‘Protection of Employee Privacy in the Digital Workplace’: Arguments and Comments Presented during the Defence of Seili Suder’s Doctoral Thesis
employee privacy; data protection in employment; digital workplace; EU law
This contribution is based on the opinion I presented in my role as designated opponent for the doctoral dissertation of Seili Suder. *1 The dissertation, a compilation-based work comprising five pieces published earlier, with Suder as sole author *2 or in collaboration with other researchers *3, alongside a framing compendium of the research conducted, which systematises but also to a considerable degree complements the deliberations contained in the relevant publications, was defended in proceedings hosted by the University of Tartu’s School of Law on 6 December 2021. It was accepted for commencement of awarding of the degree Doctor of Philosophy in Law on 27 September 2021 by a resolution of the council of that faculty.
The dissertation was designed to contribute to employment-specific discussion of privacy and data protection by exploring the main legal concerns and practical challenges posed by deployment of the ‘newest’ digital monitoring technologies (i.e., monitoring of social media, the monitoring of microchipped employees, and monitoring technologies of the sort used amid the SARS-CoV-2 pandemic – such as contact-tracing applications and health‑monitoring technologies) within the current European privacy and data-protection framework. While these are, as Suder aptly observes, among ‘the most substantial and thus influential around the world’, there remains the unresolved question of the need, if any, for establishment of specific/sectoral provisions at the EU level that regulate privacy and data protection, by, inter alia, delineating more precise/strict conditions under which the latest technologies affording employee monitoring should be deemed permissible.
The digital age has revolutionised the operations of both huge corporations and small, family-run businesses. It is only by looking back a few decades into the past that we see how dramatic the changes have been that have shaped the modern workplace. The ‘new world of work’, with its urgent pursuit of cost-efficiency, automation, and connectivity, has brought with it many legal and ethics-linked challenges, including several related to the erosion of once clear boundaries between professional and private life. Thanks to certain generally accessible new technologies, acquisition and processing of various types of personal data in the contemporary world of work takes place on an unprecedented scale. The acceptance of such a dynamic as a natural element of the sui generis institutional culture of modern workplaces is problematic, as the relevant data-processing practices visibly transcend the heretofore accepted limits of employers’ control and supervision and, in consequence, considerably reinforce the inherent asymmetry between the parties in the employment relationship by furnishing employers with a reinvigorated source of power over employees – namely, that of information *4.
Interestingly enough, despite voluminous literature on the right to privacy, the employment-specific doctrine thus far has focused mainly on analysis of those forms of privacy and data-protection infringements already perceived as more ‘traditional’ (such as monitoring, drug testing, and collection of personal data) *5. In addition, the still rather scarce academic discussion of emerging legal and ethics challenges ushered in by the newer technologies in the workplace is dominated by American scholars. At the same time, the protection of privacy in employment, as the outbreak of the pandemic clearly confirmed, remains in a process of developing regulation. The choice of the topic for the dissertation is, therefore, much welcomed, as it articulates a valid research objective of both theoretical and practical importance.
The framing portion of the dissertation is clearly structured around an introduction, four parts dedicated to addressing each of the research questions posed by the author *6 in a separate manner, and conclusions. In the introduction, after appropriately delineating the context and significance (including the potential privacy- and data-protection-related problems) of incorporating the latest digital monitoring technologies into modern workplaces, A noteworthy aspect of Suder’s presentation of the specific components of the research methodology is that the author decided to narrow the scope of the research to two building blocks of the European architecture – the ECHR and GDPR – while deliberately omitting the relevant provisions and institutional setting of the Charter of Fundamental Rights of the European Union from consideration. Suder also restricted the analysis of the GDPR to particular data-protection principles. Although the reasoning behind such a choice is sound in general, the treatment could be made more complete, inter alia, via the addition of a few reflections on the possible added value of the Charter with regard to privacy- and data-protection-connected standard‑setting for the digital workplace, accompanied by brief explanation of why those GDPR principles not within the scope seem to be less important/problematic in the employment context and, therefore, do not constitute part of the ‘core’ when it comes to establishing the relevant standard of protection in the digital workplace. At the same time, although I generally do agree that ‘the choice to focus both on privacy and data protection is inevitable because the discussion concerning digital monitoring technology should be based on both topics’, it is difficult to accept the rather hasty assumption that ‘data protection is considered as a part of privacy’.
