand for employee monitoring software has not diminished, as major software producers continue to release new productivity tracking solutions to the market.
Only in a few countries is spyware, which gathers data from a computer without the user's knowledge, and keylogger software, which records every keystroke made on a computer or mobile device, explicitly outlawed. As part of the amendments to regulatory frameworks on telework or remote work, some Member States have recently introduced new provisions regulating employee monitoring within telework or remote work settings. For instance, in Greece, a law introduced in 2021 (Law 4808/2021) explicitly prohibits the monitoring of teleworkers' performance through the use of webcams. In Portugal, a law modifying the telework regime (Law 83/2021) stipulates that employers are required to inform workers about the characteristics and mode of use of devices, programmes and systems to monitor their activity remotely. Similarly, in Cyprus, the framework regulating remote working, which came into effect on 1 December 2023, explicitly prohibits the use of webcams or other invasive technological methods for employee performance evaluation. In 2024, the Bulgarian Labour Code was also updated to include amendments concerning employee monitoring in remote work arrangements, including algorithmic management. Employers are now required to verify algorithmic decisions in work management ensuring human oversight.
Tracking use of social media: Uncharted territory for legislation
The monitoring of employees can also extend to their use of social media. While internal workplace policies may restrict employees’ access to the use of social media, a temptation for some employers is to screen and even extract information from employees’ social media accounts on the assumption that the information is posted publicly. Human Resources services use these types of AI algorithms to provide insights on retaining employees at risk of leaving or ensuring that employees’ public behaviour on social media does not negatively impact the company's reputation.
This type of monitoring can be assessed against the GDPR principle of proportionality to determine if the monitoring is justified, appropriate or necessary. However, questions remain regarding the potential infringements of privacy rights, especially given the lack of specific regulation on the use of social media in the employment context in most Member States. The fact that personal data is publicly accessible does not make GDPR requirements less applicable or reduce the legal protections afforded to the data subject.
Will the EU AI Act curb the use of surveillance technologies in workplaces?
With its emphasis on the protection of fundamental rights and freedoms, the EU AI Act should set additional safeguards against pervasive employee surveillance. The EU AI Act primarily governs high-risk applications of AI – those which pose significant risks to fundamental rights of workers. These applications are subject to scrutiny, checks and conformity assessments, which ensure that the application complies with certain requirements laid out in the Act such as risk management, and transparency. In high-risk AI systems for work management and recruitment, the conformity assessments will take the form of self-assessments conducted by the developers and providers of AI systems. The devil may lie in the detail of these self-assessments, as their accuracy and thoroughness will determine the effectiveness of safeguarding employees' rights and compliance with regulatory standards.
Conclusion
While employee monitoring is a common practice in the workplace, it has also emerged as a significant risk due to the rapid advancement of digital technologies. The line between employee monitoring and surveillance is becoming increasingly blurred, raising concerns at all levels. Despite various safeguards enshrined in both national and EU legislation to protect employees’ privacy and data protection rights, significant regulatory concerns persist due to the sheer volume of data being collected and lack of transparency in many applications.
Smart applications for employee monitoring purposes may push the boundaries of what is considered proportionate and legitimate. In response to the new challenges posed by ever more powerful digital technologies, some Member States have amended existing legislation to provide additional safeguards against intrusive monitoring practices. However, gaps in the legislation still remain. The new EU AI Act mandates self-assessments and oversight mechanisms for high-risk AI applications for recruitment and work management processes that could infringe on workers’ rights. Robust enforcement and oversight by a competent supervisory authority are crucial to ensure accountability and uphold ethical principles and fundamental rights in AI use, and more so when deployed for employee monitoring purposes.
Image © Billijs/Adobe Stock
