Data Processing in Employment Relations; Impacts of the European General Data Protection Regulation Focusing on the Data Protection Officer at the Worksite
© Springer Science+Business Media Dordrecht 2015
Serge Gutwirth, Ronald Leenes and Paul de Hert (eds.)Reforming European Data Protection LawLaw, Governance and Technology Series2010.1007/978-94-017-9385-8_66. Data Processing in Employment Relations; Impacts of the European General Data Protection Regulation Focusing on the Data Protection Officer at the Worksite
(1)
Union of Private Sector Employees, Graphical Workers and Journalists, Alfred Dallinger Platz 1, A- 1034 Vienna, Austria
Abstract
From the 1990s European Unions are increasingly confronted with ignored employees’ privacy or misused employees’ personal data. There has been a vivid European discourse about this issue in the early 2000s. The European GDPR brings the topic back to the European agenda. The article points out who is involved in employee data protection from side of the employees’ interest organizations. The contribution further describes which are the employees’ interests stressing some crucial points of the GDPR such as the data protection officer at company site and the article on data protection in employment relations. The author tries to figure out how the GDPR matches the employees interests – or otherwise. Therefore she compares the European Commission’s approach with that of the LIBE-committee to see which one would serve more the employees’ fundamental right to privacy.
This article gives an insight on how the European Data Protection Regulation (EDPR) will effect labour relations and looks for consideration of employees’ interests within the EDPR. According to Harding,1 Haraway,2 and other representatives of the “standpoint theory”, it is important to openly state the position of the author. I am a sociologist, working with the Austrian Union of Private Sector Employees, Graphical Workers and Journalists (GPA-djp). My main field of work is consultation of works councils who are responsible for privacy issues at the workplace, employees’ data protection and monitoring systems. Dealing daily with privacy issues at workplaces – whether it is a newly installed surveillance camera, an international mother-company’s request to receive all employees’ performance data, a whistle-blowing hotline necessary according to the US-American Sarbanes-Oxley Act or a new navigation device placed in all company cars without the approval of employees or workplace representatives – is the very practical background of this text. Workplace experience shaped this article on one hand. On the other hand, I was involved in law amendments that deal with workers privacy – both in Austria and Brussels. My task was to promote the employees’ view and interests in discussions with politicians at the European Trade Union Confederation (ETUC), with members of the European Parliament and with Representatives of the European Commission. These discussions are another background shaping this text.
Employees’ interests nowadays are losing weight all over Europe (Busch et~al. 2012).3 Their rights are cut and social exclusion is on the rise. Thus, they are marginalised – especially since the economic crisis. The standpoint methodology postulates that research should initially concentrate on marginalised groups. The perspective of the “marginalised lives” is inevitable for science, as Sandra Harding4 says.
The epistemological approach of this text is Karin Knorr-Cetinas5 Manufacture of Knowledge where she shows that scientific work always depends on social (and technical) means and interaction. New scientific texts are always shaped by several different players. I tried to demonstrate – following the conventions of Knorr-Cetina – how different players shape a new European law.
Empirically the article mainly uses diverse writings by Austrian and international unions and other organisations focusing on the impact the EDPR will have on employees’ interests.
The aim of the contribution is to link practical experience with the academic sphere by expressing the standpoint of marginalised employees’ interests in the field of privacy politics at workplaces.
6.1 An Outline of Employee Data Protection
All over Europe the use of personal data of employees is business. Personnel administration by personal information systems, personal data created by the use of email and the internet, data of working time records, attendance and sickness records, data from video cameras, and many more information and communication technologies (ICT) are implemented on company levels generating and administrating personnel data. Employers all over Europe and beyond precede much more data than is effectively needed to fulfill legal or contractual requirements.
Sure, data protection is a topic concerning everyone but employees as data subjects often are double victims once as citizens and consumers and secondly as dependent workers. Sometimes being an employee and a private person concerned is so closely connected (for example, when working at a hospital and having personal medical records stored at the same place or when working at a banking institution and being forced to have a banking account there as well) it leads to misuse of personal data. Looking at dynamic data, connection data or just log files, one can easily recognize that personal data is sometimes created automatically, without consent or even knowledge of the data subject, indicating that employees’ access and the right to information is difficult to achieve. The information imbalance is evident. Employers might use this data without informing the employee – the result may be a surprising end of the employment relation.
