Business, data protection, and employees
Regulating for Globalization
Please refer to this post as:, ‘Business, data protection, and employees’, Regulating for Globalization, 26/02/2018, http://regulatingforglobalization.com/2018/02/26/business-data-protection-and-employees/
Tilting at windmills?
Innovations in information technology can be both positive and negative when applied to the workplace. On the positive side, there is an extended reach for individuals in any one country. Borders become less of an obstacle. However, regulatory frameworks within jurisdictions may remain hardened. Employment is one regulatory framework in which rigidity is evident. Ambitions for workplace efficiency precipitate rules that endeavour to remove (rather than work with), from labour/employment law, the human variable. Technological innovation in the workplace is explored here as one permutation of this ambition.
As presently perceived, algorithms provide all the certainty that numbers ostensibly offer. Algorithms in the workplace recall the spirit of Frederick Taylor’s ‘scientific management’ (outlined in his 1919 book The Principles of Scientific Management), wherein workers required an unusual amount of cajoling. Algorithms provide the metrics to coax optimal effort. To Taylor’s chagrin, algorithms are immune from neither critical analysis nor scrutiny. Engaging with algorithms as potential sources of information, instead of solutions in themselves, can yield a better understanding of technology in the workplace. Moreover, further investigation can contribute to anticipating the nature of future challenges as well as assist in avoiding the ‘transparency fallacy’.
Using communications theory, Daithí Mac Síthigh has asked a question especially pertinent to the broader legal community: why have certain distinctions been made in the regulation of particular forms of media? He points out that there can be curious divisions based on the perception of the medium under consideration. A message to be derived from the medium of algorithms is that the workplace is not devoid of social considerations, and pragmatism in the workplace does not necessarily exclude recognition of those who populate it.
The GDPR and Algorithms
The General Data Protection Regulation overarches this topic. Within the GDPR, employers fall under the definition of ‘controller’. The GDPR contemplates ‘profiling’ algorithms for workplace outputs. Article 22 provides the data subject (here the employee) with a right to avoid a decision based solely on automated processing that carries a legal effect. The distinction targeted here is between automated decision support (where a person makes the final decision) and automated decision-making (where there is no human judgement involved). Art.22 does not apply, though, where the decision arrived at by automated processing ‘is necessary for entering into, or performance of, a contract between the data subject and a data controller’. The Article 29 Working Party in its Opinion 2/2017 on data processing at work explained that ‘performance of a contract and legitimate interests can sometimes be invoked, provided the processing is strictly necessary for a legitimate purpose and complies with the principles of proportionality and subsidiarity’.
Frank Hendrickx’ recent contribution to this blog highlighted some recent decisions of the European Court of Human Rights as it faces the challenges of IT in the workplace. Here I return to the considerations contained within those decisions to ask whether, with algorithms, we are not being diverted from the medium, thereby ignoring the message.
Two matters stand out. First, there appears to be only a loose framework being developed. Second, there is wide scope for efficiency arguments to be aligned with algorithmic monitoring. The GDPR and the ECtHR’s decision in Bărbulescu v Romania prompt further deliberation with regards to consent in employment contracts. Based upon Art. 7(4), a dispute may arise as to whether or not the processing is necessary for the performance of the employment contract. Art. 6(1)(b) of the GDPR reiterates the point. It defines lawful data processing as that ‘necessary for the performance of a contract to which the data subject is part’. The employer may legitimately argue there must be the capacity to determine whether or not workers are adhering to contractual obligations: for example, are workers adhering to workplace IT security protocols and/or conducting themselves in a way that does not breach data protection? These could both be viewed as aspects of the performance of the employment contract. Bărbulescu suggests that at work monitoring may be permissible in order to ensure that workers are performing contractual duties; so long as they have been informed beforehand. If this is to be the case, it may be wondered whether or not the protections outlined within the GDPR are attenuated.
The Third Section of the ECtHR returned to the issue of consent in López Ribalda and Others v Spain. In an effort to cut down upon (if not eliminate) losses due to theft, a supermarket installed both visible and hidden cameras. Classifying covert video surveillance of employees as a ‘considerable intrusion’, the majority of the Court found a violation of Article 8. The ECHR not only protected individuals ‘against arbitrary interference by the public authorities’, but it also required the state to take steps to provide effective respect for private life.
Requiring workers to be merely informed stops short of a more complete analysis of the act of monitoring itself. The question arises: in what state are privacy rights at work left?