Crossroads of Labour Law and Data Protection

Is there privacy at work in the 21^st century? If there is, where is it?

These and other questions were debated on March 20, 2026 at the Department of Legal Studies of Bocconi University that hosted a seminar entitled Employee Privacy at the Crossroads of Labour Law and Data Protection. The origin of this seminar was the 2023 publication of Privacy@Work (in which all guests participated), with a focus on the current state of the subject matter. (That this seminar arose only 3 years after the publication speaks to the rapid pace of technology.) The seminar was led by Elena Gramano of Bocconi University who invited three guests: Frank Hendrickx, David Mangan, and Marta Otto. This post reflects the discussion in that seminar with some prospective remarks about the future of employee privacy at this crossroads. Below there are three questions taken from the seminar. David Mangan has started the discussion in each question to give some scope to the conversation. Each of the other three speakers follows with their own comments.

What is protected when discussing privacy at work?

The first question posed to the speakers was: At what point does managerial control become a privacy problem rather than simply an organisational feature of work? In other words, what exactly is the normative boundary we are trying to protect?

Managerial control becomes a privacy problem when it is an issue of degree of control. Technology extends the reach of the exercise of control. The question is what is the threshold at which this control creep goes too far in a democratic society? Put another way, is employment inherently illiberal, with privacy being one example?

In employment discussions, we can fall into patterns of looking at issues as binary (employer/employee; employee/self-employed). Privacy is not simply a matter of no control versus absolute control. Employers have some degree of control. This is the accepted implication of subordination. The issue is one of extent of control. Technologies have created a situation in which employers intermediate the exercise of privacy to an extent that exceeds what was previously possible.

The justification of this arrangement has been the hierarchy that characterises the employment relationship: “[T]he inevitable subordination of employee to employer”.1 The fact of an employment relationship validates the exertion of control of employers over employees. Nevertheless, the extent to which information technology has extended control and abetted subordination should elicit some level of surprise.

Part of the difficulty in discussing privacy (in general) is that a right to privacy remains something that is less definite. For this reason, the point here about the force of the employment relationship may be better understood when discussing speech. The starting point is that “employees owe their employer a duty of loyalty, reserve and discretion”.2  In Palomo Sánchez and Others v. Spain,3 the balancing of interests between employees’ free speech and their duty of loyalty was articulated by the European Court of Human Rights in this way: “even if the requirement to act in good faith in the context of an employment contract does not imply an absolute duty of loyalty towards the employer or a duty of discretion to the point of subjecting the worker to the employer’s interests, certain manifestations of the right to freedom of expression that may be legitimate in other contexts are not legitimate in that of labor relations.” Loyalty grounds employer discretion to investigate the extent to which loyalty has been observed through online platforms, thereby raising questions about workers’ privacy rights.

Frank Hendrickx

Let us remind the conceptualisation of the right to privacy by Warren and Brandeis in their famous article in the Harvard Law Review (1890): “the right to be let alone”. Now in the 21^st Century, this conceptualisation is not only still valid, but perhaps more interesting than ever. If we ask ourselves what is protected in relation to privacy, it is exactly this right of having human space, integrity, identity, self-control, informational control, self-definition. Interpreted in light of the concept of the employment relationship, implying authority, supervision and control of the employer, the meaning of the right to be let alone becomes very apparent. The question is whether we automatically allow to have privacy diminished, and reasonable expectations of privacy reduced, because of this specific context of the employment relationship. I tend to say no. The right to privacy is a human right, and its limitations, at least in a European human rights context, are subject to strict conditions. This should mean that not every starting point of the employment relationship, often known by labour law scholars as ‘subordination’, has to be taken for granted. One may even wonder, and this is rhetorically, whether subordination is still an appropriate context in light of this.

Elena Gramano

The difficulty in identifying the normative boundary of privacy at work lies in the fact that managerial control is not, in itself, abnormal within the employment relationship. Labour law has historically been built around the idea that the worker’s activity is, to some extent, organised and controlled by the employer. The real question, therefore, is not whether control exists, but rather what exactly employers are entitled to control in contemporary forms of work.

