One effect of COVID-19 has been a sharp increase in businesses’ use of remote surveillance solutions to protect corporate resources and monitor the productivity and behavior of employees who will be working from anywhere but the office for the foreseeable future. Although such tools can provide valuable performance insights and mitigate data loss and other risks, they can also significantly increase a business’s legal risk.
This is especially true for businesses with employees working in the EU, where employee privacy is typically protected to a much greater extent than in the United States. Indeed, the German subsidiary of international retailer H&M recently learned a €35.3 million (approximately $41 million) lesson about these legal risks after being fined by a supervisory authority in connection with a workforce monitoring program that “led to a particularly intensive encroachment on employees’ civil rights.”
Employers are permitted to monitor EU employees at work, as long as they comply with the laws and regulations of both the EU and individual Member States. This includes the EU’s General Data Protection Regulation (GDPR), which applies to any U.S. or multinational business that has employees in, or monitors the behaviors of, individuals in the EU.
Remote surveillance solutions increasingly offer sophisticated features that promise—among other things—to identify suspicious activity, detect potential insider threats, and provide real-time alerts about employee behaviors. But automated technologies that generate insights or conclusions about employees based on data collected from employer-monitored systems, networks, and connected endpoints can generate additional risk because the GDPR (as well as the laws of some individual Member States) provides protections for individuals subject to automated decision making and profiling.
Further, the use of employee surveillance solutions powered by Artificial Intelligence (AI) and Machine Learning (ML) technologies may trigger additional compliance requirements under the GDPR. We will explore those issues and others, and offer risk mitigation strategies that employers should consider before monitoring employees in the EU.