The risks of online employee monitoring during the COVID-19 crisis
“Social distancing” and the lockdown measures adopted during the current Covid-19 health crisis have set homeworking as the new standard for many employees around the world and in particular in the European Union. Companies are forced to implement new tools quickly (software, platforms, applications or IT equipment) to ensure business continuity. The stakes are high: the ultimate goal is to provide assurance to their employees, customers and partners that it's "business as usual".
However, this sudden and unprecedented shift from the offline to the online world leads to an ever-increasing collection of personal data concerning employees. No more physical team meetings on Monday mornings. These meetings are now taking place on videoconference platforms, and coffee breaks with your colleagues are being replaced by emojis that are shared on instant messaging apps.
Some of the features offered by these various online platforms can have a significant impact on employees’ privacy. Some employers may be tempted to monitor their employees remotely. For example, some videoconference platforms allow event hosts to analyse their participants’ attentiveness in real time. Others allow meetings to be recorded. Such recordings may include the participants' voice, chats, and faces but also their private surroundings at home –as captured via their webcams- as well as the screens shared by the speakers. Other websites enable automatic transcriptions.
Over the years, Data Protection Authorities (DPA) in the EU have adopted guidelines on employee monitoring and have been adapting these guidelines to technological developments. In France, for example, the CNIL’s guidelines concern the monitoring of Internet or e-mail use by employees, monitoring and recording calls, and the combination of video recording or screenshots with recordings of phone conversations. Such guidelines may be used as a basis for implementing new tools such as video-conferencing software to enable employees to continue to work from home.
In light of recent events, the EDPB has announced that it is preparing guidelines on teleworking tools and practices in the context of the COVID-19 outbreak. However, the adoption of these guidelines has been postponed in order to give priority to guidance on contact-tracing apps and processing of health data for research purposes.
The Covid-19 crisis does not alter the principles and rules on which the protection of employees' privacy is based. Regardless of the technology, tools and third-party providers that are being used, companies who offer homeworking tools to their employees must ensure that the processing of their employee data complies with the principles and rules under the General Data Protection Regulation (GDPR) and must also be aware of the specific rules that govern employees’ privacy under national laws.
1. Purpose limitation: to what end?
Regardless of the current situation, the purpose of the processing must be specified, explicit and legitimate. Some companies may be collecting – knowingly or even unintentionally – large amounts of personal data without a predefined and specific purpose. Some companies may also want to set up an automated and systematic monitoring of their employees’ performance, for example through enhanced monitoring of the working hours. Companies must ensure that such processing has a legitimate purpose.
2. Data minimisation: are all personal data collected necessary?
Personal data may only be collected if necessary to achieve a specific purpose. In the current Covid-19 crisis, the underlying principle of proportionality is crucial. For example, is it necessary to systematically record videoconference meetings or to collect the chats posted by employees in order to organise virtual events? Similarly, is it proportionate to collect data on the duration and frequency of employee breaks to monitor their working hours? Also, what data is needed to ensure the security of the company's information systems (e.g. webcam activation, recording of mouse movements, screenshots)? Companies will need to assess how the data protection by design and by default must be embedded into those tools to comply with the data minimization principle.
In addition, employees have a role to play in limiting the amount of personal data that is collected by their employers. For example, they should avoid using work-related videoconferencing tools for their private communications or browsing on their professional laptop during their free time; they must remember to log off from videoconference sessions and switch off their webcams when they are not in use; and they should only provide information that is necessary for the purpose of registering on a work-related tool (e.g. name and email address).
3. Lawfulness: is the processing lawful?
In the given context, companies must assess on what legal grounds they may collect and process the personal data of their employees. In the employment context, it is generally advised not to rely on an employee's consent given the imbalance of powers between an employee and an employer, and the fact that consent is generally not given freely by the employee. Instead, companies may rely on the necessity to process employee data for the performance of the employment contract between the employer and the employee. Employers may argue that the online tools are necessary to ensure their employees can continue to work and thus to perform their employment duties. Alternatively, companies may rely on the existence of a legitimate interest to carry out the processing. As always, the legal grounds for the processing must be analysed on a case-by-case basis, and will vary depending on the circumstances of each processing, the rights and freedoms of employees, their reasonable expectations and the safeguards that are implemented to protect such rights.
4. Transparency: have all employees been informed?
Transparency towards employees is key in the given context. Unlike other forms of employee monitoring (such as the use of CCTV cameras), online monitoring is not so obvious for employees and can easily go unnoticed. In such circumstances, the border between lawful and covert surveillance is very thin.