Traditionally, the physical workplace operated as a natural limit to managerial authority. Control was largely tied to the worker’s presence within the employer’s premises and, correspondingly, to a relatively identifiable working time. What digital technologies have progressively disrupted is precisely this spatial and temporal containment of managerial power. The issue is not simply that employers can monitor workers more intensively, but that control increasingly extends beyond the workplace itself and becomes detached from the worker’s physical presence.

In this sense, privacy at work is no longer only about protecting a secluded private sphere against intrusion, but it is increasingly about preserving a worker’s possibility of maintaining forms of privacy that are not entirely absorbed by the organisation. The problem emerges when managerial control ceases to concern the performance of work and begins instead to govern the worker’s person beyond the immediate execution of contractual obligations.

This is particularly visible in remote work and AI-driven management systems. Here, subordination no longer necessarily manifests itself through direct supervision in a specific place, but through diffuse forms of organisational control exercised via technologies.

For this reason, I believe the normative boundary we are trying to protect is ultimately not a rigid separation between work and private life but rather the existence of limits to the employer’s claim over the worker’s time and personhood. Privacy, in this context, becomes closely connected to the broader idea that the employment relationship cannot legitimately translate into the total functionalisation of the individual to organisational objectives.

Marta Otto

I would begin from a relatively straightforward proposition: managerial control becomes a privacy problem only when it ceases to remain limited, transparent, and clearly connected to a legitimate, task-related organisational function. Control has long been treated as a structurally necessary feature of the employment relationship precisely because it was traditionally understood to remain bounded in both scope and purpose.

The difficulty today is that the digitalisation of work is steadily destabilising those previously accepted boundaries. The contemporary workplace, shaped by rapid technological development, integrated digital infrastructures, and increasingly data-driven forms of organisation, has altered both the scale and nature of managerial oversight.

Viewed against the broader historical development of workplace surveillance, this transformation becomes easier to identify. In the phases described by Edwards, Martin, and Henderson4 as Surveillance 1.0 and 2.0, mechanisms of managerial oversight remained comparatively contained. Their function was relatively narrow: verifying physical presence, assessing performance, and documenting conduct through organisational records and observable managerial practices. Surveillance in this earlier form was generally episodic, visible, and linked to identifiable managerial objectives.

In the world of work 4.0 and 5.0 the architecture of managerial control is fundamentally transformed through networked infrastructures, integrated digital environments, and increasingly AI-driven systems. Oversight becomes continuous rather than episodic, distributed rather than dyadic, and thus increasingly opaque to the workers subjected to it. What emerges is therefore a qualitatively different model of labour governance, characterised by persistent data extraction, behavioural modelling, and algorithmic management.

The normative boundary that is at stake is therefore not merely a private sphere free from intrusion, but the integrity of the worker as a human subject. It is this boundary that prevents the employment relationship from reducing individuals to mere sources of data within a system governed solely by quantification and optimisation.

Workers as data subjects

The premise of the second question was that regulation of privacy at work involves discussing workers as data subjects. Does this nomenclature diminish workers as social subjects?

The General Data Protection Regulation (GDPR) uses the term “data subjects”. While it is not officially defined, the term seems to be defined in this Regulation as an “identified or identifiable natural person” (see GDPR, Article 4(1) “personal data”). There is an impersonal, detached tone to the term that betrays tension when applying technology to work: an impersonal term applied to a human domain.5 “Data subject” fits well with the idea that employees are interchangeable. The cumulative force of the technologies and the associated language effects a distancing and depersonalising of the individual suits commodification instead of humanisation.

Alluded to above, employment regulation operates on a premise that while the workforce are members of democratic society, the fact of being an employee justifies limitations of rights. Work relationships entail the relinquishing of personal privacy to an underdetermined extent.6 And so, employee is a status that may be separated from other identities the individual may have. Technologies, however, operate on the mixed identities of humans (prosumers, data subjects), thereby complicating the discussion. It may be asked whether labour law can meaningfully separate the “worker” from the “person”; or whether that distinction has become largely fictional?

