In 1890, Warren and Brandeis defined the right to privacy as ‘the right to be let alone’ (4 Harvard Law Review, 93-220). What if we apply this in a modern work context?
In light of automation and new technologies in the work environment, the right to privacy has become part of the labour law language. Recent developments and technological evolutions, such as digitalization, big data, the internet of things, artificial intelligence and robotization, are influencing the world of work in such a way that attention to privacy and data protection is growing with an increased pace and relevance. Against this background, the right to privacy presents itself as a very flexible and adaptable concept. New principles and rules in the context of privacy and data protection have become appropriate and enrich our legal discourse. We argue that the privacy notion moved into a concept of ‘Privacy 4.0’.
The concept of ‘Privacy 4.0’ represents the stages of development of this right. Privacy moved forward with different ‘layers’ or ‘levels’ in its overall scope of protection. It is due to the technological responsiveness of the right to privacy. It gives this right a broader meaning in the employment law and technology debate and makes it particular relevant in the future of work context, sometimes framed in light of ‘Industry 4.0.’
The issue was the theme of my talk during the Labour 2030 Conference, held in Porto (Portugal), 19-20 September 2019 (labour2030.eu). It is also the subject of my contribution in the Comparative Labor Law and Policy Journal (Vol. 41, fall 2019, “Special Issue on Automation, AI and Labor law”).
Privacy 1.0. : Privacy at work
As provided in international legal instruments, “everyone” has the right to privacy. Also workers have, therefore, a right to privacy. This legal departure point has not been evident since the very beginning. An employment relationship implies, in the traditional view, a subordinate relationship or a relationship of dependency. Employers may exercise legal authority over their workers. So how can this fit with ‘the right to be let alone’? Labour lawyers recognise this question. It refers to the ‘Privacy 1.0.’ discussion. The right to privacy has overcome the issue by receiving horizontal effect and application in employment relationships. The European Court of Human Rights (ECtHR) gave a strong basis to the application of the right to privacy in employment relations. In Niemietz v Germany it held that there is “no reason of principle why this understanding of the notion of “private life” should be taken to exclude activities of a professional or business nature” (Niemietz v. Germany, ECtHR 16 December 1992, No. 13710/88, par. 29). On the basis of this broad scope, provided to this right, workers have been relying on the right to privacy in a wide range of issues.
Privacy 2.0.: Privacy and worker data protection
In the eighties and nineties, technological evolutions brought the potential of data processing to the fore. As a consequence, various (international) regulators started to address the issue of personal data protection. Institutions like the OECD or the Council of Europe adopted instruments in the early eighties – and later on legislation came of the European union. Privacy took a step towards a developed meaning, Privacy 2.0. The growing digitalisation of work spheres intensified the relevance of data protection. The current European ‘GDPR’ shows the importance of this broad approach of data protection. It gives new checks and balances in the employment context. A question is how to see the legitimacy of data processing in the employment context. The employment context is not per se a limitation to data processing. But it has become obvious that the justification for data processing, as the GDPR suggests, requires a test of ‘necessity’. For all personal data processing, the link with the legitimate purpose (and the employment relationship) must be established. Workers, furthermore, ‘must be informed of the existence of any monitoring, the purposes for which personal data are to be processed and any other information necessary to guarantee fair processing’ (WP Opinion 2/2017, p.8). That seems evident, but it sometimes lacks attention in employment relations.
Privacy 3.0 : Monitoring and surveillance of workers
New technologies have turned the modern workplace into a potential major control area. Monitoring and surveillance of workers through technology have become increasing issues with the rise of one particular technology: the internet. It gave rise to more intensified connection of computers and data, a world-wide flow of information. Furthermore, it created and rapidly expanded the possibilities of (electronic) communications. With the rise of the internet new devices came up that could be connected to networks, such as gps-tracking systems, electronic badges, computer software following the work flow, video surveillance and the like. These new developments rapidly evolved. They also brought the right to privacy to Privacy 3.0. In this next level of orientation, the right to privacy started to focus more intensively on the issue of fairness and fair processing and whether the online world needed other or similar principles compared to the offline world. Fairness, in this context, addresses the imbalance of informational power and control between data controller and data subject. That would be, in the employment context, a power shift between employers and workers due to a new electronic monitoring environment.
