1. Data Protection at Work
It has long been recognised that personal data processing in the employment context has distinct challenges that require special regulatory treatment. As early as 1999, Spiros Simitis and Mark Freedland, writing independently, reached the same conclusion (see here and here): that the omnibus rules of the now repealed Directive 95/46/EC were not fit for the particular requirements of the employment sector. A specific European directive on the protection of employees’ data was needed. Two decades on, little meaningful progress has been achieved at the policy level. Multiple attempts to introduce employment-specific data protection law at the Union level failed due to a combination of legal, political, and constitutional reasons.
While its fundamental objective is to harmonise data protection rules throughout the EU, the GDPR has a less than stellar reputation when it comes to the employment context: the GDPR is too generic adequately to cover the specificities of the employment relationship; it does not counter the informational and power asymmetry inherent in the employment relationship; and it fails to address the collective rights and interests of employees. Instead, the GDPR leaves these issues to be addressed at the Member State level. Through the opening clause under Article 88 GDPR, Member States can provide ‘more specific rules’ for data protection in the workplace through their regulatory choice (whether through legislation, collective bargaining agreements or a combination of both).