"The right to disconnect", on the right track to get data protection at work
The right to disconnect or to be unreachable by one’s employer can be essentially regarded as a data protection right. The European Parliament has been asking for a Directive in this area.
The European Parliament (EP) has adopted a Resolution urging the European Commission to prepare a Directive on the so-called "right to disconnect". France, Italy, Spain and recently Belgium have passed legislation in this regard.
"The right to disconnect refers to workers’ right not to engage in work-related activities or communications outside working time, by means of digital tools, such as phone calls, emails or other messages" and "should entitle workers to switch off work-related tools and not to respond to employers’ requests outside working time, with no risk of adverse consequences, such as dismissal or other retaliatory measures" (European Parliament, Resolution of 21 January 2021 with recommendations to the Commission on the right to disconnect (2019/2181(INL)), accessed 28 Feb. 2022).
The right to disconnect, "to switch off" or to be unreachable can be essentially regarded as a data protection right arising within the employment context. The EP’s Resolution on the right to disconnect emphasises that the unprecedented "use of digital tools for work purposes has resulted in an ‘ever-connected’, ‘always on’, or ‘constantly on-call’ culture, which can have detrimental effect on workers’ fundamental rights and fair working conditions" (Ibidem).
The EP stresses that the adoption of a European Directive and its subsequent transposition into national legislation throughout the EU is particularly important in the context generated by the COVID-19 crisis. Because the pandemic has produced a significant increase in teleworking, "leading to additional work-related stress and obscuring the divide between work and private life, it has become even more urgent to ensure that workers are able to exercise their right to disconnect" (Ibidem).
The European Pillar of Social Rights stipulates that workers have the right to data protection within the employment context (Principle 10) and to a fair work-life balance (Principle 9).
Belgium has recently joined the slowly growing number of countries to pass legislation concerning the right to disconnect, although its legislation covers only a small category of employees. From 1 February, federal civil servants in Belgium may no longer be contacted outside working time, except in emergency situations (Maithe Chini, "'Right to disconnect': boss may no longer call employees after hours", The Brussels Times, accessed 28 Feb. 2022).
But the goal of the proposed Directive is to widely apply the right to disconnect "to all workers and all sectors, both public and private" regardless of their form of employment and to have this right effectively enforced throughout the EU (EP, op. cit.).
The use of smart devices and applications for work-related electronic communications when working from home or remotely can pose multiple privacy concerns, effacing the very thin line between work and private space.
The employer or the service provider of the electronic communication services could potentially access very sensitive or even special categories of personal data like religious beliefs, racial or ethnic origins, health data or political opinions, revealed by employees or even members of their families when using the same devices or applications.
During the COVID-19 crisis, telework was adopted by many companies as a business continuity strategy. In Europe, employers rely heavily on technology provided by US tech giants for communication, cloud storage or data analytics, which implies international data transfers to the US, a country not deemed adequate for such processing by the European Commission.
After the Schrems II decision of the Court of Justice of the European Union in 2021, international data transfers from the EU to the US have become very problematic, because in practice there is no technical or organisational measure that effectively prevents US surveillance agencies from accessing European citizens’ personal data.
More intricate "work connections"
Employees can also remain "connected" to work while using company cars tracked by a GPS device for personal matters or during non-working time. The GPS can collect data about both the vehicle and the driver, including the driving behaviour of the employee. Even during working time, a trip by the employee to a clinic can reveal sensitive medical data to the employer (See Article 29 Working Party, Opinion 2/2017 on data processing at work, p. 19 sq.).
Thus, it must be possible for the employee to securely switch off the GPS device when performing private activities or during non-working time. Other measures to enhance privacy and avoid continuous monitoring could also be put in place, such as hiding ("absconding") from the employer the location data inside a perimeter and making it visible only when the device leaves the designated area (See ibidem, p. 20).
When using personal devices for work, under the so-called BYOD (Bring Your Own Device) policy, the employer/service provider could also process private data about the employees and members of their families that are using the same devices, including children.
Security and collaboration solutions such as EMM (Enterprise Mobility Management) aim to sandbox and protect the corporate data on personal devices used for work, but it has to be considered that some of these services (for example Google Workspace/Workspace for Education) can process personal data for tracking and profiling for advertising, which lacks a legal ground when performed within the employment context.
Moreover, it can affect the family members of the employee, leading to tracking and profiling or even serving ads based on the profile of a certain user to some other wrongfully identified users. Also, the location of the device or other metadata can be disclosed by the EMM software to the employer, service provider and third parties and this fact should be thoroughly considered from a data protection perspective.
Vetting the service providers in the employment context
Employers should carefully vet the information and communication technology (ICT) providers whose services process their employees’ personal data, and perform Data Protection Impact Assessments (DPIAs) where required. Furthermore, the employer should include adequate data protection provisions in the agreement.
It must certainly be taken into account that employers can usually rely on contract, legal obligations and legitimate interests as legal grounds for processing their employees’ personal data, and seldom on consent.
The vetting process should preferably be carried out by a privacy professional in order to identify the many privacy traps that can lie hidden inside and outside contracts, terms and conditions, privacy policies, data protection agreements or non-disclosure agreements. The monitoring of communication content and metadata, as well as online tracking, poses serious risks to privacy.
The privacy practices of the provider should be carefully assessed in order to avoid invasive processing of employees’ personal data, such as tracking and profiling for advertising purposes, during working or non-working time. In the employment context there is no legal ground for such processing, therefore the employer has to be careful in this respect even in cases when such a provider could be deemed a controller in its own right.
Moreover, the tracking and monitoring can extend even to members of the employee’s family when those members are using the devices and applications utilised for work, or across devices.
Special attention should also be paid to international transfers of personal data to third countries, especially to US providers. Although tech giants like Google or Amazon can offer top-notch services and unbeatable prices, their use within the EU infringes the European rules concerning international data transfers. The safest but certainly not the cheapest alternative is to contract European Union/European Economic Area based service providers that process personal data locally.
Transparency and appropriate training of employees
Employees should receive proper written information regarding the right to disconnect and, in addition, undergo appropriate information security and personal data protection training, with special regard to telework and the right to disconnect.
According to the EP Resolution "employers must provide workers with sufficient information, including a written statement, setting out the workers’ right to disconnect, namely at least the practical arrangements for switching off digital tools for work purposes, including any work-related monitoring or surveillance" (EP, op. cit.).
The EP upholds that practical arrangements for implementation by the employer of the right to disconnect should be "agreed by the social partners by means of collective agreement or at the level of the employer undertaking" (Ibidem.).
The training of employees is a sine qua non organisational measure that must be taken by the employer in order to properly implement the right to disconnect, and it is also an obligation enshrined in the envisaged Directive.
The in-work training should address practical matters such as how to effectively control or switch off the location, camera and microphone while working or during free time, the system used for measuring working time, and the fact that superiors and co-workers should not contact other colleagues during their free time for work-related purposes unless there is an emergency.
Employees whose right to disconnect has been infringed should have the right to dispute resolution and redress in order to ensure compliance with the provisions of the proposed Directive. The EP Resolution also states that infringement of the national provisions adopted within the scope of the Directive should result in dissuasive fines for employers.
Author's note: The material is for informational and general purposes only and does not constitute advice on personal data protection, physical or information security. For particular situations you should obtain expert advice.
Dinu Gherman specializes in Data Protection. He manages data security for companies in Romania and abroad.
The opinions expressed by EURACTIV.ro experts do not necessarily represent those of the EURACTIV.ro newsroom and/or partner newsrooms.