The Need for Employee-specific Data Protection Law: Potential Lessons from Germany for the EU
1. Data Protection at Work
It has long been recognised that personal data processing in the employment context has distinct challenges that require special regulatory treatment. As early as 1999, Spiros Simitis and Mark Freedland, writing independently, reached the same conclusion (see here and here): that the omnibus rules of the now repealed Directive 95/46/EC were not fit for the particular requirements of the employment sector. A specific European directive on the protection of employees’ data was needed. Two decades on, little meaningful progress has been achieved at the policy level. Multiple attempts to introduce employment-specific data protection law at the Union level failed due to a combination of legal, political, and constitutional reasons.
While its fundamental objective is to harmonise data protection rules throughout the EU, the GDPR has a less than stellar reputation when it comes to the employment context: the GDPR is too generic to adequately cover the specificities of the employment relationship; it does not counter the informational and power asymmetry inherent in the employment relationship; and it fails to address the collective rights and interests of employees. Instead, the GDPR leaves these issues to be addressed at the Member State level. Through the opening clause under Article 88 GDPR, Member States can provide ‘more specific rules’ for data protection in the workplace through their regulatory choice (whether through legislation, collective bargaining agreements or a combination of both).
Germany is one of the Member States which has enacted national legislation utilising Article 88 GDPR. Within the German national data protection law implementing the GDPR, the German legislator used the opening clause under Article 88 to provide for data protection rules exclusively applicable in the workplace. However, whether these provisions comply with the requirements set forth in Article 88 GDPR has now been questioned before a national court (see further below). As a result, significant political momentum has developed in Germany for developing new, freestanding workplace data protection legislation. The remainder of this blog post highlights the developments in Germany, articulates the requirements set forth by Article 88 GDPR, and draws lessons for other EU Member States regarding the regulation of workplace data processing.
2. Key developments in Germany
Germany has led the charge in providing more specific rules utilising Article 88 GDPR. Section 26 of the Federal Data Protection Act (BDSG) lays down, inter alia, specific purposes for processing employee data, strict rules on obtaining consent, and conditions for processing sensitive employee data. Furthermore, the legislator reserves the right to address questions of data protection in the employment relationship within this provision or within the framework of a separate law. However, Section 26 BDSG is insufficient and has been widely criticised for its lack of clarity and concretisation, among other things. This has given rise to repeated calls for specific data protection rules that exclusively apply to employment and several initiatives are emerging to that end. Key recent developments include:
- On 20 January 2021, the Administrative Court of Wiesbaden asked the CJEU for a preliminary ruling on whether and to what extent Section 23 of the Law of Land Hessen on the protection of data and freedom of information (HDSIG), which corresponds to Section 26 BDSG, provides ‘more specific rules’ within the meaning of Article 88 GDPR. The referring court is of the opinion that the national legislation does not meet the substantive requirements of Article 88(2) GDPR, which requires that Member State rules ‘shall include suitable and specific measures to safeguard the data subject’s human dignity, legitimate interests and fundamental rights, with particular regard to the transparency of processing (…) and monitoring systems at the workplace.’ Specifically, the referring court is of the opinion that the HDSIG provides no ‘suitable and specific safeguards’ with respect to employee data processing. The referring court further argues that the HDSIG does not provide ‘more specific rules’ for workplace data processing within the meaning of Article 88(1) GDPR; instead, it merely repeats the general rules for personal data processing already set forth in the GDPR.
This case is still pending and will be the first ruling of the CJEU relating to Article 88 GDPR. The ruling will determine how the requirements of Article 88 GDPR should be interpreted and transposed into national laws across the EU. In addition to guiding future Member State laws based on Article 88 GDPR, it may have implications for existing Member State laws: although several Member States have created rules regulating workplace data processing, it is not clear whether these rules comply with the requirements set forth in Article 88. The CJEU’s forthcoming ruling may therefore call into question the value of existing national workplace data processing provisions, as many of them, like the HDSIG, simply cross-refer to the GDPR without fleshing out ‘more specific rules’.
- The German governing coalition agreed that creating a distinct employee data protection act would be a priority of the coalition during its governing term, with an emphasis on legal clarity and effective employee data protection (Coalition agreement 17).
- The Federal Ministry of Labour and Social Affairs established an interdisciplinary council to examine whether stand-alone legislation should be enacted on employee data protection. On 17 January 2022, the council released its detailed final report, concluding that a separate law on the protection of employee data is necessary within the framework of the possibility opened up by Article 88 GDPR.
- The German Trade Union Confederation (DGB) published in February 2022 a draft Employee Data Protection Act. The draft addresses several issues including the use of AI systems, behavioural or performance monitoring, and video surveillance.
- On 4 May 2022, the German Conference of the Federal and State Data Protection Authorities (DSK) published a call for the creation of an Employee Data Protection Act. The DSK issued a resolution declaring unambiguously their view on the timing for an Employee Data Protection Act: “”
- On 22 September 2022, Advocate General Campos Sánchez-Bordona delivered his Opinion on Case C‑34/21 (the preliminary reference made by the Administrative Court of Wiesbaden which is outlined above), agreeing with the referring court that paragraph 23 of the HDSIG does not meet the requirements set out in Article 88 GDPR. ‘Article 88 of the GDPR cannot provide a basis for Paragraph 23 of the HDSIG,’ he wrote, ‘first, because it does not lay down more specific rules [than the GDPR], and, second, because it simply repeats the general protections laid down in Article 5 of the GDPR’ (para 75).