“Data subject” recalls another term of digitalisation, “prosumers”.7 Prosumers are users of information technology who are simultaneously producers and consumers of data. People are prosumers in this context. Both terms demonstrate the duality within information technology and its terminology. The term “data subjects” encapsulates how workers today produce data not only through their work activity but also through their digital identities and online presence. This data can be collected and processed, with decisions resulting therefrom. “Data subject” and “prosumer” are understood as terms of production which speak to outputs of a person, but not necessarily of the person as an individual.

The person as individual is something that can be found in earlier European Court of Human Rights case law, particularly Niemietz v. Germany.8 Consider the following passage.

The Court does not consider it possible or necessary to attempt an exhaustive definition of the notion of "private life". However, it would be too restrictive to limit the notion to an "inner circle" in which the individual may live his own personal life as he chooses and to exclude therefrom entirely the outside world not encompassed within that circle. Respect for private life must also comprise to a certain degree the right to establish and develop relationships with other human beings.

There appears, furthermore, to be no reason of principle why this understanding of the notion of "private life" should be taken to exclude activities of a professional or business nature since it is, after all, in the course of their working lives that the majority of people have a significant, if not the greatest, opportunity of developing relationships with the outside world. This view is supported by the fact that, as was rightly pointed out by the Commission, it is not always possible to distinguish clearly which of an individual’s activities form part of his professional or business life and which do not. Thus, especially in the case of a person exercising a liberal profession, his work in that context may form part and parcel of his life to such a degree that it becomes impossible to know in what capacity he is acting at a given moment of time.

Arguably Niemietz is a challenging decision to explicate because it embraces a duality of development; that is, an individual develops within the work setting and outside of it. This passage is dug up from the ECtHR case law because it seems as though, at present, the developmental dimensions of technology at work have been muted in favour of the production facets. Whether an employee is a data subject or prosumer, she remains a person, and not in her entirety a means of production. 

Frank Hendrickx

The terminology ‘data subject’ bears potentially an element of reductionism and perhaps even discipline. Human persons are requalified with a nomenclature that fits a digital world. This may overlook the totality of the holistic beings that we all are. Nevertheless, the data subject is a legal notion granting rights in relation to data processing, and it is related to a ‘natural person’ in the GDPR. It implies that personhood is explicitly recognised. So perhaps we have to say ‘so far so good’. What matters more, in my view, are the rights and legal positions actually granted to ‘natural persons’. The GDPR only regulates one dimension, information (flows) related to individuals, not necessarily private information, but every information related to an identified or identifiable person. Since the rise of data protection law in the 1990s, this is an important step and a very broad concept for protection. It is also the reason why the GDPR and its predecessor, the former 1995 EU data protection directive, have had so much impact on the employment relationship. The GDPR gives rather interesting, even powerful notions, such as for example data minimisation. If we would consider this as a proportionality principle, which it of course includes, then it accommodates human rights protection mechanisms. But ‘minimisation’ also looks at a more proactive meaning, or a ‘moderating’ principle, for data processing. It gives a new perspective on monitoring and control at work in comparison with, for example, an overall proportionality test in human rights law, which can evolve into a broader balance test of reasonableness or a means-end test. Data minimisation is, in my view, a significant concept under the GDPR for worker protection. I believe we should recognise that workers are data subjects, just ‘not merely’ data subjects. At the same time, one may wonder how far the social dimension of subjectivism is recognised through this lens. Here lies exactly a task for privacy law and labour law, which both give additional value to this GDPR context, in bringing the social context of human relations into the picture of data processing rights. The Niemietz-case fits with that. It recognises work as an aspect of privacy, a dimension of life which involves human relations that deserve authentic development and protection.

Elena Gramano

I think the expression “data subject” reveals an important ambiguity in the way contemporary regulation approaches workers. On the one hand, the GDPR undoubtedly represents a significant advancement because it recognises workers as holders of rights in relation to the processing of their personal data. In this sense, the category of “data subject” has an emancipatory dimension: it gives workers legal tools to challenge opacity, disproportionate monitoring, and uncontrolled data extraction.

