/ INTRODUCTION
Thanks to the advent of the telephone in the 19th century it was possible to lay the groundwork towards the intense use of the Internet at work today, allowing for the merger of the public and the private sectors, thus resulting in routinely computerized environments.
From the legal perspective, there are many challenges for regulating the new conditions at work as provided by the progress in technology and communications. This article will approach remote work, popularly known as home office, recently regulated in the Labor Law Reform, and protection of workers’ personal information.
/ REMOTE WORK
A report[1] issued by the International Labor Organization (ILO), published in early 2017 regarding remote work, concluded that the topic raised less interest in Brazil than in other countries the world over, despite the benefits of the practice for large urban agglomerations, such as São Paulo, and for employee’s performance and life quality.
Notwithstanding, the remote work regime was regulated by the Labor Law Reform dated 2017 so as to determine the absence of limits in the working hours dedicated by the worker under such conditions, which, at one end, is supposed to encourage adoption of the modality by the companies, but at the other, implies risks to employees’ life quality.
Article 75-B of the Brazilian Consolidated Labor Laws (CLT)[2], inserted by the Labor Law Reform[3], defines remote work as “the provision of services primarily away from the employer’s facilities, by using information and communications technologies which, due to their nature, are not characterized as external work”. Despite the exception by which an employee attends the workplace for specific activities, remote work classifies within the regime. At the same time, remote work is not different from the work inside the employer’s facilities, provided that the assumptions of the employment bond are characterized[4].
On the other hand, employees under the remote work regime were included into the list of employees not included in the work shift regime[5], as well as the employees in management positions[6]. The justification, in this case, is that remote work does not match with the fixation of working hours, which is not true in all cases.
It should be pointed out that, although no control is maintained on shifts in remote work, it is advisable to prevent abuse. In January 2017, an Act providing for the right to disconnection was put into force[7] in France, for employees to be able to enjoy their resting period and balance both their professional and personal lives.
In Brazil, in October 2017, the Superior Labor Court (TST) granted[8] to right for indemnity to a system analyst for damages to his right to disconnect. The employee in question worked on-duty shifts for 14 continuous days and still remained on demand by the company in his resting days, under a non-remunerated on-call framework.
Dossier no. 428 of the TST considers as “worker on demand” the employee who, at distance and subject to employer control by telematic or computerized instruments, remains on duty or on an equivalent regime, waiting to be called at any time for service during the resting period.”
Although there is no effectiveness of the law on disconnection in Brazil, the grounds for the decision were based on the constitutional law for leisure time[9], as well as evidenced[10] acknowledgement of the right to disconnect by Brazilian jurists such as Volia Bomfim Cassar and Jorge Luiz Souto Maior, to the sense that the on-call period prevents the worker from going to places deprived of Internet access, which also impairs the worker in disposing of their own spare time.
/ PROTECTION OF WORKERS’ PERSONAL INFORMATION
National Perspectives
Although Brazil does not have a general regulation for protection of personal information yet, the Documentation Coordination Office of the Superior Labor Court has compiled an extensive bibliography[11] on privacy and has assured intimacy in the workplace, being possible to find studies specifically focused on the matter of the workers’ personal information since 2012.
Notwithstanding, the Federal Constitution under its art. 5, paragraph X, provides that inviolability lies upon “intimacy, private life, honor and image of persons who must be assured the right to indemnity for property damage or pain and suffering deriving from violation thereof”. In such regard, in May 2017, the Superior Labor Court sentenced[12] a bank to indemnify its employee for pain and suffering for having accessed her current account in order to ascertain that she complied with the internal regulations that prohibit bank employees from conducting remunerated activities other than theirs with the bank.
In the example, the conclusion was reached as to undue breach to the bank secrecy, because such exceptional measure requires the presence of sufficient evidence of non-compliance with the norm by the employee. Thus, the mere internal inspection to employee’s bank account is undue even for the purpose of verifying exercise of another remunerated activity, or the receipt of deposits arising out of other earnings.
The Federal Constitution, in its art. 5, XII, also determines as “inviolable confidentiality of mail and telegraphic communications, data and telephone communications, except, in the last case, to court order (…)”. At the workplace, it becomes real in the inapplicable monitoring of the employee’s personal email, which may often justify the prohibition to access personal contents in the workplace. However, the caselaw usually concludes that such right is not extensive to the corporate email, since that is a work instrument which may be used by the employer even as legal evidence for dismissal with cause[13].
eSocial
A recent challenge to the protection of workers’ personal information is the System for Digital Bookkeeping of the Fiscal, Social Security and Labor Obligations (eSocial)[14], instituted in 2014 by Decree no. 8373.
eSocial unifies the provision of information concerning bookkeeping of fiscal, social security and labor obligations, by standardizing their transmission, validation, storage and distribution. Currently, 15 different fiscal, social security and labor obligations are required for execution, to be fully concentrated in such new registration system of the government.
Since October 2015, the platform has been used by the domestic employer. The system shall be implemented for companies within two stages, the first one in January 2018, focused on employers and taxpayers with their calculated revenues in the year 2016 exceeding BRL 78 million. The second stage shall begin in July 2018 and comprise the remaining employers and taxpayers.
Decree no. 8373/14 determines that “the Managing Committee members shall have shared access to the information comprising the national environment of eSocial and shall use them to the extent of their respective competencies and assignments, not being authorized to transfer them to third parties or to disclose them, unless otherwise legally provided for.”[15] Notwithstanding, the tax and Severance Guarantee Fund (FGTS)-related information shall comply with the fiscal and banking confidentiality norms[16].