Therefore, employees must be individually informed in accordance with Art. 13 and 14 of the GDPR. Employee privacy policies may need to be updated to inform employees about any changes that are made to a company’s internal practices or processes, including the introduction of any new technology into the workspace. Specifically, companies will need to ensure that their privacy policies properly reflect and describe the purposes of the processing, the legal grounds on which the data are being processed, the recipients of the data, and the period during which the data is retained. Substantial changes made to the policies will need to be clearly brought to the attention of employees via appropriate means of communication (e.g. on the intranet or directly by email).
Companies must also ensure they comply with national labour laws, which may require them to inform or consult the employee representative bodies, such as work councils. In particular, some national laws may impose a prior information or consultation of the Works Council if the company decides to use new technology to monitor the activities of its employees. Such laws will vary from one EU member state to another and are not harmonised at EU level. For example, the French Supreme Court recently upheld a decision of a court of appeal ordering a company to suspend its use of new HR software used for time management on the grounds that the software had been installed and used without prior notification and information of the competent council therefore violating the rules of the Labour Code.
5. Integrity and confidentiality: how to ensure continuous security?
Homeworking is also a game-changer in terms of data security. Employees are now using more frequently their personal equipment (computers, laptops, smartphones) for professional purposes and are relying on VPN connections to remotely access their companies’ information systems, which can increase the level of risk for companies. At EU level, the European Network and Information Security Agency (ENISA) has released some practical tips on how to implement homeworking software. At a national level, some DPAs have also issued guidelines, such as the CNIL's guidelines to employers and employees, which provide some best practices. The CNIL also recently updated its fact sheet on BYOD (Bring Your Own Device) to address specifically some of these issues. In addition, the French National Agency for the Security of Information Systems (ANSSI)'s recommendations on "digital nomadism" also provide guidelines on how to secure remote access and ensure data confidentiality and integrity as well as user authentication.
Some DPAs have also recently adopted guidelines on the use of videoconferencing tools. For example, the Irish DPA provides a comprehensive list of tips for both employees and employers. The CNIL also provides a list of precautions to take before downloading any videoconferencing apps. Among these tips, one will note checking the vendor's privacy policy, including the information on processing purposes (e.g. advertising purposes) and the security measures such as end-to-end encryption. Users are also advised to check the confidentiality settings of such tools and to turn off the microphones and webcams of their devices when they are not being used.
Against this background, companies must implement appropriate security measures and may need to update their security policies and other internal documentation, to address specific issues such as homeworking and BYOD.
In addition, the threat of data security breaches has also increased, as hackers and other cybercriminals take advantage of the vulnerability of companies to send them phishing emails or spam. Companies must therefore be on the lookout and draw the attention of their employees to such risks. Let us recall that the loss, destruction or unauthorized access to personal data, whether accidental or intentional, amounts to a personal data breach under the GDPR, which may require notifying the competent Data Protection Authorities and in some cases the individuals themselves if the risk caused by the data breach is high.
Finally, before entering into a contract with third-party service providers, companies must carry out their due diligence and review the security measures that are put in place by their vendors and IT service providers, in accordance with Article 28 of the GDPR.
6. The principle of accountability: how to train employees?
More than ever, employees need training on how to use these new homeworking tools properly. This may require companies to provide specific training to their employees and possibly to update any internal guidelines on how to access and process personal data. At this time, companies may find it useful or even necessary to explain to their employees how to use videoconference tools appropriately and in a secure manner. To this end, companies may choose to provide guidelines on how and when to record videoconferences with a view to limiting the systematic recording of videoconference and sharing of such recordings. The Irish DPC recommends providing employees with clear and understandable information on the settings such tools provide to ensure data security and to protect personal data and the confidentiality of electronic communications.
7. Data Protection Impact Assessment (DPIA)
Furthermore, in light of the current circumstances, companies may need to carry out a data protection impact assessment whenever the processing is "likely to result in a high risk for the rights and freedoms” for individuals (art. 35 of the GDPR). In practice, a DPIA is required when at least two of the nine criteria identified in the EDPB's Guidelines are met, for example: (1) systematic monitoring, (2) data concerning vulnerable subjects, i.e. employees, (3) innovative use (incl. new technologies), and (4) evaluation or scoring, including the profiling of employee performance.
At a national level, some DPAs have identified the continuous monitoring of employees as a type of processing that systematically requires a DPIA (for example, in France the CNIL blacklisted processing carried out for the purpose of "constantly monitor the activities of the employees concerned").
