Faculty of law blogs / UNIVERSITY OF OXFORD

The GDPR and Privacy in the Workplace



One of the success stories of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (the GDPR) is the harmonized, consistent, and comprehensive regulation of personal data processing. In the employment context, however, the GDPR falls short in fulfilling this promise. Data protection rules in the employment context are far from harmonized, consistent, and comprehensive. This fragmentation emanates from the GDPR itself as it leaves the issue of employee data protection to be addressed at the Member State level.

According to Article 88 of the GDPR, Member States may, by law or by collective agreements, provide for more specific rules to ensure the protection of the rights and freedoms in respect of the processing of employees’ personal data in the employment context. By giving the Member States a wide discretion to determine the specific rules regulating workers’ personal data processing, Article 88 does three things:

  1. Recognises that data processing in the context of the employment relationship has distinct features that cannot adequately be addressed by an omnibus data protection regime, and hence the need for ‘more specific rules’
  2. Explicitly identifies collective agreements as alternative instruments in which such rules might be articulated
  3. Recognises for the first time the collective rights and benefits of employees, which were once treated exclusively under the realm of labour law, as data protection issues

The logical outcome of this opening clause is that workers’ personal data would be regulated by a patchwork of divergent legislative and quasi-legislative instruments across the 27 Member States. However, how and to what extent the Member States utilise this opening clause remains unclear. When asked in 2018 whether there was ‘a danger of European data protection law becoming fragmented as a result of the piecemeal use of the opening clauses in the GDPR’, the Commission suggested that it was ‘launching a study to evaluate the use of some of the specification clauses by Member States’. To date, no such report has been released.

My recent paper published in International Data Privacy Law fills this gap by systematically mapping how the Member States have utilized the permissive clause in Article 88(1), examining the extent to which national regulatory instruments provide suitable and specific safeguards within the meaning of the conditional clause in Article 88(2).

The paper argues that while the compromise has delivered on some of its promises in promoting diverse and innovative regulatory approaches, it also runs counter to the fundamental objectives of the GDPR itself by creating further fragmentation, legal uncertainty, and inconsistent implementation, interpretation, and enforcement of data protection rules.


Halefom Abraha is a Postdoctoral Researcher at the Bonavero Institute of Human Rights, University of Oxford.