At the same time, however, there is a risk that this language subtly reframes the worker primarily through the lens of data processing. The employment relationship risks being understood less as a social relationship characterised by economic dependency and asymmetries of power, and more as a relationship between formally equal actors exchanging information and consent. This is problematic because the workplace is not a neutral environment in which individuals freely negotiate the terms under which their data is collected and processed. What concerns me is that the language of data protection tends to individualise problems that are in reality deeply collective and structural. The worker is treated as an isolated rights-holder capable of exercising control over their personal data through transparency, information, or consent mechanisms.

On the contrary, what is really at stake is broader than privacy in a narrow sense: it concerns the preservation of spaces of autonomy that remain essential to human dignity within the employment relationship. This is also why I believe that labour law and data protection law should not be seen as alternative regulatory frameworks, but as necessarily complementary. Data protection offers important tools for limiting and governing information processing, but labour law remains indispensable because it addresses the collective and relational dimensions of power that the language of individual data rights alone cannot fully capture.

Marta Otto

The principal difficulty with the prevailing terminology is that it tends to shift attention away from the worker as a social and economically dependent subject, towards an atomised conception of the worker as an autonomous and active individual data rights-holder.

Yet the evolving algorithmic and AI-driven systems of data processing operate simultaneously along both vertical and horizontal dimensions.9 On the one hand, they directly monitor individual workers through personalised systems of tracking, evaluation, and behavioural assessment. On the other, they aggregate and compare collective datasets in order to generate behavioural benchmarks, productivity norms, and predictive risk indicators. In practice, the data generated by one worker may shape algorithmic assumptions subsequently applied to others.

In practice, many of the risks generated by contemporary data processing operations at work are thus collective in nature, affecting not only personal privacy, but also collective ‘expectations of privacy’, organisational power relations, and the capacity of workers to negotiate working conditions. It is precisely for this reason that the harms generated by workers’ surveillance, as a growing body of research demonstrates, cannot be adequately addressed solely through mechanisms grounded in individual data rights.

What is increasingly required are governance structures capable of incorporating collective rights and enforceable mechanisms of redress. Existing regulatory models remain poorly equipped to address this challenge. In particular, they lack meaningful structures of digital co-determination through which workers may exercise genuine decision-making power over systems that directly shape their working conditions and their ‘reasonable expectations of privacy’.

Equally problematic is the absence of effective forms of collective recourse. Current frameworks rarely provide workers representatives with binding oversight powers capable of collectively challenging unfair, discriminatory, or opaque systems of algorithmic and AI governance. 10As a result, the asymmetries of power generated by digital management systems remain largely intact, even where formal individual rights exist.

AI and control at work

The final question focuses on artificial intelligence. The question posed was: Does AI change the nature of control in the workplace, or does it make existing forms of managerial power more scalable and less visible?

AI in work is not a singular topic. There is the use of AI within work. Here, there may be employer-subscribed AI systems such as Harvey (Open AI), CoCounsel (Thompson Reuters), Lexis+ with Protégé, Clio Work. Alternatively, employees may use their own AI system subscriptions. (There are further issues here, such as what is permissible according to the employment contract, that extend beyond this post.)

The focus, here, is on the intrusion of AI as it relates to privacy at work. Workplace surveillance has not arisen recently because of AI. And yet, present day monitoring is increasingly embedded in automated decision-making systems. In the early 21^st century, there has been a change. Surveillance has moved from being of the workplace, to being of the workforce. The distinction is between the orthodox fixed location of work and the broad capture area of 21^st century surveillance technologies. Digitalisation of work has not only extended the scope of the managerial gaze, but it has also expanded the type of information collected.

The Digital Omnibus Bill adds a new element to this discussion because it allows for an exception for AI development. Adding to the considerations, the Bill inserts this exception into the amendments to Article 88 of the GDPR.

