26/02/2025
Briefing

Last year, we discussed the risks associated with employee monitoring practices on foot of the CNIL’s decision to fine Amazon €32 million for its use of an employee activity and performance monitoring system. Now, the issue of employee monitoring has come to the fore once again in light of a recent CNIL decision to fine a French real estate company €40,000 for its disproportionate surveillance of employees, which we consider below.

Background

The CNIL commenced an investigation into the French real estate company’s employee monitoring practices in light of complaints that it had received. During its investigation, the CNIL found that the company had, from September 2021 to October 2022, used software on the computers of some of its employees which tracked their working time and evaluated their productivity in the context of their remote working arrangements. More specifically, the software:

  • automatically detected periods of employee inactivity via mouse movement and keyboard activity levels (which could result in salary deductions, unless the employee justified such periods of inactivity or otherwise made up the time); and
  • measured employee productivity by tracking the websites that they visited and programs that they used and comparing the time spent on such websites and programs against the employee’s overall working time. The software was also configured to take regular screenshots of the employee’s screens, with the intervals for such screenshots set by management on a case-by-case basis.

In addition, the CNIL found that the company deployed an on-site video surveillance system which continuously captured sounds and images of its employees present on its premises for theft-prevention purposes. The recordings were available to supervisors to view in real-time via a mobile application.

Summary of key findings by the CNIL

  • Tracking software: The company was unable to rely on legitimate interest as a legal basis for the processing of employee personal data in the context of the monitoring of employee activity and measuring of employee productivity via the software, as the deployment and operation of the software disproportionately interfered with the fundamental rights of the employees. As a result, the processing of employee personal data in this manner lacked a legal basis and so breached Article 6 GDPR.
  • On-site video surveillance: The CNIL noted that permanent surveillance of employees can only be justified in exceptional circumstances and that, in principle, to be proportionate, the video surveillance device must not capture sound. In the present case, the continuous recording of sound and images of employees at their workstations and during their breaks was neither adequate, nor relevant, nor limited to what was necessary in light of the objectives pursued by the company (theft prevention) and so constituted a breach of the data minimisation principle under Article 5(1)(c) GDPR.
  • Transparency: Neither the company’s internal documentation nor the employees’ respective contracts of employment contained sufficient information on the processing of employee personal data in the context of the tracking software or on-site video surveillance to fulfil the transparency requirements of Article 13 GDPR.
  • Data security: The company allowed multiple users to share access to an administrator account, through which data collected by the company’s employee tracking software could be viewed, via a single set of login details. The lack of individualised accounts and logins did not permit the effective tracing of access to, and actions carried out on, this system and so constituted a breach of the data security requirements under Article 32 GDPR.
  • Lack of a data protection impact assessment (“DPIA”): The company had not carried out a DPIA in respect of its processing of employee personal data in the context of the employee tracking software, despite the likelihood that such processing would pose a high risk to the rights and freedoms of such employees. The company was therefore in breach of the requirements of Article 35 GDPR.

Outcome and commentary

Ultimately, the CNIL imposed a fine of €40,000 on the company in light of the fact that it had breached several fundamental principles of the GDPR and that such breaches were “particularly serious” in view of the associated infringements of the fundamental rights and freedoms of its employees. In determining the quantum of the fine, the CNIL took account of the company’s financial situation and its small size.

This recent decision again highlights the readiness of supervisory authorities to take enforcement action against employers that carry out employee monitoring practices that are considered to have a disproportionate impact on employee privacy. It also makes clear that employee monitoring practices will continue to attract close scrutiny from supervisory authorities, particularly in the context of their handling of complaints from data subjects. Considering this, employers seeking to implement any employee monitoring measures should first ensure that such measures undergo a robust and comprehensive analysis from a data protection perspective to ensure their compliance.

Finally, Annex III (4)(b) of the EU AI Act includes a specific provision on the use of AI systems in workplace settings including where an AI system is intended to be used to “monitor and evaluate the performance and behaviour of persons in such relationships.” Employers considering the use of AI systems to undertake such monitoring should also consider their obligations in relation to high-risk AI systems before they embed them within the business. 

The authors would like to thank Julie O’Brien for her contribution to this briefing.