Throughout history working conditions changed with tools and instruments of work. The biggest change until now was the industrial revolution turning hand work in machines’ work. Currently we are facing a digital revolution shaping nearly every workplace.6 ICT has changed working conditions in terms of reaction time, multitasking, availability of knowledge and – foremost important in matters of fundamental rights – monitoring possibilities. Systems are much more interdependent and linked to each other than they were in the twentieth century. Unified communication systems, shared documents and cloud services transform employees into anywhere- and anytime-workers, who at the same time can be easily traced and tracked. Acquisition and retention of employees’ personal data by ICT is happening at high speed nowadays. The large and further increasing number of data leads to the use of information without caring about the data processing principles set by the European Commission in the European Data Protection Directive regarding finality, proportionality, transparency – just to mention the most important ones.
6.2 European Scientific Research on Employee Data Protection
EU-wide comparisons concerning individual awareness on data protection at the workplace among employees in general and among employees responsible for ICT are evidence of highly differing consciousness within the EU countries. An average of every third employee in the EU feels well informed about his/her data protection rights and just half of the employees trust their employers.7 Just 13 % of the 4.800 data controllers interviewed in 27 EU member states are familiar with the national data protection law and the same amount frequently contacts the national data protection authority.8 These few figures reveal the necessity of a data protection officer at the worksite (DPO) in order to fulfil the legal requirements and to protect the employees’ fundamental right to privacy. DPOs can strengthen employees’ privacy at the workplace since they make sure that the company’s data proceedings correspond with data protection law and other law applicable to the line of business. According to the Austrian Private Sector Union DPOs should be the information link between employer, employees, clients, customers and business partners. Currently Germany is the only country within the European Union that has implemented a mandatory DPO at company level for companies with more than nine employees dealing with data proceedings.
Following the European Data Protection Directive each member state shall implement the directive into national law, hence should have an equivalent data protection level. But this is not the case in the employment context, as some few studies have shown dealing with national legal frameworks as well as industrial relations. Available studies on an international level are missing some crucial points. Some authors deal with an international scope, but do not focus on labour law,9 other findings are limited to the comparison of legal standards regarding the use of email and the internet at the workplace, but do not include other data processing.10 The European Article 29 Data Protection Working Party conducted a summary of the national legislation on surveillance and monitoring of electronic communication in the workplace in 2002, describing that the then member states were missing other data processing as well.11 None of these studies combines the legal situation with technical innovation at workplaces and the only one that does12 has no neutral approach to technology. None of these studies includes the member states that joined the European Union after 2004. It seems as if the discourse had its peak in the early years of the 2nd millennium. A more recent study was published in 2011, but it is limited to the Australian law and to the use of Email and internet.13
This might be caused by the fact, that there are diverse legal backgrounds as well as diverse cultures in data protection in general. The “Eurobarometer” 2008 detected that 72 % of the EU citizens do not even know about their national data protection authority, whose purpose is — amongst others — to protect individuals against data misuse. In 2010, the European Union Agency for Fundamental Rights realised a study dealing with the role of national data protection authorities. Findings are that these authorities are organised quite differently regarding their independency, resources, assertiveness and sanction possibilities.
6.3 Legal Situation
In the last 15 years there have been several attempts to regulate privacy at workplaces constraining the use of monitoring and surveillance within employment relationships respectively. Some European countries have specific legislation in this area. In 2004, Finland amended the “Act on the Protection of Privacy in Working Life” based on an act first passed in 2001. This is the most elaborated act on this topic in the European Union specifically dealing with employee data proceeding and including applicants data as well. Of course, jurisdiction and single clauses within labour or constitutional law deal with workplace monitoring, workplace privacy and workers representatives’ participation, but single acts of legislation on this very topic are a rare good.
Intersectoral collective agreements in Norway, for example, state that privacy at workplaces is to be retained. The Belgian national collective agreement No. 81 from 2002, the “agreement on the protection of the private lives of employees with respect to controls on electronic on-line communications data”, is another European “early bird” regulating data protection within industrial relations. However, it only applies to private employment relations. The agreement states the goals allowing for the online monitoring of employees’ behavior at the workplace, e.g. technical functioning of the ICT as well as controlling of inner company internet compliance.14
The problem with compliance guidelines is that employees or workplace representatives are never involved when such compliance regulations, behavior guidelines, codes of conduct Binding Corporate Rules (BCR) – or however the documents are called – are established. Putting surveillance measures in force in order to control employees’ behavior according to employer-driven compliance always puts the employee on the weaker part. Compared to the set of possibilities within the GDPR enabling an employer to process employees’ personnel data, an increasing importance of Binding Corporate Rules (BCR) can be indicated.
