We are observing growing regulatory scrutiny of advanced employee monitoring practices, particularly from the European Union. Here are the key takeaways:
1. Advanced Threat Monitoring Technologies are Evolving Rapidly, Increasing the Surveillance Points Available to Employers.
Advanced threat monitoring technologies are becoming increasingly sophisticated. They can monitor not only incoming and outgoing network traffic but a wide range of employee activity, using features such as screen recording and keystroke logging. Solutions that advertise proactive capabilities, designed to help organizations identify threats before they materialize, increasingly rely on a large array of data and surveillance points to conduct behavioral pattern analysis, often building a profile of each employee.
In addition to increased surveillance capabilities and employee profiling techniques, many technology providers are also advertising the ability to use the detailed employee monitoring data for secondary, non-security purposes (such as assessing employee productivity or predicting when an employee may be planning to leave their job).
2. Covert Monitoring is Increasingly at Odds with Insider Transparency Obligations.
The level of privacy employees can expect in the workplace varies by jurisdiction. For example, employees in the United States (U.S.) have a relatively low expectation of privacy in the workplace, and employers face few restrictions on their ability to monitor employee activities. In contrast, in the European Union (EU) and the United Kingdom (UK), the expectation of privacy in the workplace is much greater, and an employer's legitimate interest in monitoring employees must be expressly balanced against employees' privacy rights.
Regardless of whether employees have a reasonable expectation of privacy in the workplace, covert monitoring of employees (i.e., monitoring without prior notice) is becoming increasingly difficult to justify. For example, the laws of Connecticut, Delaware and, most recently, New York require employers in those states to, among other things, give employees prior written notice of their monitoring practices. In addition, the California Consumer Privacy Act requires employers to provide notice of their employee personal data collection practices; that notice will need to be more detailed starting in January 2023, when the amendments introduced by the California Privacy Rights Act take effect and the limited exceptions for employee personal data expire.
In the European Union, employers are also generally required to provide notice of their data practices to employees under the General Data Protection Regulation (“GDPR”). EU regulators and courts take the position that covert employee monitoring should be a means of last resort and limited to specific cases where there is a concrete suspicion of serious wrongdoing and, in particular, criminal behavior.
The rules for monitoring can be more restrictive depending on the applicable EU Member State law. Germany, for instance, has implemented more restrictive provisions in its Federal Data Protection Act, under which monitoring to detect criminal offenses or other serious wrongdoing is permitted only if (i) there are factual indications giving rise to a suspicion that the employee committed such an act in the course of the employment relationship, (ii) the processing is necessary to detect the offense, and (iii) the employee's legitimate interest in excluding the processing does not outweigh the employer's interests.
3. Continuous and Indiscriminate Monitoring is Increasingly Difficult to Justify as Being Proportionate.
Comprehensive privacy laws are evolving to focus not only on informed data processing but also on proportionate data processing. For example, under the EU's GDPR and the UK's Data Protection Act 2018, the scope of employee monitoring must be a proportionate response to the risks the employer faces. This generally requires the employer to identify a legitimate business interest in monitoring that outweighs employees' interest in privacy, and to pursue that interest by the least intrusive means available. For instance, if internet misuse can be prevented with web filters, the employer has no general right to monitor employees' internet use.
Where monitoring is continuous and indiscriminate (that is, it runs around the clock over long periods for all employees regardless of risk), identifying a legitimate business interest in such extensive monitoring that outweighs employees' privacy interests can be exceedingly difficult. German supervisory authorities, for instance, consider permanent monitoring impermissible and permit only temporary monitoring of specific individuals.
4. Advanced Monitoring Techniques are Increasingly Difficult to Justify Based on Abstract Security Concerns Alone.
Historically, employers have justified employee monitoring by pointing to general or abstract security concerns (i.e., if we don't watch our employees, we can't prevent security incidents). While regulators seem comfortable with that justification for basic security measures like automated firewalls, we increasingly see regulators take the position that abstract, potential security risks cannot justify widespread and invasive advanced monitoring techniques (including keystroke logging and screen recording). Instead, according to many regulators (particularly within the EU), advanced monitoring techniques should be reserved for higher-risk situations, such as where the employer has a reasonable basis to believe an employee poses an imminent threat to the security or safety of the company.
Some regulators are even taking the position that extensive advanced employee monitoring by itself may be incompatible with an employer’s obligation to ensure such monitoring is proportionate, regardless of the justification an employer may try to rely on.
5. Scope Creep of Advanced Monitoring Technologies Steps Outside Traditional Justifications.
As noted above, the vast data troves created by advanced monitoring technologies can often be used for multiple secondary, non-security purposes (such as productivity monitoring or employee departure risk).
However, comprehensive privacy laws across the globe are evolving to adopt the purpose limitation principle enshrined in the EU GDPR (i.e., that personal data be "collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes"). The purpose limitation principle, in combination with the proportionality obligations described above, creates a significant barrier for employers seeking to use employee monitoring data justified on a security purpose for secondary, non-security objectives.
Regulators are increasingly skeptical of these secondary, non-security uses of employee monitoring data, and we anticipate many regulators may outright reject them when the data to be used is collected using advanced monitoring technologies that present a significant impact to employee privacy.
6. Need to Conduct Privacy Impact Assessments and Consult with Employee Representatives.
Under the GDPR, such monitoring technologies generally require a data protection impact assessment before the monitoring is activated. In addition, some countries, such as Germany, may require employers not only to consult with works councils but to obtain their approval.
What Should Companies Do If They Want to Engage in Employee Monitoring?
- Carefully review the capabilities and monitoring techniques of any vendor you plan to engage for advanced threat monitoring purposes—including analyzing potential privacy-focused settings (such as identity masking).
- Carefully assess which data protection laws are applicable and what the specific requirements of the jurisdictions are (including requirements to engage with local works council or regulators).
- Perform a privacy assessment of the technology and, where appropriate, required data protection impact or similar assessments.
- Ensure contracts with vendors properly address data protection law requirements and limit their ability to use data for secondary purposes.
- Develop program documentation and processes to justify the monitoring, such as by:
  - Providing prior notice of monitoring practices to all impacted employees.
  - Limiting monitoring techniques used to the least intrusive measures by default (e.g., metadata monitoring only).
  - Implementing tiered monitoring practices based on the risk presented by each employee group (e.g., employees handling particularly sensitive data may require heightened monitoring).
  - Developing technical and procedural measures designed to prevent the recording, review, and retention of non-work-related personal data (including considering whether applicable law allows the employer to prohibit personal use of company-owned systems).
  - Retaining data collected through advanced monitoring systems only for as long as necessary for the purpose for which it was collected (shorter retention periods typically being easier to justify).
  - Adding human oversight of the deployment of advanced and intrusive monitoring practices (such as through prior human approval and/or after-the-fact audits).
- Keep an eye out for technology improvements that could impact prior assessments.
- Reach out to employee representatives where required under applicable law.
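As an added illustration of the program measures listed above (least intrusive capture by default, tiered monitoring by employee group, time-boxed escalation that requires a named human approver and a documented reason, and retention limits), the following Python sketch is not from the original page or from any vendor product. The capture levels, group baselines, retention periods and the 14-day cap on a single escalation are assumed values chosen for the example, and the subject names and telemetry lines are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from enum import IntEnum


class CaptureLevel(IntEnum):
    """Capture levels ordered from least to most intrusive (assumed tiers)."""
    METADATA = 1  # connection logs, file-access events, no content
    CONTENT = 2   # inspection of transferred content (e.g. DLP)
    FULL = 3      # screen recording / keystroke logging

# Assumed retention per level: more intrusive data is kept for less time.
RETENTION = {
    CaptureLevel.METADATA: timedelta(days=90),
    CaptureLevel.CONTENT: timedelta(days=30),
    CaptureLevel.FULL: timedelta(days=7),
}
# Assumed baseline per employee group (tiered monitoring); no group starts at FULL.
GROUP_BASELINE = {"general": CaptureLevel.METADATA, "privileged_admin": CaptureLevel.CONTENT}
MAX_ESCALATION = timedelta(days=14)  # assumed upper bound for one approval


@dataclass
class Escalation:
    level: CaptureLevel
    reason: str           # the concrete suspicion being documented
    approved_by: str      # named human approver
    expires_at: datetime  # every escalation is time-boxed


@dataclass
class Record:
    subject: str
    level: CaptureLevel
    collected_at: datetime
    payload: str


class MonitoringPolicy:
    def __init__(self, now: datetime):
        self.now = now  # plain attribute so a caller (or test) can advance the clock
        self._escalations: dict[str, Escalation] = {}
        self.records: list[Record] = []
        self.audit: list[str] = []  # what an after-the-fact review would read

    def permitted_level(self, subject, group) -> CaptureLevel:
        """Group baseline, raised only by an unexpired, approved escalation."""
        esc = self._escalations.get(subject)
        if esc is not None and esc.expires_at > self.now:
            return esc.level
        return GROUP_BASELINE[group]

    def escalate(self, subject, group, level, reason, approved_by, duration) -> bool:
        """Record a time-boxed escalation. Refused without a named approver and a
        concrete reason, if it does not exceed the baseline, or if the window is too long."""
        if not approved_by or not reason.strip():
            self.audit.append(f"DENIED {subject}: no approver or reason")
            return False
        if level <= GROUP_BASELINE[group] or duration > MAX_ESCALATION:
            self.audit.append(f"DENIED {subject}: not above baseline or window too long")
            return False
        expires = self.now + duration
        self._escalations[subject] = Escalation(level, reason, approved_by, expires)
        self.audit.append(f"APPROVED {subject}: {level.name} until {expires.isoformat()} by {approved_by} ({reason})")
        return True

    def ingest(self, record, group) -> bool:
        """Store a record only if its level is currently permitted for the subject;
        anything more intrusive is dropped, never stored, and audited."""
        if record.level > self.permitted_level(record.subject, group):
            self.audit.append(f"DROPPED {record.level.name} record for {record.subject}")
            return False
        self.records.append(record)
        return True

    def purge_expired(self) -> int:
        """Delete records older than the retention period of their capture level."""
        keep = [r for r in self.records if self.now - r.collected_at <= RETENTION[r.level]]
        removed = len(self.records) - len(keep)
        self.records = keep
        return removed


def run_scenario() -> dict:
    """Constructed walk-through on sample data (not real telemetry)."""
    t0 = datetime(2023, 1, 9, 9, 0, tzinfo=timezone.utc)
    p = MonitoringPolicy(now=t0)
    out = {}
    out["full_dropped_by_default"] = p.ingest(Record("alice", CaptureLevel.FULL, t0, "<screenshot>"), "general")
    out["metadata_kept"] = p.ingest(Record("alice", CaptureLevel.METADATA, t0, "conn 10.0.0.5:443"), "general")
    out["unapproved_refused"] = p.escalate("alice", "general", CaptureLevel.FULL, "exfil alert", None, timedelta(days=3))
    out["not_above_baseline"] = p.escalate("bob", "privileged_admin", CaptureLevel.CONTENT, "check", "cso@example", timedelta(days=1))
    out["window_too_long"] = p.escalate("bob", "general", CaptureLevel.FULL, "check", "cso@example", timedelta(days=30))
    out["approved"] = p.escalate("alice", "general", CaptureLevel.FULL, "exfil alert", "cso@example", timedelta(days=3))
    out["full_kept_after_approval"] = p.ingest(Record("alice", CaptureLevel.FULL, t0, "<screenshot>"), "general")
    p.now = t0 + timedelta(days=4)   # escalation window has lapsed
    out["level_after_expiry"] = p.permitted_level("alice", "general")
    p.now = t0 + timedelta(days=10)  # FULL record is past its 7-day retention, metadata is not
    out["purged"] = p.purge_expired()
    out["remaining"] = len(p.records)
    return out
```

Two design choices matter here. Escalations are keyed per subject and expire on their own, so reverting to the baseline requires no action and a forgotten escalation cannot silently become permanent monitoring. And records above the permitted level are dropped at ingest rather than stored and filtered later, so the intrusive data never exists to be repurposed for the secondary uses discussed above.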