Recent Changes in Employee Monitoring Laws and Regulations

Key Changes in Employee Monitoring Laws in 2024

There has been a rapid, global development towards strengthening user privacy laws. Much of this can be attributed to technologies outpacing legal frameworks. The advent and scale of Generative AI (or Gen AI) is one such example.

McKinsey, in 2023, reported that the economic potential of Gen AI applications is between $2.6 trillion and $4.4 trillion annually. But at the same time, understanding, controlling, and guaranteeing safety from Gen AI is a significant challenge for risk and compliance functions. Why? Because there's a lack of transparency about how the models function and about the data used for training, potential for intellectual property infringements, and a host of user privacy violation concerns, all of it at unprecedented scale and speed.

The situation is not as clear-cut in the realm of employee monitoring, but the easy access to and use of employee data (thanks to powerful analytics, use of AI, and unification of data) does call into question the viability of rules and regulations designed for a less data-intensive era.

First off, Is the Move Towards Stricter Regulations Needed?

According to a survey by Top10VPN, the demand for employee monitoring solutions shot up after the pandemic, as much as 75% in March 2020, 75% in Jan 2022, and 73% in Q1 2022. Many companies, large and small, across the world rely on these solutions to ensure that work is on track, people are accountable, and there's no time theft that could be detrimental to both employee privacy and the business's bottom line. But there are two sides to the coin.

Potential for Misuse

Employee monitoring tools are getting more powerful. They are capable of tracking everything from conventional keystrokes to more advanced web browsing and even facial expressions. The benefits, if you think about it, are manifold. Businesses can amplify productivity, identify potential security loopholes and insider threats, discover areas for improvement and devise policies in favour of employees, and even go granular into understanding what works well for employees' well-being.

But at the same time, there's substantial potential for misuse. Businesses can find themselves being too intrusive, to the extent that it leads to a toxic work environment and becomes a breeding ground for distrust. In fact, granular access to activity data can pave the way for discrimination and unfair treatment. Employees' working methods can be misconstrued as slacking off. And that's why it's often reported that employees are unhappy about being put under the scanner. About 39% of employees report that monitoring has a negative impact on their relationship with the employer. 43% confirm that such a practice affects company morale.

Pace of Development

We have often discussed the existing regulations in place, such as the General Data Protection Regulation (GDPR), the Electronic Communications Privacy Act (ECPA), etc. These regulations, especially GDPR, have set high standards for protecting user data and privacy. This includes a well-defined focus on employee data as well.

However, the scope and scale of data collection now possible surpass the capabilities of regulations that were envisioned only a few years back. In simple words, the gap between what's technologically possible and what's legally permissible is widening. The result? A regulatory vacuum that leaves the space open for inadvertent and even intentional misuse of technology for surveillance. So, regulatory reform and continuous dialogue about keeping existing frameworks up to date are a valid call.

Updates & Changes in Employee Monitoring Laws

Given the above concerns, jurisdictions across the world are realising the urgency of implementing laws that promise regulation of AI-powered systems and protection of employee rights and data.

For ease of understanding and comprehension of the impact, we're listing four such major updates and the geographies that will be influenced.

1. ICO Updated Guidance (The UK, 2023)

The Information Commissioner's Office (ICO) has recently stepped up regulation of data-intrusive activities by businesses. The February 2024 case of Serco Leisure Operating Limited receiving an Enforcement Notice from the ICO serves as a good example. The regulator instructed the company to stop processing biometric data. This instruction was backed by Articles 5, 6, and 9, which advocate for fair and lawful processing, a lawful basis for processing, and more.

All of this, against the backdrop of the ICO's updated guidance for lawful monitoring in the UK, suggests that the regulator is keeping pace with technological advancements in the surveillance space. Their idea is to ensure better regulatory certainty, protect employees' data protection rights, and build a business ecosystem that fosters trust among employees and customers.

Here are the key updates to ICO's employment practices and data protection guidelines that bear relevance to the use of employee monitoring software:

  • Monitor workers lawfully: ICO makes it mandatory for businesses to consider the six lawful bases and choose one of them to monitor workers lawfully. These bases include Consent, Contract, Legal Obligation, Vital Interests, Public Task, and Legitimate Interests. Each basis encapsulates procedures that lead to lawful monitoring and keep everything in check.

  • Inform about automated decision-making: ICO defines the action plan for businesses using employee monitoring software that helps with lawful automated decision-making. In such a case, businesses need to inform the employees of the information being processed and the underlying logic of such processing. The employees also need to be given the opportunity to demand human intervention.

  • Checklists: For ease of mapping the regulatory requirements to company-wide practices, ICO offers checklists that businesses can use for data protection considerations.

2. CNIL Enforcement Actions (France, 2023-2024)

The National Commission on Informatics and Liberty (CNIL) of France has an approach akin to ICO in ensuring businesses are held accountable for misuse of employee data — precisely what their recent €32 million fine on Amazon France Logistique tells us.

The French Data Protection Authority ruled that Amazon had set up an illegal monitoring system wherein the company measured granular work interruptions for micromanaging employees. The overarching response of the authority towards Amazon was a sanction against several GDPR breaches, including those related to employee monitoring using scanners, failure to ensure lawful processing according to Article 6 of GDPR, and more.

That said, here are the recent updates to CNIL's response to employee monitoring that concerned businesses must keep a check on:

  • The aggregation and holding time of data: One key piece of information from CNIL's recent ruling is that they have a strict focus on how long companies are holding employees' data and whether that period is justifiable. To borrow from Amazon's example, CNIL observed that the warehouse scanner data collected over the month was used for statistical analysis. The regulator instead ruled that one week is enough for assessing performance and identifying training needs.

  • Transparency of information: While not a fresh facet, CNIL's decision raised eyebrows over how businesses avoid informing employees (including temporary workers) about the practice and extent of monitoring, something that won't be entertained by regulators.

3. DPDP Act (India, 2023-2024)

The Digital Personal Data Protection Act of 2023 is pending legislation and public consultation, but it's expected to bring about a slew of significant changes in the Indian employee monitoring landscape.

The Act brings forward a balanced approach to consent regarding employee data use. According to it, employers must obtain employees' consent for data processing. This will limit the non-consensual use of data at the hands of company HR departments. However, the Act reserves employers' right to proceed without consent in scenarios that qualify as "certain legitimate uses." These include situations related to loss or liability.

4. Changes to GDPR (EU, 2023)

The European Union is also updating the otherwise well-established GDPR policies that control employee monitoring across the EU and are, in fact, a staple set of rules for regulating surveillance worldwide. Some key changes relate to:

  • Fostering better functioning of cross-border cases, with better admissibility of complaints and streamlining of dispute resolution
  • Providing a better stage to parties under investigation, so that their voices are heard and swift resolutions are offered

These are more qualitative updates to refine the regulatory landscape, but their impact could be significant when it comes to consistency in enforcing and implementing GDPR principles across the EU.

Key Takeaways

  • Regulators worldwide are responding to the use of better technology to monitor employees and ensuring that it's done in a lawful way
  • Employees' rights are front and center of these new updates
  • Any misuse of monitoring technologies and employee data would invite greater scrutiny and accountability
