See Part 1 of this blog here: Over Four Decades of Data Protection: Unexplored History with Valuable Insights for the Future – Part 1 | OHRH
Significant Gaps in Current Law
The regulatory approaches of the US, Australia, and the EU offer unique insights and shared commonalities, effectively illustrating the gaps in existing laws concerning the regulation of workers’ data.
The US lacks a comprehensive federal privacy framework, instead relying on a patchwork of sectoral legislation. The privacy legal landscape in the US has been rapidly evolving in recent years. From 2023 to 2024 alone, more than six dozen federal privacy bills were introduced, most of which are sector-specific. The latest federal legislative effort is the ‘American Privacy Rights Act’ of 2024, a comprehensive bill which aims to afford Americans fundamental data privacy rights and eliminate the patchwork of state laws. However, even if adopted (an outcome which remains highly unlikely), the bill explicitly excludes ‘employee data’ from its scope. The US state privacy law landscape has also been evolving rapidly. Between 2018 and 2024 alone, nineteen US states have adopted comprehensive privacy laws, with more likely to follow. These comprehensive state privacy laws vary in their approaches, details, scope, and the matters they regulate. However, they share one commonality: with the exception of the California Consumer Privacy Act, all these laws explicitly exclude the processing of workers’ personal data from their scope of application.
We observe a similar pattern in Australia. Australia’s approach to workers’ data protection is complex, involving federal, State and Territory legislation with significant differences between public and private sector employees. The Privacy Act 1988, initially applicable only to government agencies and extended to the private sector in 2000, is the primary federal privacy legislation. However, private sector employees, comprising 84% of Australians in 2007, are not afforded the same rights and protections due to an exemption in the Privacy Act. This exemption means that private sector employers are not obliged to grant workers access to their personal data, can process it without consent, and are not accountable under the Privacy Act’s data breach notification scheme. Despite several inquiries and a comprehensive reform process, including a recommendation in the 2023 Privacy Act Review Report to extend enhanced protection to private sector employees, the reform bill introduced in September 2024 retained the exemption. Consequently, private sector employees are left without the rights and protections afforded to their public sector counterparts. This differential treatment remains a significant gap in Australian privacy law. The European Commission, criticising the employee data exemption rule, pointed out that the level of risk to individuals’ privacy rights depends on the nature, scale, and type of data processed rather than the size or type of the organisation handling it; thus, comprehensive data protection law should apply to all data processing activities.
The EU’s GDPR applies fully to the employment context in both the private and public sectors, unlike its US and Australian counterparts. In fact, it has been crucial in challenging some of the most harmful workplace monitoring and algorithmic management practices. However, the GDPR has significant structural deficits in protecting workers’ data rights. Although it remains relevant to employment, the GDPR wasn’t designed with the unique features of labour relations in mind. It assumed that employment-related data processing would be regulated by separate rules. When recently asked if there was anything he regretted about the GDPR text in retrospect, Jan Philipp Albrecht, the rapporteur for the GDPR at the time, identified ‘employment’ as an area not fully regulated by the GDPR. The GDPR acknowledges the special nature of personal data processing in the employment context and grants Member States regulatory leeway under Article 88 to introduce more specific rules. However, research and court cases (CJEU, Case C-34/21 and national court, 1 ABR 14/22) show that Article 88 remains underutilised, or improperly used.
The lack of adequate protection of workers’ data rights under GDPR, US, and Australian privacy laws is attributed to different factors. The EU’s complex constitutional powers and diverse industrial relations traditions make harmonising workplace data protection challenging. Australia considers workers’ data rights a workplace relations (labour law) matter, while the US exemptions are often attributed to lobbying efforts. Consequently, workers’ data rights lack comprehensive protection under these jurisdictions’ omnibus data protection/privacy laws. Instead, a patchwork of Union/federal and state laws offers limited protections, some tailored to the employment context but limited in scope and the matters they regulate. For instance, at least 22 EU Member States have specific provisions (scattered in different legislation) regulating employee monitoring and surveillance to a limited extent. Similar fragmentation exists in the US and Australian laws. Labour legislation and collective agreements sometimes provide direct, indirect, or incidental protections. However, the overall protection of workers’ data rights in these jurisdictions remains inadequate, patchy, inconsistent, complex, and multi-layered, making it difficult to navigate.
This state of affairs highlights the need for standalone legislation specifically and comprehensively targeted at protecting personal data used for employment purposes and regulating employers’ workplace surveillance and algorithmic management practices.
See Part 3 of this blog here: Over Four Decades of Data Protection: Unexplored History with Valuable Insights for the Future – Part 3 | OHRH