Back to the Belgian national agreement, we can see an advantage for Belgian employees. Individual controlling measures must always be preceded by generic controlling measures. Hence, employees are better protected against false suspicions and probably consequently caused dismissal. Furthermore, Belgian employers must inform employees and their representatives prior to any monitoring measures. The approach of generic before individual monitoring also follows the Portuguese data protection authority that published guidance on employees’ internet and email use.
Many national data protection authorities elaborate guidelines and similar documents as well (for example the United Kingdom, Ireland, Italy, Austria or France) in order to deal with the data protection responsibilities within employment relations. Some national data protection authorities expressed opinions dealing especially with electronic communication at workplaces, for example, Denmark, Germany, Ireland, Italy, France or Belgium.15 But these documents are of rather weak legal binding. Obviously, authorities all over Europe have – more or less successfully – tried to fill a legal gap.
Information duties before conducting individual surveillance measures within employment relations can be found in France, the Netherlands, Spain, Sweden or Austria. Consent of employees is explicitly needed in some national labour laws such as labour legislation in the Netherlands, France, Germany or Austria. Workplace related regulation of video surveillance exists in Belgium and Denmark.
Delbar et al. say: “Despite a lack of specific legislation, the general legal framework and principles are interpreted as having implications for employees’ internet and e-mail use in some countries.” The German way of getting along with employee data protection is constitutional law stipulating the right to “informational self-determination”. Much adjudication are operationalizing the constitution and therefore giving guidance for workers’ data protection as well. But jurisdiction differs a lot all over Europe as, for example, in Italy the employer got the right to see an employees’ private email sent to the companies address anytime, while Dutch and French courts deny this recurring due to the fundamental right of keeping correspondence secret. Moreover, national jurisdiction is a weak instrument when European wide legal security shall be the outcome.
“Given the general absence of specific legislation on employees’ privacy at the workplace, the introduction of such provisions has been discussed or proposed in a number of countries, sometimes with direct relevance to internet/e-mail use.” state Delbar et al.16 Finland, Germany, Norway and Sweden have tried to change this status quo and worked on specific legal acts – some of them still struggling for a better legislation on employee data protection.
6.3.1 The Austrian Example
Austria is a typical example for the international legal situation. No special rules on workplace privacy, only little evidence of jurisdiction and an only slowly rising awareness of the importance of the topic shape the field of Austrian employee data protection.
Doubtless there is an economic dependency of employees on their employers. Since no employee wants to accuse his/her employer of data abuse during an existing employment contract, court rulings on the right of data protection of employees are rare. Even more so, since evidence is sometimes hard to proof. The result is no jurisdiction in Austria regarding data protection legislation. This is also driven by the fact that data protection law belongs to individual right, which means employees have to lodge an appeal before a court of first instance and pay a lawyer on their own. Workers representatives have no right to be party in the proceeding. Rulings concerning employee data protection after an employee has been dismissed refer to labour law, where more jurisdictions exist that judges can rely on. The result is a prevailing lack of data protection jurisdiction in employment relations causing legal insecurity.
A recently concluded study by an employees’ interest organization (the Chamber of Labour Vienna) found, that only one out of four ICT systems that would need compulsory regulation by a works agreement, concluded between the workforce representative and the employer, is actually regulated.17 One reason is that ICT is difficult to understand for workplace representatives as well as employers. To regulate ICT, negotiators must have at least some technical understanding and know how personnel data is proceeded. Due to the fast advance of ICT, weekly updates and new implemented systems every year, it is difficult to make up leeway. The increasing quantity of systems, some of which are corresponding with each other, neither makes things easier. Therefore, even interested employees and works councils lose track. Data protection officers (DPO) at company level could remediate this obstacle. Representative figures in Austria show that the employees are better informed and more works agreements are concluded in companies, in which DPOs have been established voluntarily.18
Some legislation parties in Austria are engaged in developing a legal regulation on employee data protection since 2010, but did not succeed yet. In the last 5 years, there have been several efforts to strengthen workplace privacy by legally implementing a DPO at the company level. The first attempt in summer 2010 should have brought about an obligatory DPO with dismissal protection, a 4-year working period, technical resources and knowledge as well as permanent further education. He/she should not have been bounded by employer’s instructions. The position of a company DPO as the Austrian Trade Union Federation (“Österreichischer Gewerkschaftsbund”, ÖGB) wanted it, should have even more weight, as he/she would only be put in place with the approval of workplace representatives and should be responsible not only for company and customer data, but also for employee personal data. The employer’s interest organizations’, the Chamber of Business, argument is that this would be too expensive and that there would be no necessity of such a position due to a well-functioning Austrian data protection law.