8. Protecting the rights of employees
In their capacity as data subjects, employees may continue to exercise the rights that are granted to them under the GDPR, such as the right of access and the right to object.
The new homeworking conditions may incite some employees to send queries to their employers about the manner in which their personal data are being processed. Regardless of the current situation, companies must continue to protect the rights of their employees, including by ensuring that any requests made by employees are handled properly and efficiently by the different stakeholders within the company (IT, HR, Data Protection Officer, etc.). This can be challenging at a time when everyone is supposedly confined at home. As a result, individuals should expect "unavoidable" delays in the handling of the requests, according to the Irish and the British DPAs. The GDPR does not make any exceptions, even though the procedure for responding to data subject access requests may need to be adapted to the current situation. In that regard, the Irish DPA recommends responding to data subject requests in several phases: first to provide electronic records and then the hard copies if possible.
Moreover, it is worth noting that employees have a right to object "on grounds relating to [their] particular situation" if the processing involves an automated processing of their personal data (including profiling) on which decisions about them are being made (art. 21 of the GDPR). Consequently, should employers choose to make decisions that will have a legal effect on their employees or significantly affect them otherwise, such employees are entitled to challenge those decisions and request a human intervention to their employer (Art. 22(1) of the GDPR).
In conclusion, the current Covid-19 crisis is forcing organizations to re-think and change the way people work and interact with one another. As a result, organizations must be attentive not to use any technology in a manner that could violate the privacy rights of their employees. Even in times of crisis, the Data Protection Authorities will continue to protect the rights of individuals and to enforce the GDPR and national data protection laws. While some DPAs (e.g. UK and Ireland) seem conscious that they must release the pressure of enforcement for some time, this does not mean that they will turn a blind eye in case of serious infringements to the GDPR.
Olivier Proust
Partner – Belgium | Brussels
Olivier.Proust@fieldfisher.com
Sixtine Crouzet
Associate – Belgium | Brussels
Sixtine.Crouzet@fieldfisher.com
Hazel Grant
Partner – UK | London
Hazel.Grant@fieldfisher.com
Phil Lee
Partner – UK | London
Phil.Lee@fieldfisher.com
Thorsten Ihler
Partner – Germany
Thorsten.Ihler@fieldfisher.com
Dr Felix Wittern
Partner – Germany | Hamburg
Felix.Wittern@fieldfisher.com
However, this sudden and unprecedented shift from the offline to the online world leads to an ever-increasing collection of personal data concerning employees. No more physical team meetings on Monday mornings. These meetings are now taking place on videoconference platforms, and coffee breaks with your colleagues are being replaced by emojis that are shared on instant messaging apps.
Some of the features offered by these various online platforms can have a significant impact on employees’ privacy. Some employers may be tempted to monitor their employees remotely. For example, some videoconference platforms allow event hosts to analyse their participants’ attentiveness in real time. Others allow meetings to be recorded. Such recordings may include the participants' voice, chats, and faces but also their private surroundings at home –as captured via their webcams- as well as the screens shared by the speakers. Other websites enable automatic transcriptions.
Over the years, Data Protection Authorities (DPA) in the EU have adopted guidelines on employee monitoring and have been adapting these guidelines to technological developments. In France, for example, the CNIL’s guidelines concern the monitoring of Internet or e-mail use by employees, monitoring and recording calls, and the combination of video recording or screenshots with recordings of phone conversations. Such guidelines may be used as a basis for implementing new tools such as video-conferencing software to enable employees to continue to work from home.
In light of recent events, the EDPB has announced that it is preparing guidelines on teleworking tools and practices in the context of the COVID-19 outbreak. However, the adoption of these guidelines has been postponed in order to give priority to guidance on contact-tracing apps and processing of health data for research purposes.
The Covid-19 crisis does not alter the principles and rules on which the protection of employees' privacy is based. Regardless of the technology, tools and third-party providers that are being used, companies who offer homeworking tools to their employees must ensure that the processing of their employee data complies with the principles and rules under the General Data Protection Regulation (GDPR) and must also be aware of the specific rules that govern employees’ privacy under national laws.
1. Purpose limitation: to what end?
Regardless of the current situation, the purpose of the processing must be specified, explicit and legitimate. Some companies may be collecting – knowingly or even unintentionally – large amounts of personal data without a predefined and specific purpose. Some companies may also want to set up an automated and systematic monitoring of their employees’ performance, for example through enhanced monitoring of the working hours. Companies must ensure that such processing has a legitimate purpose.
