
GDPR in the time of COVID-19

The COVID-19 pandemic has clearly had a global impact, forcing many industries and businesses to shift their operations and services to remote working in light of the various measures adopted by governmental authorities in an attempt to contain the spread of the virus and ‘flatten the curve’.

Fortunately, the present state of technology has enabled businesses to set up remote-working facilities quickly and continue their operations remotely, which has helped reduce and contain the disruption brought about by COVID-19. Be it through teleworking tools, the establishment of Virtual Private Networks, or remote IT access through cloud servers, certain businesses have managed to retain a semblance of normality and business continuity in these troubling and uncertain times.

However, with this shift to remote working, an issue which has come to the fore is how employers can ensure that employee productivity levels remain on par whilst employees work from home. Understandably, employers have an interest in ensuring that their employees continue to work “as normal”, even though they are not currently under the scrutiny of an office environment. In this respect, one should recall that developments in IT systems have provided the employers of today with a wide range of monitoring capabilities, enabling them to collect and process a significant amount of information about their employees’ computer usage and activities. It is now possible to monitor VPN usage, keep a record of keystrokes, log the websites visited, remotely take screenshots of a particular computer monitor and, in extreme circumstances, even enable webcams and collect footage. Given the current situation, these are all measures which an employer might be inclined to implement to ensure that its workforce continues to fulfil its employment duties.

However, in the rush to find effective solutions under these rather unprecedented measures, an employer must nonetheless ensure that this does not come at the expense of the rights given to an employee at law, including his or her statutory data protection and privacy rights.

In that regard, a relevant question that needs to be considered is whether, in these extremely troubling times, “monitoring measures” adopted by employers are justifiable and, if so, whether they can be implemented in a manner which conforms with the GDPR. Essentially, the principal aim of the GDPR is to ensure that personal data is processed lawfully, fairly and in a transparent manner. In effect, the GDPR seeks to protect the use (i.e. processing) of an individual’s personal data, regardless of whether it is collected or obtained in the context of that individual’s personal or employment capacity. Furthermore, the processing of an individual’s personal data must also be proportionate to the purposes for which it has been collected. In that sense, the GDPR prohibits the collection or use of personal data which is either excessive or otherwise irrelevant.

Within the specific context of “employee usage monitoring”, the European Court of Human Rights (“ECHR”) has expressed itself on this point in Bărbulescu v. Romania, where it held that “[t]he notion of private life is a broad concept. It encompasses, for example, the right to establish and develop relationships with other human beings, and the right to identity and personal development”. On this basis, the ECHR held that telephone calls made by an employee from business premises are prima facie covered by the notions of “private life” and “correspondence” for the purposes of Article 8 of the Convention. The Court further held that e-mails sent from work should be similarly protected under Article 8, as should information obtained from the monitoring of personal internet usage.

Therefore, at an ECHR level, there is clear judicial recognition that the notions of “respect for private life” and “privacy of correspondence” equally extend to the workplace. Although not delved into in that judgement, the term “workplace” can also be construed as being a rather fluid concept, applying to both the standard office premises and also a remote-working environment.

Similarly, in the wake of the adoption of the GDPR, the Article 29 Data Protection Working Party (now replaced by the European Data Protection Board) also issued guidance on the processing of personal data when employees are working remotely, in order to take into account the rapid adoption of new information technologies and monitoring capabilities in the workplace.

In this Opinion, the Article 29 Data Protection Working Party essentially stipulates that an employer may only collect data relating to an employee through monitoring (e.g. internet usage) under strict conditions and only for “legitimate purposes, with the processing taking place under appropriate conditions (e.g., proportionate and necessary, for a real and present interest, in a lawful, articulated and transparent manner), with a legal basis for the processing of personal data collected from or generated through electronic communications”. The Article 29 Working Party even went so far as to specifically identify certain monitoring technologies or methods, such as “recording an employee’s keystrokes and mouse movements”, as being disproportionate and overly intrusive.

That guidance was not, however, issued against the backdrop of a pandemic such as the current situation, where an entire workforce has had to shift to remote working. Therefore, the question arises whether there is justifiable scope to reconsider and depart from the assessments made by the ECHR and/or the Article 29 Working Party in view of the extraordinary circumstances in which most, if not all, employees are working remotely. Without delving into whether the equipment used is owned by the employer or whether the devices are personal computers belonging to employees, one must also consider this matter from the perspective of the employer, who has his own legitimate interests to protect.

In that context, does an employer have a legitimate interest in significantly monitoring employee usage? Would monitoring VPN usage, or logging the websites visited by an employee, be justified in these extreme circumstances, where the employer has an obligation to pay the employees’ wages? The argument from the employer’s perspective would be that an employer needs to ensure that his workforce is and remains productive in order to generate income and, therefore, to make it possible to continue paying wages and meeting other obligations. There are also teleworking grant schemes and other initiatives available to employers, which may (as a condition of benefiting from them) require a degree of reporting on the nature or extent of the teleworking carried out by the relevant employees.

Primarily, one must recall that there is a fundamental right to privacy enshrined in the European Convention on Human Rights. Additionally, within the context of employees working from their private residences, this right to privacy becomes even more pronounced, given that there is a greater risk of it being impinged upon, possibly to a more severe extent, if certain monitoring measures are adopted. In a similar vein, it cannot be entirely forgotten or disregarded that the Article 29 Working Party has held that the use of software packages to monitor or log, for example, keystrokes and mouse movements whilst an employee is teleworking is disproportionate and would be difficult to justify on the basis of a legitimate interest.

Therefore, an appropriate balance does need to be struck between the following interests:

1. an employee has a right to secrecy of their communications and therefore an employer must not impinge on this right; but
2. an employer does have a legitimate expectation that employees are in fact using the remote-working facilities for professional matters.

In attempting to balance these interests, it is suggested that employers should aim to adopt and use only the least intrusive measure(s) available. In fact, arguably, there are various alternatives to, for instance, monitoring or logging keystrokes and mouse movements, or even monitoring VPN usage, which could achieve the same aims just as effectively while posing comparatively reduced privacy and data protection risks.

An employer could, for example, monitor an employee’s log-in to and log-out from the company’s VPN application, with automatic logouts set at randomised intervals to ensure that the computer has not simply been logged into and left on. Similarly, the employer could monitor aggregate levels of internet usage, as opposed to individualised monitoring of each employee. Another possibility is the use of pop-ups requiring the employee to answer a simple question in order to continue using the PC. In that manner, if the PC has frequently been left unattended for a significant amount of time, the employer can be alerted and the matter addressed appropriately. However, the employer must not then look at the records to determine the length of time taken to respond (e.g. 1 minute vs. 15 minutes) and use that to assess performance. What is crucial here is ensuring that the means used to determine whether an employee is working are not then used for another purpose, such as monitoring performance. Furthermore, in all cases, an employer must be upfront and transparent with its employees about what monitoring measures have been implemented, how they work and how they will be used. From a data protection perspective, transparency has been and continues to be absolutely paramount.
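The following is an added illustration, not code from the article or from any product it mentions, of how the less intrusive design described above can be implemented with purpose limitation built in. It assumes a simple event format for VPN log-in/log-out records and for attention prompts, a 15-minute "unattended" threshold and an alert only after two missed prompts (all assumed policy values), and it shows that the aggregate connected time is returned without a per-user breakdown and that prompt outcomes are reduced to attended/not-attended booleans, so the response latency the article says must not be used for performance assessment is never retained.

```python
"""Purpose-limited presence monitoring (constructed example).

Two data-minimisation choices are made deliberately:
  * VPN sessions are summed across the whole workforce; per-user durations
    exist only transiently while pairing a log-in with its log-out.
  * Attention prompts are reduced to a boolean (answered within the
    threshold or not); the exact response time is discarded.
"""
from datetime import datetime, timedelta

# Assumed policy values, not taken from the article.
UNATTENDED_AFTER = timedelta(minutes=15)   # prompt unanswered this long = unattended
ALERT_AFTER_MISSED = 2                     # alert only on repeated unattended prompts

# Constructed sample VPN events: (user, event, ISO-8601 timestamp).
VPN_EVENTS = [
    ("alice", "login",  "2020-04-06T08:58:00"),
    ("alice", "logout", "2020-04-06T12:10:00"),
    ("alice", "login",  "2020-04-06T12:40:00"),
    ("alice", "logout", "2020-04-06T17:05:00"),
    ("bob",   "login",  "2020-04-06T09:10:00"),
    ("bob",   "logout", "2020-04-06T16:55:00"),
]

# Constructed sample prompts: (user, time asked, time answered or None).
PROMPTS = [
    ("alice", "2020-04-06T10:00:00", "2020-04-06T10:00:45"),
    ("alice", "2020-04-06T14:00:00", "2020-04-06T14:12:00"),
    ("bob",   "2020-04-06T10:00:00", None),
    ("bob",   "2020-04-06T11:00:00", None),
    ("bob",   "2020-04-06T14:00:00", "2020-04-06T14:01:00"),
]


def _ts(value: str) -> datetime:
    return datetime.fromisoformat(value)


def aggregate_vpn_usage(events):
    """Return {'connected_seconds': total, 'sessions': n} for the whole workforce.

    Log-ins are paired with the next log-out of the same user; a log-out
    without an open log-in is ignored. No per-user figure is returned.
    """
    open_logins = {}
    total_seconds = 0
    sessions = 0
    for user, kind, when in sorted(events, key=lambda e: _ts(e[2])):
        if kind == "login":
            open_logins[user] = _ts(when)
        elif kind == "logout" and user in open_logins:
            total_seconds += int((_ts(when) - open_logins.pop(user)).total_seconds())
            sessions += 1
    return {"connected_seconds": total_seconds, "sessions": sessions}


def prompt_outcomes(prompts, threshold=UNATTENDED_AFTER):
    """Map each user to a list of booleans: True if the prompt was answered
    within the threshold. Timestamps and latencies are not kept."""
    outcomes = {}
    for user, asked, answered in prompts:
        attended = answered is not None and (_ts(answered) - _ts(asked)) <= threshold
        outcomes.setdefault(user, []).append(attended)
    return outcomes


def users_to_alert(outcomes, min_missed=ALERT_AFTER_MISSED):
    """Users whose unattended-prompt count reached the alert threshold."""
    return sorted(u for u, flags in outcomes.items() if flags.count(False) >= min_missed)


if __name__ == "__main__":
    usage = aggregate_vpn_usage(VPN_EVENTS)
    print(f"workforce VPN time: {usage['connected_seconds'] / 3600:.2f} h over {usage['sessions']} sessions")
    print("alert for:", users_to_alert(prompt_outcomes(PROMPTS)))
```

The point of the design is that the only data an employer ever sees is the workforce-wide total and a list of users with repeated unattended prompts; a one-minute reply and a twelve-minute reply produce the same `True`, so the records cannot later be repurposed as a performance metric.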

The key here is ensuring that:

  • There is proper communication to the employees that there will be some form of measures adopted to ensure productivity.
  • There is a clear explanation to all employees on what these measures are, how they will be implemented and what information they will collect.
  • The legal basis for doing so is clearly explained to the employees, as are the grounds for processing such personal data. Employers should avoid requesting and relying on employee consent: for the purposes of the GDPR, valid consent needs to be freely given, and within the employer-employee context, especially in circumstances where the economy is seen to be struggling, such consent will be heavily scrutinised. The legal basis here is a legitimate interest in ensuring productivity levels in the least intrusive manner possible.
  • The communication should be acknowledged by the employee.
  • As a form of good practice, the implementation of monitoring measures should be preceded by discussion and consultation with a representative sample of the employees or workforce, who together with the employer should jointly formulate the rules and policies dictating how the monitoring will be carried out.

In conclusion, while employers do have a right to ensure that their employees are in fact being productive, they must factor in the risks to privacy posed by home and remote working. These risks need to be addressed in a proportionate, non-excessive manner, having regard to the type of business operations and the means and technology available, in order to ensure that the least intrusive measure is adopted.