After another unsuccessful attempt to implement an obligatory DPO to the Austrian data protection law in summer 2011, the third attempt followed in 2012. This amendment was stipulating that a voluntary DPO should be implemented at company level. Again, the Chamber of Commerce did not agree and the government dropped the plan again.
6.4 Employee Data Protection by Relevant European Players
6.4.1 The European Commission
In August 2001, the European Commission started a first round of formal consultation with social partner raising the question, whether protection of employees’ data requires special guidelines and if yes, how these guidelines should be expressed – by a directive, a recommendation or just a code of conduct? Employer organisations mostly found the existing legal framework sufficient and warned about excessive regulations and burdens for small- and middle-sized companies. (These concerns were expressed repeatedly when it came to consultations in 2010 as described in Sect. 6.5.2.). Unions all over Europe painted a controversial picture, stating that the existing directive is helpful but not sufficient and demanded a specific directive on workplace data protection.
In October 2002, the European Commission launched a second consultation of European social partners. In the end, the Commission elaborated a framework proposal for employee data protection including, among other details, obligatory employees’ representatives’ consultation before implementing new ICT, monitoring only if national data protection authorities controlled the ICT in advance and the interdiction of secret monitoring if there is no concrete suspect of a grave criminal misbehaviour.19 (Reading the proposals made by the European Parliament’s Committee on Employment and Social Affairs (EMPL) in 2013,20 one can find some of these points again.)
There followed no further action from the Commission’s side for a long period and the social partners did not take up the matter themselves. It was the year 2010 when the Commission started a new consultation; this time open to the public and dealing with data protection in general not specifically with employees’ data protection. 288 contributions were counted when the public consultation closed. Replies were manifold as the list of contributors shows.21
Big players in the field of ICT (such as eBay, Alcatel, Yahoo, Vodafone or Microsoft) sent their contributions as well as public authorities and interest organisation. The latter comprising much more employer organisations from the finance, medical and ICT sector than employees’ interest organisations. Papers raising awareness on the employees’ special interests in data protection just came from Germany and Austria. The ETUC and UNI Global Union, the international federation of the service sector unions, also responded to the Commission’s consultation.22 National unions in the EU and their umbrella organisations seemed not to be interested in the matter at that time, while those branches whose vital interest are affected by data processing were much aware of the imminent “dangers” of a new European data protection regime.
6.4.2 The European Article 29 Data Protection Group
The Article 29 Data Protection Working Party, an assembly of all national data protection authorities including representatives of the European Data Protection Supervisor and of the European Council with the aim to interpret the Data Protection Directive from 1995 according to specific problems raising all over Europe (for example, the proceeding of geo-data, cloud computing or face recognition), published the “Opinion on the Processing of Personal Data in the Employment Context” in 2001 aiming for: “further guidance on the issues where the application of general principles of data protection raises particular problems relevant to the employment context, such as the surveillance and monitoring at the working place, employee evaluation data and others.”23 This opinion was a landmark for advocates of an individual employee data protection act. Although some efforts have been taken to come to such an international legal norm, it has not yet been concluded.
The opinion of the Article 29 Data Protection Working Party are in general very helpful for unions, as they very often outline concrete suggestions on how to deal with actual problems occurring in the working area – for example, if employees’ data is transferred to non-European Union member states for reasons of bonus compensation, if external workers are located, if video surveillance is installed, and so on. Although the opinions do not have the power of legislation or jurisdiction, they give a perception on how the European Directive is to be handled and thus have an impact on employees’ privacy.
6.4.3 International Trade Unions
The International Labour Organization (ILO) was the first organisation addressing the issue of workers’ privacy. In 1997, the first work on this topic by a union confederation was published: “Protection of Workers’ Personal Data”.24 After that, it became rather silent around workers’ privacy at the ILO. When the European Commission’s consultation on the future legal framework of Data Protection Regulation was running in 2010, just a few European unions sent their statements – namely the Austrian and German union federations.25