Consent is one of six of the European Union (EU) General Data Protection Regulation (GDPR) legal bases that can be used to justify the collection, handling or storage of personal data. For consent to be valid, it must be clearly distinguishable from other matters, intelligible (comprehensible) and in clear and plain language, freely given, as easy to withdraw as it was to provide, specific, informed and unambiguous.

In the employment space, consent is believed to be problematic. Several privacy experts actual or perceived imbalance of power between the employee/applicant and employer make it difficult to prove that the consent was freely given and therefore valid.

Employees should be confident that their refusal of consent will not have a negative impact on their current or future employment. For an employer to be confident in the use of consent as a legal base, consent should be limited to operations that are neutral for both parties, such as when offering nonmandatory perks that an employee may feel free to refuse or discontinue (corporate discount programs), birthday celebrations at the workplace, photos on the company’s public website or social media pages, etc.

Other conditions for valid consent are that it must be specific and clearly defined. Asking to consent to company policies, such as a code of conduct or acceptable use policy will fall foul of these requirements. By the same token, the employee consent cannot be part of the employment contract. Instead of asking for consent to internal policies, employers should ask for these to be acknowledged or accepted.

There are, however, some exceptions where consent may be suitable in the employment context, examples of which are described here.

Before employment starts

Most of the data collected from job candidates will leverage GDPR Article 6.1. (b) as the legal basis and in this instance, the interviewee’s consent is not necessary. In some EU jurisdictions, employment or labor legislations state exactly what type of data can be collected for employment purposes.

On a basic level, lawmakers will have to answer questions that are now commonplace in an age of almost constant surveillance.

For example: Can a trucking company track its drivers when they’re off the clock? 

Do bosses have to tell their employees who are currently working remotely, if or when they are screening their emails or Slack messages? Recording their phone calls? Taking video recordings via work-owned laptops?

And then there are the complicated logistical matters.

If companies can’t collect or store their workers’ data, does that interfere with other functions, like cybersecurity shields on their computer networks? 

In making sure they’re not storing personal data that their employees don’t want them to, do companies have to read workers’ personal emails so they know what to delete?

We’re all familiar with the disclaimer that we hear when speaking to a customer service department – that our call may be recorded or monitored for quality assurance.  As a customer, we may want a vendor to record calls in order to keep a record of our complaints.  But as employees, we may not want our employers listening to our calls or reading our emails.  So, can employees expect privacy in the workplace?  The answer, more often than not, is no.

Employers are permitted to search employees’ workspaces because the workspaces are owned by the employer.  This includes offices, desks and, if applicable, a company-owned car.

Employers also have the right to track and monitor employee’s use of company equipment.  The computer equipment and email system, like the workspace, belongs to the employer.   Employers are permitted to block employees’ internet access and limit the sites an employee can visit to those related to work.  Employers also are permitted to access employee’s emails, even personal ones that went through the employers’ computer system, although they might be required to have a valid business reason to do so.  Employers may also be permitted to track employees’ text messages on a company-owned phone. Employees should not have any expectation of privacy when they use company equipment to access the internet, social media or personal emails.

Employers should be aware that some states require employers to notify employees that they are tracking and monitoring employees’ internet use and emails.  And, there may be a need to get written consent.

Employers are also permitted to track and monitor employees’ business calls.  Federal law, however, restricts employers from monitoring their employees’ personal calls without permission.  This is the case even if the employee used a company phone.  Federal law also protects employees’ voicemail messages at work.

Employers are permitted to monitory employees by using surveillance cameras, with exceptions for locker rooms and bathrooms.

Finally, employers may require their employees to submit to drug testing, within limits set by state laws.

Employees generally should have no expectation of privacy with regard to actions taken related to work, or using work equipment.  Employers, however, would be prudent to establish policies expressly stating that such is the cases and how employee activities may be monitored, so there can be no question regarding what could be done.

Interestingly enough coming back to the United States, in the US, New York employers that monitor or intercept employee emails, internet usage, or telephone communications must provide written notice to those employees.

Recently, an amendment to the New York Civil Rights Act went into effect in May 2022 that will require private employers with places of business anywhere in the state to provide employees a written notice if the employer monitors or intercepts employee emails, internet access or usage, or telephone conversations. The written notice is required to communicate that “any and all telephone conversations or transmissions, electronic mail or transmissions, or internet access or usage by an employee by any electronic device or system . . . may be subject to monitoring at any and all times by any lawful means.”

In contrast, notice is not required for processes that are intended to manage the type or volume of incoming/outgoing e-mail, voicemail, or internet usage; that are not targeted to monitor or intercept the e-mail, voicemail, or internet usage of an employee; or that are performed solely for computer system maintenance and/or protection.

To comply with this law’s notice requirement, employers are obliged to maintain the written notice in electronic form and post the notice in a visible place where it is readily accessible for viewing by employees who fall within the scope. Covered employers must also obtain acknowledgment (either electronically or hard copy) of the written notice from new employees upon hiring; however, the law does not explicitly state that employers need to obtain acknowledgments from those already employed before the law’s effective date.

In conclusion, the law does not expressly grant employees a private right of action against covered employers who fail to comply with the notice requirement. However, the New York State Office of the Attorney General has authority to enforce the law. Employers who violate this law will be subject to a progressive fine schedule of $500 for the first offense; $1,000 for the second offense; and $3,000 for each offense thereafter. Remarkably, the New York law mirrors similar electronic monitoring laws that are already in effect in Delaware and Connecticut.