However, the Brazilian government has to progress even more when it comes to security policies and efficient provision of services offered through the Internet[17]. For instance, in 2015, there was an attempt to adopt the Digital Work Card, which would fully replace the printed card, but until today it is only used as support[18] due to countless system failures, usually reflecting into the analog modus operandis, quite different from digital.
International Scenario for Protection of Personal Information in the Workplace
European Union
Europe is acquainted with the discussion and regulation surrounding information security for longer, providing more accurate limitations as to protection of workers’ personal information.
The European Union General Regulation of Data Protection (Regulation (EU) 2016/679) shall be effective as of May 2018, but broad personal information protection is not a recent legislative concern of EU, because the Regulation shall be replacing the European Directive for Protection of Personal Information (Directive 95/46/EC), dated 1995. Notwithstanding, studies concerning protection of data in the workplace, taken as reference for the European Commission[19], are dated 1999.
In June 2017, the European Union adopted Report 2/2017[20] concerning data processing at the workplace, supplementing other reports on the topic, produced before the General Regulation of Data Protection. The Report is based on three principles, based on the Directive, for data processing at the workplace: legality, transparency and automated decisions.
Due to the asymmetrical power existing in labor relationships, the Report construes that the legal baseline for data processing at the workplace should not depend on worker’s consent, since this tends to grant it regardless of the purpose, for the purpose of maintaining his/her job. Notwithstanding, data gathering usually occurs for compliance with legal requirements by the employer in relation to an existing labor agreement, so as to require the consent. Thus, the employer cannot only use the authorization given by means of the labor agreement to gather and handle employee information, having to use other authorization methods, such as legal interests or legal requirement, otherwise employee’s data handling may be construed as illegal.
However, the employer should consider that data processing needs to be based on lawful interests, while the methods and technologies used should be as less intrusive as possible, only to the extent necessary for compliance with the lawful interest.
Processing operations should also care for transparency, i.e., employees shall be clearly advised of the processing of their personal information, including monitoring at the workplace. Finally, the report points out that legal or sensitive decisions should not be based only on automated processing, since such method often benefits personal aspects such as the worker’s performance, unless otherwise such procedure is required for compliance with an agreement or in case of explicit consent of the data owner.
The comparative study herein proves to be important, because much of what the Report presents as best practices, or as legal compliance restricted to Europe, is seen in the bills for protection of personal information in Brazil.
As to the Regulation, the Report points out that the legal requirements of the Directive were maintained, and includes new liabilities also comprising the labor relations, such as:
- implementation of Data Protection from conception and purpose of processing thereof, prioritizing techniques such as the anonymous character[21].
- prior analysis of impacts upon Data Protection in implementation of new technologies[22].
Article 88 of the Regulation approaches specifically data handling at the workplace, releasing the member-States to establish norms aimed at Data Protection to the extent of recruitments, enforcement and termination of the labor agreement, work arrangement and management, diversity, equality, health, safety and personal property protection, prioritizing the legal interests and essential rights of the employee.
In such regard, the Report points out monitoring risks as well as excessive and unjustifiable data storage, providing the example of the good practice of required anonymity to report abuse at the workplace and immediate destruction of the data owned by non-selected holders in recruitment processes, which were supposed to be disposed of as soon as this decision had been taken.
In such regard, in September 2017, the Great Chamber of the European Court of Human Rights rejected[23] the dismissal for cause of an employee who, in spite of being found non-compliant with the internal regulation, used the company’s Internet for personal communication. The decision was based on the fact that, despite the express prohibition, the employee was not aware of the company’s monitoring for such purpose, and even if she was so aware, an internal regulation does not authorize the company to breach the right to personal privacy and mail confidentiality of the employee.
The company used the whole contents of the conversations to require explanations by the employee, dismiss her for cause and use the situation as an example of misconduct to its remaining employees.
United Kingdom
The United Kingdom has the Data Protection Act dated 1998, still in force, which implemented the European Directive for Protection of Personal Information. iCO (Information Commissioner’s Office) is also maintained, which is the independent governmental authority for protection of personal information in the country.
In relation to protection of workers’ personal information, the Authority produces several guides[24] purporting the clarify the applicable legal requirements for companies of all sizes. The guides handle issues such as the rights of employees, consequences of the law in recruitment and selection processes, storage of the employees’ background (including as regards sensitive data such as those in the healthcare area), monitoring practices, etc.
Although the United Kingdom is leaving the European Union, there are also guides supporting compliance with the Regulation to be effective as of the next year. The fact that a regulation replaces a Directive, to the extent of the European Union, evidences the importance the issue has gained over the last years, since differently from the Directive, a regulation needs to be applied by the EU member-countries with no exceptions.
Such detailed liabilities and legal remedies by the employer are not mandatory in Brazil yet, since there is no general regulation for Data Protection in Brazil, it is not possible to conclude that there are no rights and liabilities for protection to privacy and personal information in the country.
/ CONCLUSION
Throughout this study, it was possible to notice that the highly automated workplace in Brazil still lacks greater regulation and reflection. However, one needs to pay constant attention to the protection of intimacy, personal information, mail secrecy and the right to leisure as assured by the Federal Constitution.
In respect of protection of the employee’s personal information, may gaps would be settled upon approval of a general law for protection of personal information, which is currently subject to several bills being analyzed before the National Congress.
Until there, Baptista Luz Advogados takes one step forward in discussions with Privacy Hub, a website produced with partners, providing Data Protection as a competitive differential for companies worried about adopting the best practices concerning the issue. At the labor level, such strategy may produce positive results in attracting and retaining the best professionals, as well as mitigating risks deriving from occasional labor complaints based on the undue use of personal information.