2. Data minimisation: are all personal data collected necessary?
Personal data may only be collected if necessary to achieve a specific purpose. In the current Covid-19 crisis, the underlying principle of proportionality is crucial. For example, is it necessary to systematically record videoconference meetings or to collect the chats posted by employees in order to organise virtual events? Similarly, is it proportionate to collect data on the duration and frequency of employee breaks to monitor their working hours? Also, what data is needed to ensure the security of the company's information systems (e.g. webcam activation, recording of mouse movements, screenshots)? Companies will need to assess how the data protection by design and by default must be embedded into those tools to comply with the data minimization principle.
In addition, employees have a role to play in limiting the amount of personal data that is collected by their employers. For example, they should avoid using work-related videoconferencing tools for their private communications or browsing on their professional laptop during their free time; they must remember to log off from videoconference sessions and switch off their webcams when they are not in use; and they should only provide information that is necessary for the purpose of registering on a work-related tool (e.g. name and email address).
3. Lawfulness: is the processing lawful?
In the given context, companies must assess on what legal grounds they may collect and process the personal data of their employees. In the employment context, it is generally advised not to rely on an employee's consent given the imbalance of powers between an employee and an employer, and the fact that consent is generally not given freely by the employee. Instead, companies may rely on the necessity to process employee data for the performance of the employment contract between the employer and the employee. Employers may argue that the online tools are necessary to ensure their employees can continue to work and thus to perform their employment duties. Alternatively, companies may rely on the existence of a legitimate interest to carry out the processing. As always, the legal grounds for the processing must be analysed on a case-by-case basis, and will vary depending on the circumstances of each processing, the rights and freedoms of employees, their reasonable expectations and the safeguards that are implemented to protect such rights.
4. Transparency: have all employees been informed?
Transparency towards employees is key in the given context. Unlike other forms of employee monitoring (such as the use of CCTV cameras), online monitoring is not so obvious for employees and can easily go unnoticed. In such circumstances, the border between lawful and covert surveillance is very thin.
Therefore, employees must be individually informed in accordance with Art. 13 and 14 of the GDPR. Employee privacy policies may need to be updated to inform employees about any changes that are made to a company’s internal practices or processes, including the introduction of any new technology into the workspace. Specifically, companies will need to ensure that their privacy policies properly reflect and describe the purposes of the processing, the legal grounds on which the data are being processed, the recipients of the data, and the period during which the data is retained. Substantial changes made to the policies will need to be clearly brought to the attention of employees via appropriate means of communication (e.g. on the intranet or directly by email).
Companies must also ensure they comply with national labour laws, which may require them to inform or consult the employee representative bodies, such as work councils. In particular, some national laws may impose a prior information or consultation of the Works Council if the company decides to use new technology to monitor the activities of its employees. Such laws will vary from one EU member state to another and are not harmonised at EU level. For example, the French Supreme Court recently upheld a decision of a court of appeal ordering a company to suspend its use of new HR software used for time management on the grounds that the software had been installed and used without prior notification and information of the competent council therefore violating the rules of the Labour Code.
5. Integrity and confidentiality: how to ensure continuous security?
Homeworking is also a game-changer in terms of data security. Employees are now using more frequently their personal equipment (computers, laptops, smartphones) for professional purposes and are relying on VPN connections to remotely access their companies’ information systems, which can increase the level of risk for companies. At EU level, the European Network and Information Security Agency (ENISA) has released some practical tips on how to implement homeworking software. At a national level, some DPAs have also issued guidelines, such as the CNIL's guidelines to employers and employees, which provide some best practices. The CNIL also recently updated its fact sheet on BYOD (Bring Your Own Device) to address specifically some of these issues. In addition, the French National Agency for the Security of Information Systems (ANSSI)'s recommendations on "digital nomadism" also provide guidelines on how to secure remote access and ensure data confidentiality and integrity as well as user authentication.
Some DPAs have also recently adopted guidelines on the use of videoconferencing tools. For example, the Irish DPA provides a comprehensive list of tips for both employees and employers. The CNIL also provides a list of precautions to take before downloading any videoconferencing apps. Among these tips, one will note checking the vendor's privacy policy, including the information on processing purposes (e.g. advertising purposes) and the security measures such as end-to-end encryption. Users are also advised to check the confidentiality settings of such tools and to turn off the microphones and webcams of their devices when they are not being used.
Against this background, companies must implement appropriate security measures and may need to update their security policies and other internal documentation, to address specific issues such as homeworking and BYOD.