3. Lessons for other Member States
Considering the widespread agreement on the need for specific legislation and some of the practical steps already undertaken, it seems quite clear that we can expect a German law on employee data protection in the next few years. This is a welcome step in the right direction and could open the opportunity for other Member States to follow suit. Although Article 88 GDPR allows Member States to provide more specific rules on employee data protection, a closer review of national laws reveals that most Member States have not availed themselves of the opportunity to do so. Instead, employee personal data is regulated by a patchwork of provisions scattered in various pieces of legislation. Finland stands out among the 27 Member States by adopting a comprehensive (at least, in form) and freestanding set of data protection rules that apply exclusively to employment relations.
However, adopting employee-specific data protection legislation in and of itself does not guarantee adequate protection for workers. The key lesson that can be drawn from the German case is that while Member States have a wide discretion to determine the specific rules regulating the processing of workers’ personal data, they are not completely free to do so. Article 88(2) GDPR sets out specific substantive requirements that must be met in domestic laws, namely, as discussed above, that Member States include ‘suitable and specific’ protections specific to the workplace context.
Therefore, as AG Campos Sánchez-Bordona made clear in his Opinion, Member State laws must concretise and flesh out these ‘specific’ measures. It is also important to note that the GDPR provides a minimum threshold, which means that Article 88-based law cannot go below the minimum requirements. Member States can either stick to the minimum requirements of the GDPR or provide stricter and more protective provisions for workers (paras 64-75).
4. Some critical issues to watch for
In drafting specific regulations for workplace data processing, Member States can aim to address at least two categories of issues, neither of which has been addressed in existing Member State laws based on Article 88 GDPR. The first category concerns longstanding deficiencies in EU data protection law relating to the specific characteristics of the workplace context. The second concerns relatively new data processing practices commonly referred to as ‘algorithmic management.’
1) Address issues that do not have an adequate or explicit answer in the GDPR
As highlighted earlier, the GDPR is not sufficient to address the distinct features of employee data processing. Any Article 88-based legislation should identify and adequately address employment-specific issues. Specifically, the laws should seek to:
(1) create collective rights for employees;
(2) counteract the information asymmetry between employees and employers by prohibiting the collection of certain kinds of data, or collection of data for particular purposes, and creating expanded rights of data access for employees; and
(3) prohibit or very severely limit the reliance on consent as a legal basis for employee personal data processing.
2) Address harms arising from algorithmic management
The increasing deployment of algorithmic management systems in the workplace exacerbates the information and power asymmetry between employees and employers and gives rise to the loss of human autonomy. Introducing an employee-specific data protection law is a great opportunity to address these risks and establish worker rights and employer responsibilities around the use of algorithmic management. In addition to countering information and power asymmetry, an employee data protection law aiming to address algorithmic management must therefore restore human agency in management decision-making.
There are different ways to achieve this, including the prohibition of the full automation of certain ‘high stakes’ decisions with potentially significant adverse consequences on employees such as automated termination of employment. In situations where automated decision-making is allowed, new laws should establish clear rights and obligations, including clear standards for ‘meaningful human involvement’ in the entire lifecycle of decision-making systems. This should include rights to contest decisions, rights to human review of automated decisions, obligations to publish impact assessments, and information and consultation rights. While the GDPR provides some of these rights and obligations, an employee data protection law can clarify and concretise them in the specific context of employment.
As a starting point, once the proposed Platform Work Directive is adopted, Member States should transpose and expand its strong protections with regard to algorithmic management to employment contexts beyond digital labour platforms. Chapter III of this proposed Directive focuses specifically on algorithmic management; however, its provisions only apply to ‘platform workers’ and ‘persons performing platform work,’ and not to all employees. Therefore, when transposing the Platform Work Directive, Member State law could include provisions explicitly extending the rights and obligations created in Chapter III to all employees and employers, regardless of whether the employees are platform workers and regardless of whether the employer is a digital labour platform.
There is no doubt that employee data processing warrants specific regulation: the GDPR is too generic to adequately address the specificities of personal data processing in the employment context. The opportunity created under Article 88 GDPR remains underutilised. However, when making use of it, Member States must be sure to comply with the requirements it sets forth: namely, they must ensure that Article 88-based laws create ‘more specific rules’ rather than merely repeating requirements already established by the GDPR. In doing so, they can address both the longstanding deficiencies of EU data protection law with respect to the workplace – especially the lack of collective rights – and the new challenges posed by the rapid growth of algorithmic management. We can expect that the first development in the exciting ‘next chapter’ of workplace data protection law will unfold in Germany, with a new freestanding law based on Article 88 GDPR.
This blog is part of the project ‘iManage – Rethinking Employment Law for a World of Algorithmic Management,’ funded by the European Research Council (ERC) under the European Union’s Horizon 2020 research and innovation programme (grant agreement no. 947806).