The recently proposed Article 88c permits processing of personal data where it “is necessary for the interests of the controller in the context of the development and operation of an AI system as defined in Article 3, point (1), of Regulation (EU) 2024/1689 or an AI model, such processing may be pursued for legitimate interests within the meaning of Article 6(1)(f) of Regulation (EU) 2016/679)”. The proposal would recognize AI development and operation as a potentially legitimate interest under Article 6(1)(f), thereby lowering the threshold for reliance on that legal basis compared to the original framework. Such processing is subject to “safeguards for the rights and freedoms of the data subject”.

Considering the employment setting implications with regards to speech and privacy, there remain questions:

·      Could this suggested provision be used to train an AI system used by an employer (deployer in AI Act terms) regarding, for example, speech of employees?

·      What protections would be in place to ensure freedom of expression and privacy?

·      Does the proposed Article 88c interact with the Digital Omnibus on AI, particularly the introduction of Article 4a of the AI Act, which permits the processing of special categories of personal data (such as racial or ethnic origin, political opinions, religious beliefs, trade union membership) for bias detection and correction, in a manner that could enable the training of AI systems on highly sensitive employee data?

Frank Hendrickx

As I argued before under a “privacy 4.0.” approach (I know Marta Otto is already at stage 5.0!), artificial intelligence significantly modifies the issue of technological control. It brings in another layer, connected with a human-centred concern and generally the role of humans in work relations. The right to privacy fits with a human-in-command approach, and both research and policy makers, as already shown by the ILO Commission on the Future of Work, confirm the link between privacy, AI and algorithmic accountability in the world of work. Artificial intelligence systems are often called ‘black boxes’, complex systems that remain difficult to grasp and are opaque. One of the solutions for this could be to make sure that both employers and workers understand, and are able to explain, how intelligent machines use data or prepare decisions. This issue of transparency, which is problematic, may be solved in the future. Maybe AI-tools themselves will be able to explain what exactly they are doing. However, the issue of human intervention, humans in command, is difficult to solve without involving real humans and making sure they are in command. And this looks to be key: how do we define ‘to be in command’. Control cannot mean just pushing a button and taking a screen shot of an AI driven evaluation of workers. Just as we would agree under more classic technological monitoring, such as using CCTV surveillance, humans have decided to install it, have communicated about it, and control the operation and the results. That seemed a logical part of the use of this technology, and the expectation of the legislator or the courts over this technology seemed almost logical. Smart systems, algorithmic programmes, or intelligent robots, as mechanical creatures, can function autonomously, organise work, define needs and pace, make improvements, define and implement evaluations and assessment criteria. In this context, I am less concerned with the legitimisation threshold, but rather with how “safeguards for the rights and freedoms of the data subject” are to be read. It should at least entail a human-in-command approach at significant stages of performing worker and employer functions in the employment relationship. We are back to the Niemietz-discussion with which this debate was opened above. It is in working life, following this case, that individuals have the “opportunity of developing relationships”. We know that, over time, the European Human Rights Court accepted privacy as the right to develop one’s social identity. This right to privacy perspective recognises the right to develop human relations, the right to human interaction, also in the work environment.

It brings me to the part of the question that is related to speech. The role of AI in work and the influence by employers on people’s free speech share the fear of total control over all aspects of life, a context of permanent supervision where work and non-work life are continuously blurred and where the employer’s authority is ‘always on’. I would think that this is, indeed, a ‘legitimation’- or ‘justification’-question, as implied in the question. However, the legitimacy question still would need to be complemented with necessity, proportionality and minimisation requirements, as they appear under the GDPR. This is nevertheless an example of why the human rights background of the right to privacy, and the freedom of expression, is important. This would not only guarantee free speech, but also an autonomous space for individuals, a right to be let alone.

Elena Gramano

I believe AI does more than simply intensify existing forms of managerial control, but it changes their nature by making control less detached from direct human supervision. Traditional managerial authority was typically exercised through identifiable individuals and concrete organisational acts. On the contrary, AI systems embed managerial power into automated processes that continuously direct workers’ behaviour.