Privacy 4.0. : Humans in command
The final stage of development of the right to privacy is related to the rise of artificial intelligence (AI), algorithmic decision-making and robotics. Intelligent technology is on the rise, with algorithmic, big data, the internet of things and profiling becoming increasingly influential factors in our world of work. The digital work environment can be seen to deliver great potential and new opportunities for professional cooperation and for shaping the modern work relationship.
In its 2017 initiatives the European Parliament, adopting a resolution on robotics and artificial intelligence, refers to “the great potential of robotics” but also to “new risks owing to the increasing number of human-robot interactions at the workplace” (2015/2103(INL)). The European GDPR addresses profiling and algorithmic decision-making. The impact in the employment context is clear: recruitment assessment, performance evaluation, selection for dismissal, analysis of workers’ preferences, analysis of workers’ whereabouts, and so on. Under the GDPR, also fully automated decision-making are regulated, the ability to make decisions by technological means without human involvement. According to article 22, 1 GDPR, a data subject has the right not to be subject to a decision based solely on automated processing (including profiling) which produces important (legal) effects. However, they are not fully effective in the employment context, seen the exceptions. The right to object to profiling under article 21.1 GDPR is limited to situations where data processing is justified outside a contractual relationship. The approach of the GDPR is thus that the employment contract can provide for justifications to involve profiling and/or fully automated decision-making.
While workers will not necessarily (not easily) escape from artificial intelligence, algorithms or automated decision-making processes, the role of human intervention becomes more relevant. Under article 22, 3 GDPR (relating to fully automated decision-making) the data subject (the worker) has at least the right to obtain human intervention on the part of the controller (the employer). The European Working Party confirmed that human intervention is a key element in the GDPR’s data protection (WP, Guidelines on Automated individual decision-making and Profiling for the purposes of Regulation 2016/679, 3 October 2017, Revised 6 February 2018, 17/EN WP251rev.01, 27). Although we may be critical about how this will be guaranteed, a worker has additionally, according to article 22,3 GDPR, the right to express his or her point of view and to contest the decision.
The rights under the GDPR are consistent with the demands for a human-in-command approach in the future of work debate. According to the ILO’s Global Commission on the Future of Work: “It also means adopting a “human-in-command” approach to artificial intelligence that ensures that the final decisions affecting work are taken by human beings” (cf. www.ilo.org). In this context, the right to data protection comes in close interaction with employment rights. It would give workers a right to challenge decisions taken by employers. It would make sense to elevate this right to the collective level and give trade unions the same rights in order to strengthen the data protection.
New pathways for rights: humanization
The right to privacy gives as strong basis to construe a right to human interaction and a right to humanization of the workplace. Turning back to the case of Niemietz v Germany, the European Human Rights Court held that “it is, after all, in the course of their working lives that the majority of people have a significant, if not the greatest, opportunity of developing relationships with the outside world” (Niemietz v. Germany, ECtHR 16 December 1992, No. 13710/88, par.29). This opportunity – and thus the right – to develop human relationships has been further developed by the Court ever since. Over time, under the right to privacy, the Court elaborated the right to develop one’s ‘social identity’. This has different aspects. The right to develop one’s own identity also implies a right to make autonomous decisions and a degree of freedom. This is a very meaningful approach in the robot age. Working with AI and robots will increase the demands of a human dimension in a work context. The dependency on software and machines may, however, also lead to a make-over of the labour law language. In a context of new ways of working (for example, more autonomous work, more place and time sovereignty for workers), the right to be self-responsible and ‘to be left alone’ may become more relevant, in order to advance a human approach towards technologically dependent work. It also contrasts with the classical notions of subordination and workplace hierarchy. While labour law traditionally regulated subordination of workers, it may now become a regulator of the worker’s autonomy. The concept of privacy 4.0 is not only an ally in this new labour law discourse. It could be the core essence of Privacy 4.0. Humanization of work and human interaction may become the essence of the right to privacy’s next level.