In addition, the threat of data security breaches has also increased, as hackers and other cybercriminals take advantage of the vulnerability of companies to send them phishing emails or spam. Companies must therefore be on the lookout and draw the attention of their employees to such risks. Let us recall that the loss, destruction or unauthorized access to personal data, whether accidental or intentional, amounts to a personal data breach under the GDPR, which may require notifying the competent Data Protection Authorities and in some cases the individuals themselves if the risk caused by the data breach is high.
Finally, before entering into a contract with third-party service providers, companies must carry out their due diligence and review the security measures that are put in place by their vendors and IT service providers, in accordance with Article 28 of the GDPR.
6. The principle of accountability: how to train employees?
More than ever, employees need training on how to use these new homeworking tools properly. This may require companies to provide specific training to their employees and possibly to update any internal guidelines on how to access and process personal data. At this time, companies may find it useful or even necessary to explain to their employees how to use videoconference tools appropriately and in a secure manner. To this end, companies may choose to provide guidelines on how and when to record videoconferences with a view to limiting the systematic recording of videoconference and sharing of such recordings. The Irish DPC recommends providing employees with clear and understandable information on the settings such tools provide to ensure data security and to protect personal data and the confidentiality of electronic communications.
7. Data Protection Impact Assessment (DPIA)
Furthermore, in light of the current circumstances, companies may need to carry out a data protection impact assessment whenever the processing is "likely to result in a high risk for the rights and freedoms” for individuals (art. 35 of the GDPR). In practice, a DPIA is required when at least two of the nine criteria identified in the EDPB's Guidelines are met, for example: (1) systematic monitoring, (2) data concerning vulnerable subjects, i.e. employees, (3) innovative use (incl. new technologies), and (4) evaluation or scoring, including the profiling of employee performance.
At a national level, some DPAs have identified the continuous monitoring of employees as a type of processing that systematically requires a DPIA (for example, in France the CNIL blacklisted processing carried out for the purpose of "constantly monitor the activities of the employees concerned").
8. Protecting the rights of employees
In their capacity as data subjects, employees may continue to exercise the rights that are granted to them under the GDPR, such as the right of access and the right to object.
The new homeworking conditions may incite some employees to send queries to their employers about the manner in which their personal data are being processed. Regardless of the current situation, companies must continue to protect the rights of their employees, including by ensuring that any requests made by employees are handled properly and efficiently by the different stakeholders within the company (IT, HR, Data Protection Officer, etc.). This can be challenging at a time when everyone is supposedly confined at home. As a result, individuals should expect "unavoidable" delays in the handling of the requests, according to the Irish and the British DPAs. The GDPR does not make any exceptions, even though the procedure for responding to data subject access requests may need to be adapted to the current situation. In that regard, the Irish DPA recommends responding to data subject requests in several phases: first to provide electronic records and then the hard copies if possible.
Moreover, it is worth noting that employees have a right to object "on grounds relating to [their] particular situation" if the processing involves an automated processing of their personal data (including profiling) on which decisions about them are being made (art. 21 of the GDPR). Consequently, should employers choose to make decisions that will have a legal effect on their employees or significantly affect them otherwise, such employees are entitled to challenge those decisions and request a human intervention to their employer (Art. 22(1) of the GDPR).
In conclusion, the current Covid-19 crisis is forcing organizations to re-think and change the way people work and interact with one another. As a result, organizations must be attentive not to use any technology in a manner that could violate the privacy rights of their employees. Even in times of crisis, the Data Protection Authorities will continue to protect the rights of individuals and to enforce the GDPR and national data protection laws. While some DPAs (e.g. UK and Ireland) seem conscious that they must release the pressure of enforcement for some time, this does not mean that they will turn a blind eye in case of serious infringements to the GDPR.
For more information on how we can assist employers with their rights and obligations to protect the privacy of their staff, please contact a member of the team:
Olivier Proust Partner – Belgium | Brussels
Olivier.Proust@fieldfisher.com
Sixtine CrouzetAssociate – Belgium | Brussels
Sixtine.Crouzet@fieldfisher.com
Hazel GrantPartner – UK | London
Hazel.Grant@fieldfisher.com
Phil LeePartner – UK | London
Phil.Lee@fieldfisher.com
Thorsten IhlerPartner – Germany
Thorsten.Ihler@fieldfisher.com
Dr Felix WitternPartner – Germany | Hamburg
Felix.Wittern@fieldfisher.com