Opinion

EU and UK Data Protection Regulatory Trends so far in 2024: a focus on employee surveillance and biometrics in the workplace

Published Date: Oct 17 2024
This series of blogs rounds up some of the key data protection regulatory trends we have seen during 2024, focused on the EU and UK. 

2024 has seen behavioural advertising and cookies continue to dominate the agenda of data protection authorities (DPAs) in the EU and of the ICO in the UK. Alongside that, DPAs have started to consult on guidance on Artificial Intelligence (AI), particularly Generative AI and Large Language Models (LLMs). After the initial flush of AI enforcement actions in 2023, we have not yet seen clarifying precedent emerge from the DPAs in 2024. DPAs have also focused increasingly on employee surveillance, particularly the use of biometric technologies. Finally, there has been a sting in the tail of enforcement related to EU-US data transfers, with a major fine issued for breaching GDPR.

This blog focuses on employee surveillance and biometrics in the workplace. 

DPAs are also taking action on the use of biometric technologies in the workplace and recognising that such systems will typically be processing biometric data for the purpose of uniquely identifying a natural person, which is special category data under Article 9 GDPR.

In February 2024 the ICO issued an enforcement notice against Serco Leisure to prevent it from using facial recognition and fingerprint technology to monitor the attendance of leisure centre employees. The notice centred on Serco's reliance on legitimate interests as its lawful basis and the ICO's finding that Serco had not undertaken an effective legitimate interests assessment. The ICO found that Serco had not demonstrated or evidenced that it was necessary and proportionate to use a biometric system, which carries a heightened risk of privacy intrusion compared to other mechanisms for recording attendance, such as key fobs. There was also no clear way for staff to opt out of the system. The ICO has also issued new guidance on using biometric data.

The Spanish DPA, the Agencia Española de Protección de Datos (AEPD), issued a fine of EUR 360,000 against a controller that was processing employees' fingerprint data because it failed to disclose processing and storage information to employees, lacked security measures ensuring confidentiality, and failed to carry out a data protection impact assessment (DPIA).

The Italian DPA, the Garante, fined a controller EUR 120,000 for using a facial recognition system to monitor the workplace attendance of its employees. The Garante found that the controller could not rely on Article 9(2)(b) GDPR, which permits processing of special category data where necessary for obligations and rights in the field of employment and social security law, but only in so far as it is authorised by Union or Member State law or a collective agreement; there was no national law authorising the activity.

These 2024 cases illustrate the high bar that GDPR sets for the use of biometric technologies in the workplace, and that DPAs will take action to address non-compliance. Organisations will need to carry out a comprehensive assessment of the data protection risks, demonstrate necessity and proportionality, identify a lawful basis under Article 6 GDPR and a condition under Article 9 GDPR, recognise the imbalance of power between employer and employee (which makes consent an unreliable basis), and provide effective transparency to staff.

Look out for our next round up on international data transfers.