• The pandemic saw a steep increase in the accumulation of workplace data.
• Most workers are poorly protected with respect to data access and portability under current regulatory regimes.
• Data portability is particularly pressing for platform workers.
A lot of data is collected on the job. Yet the workplace is not currently at the forefront of data governance. Data rights, collection, access and sharing issues remain unresolved, affecting the privacy of workers, their career mobility and job quality. The same goes for the need to enforce collective data rights since, according to global philanthropic organization Luminate, “regulators continue to focus on protecting individuals or, at best, protected classes like people of particular genders, ages, ethnicities or sexual orientations”. While this is extremely important, it is not enough to enable true agency for data subjects and producers.
The COVID-19 pandemic opened up new on-the-job data sources via the collection of health data and teleworking. Data from Gartner shows that the number of workers using online collaboration tools doubled to 80% from 2019 to 2021.
Typically, workforce data is gathered during recruitment and on the job (via communication tools, human-machine interfaces, sensors, etc.). The French data protection regulator CNIL lists standard ways employers collect and process human-resource data including: (1) recruitment; (2) employee administration; (3) compensation management and administrative formalities; (4) provision of professional tools; (5) work organization; (6) career and mobility management; (7) training; (8) compulsory records and management of relations with employee representatives; (9) internal communications; (10) social benefits; and (11) auditing and (pre)litigation management.
This data pertaining to the worker generates value for the employer (either by enhancing productivity or by monetizing derived information). In an ideal world, such gains should be distributed through higher wages or adjustments in working time. But in the real one, the agency of workers is limited by technological complexity and lack of transparency, but also by missing pathways to claim their individual and collective data rights.
The workplace data imbalance
Current legal frameworks limit the agency of individuals, including workers, with regard to data. It is difficult not to provide consent if you enter a recruitment process, start a new job or are asked to agree to new processes at your current place of work (if you are indeed informed of those). Unless trade unions are able to negotiate collective agreements or workers’ representatives are able to intervene at firm level, individuals are left on their own.
The European Social Partners Framework Agreement on Digitalisation (2020), for example, foresees that workers’ representatives are able to engage on matters regarding consent, privacy protection and surveillance guided by the General Data Protection Regulation (GDPR). However, the GDPR (and the DPA) only concern access to personal data. This is limiting, as inferred and observed data – both heavily collected at the workplace – do not fall under this definition. The legal base is also blurry concerning “sensitive data” that includes a data subject’s racial or ethnic origin, political opinions, religious beliefs, trade union membership, health, sexual orientation and genetic or biometric data. Employers can use such data in the realms of the employment contract and for their legitimate interests (that may include intellectual property rights) without many restrictions.
Under these circumstances, the balance of power tilts towards the employer – who with more information at hand can modify remuneration and working arrangements, or make firing decisions. In August, Xsolla (a Russian e-payment company) laid off 150 employees based on insights from big data analytics. According to the Guardian, home care workers in the US state of Arkansas have not received their full wages due to glitches in electronic visit verification (EVV) via the AuthentiCare app. The app tracks daily work output, physical location and hours. It stems from legislation “requiring that EVV be implemented to manage all in-home personal care services paid for by Medicaid”.
If workers, their unions and worker representatives are not sufficiently informed and consulted over such data use, and cannot negotiate collective terms, it affects employment security, wages (since the data value is not disclosed or shared) and, importantly, the ability to switch jobs – if data portability is only limited to one-off personal data transfers.
Platform worker lock-in
Workers should be able to control their online reputation (work history) and make use of data portability rights on an instant and regular (if not continuous) basis. If they can’t, this could be considered an anti-competitive non-poaching practice. Enforcement of proper data portability rights is particularly important for platform workers. Their performance is being rated and reviewed, resulting in what is basically an online CV. If workers are not able to access and use it, they are tied to a unique platform. As the OECD writes: “Personal ratings are usually lost when switching platforms. Given that platforms de facto favour workers with good ratings, the loss of individual ratings represents a strong barrier to worker mobility, and may limit competition for workers across online platforms.”
This data might also become an important base for social protection, pension and training rights. In the absence of enforcement of data portability rights and of data transparency, workers are faced with a choice: staying on one platform to build up their reputational profile or switching to other platforms to seek better working conditions or higher pay. Yet, it is hard for clients on multiple platforms with disparate (non-portable) profiles to compete with those workers who stay on the same platform. Hence, there is a lock-in effect. Some existing legislation, such as the GDPR, covers casual workers, agency workers and other independent contractors with the same rights as all data subjects, including data portability. Yet, as discussed above, the consent and access parameters do not meet real-life needs conducive to job mobility.
What needs to change
The current system is limited to certain types of data, provides one-off consent as a legal basis for portability and does not fully apply to workplace challenges. It thus limits data rights for workers in terms of content, recourse and control over data processing and sharing. More tailored data policy could allow workers and their representatives (unions) to claim access to and information on the use of data sets.
An update of regulations paired with sector-specific guidance is needed. It could focus on specific groups (consumers, workers) and allow for a greater agency of data subjects and producers by expanding coverage to all relevant data types as well as the scope of transfers (e.g. on a continuous basis). For this, some framework conditions should be considered including:
• Creating industry standards for data transfers (including their formats), followed by an obligation for data holders to ensure that they are met (for now, they can refuse a request if it is not technically possible) including via trustworthy data management systems and interoperability solutions.
• Lowering transaction costs for data subjects by allowing for collective data rights (intermediaries claiming access), leaner approaches to transparency and simpler consent mechanisms.
Data circulates fast and in novel formats, on new platforms and via more and more complex systems. So, while no one can keep up with that, the workplace issue is so evident that it needs more recognition in policy and business decisions. Actions on four fronts could be considered:
• Regulatory guidance and oversight mechanisms for the workplace dimension.
• A right for workers and trade unions to bargain over “collective data” and to obtain information and consultations on data collected, used and shared in the workplace context.
• Greater consideration of workplace data as a category in revisions of privacy laws and the development of data access and sharing regulations.
• Competition and regulatory policies that enforce data access and sharing obligations, engage on the separation of data sets and similarly limit data use if it goes against workers’, citizens’ and consumers’ interests.