
Europe Data Protection Digest | Notes from the IAPP Europe Managing Director, 25 June 2021



Greetings from Brussels!

If you missed it, there was a particularly alarming privacy case going through the French courts involving IKEA Retail France. In a court ruling handed down last week, the French subsidiary of the iconic household brand was ordered to pay more than one million euros in fines and damages after being found guilty of excessive and unlawful staff surveillance and data collection.

This was not an isolated incident; French IKEA executives, along with outside assistance from private detective agencies, engaged in elaborate systematic surveillance of more than 400 employees as well as customers between 2009 and 2012. Following a lengthy criminal investigation, prosecutors concluded the surveillance started in the early 2000s.

The French group's former CEO received a suspended two-year prison sentence and a 50,000 euro fine. The former head of risk management, who was at the center of the illegal activity, in turn received a suspended 18-month sentence and a fine of 10,000 euros. Both executives were found guilty of receiving "personal data by fraudulent means." There were 15 defendants in the dock, all of whom received varying degrees of sanctions and suspended sentences for collusion and involvement in the surveillance activities.

This was an extraordinary case, and despite what one may think, cases and complaints of this nature have form here in Europe. In France alone, complaints about spying or abusive monitoring represented a little more than 10% of all the complaints received by the CNIL in 2019; the French regulator has been actively investigating and acting on complaints. For example, in June 2019, the regulator imposed a fine of 20,000 euros on a small Parisian translation company for intrusive and continuous video surveillance of staff. Germany has also had some high-profile cases; in 2008 and 2009, two internal espionage scandals rocked the German discount retailer Lidl. Lidl installed miniature cameras, hired private detectives and collected information on employees' health. The group agreed to pay significant fines. Several other cases of internal surveillance surfaced in Germany after that. Companies including Deutsche Bahn and Deutsche Telekom were the subject of complaints. Finally, in a more recent case, H&M, the Swedish fashion retailer in Germany, was on the receiving end of a 35 million euro fine handed down by the Hamburg DPA for illegal surveillance and collection of employee personal data in 2020. It begs the question: How many such cases are going undetected?

Regardless of the company size or the nature of their business, employees are entitled to a right to privacy in the workplace. However, it is equally relevant to state those rights need to be fairly balanced against the employer's rights to ensure the proper functioning of the business to protect the interests of the company — a balance that needs to be reflected in good transparent governance practice. As a general rule, employers have a duty to notify employees of the types of data they gather about employees. To gather data through covert means of collection or monitoring — and without specific purpose or limitation — is generally unlawful in most European jurisdictions under data protection, privacy and other laws. More often than not, security or productivity is used to justify the deployment of monitoring activity and technology. Moreover, it is a fact that there has been a proliferation of analytical and monitoring-based software tools in recent times. Multiple pre-pandemic research reports from companies such as Gartner and Accenture highlight the notable increase in non-traditional monitoring of employees by employers over the last five years. 

With the GDPR and the DPO or equivalent function in play, coupled with possible criminal convictions for legal compliance failures, one would expect more rigorous privacy programming to deter unethical data collection practices and reduce such risks. We can only expect the enforcement of the legislative data protection framework will continue to protect employee and customer rights and personal data.