Given the complexity of the relationship between the two ‘apparently distinctive rights’ *7, much discussed in the European literature, but even more importantly the potential implications of such a statement for the future and for the employment-specific regulatory framework postulated by the author, I would have expected this issue to have been addressed with greater attention and depth in the introductory remarks.
The second and third part of the dissertation’s framing portion are dedicated to critical analysis of employee privacy and data-protection standards, as encapsulated in the ECHR and the GDPR and further clarified in the relevant case law, from the perspective of particular challenges brought by digital monitoring at work. The analysis presented – nota bene, being considerably substantiated by ‘hypothetical cases’ involving new digital monitoring technologies, chosen by the author – is of great theoretical and practical importance, as it allows for better understanding of the potential shortcomings of the relevant framework with regard to the employment context as well as their implications for coherent setting of minimum standards across the EU. As the thorough discussion during the defence of the dissertation confirmed, the analysis in question could, however, further benefit from a brief explanation of potential implications of the accession of the EU to the ECHR (Art. 6 TEU) from the perspective of the current European standard of protection of privacy in the digital workplace.
The fourth and fifth part are devoted to examination of the standard of protection offered by the selected data-protection principles found in the GDPR (i.e., lawfulness, purpose limitation, fairness, and the transparency principle) with regard to digital monitoring in the workplace. Notably, the principle of lawfulness is given special attention by the author, reflected in the separate chapter devoted to analysing the legal bases for monitoring that are introduced in the GDPR. The approach chosen enables the thesis to provide insight as to which of the legal bases cited by employers for monitoring of employees in the digital workplace under the GDPR umbrella could potentially contravene the privacy and data‑protection rights of employees. It should be noted that the author in this connection too consciously restricts the scope of the relevant examination to employment contracts, addressed in Article 6(1)(b); the legal obligation incurred, per Article 6(1)(c); the employee’s consent, under Article 6(1)(a); and legitimate interests pursued by the employer, under Article 6(1)(f). The omission of other legitimate grounds in the compendium here is justified, given their generally very limited application in the employment context and the complementary analysis presented in the associated publications *8. More problematic, as already alluded to above, might be the omission of some of the ‘fair information principles’. Compliance with all of these key principles constitutes a fundamental building block for the standard of protection set by the GDPR, as reflected also more specifically in its Article 83(5)(a), which states that infringements of the basic principles for processing of personal data are subject to the highest tier of administrative fines.
Again, in light of the somewhat complementary nature of the relevant publications *9 and the more technical character of some of the principles left to the side, the author’s scoping decision could be backed up by the addition of more detailed explanation as to why the principles of lawfulness, purpose limitation, fairness, and transparency are perceived by the author as constituting the sui generis core of the relevant standard of protection in the digital workplace.
Notwithstanding the fact that some parts of the analysis presented in parts 4 and 5 may be less detailed than would have been ideal, the author, by nimbly manoeuvring between the arguments presented in the literature, Article 29 Working Party / European Data Protection Board guidance, and both international and national jurisprudence, manages to draw correct conclusions regarding the potential pitfalls of the technologically neutral yet far too generally couched standard of protection offered by the GDPR and, most importantly, to formulate some interesting suggestions pertaining to desirable norms for incorporation into future employment-specific legislation.
In the final part of the work, Suder delineates a set of original and generally well‑argued de lege ferenda recommendations. Regrettably, despite signalling such an intent within the introductory remarks, the author does not clarify ‘whether the EU legislature should enact a directive or a regulation that deals with employee’s privacy rights’. It is, therefore, not so clear to the reader either what the basis and rationale for such an action at EU level could be or what kind of desirable institutional setting should be installed within such a framework (a generalist/traditional court-based scheme or, instead, a specialist approach or special/separate scheme) according to the author. I would recommend that future publications give special attention also to the most problematic elements of the current framework from the perspective of coherent implementation of the requirements of substantive fairness in the digital workplace context throughout the EU.
In conclusion, it must be noted that my critical observations presented above should be taken as an invitation for discussion only. There can be no doubt that the dissertation represents a scholarly work of high quality that integrates privacy discussion with data-protection and labour-law discourse in an admirable way while successfully implementing a socio-legal approach. The latter not only enriches the dissertation with an interesting portrayal of the social reality surrounding the data-processing practices in which employers recently have begun engaging but also, and far more importantly, supplies considerable support for the main hypothesis behind the dissertation in relation to the issue – so often raised yet rarely so comprehensively addressed in the literature – of the inadequacy of the current regulatory framework in the EU with regard to the employment context.