This article was co-authored by Rebecca Dooley, Trainee Solicitor, Dublin.
Automated surveillance of employees by their employers is not a new practice and originates as far back as the Industrial Revolution. However, with technological advancements and the COVID-19 pandemic having escalated new ways of working, including remote working, the monitoring of this work has been called into question.
This is particularly so in light of the increased use of Artificial Intelligence (AI) in software that monitors user location as well as user activity, such as keystroke and computer activity and eye tracking.
Whilst there is often a genuine business need that underpins a certain level of employee surveillance in the workplace, such as time recording, safety and security of employees and supervising employee output, the emergence of AI in the workplace has given rise to employees raising concerns about their rights and freedoms.
Outside of the EU, there have been cases where AI-collected data has been deployed against employees in employment rights cases. For example, the decision of the British Columbia Civil Resolution Tribunal Case on the use of data collected by employee-tracking software, Besse v Reach CPA Inc [11.01.23]. The Court allowed evidence from a time tracking application, which showed the Applicant had logged just over 50 hours of work that was said not to have been spent on work-related tasks.
Large amounts of personal data is processed in the workplace on a daily basis, requiring employers to comply with the EU General Data Protection Regulation (GDPR), to protect the rights of employees. While the GDPR – implemented into Irish law by virtue of the Data Protection 2018 - goes someway to clarify employee rights and obligations, there is a growing case for specific legislation on employee surveillance in the wake of the increasing technical abilities of AI.
The law as it stands
The Data Protection Act 2018
Article 5 of the GDPR states that processing personal data must be lawful, fair, transparent and comply with the principles of purpose limitation, data minimisation, accuracy, storage limitation, integrity, confidentiality and accountability.
Irish employees also have a right to privacy under the European Convention on Human Rights. The European Court of Human Rights has confirmed that employee surveillance may infringe this right (Barbulescu v Romania [2017]). This also applies to video surveillance of employees (Lopez Ribalda v Spain [2019]).
Doolin v Data Protection Commissioner (DPC) [2022]
The Court of Appeal’s ruling in Doolin v DPC [2022] (Doolin) confirms that an employer must notify its employees of the purpose of using CCTV in the workplace, even if it is being used for disciplinary purposes.
In Doolin, a CCTV camera was installed outside of a staff room following a discovery of graffiti. The plaintiff, an employee, received a disciplinary sanction following footage showing that he may have taken unauthorised breaks. The plaintiff complained to the DPC, objecting to the footage being used to monitor staff and for disciplinary proceedings. The employer’s CCTV policy provided that the purpose of the CCTV system was to prevent crime and promote security. The plaintiff argued that its use in disciplinary proceedings was not a stated purpose of the CCTV policy, nor was it in line with data protection law.
The Court of Appeal (CA) found that the use of CCTV was unlawful as the employer’s CCTV policy confirmed the footage was collected and processed for the specific purpose of security. The employee could not have reasonably expected it to have been used to monitor his performance.
This decision may appear slightly dated as it relates to the use of CCTV, and not other AI models of surveillance. However, the judgment is clear that employers cannot collect and process employee data for any particular purpose, unless that purpose has been communicated to the employees. The decision highlights the need for clear HR policies, which should be easily understood and available to employees.
DPC guidance
The DPC has published a detailed guidance note for employers on data protection in the workplace. Key points include:
- Technological surveillance of employees in the workplace can be extremely intrusive and its use must be justified and proportionate.
- It is generally unlawful to use covert software to monitor employee’s activities.
- Covert surveillance of employees should not be used generally and should only be allowed where a crime has been committed, or is suspected to have been committed.
Call for legislation
The Financial Services Union (FSU) has released its study on Employee Experiences of Technological Surveillance in Financial Services which confirmed that 91% of employees were concerned about excessive surveillance and data collection. In June 2023, the FSU spoke at the Irish Government Committee on Enterprise, Trade and Employment and recommended the introduction of legislation to regulate the surveillance of employees, in particular the use of AI, to carry out this surveillance.
Some EU member states are already regulating employee surveillance:
Section 26 Federal Data Protection Act and Data Protection Adaptation Act provides that employers are only permitted to use surveillance of employees in the workplace if there is a belief that the employee committed a criminal activity).
Law No 58/2019 provides that employers can only use surveillance information collected about employees by CCTV or other surveillance procedures, in relation to crimes.
Regulation of AI in Europe
In April 2021, the European Union published a proposal for the regulation of AI, known as the AI Act. The draft regulation proposes to classify certain uses of AI as high risk, meaning there will be certain minimum, mandatory requirements in relation to their use. These include AI systems to make decisions on promotion and termination, task allocation, monitoring or evaluation. The new law also proposes an outright ban on other uses of AI in the workplace, such as emotion-recognition systems (which are in use in other jurisdictions).
Comment
Despite the fact that employees are unlikely to ever enjoy the prospect of any form of monitoring, employers can help waylay such concerns by being honest and transparent about why they are conducting such monitoring and informing employees as to how their data is being used. However, given that there are considerable gaps in the law with regard to the use of AI and other modes of surveillance, and with employees becoming increasingly concerned about the level of surveillance deployed, there is a clear need for legislation in this area to give clarity to all parties.
Although the DPC guidance is clear that covert surveillance is unacceptable, employers should seek advice where drafting policies on the use of employee surveillance. Misuse of employee data risks breaching data protection laws and is an increased litigation risk.
Looking ahead, employers should start preparing for the EU’s proposed AI Act regarding employee surveillance. The legislation is expected to become applicable in 2024, following which Ireland will be required to implement it into local law.