Introduction
The field of digitalisation and privacy at work has received two major European Union initiatives over the last few days. First, on 24 June 2020, the European Commission issued its first report on the evaluation and review of the General Data Protection Regulation (the ‘GDPR’). It officially takes the form of a Communication from the Commission with reference to “data protection as a pillar of citizens’ empowerment and the EU’s approach to the digital transition – two years of application of the General Data Protection Regulation”.[1]
Second, on 22 June 2020, the European social partners adopted an autonomous agreement on the digitalisation of work.[2] This autonomous agreement has been created under the European Treaty’s framework and social partner’s freedom in the area of autonomous social dialogue and collective bargaining (art. 155 TFEU).
The two documents are as interesting as crucial. They show the need, but also the potential, of having the industrial relations actors involved in creating more specific rules and principles, and why not rights, related to the digital agenda and, more precisely, privacy and data protection at work.
Need for guidance in the world of work
The Commission’s new GDPR’s analysis confirms the broad scope of application of the legislation, but also its flexibility and adaptability. It is designed to be applied in different sectoral activities and to be responsive to new technologies.
The impact of the GDPR on the world of work is clear. It is applicable in the large area of work relations, worker data processing and human resources activities. The main legislative approach, together with the specifics and challenges of the world of work, has led to the need for more guidance in the employment context of data protection principles. This need has existed for a long time and has been recognised by various international bodies.
The former 1995 European data protection directive was similarly applicable in the employment context. In the past, the EU undertook some attempts for a legislative initiative in the area of employment data protection. The initiative ultimately did not succeed. Furthermore, under the (former) European Data Protection Directive, the ‘Data Protection Working Party’, established under the 1995 Directive, adopted some guidance on data protection in the employment context. The Working Party’[3] adopted Opinion 8/2001 of 13 September 2001 on the processing of personal data in the employment context.[4] Another instrument is the EU Working Document of 29 May 2002 on workplace communications.[5] On 8 June 2017, the Working Party issued Opinion 2/2017 on data processing at work. This opinion (further referred to as WP Opinion 2/2017) made a new assessment of issue “by outlining the risks posed by new technologies and undertaking a proportionality assessment of a number of scenarios in which they could be deployed”. The opinion is based on the 1995 Data Protection Directive, but already looks further and takes also the GDPR into account.[6]
Also in the Council of Europe, the desirability of adapting these data protection principles to the particular requirements of the employment sector led to the adoption of Recommendation No. R(89)2 on the Protection of Personal Data Used for Employment Purposes. This Recommendation was adopted by the Committee of Ministers on 18 January 1989 at the 423rd meeting of the Ministers Deputies. On 1 April 2015, the Committee of Ministers adopted a new Recommendation on the processing of personal data in the employment context (CM/Rec(2015)5) at the 1224th meeting of the Ministers’ Deputies.[7] This revised recommendation was motivated due to “the changes which have occurred internationally in the employment sector and related activities, notably due to the increased use of information and communication technologies (ICTs) and the globalisation of employment and services”.[8]
Due to the need to develop data protection principles that specifically address the use of workers’ personal data, the ILO developed a Code of Practice. The ILO Code of Practice concerning the protection of workers’ personal data was drafted to this end and adopted by a Meeting of Experts on Workers’ Privacy of the ILO in 1996.[9] It has not been adopted as an ILO Convention or a Recommendation and does not have binding force, but it should be used in the development of legislation, regulations, collective bargaining agreements, work regulations, policies and other practical measures.
Article 88 GDPR and the employment context
While looking at this broader development, the concrete starting point should be article 88 of the GDPR. It provides:
- Member States may, by law or by collective agreements, provide for more specific rules to ensure the protection of the rights and freedoms in respect of the processing of employees’ personal data in the employment context, in particular for the purposes of the recruitment, the performance of the contract of employment, including discharge of obligations laid down by law or by collective agreements, management, planning and organisation of work, equality and diversity in the workplace, health and safety at work, protection of employer’s or customer’s property and for the purposes of the exercise and enjoyment, on an individual or collective basis, of rights and benefits related to employment, and for the purpose of the termination of the employment relationship.
- Those rules shall include suitable and specific measures to safeguard the data subject’s human dignity, legitimate interests and fundamental rights, with particular regard to the transparency of processing, the transfer of personal data within a group of undertakings, or a group of enterprises engaged in a joint economic activity and monitoring systems at the work place.