What particularly concerns me is that these systems tend to normalise a form of control that is both permanent and predictive. Workers are no longer monitored only for what they do, but increasingly evaluated for what they might do, and how they can conform to algorithmically generated directives.

In this context, transparency alone is not sufficient. Even when workers are informed that AI systems are being used, the actual capacity to understand or negotiate these systems often remains limited. This is why the discussion cannot be reduced to a question of technical compliance under the GDPR or the AI Act.

At a deeper level, the issue concerns the risk that managerial authority becomes increasingly automated, while responsibility becomes increasingly difficult to identify. The more control is exercised through opaque technological systems, the more difficult it becomes to preserve meaningful human autonomy and accountability within the employment relationship.

Marta Otto

AI does not merely scale supervision – it transforms it, making control anticipatory, dispersed, and networked across both individual and group levels, extending well beyond the traditional dyadic relationship between manager and worker. AI-driven and algorithmically mediated systems introduce a mode of control that is continuous, predictive, and distributed across technical infrastructures operating in real time, often with limited human legibility at the point where decisions are effectively produced.

This transformation is increasingly mirrored in emerging regulatory trajectories. In this regard, the proposed amendments in the Digital Omnibus Bill concerning Article 22 of the GDPR are particularly significant, as they recalibrate its original protective architecture on automated decision-making. The shift from a quasi-prohibitive model towards a more conditional, permission-based framework effectively weakens the original assumption that automated decision-making should remain exceptional rather than routine. In parallel, the removal of the requirement that such processing be “necessary” for the performance of a contract further lowers the threshold for lawful deployment.

The practical consequence of removing the necessity requirement is a subtle but important reconfiguration of control. Automated decision-making becomes less a legally constrained exception and more a matter of managerial discretion. In this setting, the right to human intervention risks being displaced in practice into a largely procedural, ex post safeguard. Human involvement may still formally exist, but only after automated systems have already produced the relevant outcome. As a result, oversight shifts away from meaningful participation in decision-making towards post hocexplanation – contrary to the protective intent of the current regulatory framework.

Taken together, these changes signal a broader shift in regulatory optics: from treating automated decision-making as a practice requiring justification and constraint, towards normalising it as a standard organisational tool.

References

• 1P.L. Davies and M.R. Freedland, Labour Legislation and Public Policy: A Contemporary History(Oxford: Clarendon Press, 1993), 24.
• 2Guja v. Moldova (App no 14277/04), para. 70.
• 3Palomo Sánchez and Others v. Spain(Applications nos. 28955/06, 28957/06, 28959/06 and 28964/06), para. 76.
• 4L. Edwards, L. Martin and T. Henderson, ‘Employee Surveillance: The Road to Surveillance is Paved with Good Intentions’ (August 18, 2018), http://dx.doi.org/10.2139/ssrn.3234382.
• 5In calling work a human domain, reference is being made to one of the founding principles of the International Labour Organization, “labour is not a commodity”. This is found in Part 13 of the Treaty of Versailles (1919) and was reaffirmed by the Declaration of Philadelphia (1944).
• 6F. Hendrickx and A.Van Bever, “Article 8 ECHR: Judicial Patterns of Employment Privacy Protection” in F. Dorssemont, K Lörcher, I. Schömann (eds), The European Convention on Human Rights and the Employment Relation(Hart Publishing, 2013, 183-208), 185.
• 7Prosumer is a term originating with Alvin Toffler: A. Daly, Private Power, Online Information Flows and EU Law: Mind the Gap (Hart, 2016), 16.
• 8Niemietz v. Germany (16 December 1992), Series A no. 251-B.
• 9S. Viljoen, ‘A Relational Theory of Data Governance’ (2021) Yale Law Journal 131/2, 573-653.
• 10G. Gaudio, J. Nogarede, Worker data rights under GDPR and beyond : enforcement and legal mobilisation across the EU, Friedrich-Ebert-Stiftung (FES), 2025, https://collections.fes.de/publikationen/content/titleinfo/1954711