Data-driven workplace surveillance risks breaching employee rights

The digital transformation of the modern workplace has ushered in a new era of algorithmic control, real-time performance tracking, and data-driven personnel decisions. Amidst the growing reliance on artificial intelligence and big data, a new legal study warns that such practices may be on a collision course with fundamental rights. An article titled “The Legitimacy of Modern Data Processing in the Workplace”, published in the European Labour Law Journal, examines the legal thresholds for processing employee data and presents a comprehensive critique of the current balance between employer interests and worker protections under EU data protection law.

Written by Johannes Warter of the University of Salzburg, the study scrutinizes the use of AI and algorithms in monitoring workers, evaluating performance, and making employment-related decisions. Drawing on the General Data Protection Regulation (GDPR), the Platform Work Directive, and recent case law involving Amazon's logistics centers, the paper probes the legal justification for data processing under Article 6(1)(f) of the GDPR, which allows such processing based on legitimate interests, provided the rights and freedoms of employees are not overridden.

Are employer interests enough to justify AI-driven employee surveillance?

GDPR’s proportionality test not only requires any data processing to be not only in pursuit of a legitimate aim but also necessary and proportionate. Employers have cited a range of interests to justify algorithmic tracking, ensuring operational efficiency, managing workflows, detecting fraud, or improving employee performance. These interests are legally recognized, but the study emphasizes that invoking them is not sufficient on its own.

To be lawful, the processing must pass three tests: a legitimate interest must exist, the processing must be necessary to achieve that interest, and the resulting interference with employee rights must be proportionate. In practice, Warter finds that this balance is often tilted too far in favor of employer control. In Germany, for example, the Administrative Court of Hanover upheld Amazon's continuous monitoring of warehouse workers via hand scanners, concluding that tracking indicators like productivity and quality compliance did not violate privacy because the data reflected “work performance” rather than personal traits. The court even dismissed concerns over employee stress, citing the availability of jobs in Germany as evidence that workers do not face undue pressure.

In contrast, the French data protection authority (CNIL) took a stricter stance. It fined Amazon €32 million, arguing that real-time monitoring tools such as the “Stow Machine Gun Indicator”, which triggered alerts for rapid task execution, created a psychologically intrusive environment. CNIL found that some indicators, such as idle time tracking before and after breaks, crossed the line of proportionality and imposed constant justification burdens on employees.

What role do fundamental rights play in regulating workplace data collection?

The study identifies a critical gap in current jurisprudence: the underutilization of fundamental rights as a legal counterweight to data processing practices. Article 6(1)(f) of the GDPR requires that employee interests and fundamental freedoms be weighed against employer objectives. However, many court decisions fail to explicitly reference rights enshrined in the EU Charter of Fundamental Rights—such as the right to dignity, private life, fair working conditions, and protection from discrimination.

Warter argues that failing to integrate these rights into data protection decisions undermines the very function of the GDPR. If, for instance, an algorithm increases the risk of workplace accidents by imposing time pressures, it violates the right to physical integrity. If it systematically disadvantages certain groups in promotion decisions, it breaches anti-discrimination protections. Even where legal employment contracts exist, Warter notes, most data processing bypasses genuine employee consent due to the inherent imbalance of power.

The study further contends that data protection law should be seen as a conduit, or “capacitor”, for safeguarding broader social rights. Rather than viewing data protection in isolation, the GDPR should be interpreted as a tool that reinforces existing labor and human rights in the face of expanding algorithmic governance. This includes respecting limits set by other legislation, such as the Working Time Directive, which mandates rest periods that may be undermined by AI scheduling systems.

How can legal clarity and worker protections be strengthened in data-driven workplaces?

The study highlights pervasive legal uncertainty surrounding what constitutes proportional data use. Few high court decisions provide definitive guidance, leaving national regulators and courts to interpret proportionality on a case-by-case basis. Warter recommends borrowing from labor law doctrines such as the right to consultation, the prohibition of intrusive questioning, or tiered monitoring approaches to define clearer boundaries for lawful data use.

The paper also points to the value of collective bargaining. Company-level agreements between employers and worker representatives can preemptively codify acceptable uses of algorithmic tools, aligning data use with workplace norms and ethical standards. While such agreements are not immune to legal review, they can increase transparency, procedural fairness, and buy-in from employees.

Moreover, the study argues that some protections are non-negotiable. When fundamental rights guarantee a minimum level of protection, such as daily rest time, protection from unjust dismissal, or safe working environments, no balancing test can override them. In such cases, automated systems that systematically violate these norms must be considered unlawful regardless of employer interests.