13 October 2020 | By Marten Männis
Employee data rights reaffirmed in various settings
The first week of October saw some interesting developments in the field of data processing and protection in light of EU law. Though not related in the conclusions that the developments draw, the decisions help illustrate the status of data usage in EU jurisprudence, highlighting the rights and responsibilities of European companies with regards to the management and usage of personnel data.
The first cases concerned the food and non-food distribution sector, including the French retail giant Casino and Les Mousquetaires. The European Commission had received information that potentially anticompetitive activities with regards to information sharing could be taking place between a number of undertakings. In response, the Commission required several of these undertakings to submit to inspections, in line with Articles 20(1) and (4) of Regulation No 1/2003, which gives the Commission the general power to conduct inspections into anticompetitive activities of companies. The premises of the companies in question were visited, in addition to making digital copies of information stored. This generated resistance amongst the companies under investigation, raising a plea of illegality, an allegation of infringement of the obligation to state reasons for the decision to inspect and the infringement of the right to inviolability of the home.
When raising a plea of illegality regarding the investigations, the companies alluded to a lack of an effective remedy to the general power of the Commission to carry out inspections under Article 20(1) and (4) of Regulation No 1/2003. In addition, some cases highlighted an infringement of the principle of equality of arms and the rights of defence.
Basing this part of the judgment on the case law of the European Court of Human Rights, the existence of a right to an effective remedy requires four distinct requirements: effectiveness; efficiency; certainty; and a requirement of a reasonable time. The court reaffirmed with this decision that the inspection procedure established under Regulation No 1/2003 does fulfil the four requirements appropriately.
The Court also noted that, in light of the principle of equality of arms and the rights of the defence, the Commission cannot be required to specify the evidence that is used as a justification for the overall inspection, as that would hinder the effectiveness of the procedure. Nevertheless, the Court concluded that though the Commission had sufficiently demonstrated a suspicion of anticompetitive activities, without concrete evidence of anticompetitive activities, the Commission cannot, for example, broadly acquire the personal data of employees. This led to the Court upholding the plea alleging the infringement of the right to the inviolability of the home.
During the same week in Germany, the Hamburg Commissioner for Data Protection and Freedom of Information imposed a €35.3 million fine to H&M’s Service Center. Since 2014, a portion of the workforce, based in Nuremberg, had been subjected to an extensive monitoring of the private lives of employees. Such information was stored on company storage networks. Minute details of vacations and sick leave were recorded – including vacation experiences, illness symptoms and professional diagnoses. Similarly, personal relationship developments and religious beliefs were included in these profiles, information which were often gathered through casual conversations at the workplace. This information was available to up to 50 individuals at managerial positions.
When the Hamburg Commissioner for Data Protection and Freedom of Information was informed of these activities, the company was required to freeze such actions and hand gathered information over to the authorities. In total, the company provided around 60 gigabytes of such data.
Prof. Dr. Johannes Caspar, Hamburg’s Commissioner for Data Protection and Freedom of Information, considered this case as a serious disregard for employee data protection and viewed the fine as adequate and effective to deter companies from taking similar paths.
Though the H&M Service Center activities could be considered dystopian, effectively aiming to create a comprehensive profile of their employees with little regard for the individuality of people or their privacy, similar actions by other companies should be expected in the future, albeit in a less infringing way. Whether those will constitute a similar violation remains to be seen.
The two decisions highlighted in part reaffirm the rights of employees in European companies. Starting with the latter, though the case should be considered an extreme example, it is unclear where the line should be drawn. Is all supplemental personal information on the profiles of employees prohibited? Can such profiles only contain the bare essentials of an employee’s personal life, combined with accomplishments achieved at the workplace? Should access be restricted to just the HR department of a company, and/or specific supervisors of an employee?
Similarly, how would the collection of COVID-19 related information be regarded as? Could employers require employees to submit additional data of their personal activities for the safeguarding of their workers? An example could be given whether companies, whereby working from home is restricted or impossible, working in an open setting, could require employees to provide additional information about their whereabouts during their personal time, to the extent to ensure that workers do not participate in activities that could easily create an opportunity for the virus to spread within the undertaking.
In employer-employee relationships, there are examples where even by employees consenting to specific activities could underline an invalid consent, making the activities of employers illegal. Thus, by virtue of agreeing to specific activities will not suffice for the lawful processing of employee data. Similarly, Article 16 of GDPR does give employees the right to have inaccurate data rectified, something that would prove to be hard to accomplish on the collection of highly subjective information.
On the other hand, employers have the right to safeguard the information of their employees, as highlighted in the General Court decision mentioned above. Investigative organs cannot conduct investigations that include employee data, which in these cases concerned potential correspondence between different undertakings, without direct evidence pointing to anticompetitive activities, as that infringes to the inviolability of the home.
Though neither case will establish any strong precedent for future activities due to their uniqueness, it is positive to see relevant authorities uphold the importance of safeguarding employee information, whether it has to do with the collection internally or distribution to investigative bodies.