Article of the 88 GDPR largely gives the message that the European standards and the world of work will benefit from specific rules and principles on data protection applied in the employment context. Furthermore, it is suggested that industrial relations actors can play an important role in this.
Finding a European response
The European Commission seems to be fully in line with the idea that European responses are important. With its first assessment report on the GDPR, the European Commission has now looked into the application and national implementation(s) of the GDPR. One of the findings is that we have a European regulation, but different national approaches still exist and the importance of coherence and adequacy in the European approach should be somehow be guarded.
One of the ways forward for the GDPR, for the Commission, is not only to cope with “new technologies to support innovation and technological developments” but also “to support further exchanges of views and national practices between Member States on topics which are subject to further specification at national level so as to reduce the level of fragmentation of the single market”. It refers to personal data relating to health and research, or data that are subject to balancing with other rights. We suggest to expressly add to this the need for further guidance in the employment context. It is also submitted in the European Commission Staff Working Document, added to the Communication: “’The topics on which stakeholders would like additional guidelines from the Board include: the scope of data subjects’ rights (including in the employment context)”.[10]
A social partner response
The European social partners have now shown that they should be able to handle this task. They have responded to the digitalisation agenda and the implications for labour markets and the world of work, with the adoption of the “European framework agreement on digitalisation” of 22 June 2020.
This agreement addresses different aspects of the digital agenda for work, including work content, skills, working conditions and work relations and covering digital skills and securing employment, modalities of connecting and disconnecting, Artificial Intelligence (AI) and guaranteeing the human in control principle, as well as respect of human dignity and surveillance.
From the new agreement, it can be read: “The social partners in this agreement recall article 88 of the GDPR which refers to possibilities to lay down by means of collective agreements, more specific rules to ensure the protection of the rights and freedom with regards to the processing of personal data of employees in the context of employment relationships. Measures to be considered include: “enabling workers’ representatives to address issues related to data, consent, privacy protection and surveillance; always linking the collection of data to a concrete and transparent purpose. Data should not be collected or stored simply because it is possible or for an eventual future undefined purpose”.
The new framework agreement also includes references to AI and robots. It sets out directions and principles of how and under which circumstances AI is introduced in the world of work. For example, the human in command approach and the control of humans over machines and artificial intelligence should, according to the agreement, be guaranteed in the workplace.
These are crucial key-points for the development of a rights-based discourse.
The potential of industrial relations receives, therefore, strong evidence. This step is significant and should be much welcomed and made widely known and applied. But it also gives hope for more, with the horizon of a vast area of issues and challenges in the context of the GDPR and privacy at work. So let us see this initiative not as an end-point, but rather as a starting point for more and broader work, like a full and comprehensive set of privacy and data protection rights and principles, for the future of work, made by the social partners. In this way, a new step is made towards the implementation of the European Pillar of Social Rights,[11] referring to the right to personal data protection of workers in the employment context.
[1] [Brussels, 24.6.2020 COM(2020) 264 final; https://ec.europa.eu/info/sites/info/files/1_en_act_part1_v6_1.pdf
[2] https://www.businesseurope.eu/sites/buseur/files/media/reports_and_studies/2020-06-22_agreement_on_digitalisation_-_with_signatures.pdf
[3] The Working Party is an advisory group composed by representatives of the data protection authorities of the Member States, which acts independently and has the task, inter alia, of examining any question covering the application of the national measures adopted under the Data Protection Directive in order to contribute to the uniform application of such measures.
[4] Opinion 8/2001 of 13 September 2001 on the processing of personal data in the employment context, 5062/01/EN/Final, WP 48, 28p..
[5] Data Protection Working Party, Working Document on the Surveillance of Electronic Communications in the Workplace, 29 May 2002, 5401/01/EN/final, 35p.
[6] See: http://ec.europa.eu/newsroom/just/item-detail.cfm?item_id=50083 (Consulted 15 November 2017).
[7] https://search.coe.int/cm/Pages/result_details.aspx?ObjectID=09000016805c3f7a (consulted 9 November 2017).
[8] See the preamble of Recommendation CM/Rec(2015)5.
[9] ILO, Protection of workers’ personal data, An ILO code of practice (ILO, Geneva, 1997), 47.
[10] Brussels, 24.6.2020 SWD(2020) 115 final; file:///C:/Users/u0009915/Downloads/090166e5d0c710c3%20(1).pdf
[11] https://ec.europa.eu/commission/sites/beta-political/files/social-summit-european-pillar-social-rights-booklet_en.pdf