The Grand Chamber of the ECHR held that Spanish shop workers’ right to privacy under Article 8(1) of the ECHR was not violated when their employer obtained evidence of theft from covert CCTV footage of the employees.
employee privacy
Dutch DPA: Employers May Not Process Employee Health Data From Wearables
The Dutch Data Protection Authority (Autoriteit Persoonsgegevens, the “AP”) announced on March 8, 2016, that two companies agreed to stop processing employees’ personal health data after the AP initiated an investigation into the employers’ practices. The two companies provided their employees with wearable devices (or “wearables”), which allowed the companies to track their employees’ physical activity and sleep patterns. In addition to the two investigations, the AP issued guidance to employers emphasizing that employers are prohibited from engaging in these practice.
European Court of Human Rights: Private messages at work may be read by employers
On January 12, 2015, the European Court of Human Rights (ECHR) ruled that an employer in Romania did not breach its employee’s privacy rights by monitoring and reading the employee’s instant messages (Case of Barbulescu v. Romania; application no. 61496/08). Our Global Workplace Insider blog also reported on the decision.
NLRB asserts employers must bargain with unions on breach response
The U.S. National Labor Relations Board (NLRB) recently filed complaints against the United States Postal Service (USPS), alleging that the USPS violated the National Labor Relations Act (NLRA) by failing to collectively bargain with its employees’ union regarding the postal service’s response to a 2014 data breach that reportedly affected over 800,000 current and former postal employees. Specifically, in one of its complaints, the NLRB alleged that the postal service’s unilateral decision to provide credit monitoring and fraud insurance to affected employees without engaging in collective bargaining with the union on these issues violated Sections 8(a)(1) and (5) of the NLRA. These provisions of the NLRA mandate collective bargaining for any issue that relates to the “wages, hours, and other terms and conditions of employment.”
Employee privacy regulations on the agenda for Abu Dhabi Global Market
Omnibus data privacy laws are few and far between in the Middle East. None of the six states of the Gulf Co-Operation Council (GCC)—which comprises Saudi Arabia, Kuwait, Oman, Qatar, Bahrain and the United Arab Emirates—have issued national privacy legislation, although several have draft regulations under consideration.
By contrast, the financial “free zone” jurisdictions of Dubai International Financial Centre (DIFC) and Qatar Financial Centre (QFC) have both adopted European-style data protection regulations.
Abu Dhabi Global Market (ADGM) is the proposed new financial services free zone on Al Maryah Island in the UAE’s capital city of Abu Dhabi. Like DIFC and QFC, it will have independent courts of first instance and appeal to oversee the jurisdiction of the free zone.
Unlike its more established neighbours, though, ADGM has decided not to introduce general legislation regulating the handling and processing of personal data in the first wave of draft regulations issued for public consultation this month.
There are, however, proposals to place certain limited obligations on employers operating in ADGM in relation to personal data relating to their employees.