H&M AND THE CURIOUS CASE OF EMPLOYEE PERSONAL DATA

By Resham Jain on 22 October, 2020

It is not unusual for Indian employers to collect extensive personal and sensitive personal data of their employees. Everything from the more obvious personal identifiers to sensitive information such as marital status, sexual orientation, health records and biometrics is collected and processed for various reasons, namely, pre-employment background checks, employee profiling, drug or alcohol abuse tests, and gender sensitization. Any internal or external misuse of such sensitive data can have serious ramifications for employees, including identity theft, loss of employment and social discrimination. In fact, such privacy-invasive practices could also expose employers to financial and reputational risks.

In a landmark decision related to unauthorized access to employee data, on October 1, 2020, the Hamburg Commissioner for Data Protection and Freedom of Information (“Hamburg Commissioner”) imposed a fine of €35 million on Hennes & Mauritz Online Shop A.B. & Co KG (“H&M Online”), a subsidiary of the Swedish multinational clothing retail chain Hennes & Mauritz AB (“H&M Group”).

1. Facts: H&M Online operates a service center in Nuremberg, Germany. In the past 6 years, H&M Online gathered extensive data related to its workforce at the service center. The data ranged from information related to their work to intimate aspects of their personal lives, such as religious beliefs and family issues. For instance, employees who came back from vacation or sick leave were asked questions during the so-called “Welcome Back Talks” about their vacation experiences or illnesses and diagnoses. The data was procured through one-on-one meetings and corridor and floor talks. Thereafter, corresponding notes and comprehensive recordings were prepared and stored permanently on a network drive accessible to the supervising managers. The purpose of this surveillance was inter alia to obtain detailed profiles of the employees for performance evaluation and related decision-making. In October 2019, due to a configuration error, the aforesaid employee data became temporarily available in the public domain for several hours.

2. Decision: After the data breach, the Hamburg Commissioner became aware of this massive data collection exercise through media reports. Initially, his office ordered that the contents of the network drive where the alleged data was stored should be “frozen” and handed over to the data protection authority. H&M Online complied with this order and submitted data records for evaluation. Thereafter, several witnesses were examined, who confirmed H&M Online’s practice of meticulously documenting employee data. Upon analyzing the data provided and the witness testimonies, the Hamburg Commissioner found serious violations of the provisions of the General Data Protection Regulation (“GDPR”). Accordingly, the commissioner imposed a fine of €35 million on H&M Online.

In the aftermath of the decision, H&M Group submitted a data protection implementation plan to the authority, which primarily focused on compliance training at leadership and staff levels and an overall improvement and strengthening of internal processes in accordance with applicable data protection and privacy laws. It also issued apologies to those affected, along with an assurance of payment of adequate compensation. In fact, in a public statement, H&M Group emphasized its commitment to GDPR compliance and reassured its customers and employees that protection of their personal data was a top priority. The Hamburg Commissioner termed H&M Group’s remedial actions an unprecedented acknowledgment of corporate responsibility.

3. Analysis: It appears that the penalty has been imposed for violation of two key GDPR principles, namely, data minimization [Article 5(1)(c)] and integrity and confidentiality [Article 5(1)(f)]. While informational privacy is of paramount importance, collection and storage of employee data can help companies improve internal HR processes, enhance work productivity and maintain workplace discipline. However, extensive scrutiny of every aspect of employees’ lives may be considered a grave violation of their right to privacy. In fact, GDPR encourages member States to frame separate rules enumerating specific measures for protecting employees’ fundamental rights (Article 88). This clearly demonstrates that GDPR puts processing of employee personal data on a higher pedestal. Going forward, employers will have to be mindful that excessive collection of employee data can also have consequences. They need to periodically assess and ensure that collected data has a nexus with the purpose of collection. Employers can no longer wriggle out of their GDPR obligations under the garb of collection of employment-related data. We hope that the precedent set by the H&M Online decision will bring a shift in employers’ attitude from “over collection” to “data minimization”.

4. The India Perspective: Presently, India does not have a streamlined data protection and privacy law. However, employers consciously and strategically collect and process all types of personal and sensitive personal data. In this exercise, employers often attempt to first collect data and then assess its purpose. For organizations that ask their HR departments to document and keep a record of every employee interaction and discussion, the data collected can range from employment contracts, training, performance, leaves, wages and salary, employee benefits, grievances, and disciplinary actions to extremely sensitive data as stated earlier. The present regime, governed by the Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011, mandates persons collecting and processing personal and sensitive personal data to publish a privacy policy (rule 4) which provides inter alia the purpose of collection, the type of data to be collected and the security measures implemented to prevent unauthorised access to data. This rule does not distinguish between employee and non-employee data. Therefore, even employers are required to publish a privacy policy with respect to employee data collected and processed by them. Despite this statutory obligation, it is seen that employers rarely adhere to this requirement.

In this context, let us look at the consequences under the current draft of the Personal Data Protection Bill, 2019 (“PDP Bill”) if any Indian employer were collecting the same type of data as H&M Online. Section 13 of the PDP Bill provides that employee personal data, except sensitive personal data, can be processed without such employee’s consent, if processing is necessary for (a) recruitment or termination of employment; (b) provision of any service or benefit to the employee; (c) verifying attendance; or (d) activities related to performance evaluation. Sensitive personal data, which inter alia includes financial data, health data, biometric data and religious or political beliefs or affiliation, cannot be processed without consent. This means that Indian employers cannot collect personal data which does not have a nexus with the 4 limited purposes mentioned in section 13. So, for instance, if HR wanted to collect details of an employee’s vacation or personal trips, such data would not squarely fall under any of the 4 purposes mentioned above. Without getting into whether such data would qualify as personal data or sensitive personal data (that can be a subject matter of an independent analysis), Indian organizations could be in breach of not only section 13 but also sections 4 (lawful purpose), 6 (data minimization) and 11 (consent).

Till our PDP Bill is finalized, it is important for Indian employers to learn not only from their European counterparts and landmark GDPR precedents (like in the H&M Online case), but also consider a robust body of Indian jurisprudence which holds that certain data collection practices used by employers are inherently discriminatory. HR departments should consistently engage with top management to re-look at some of their current practices and assess how best they can comply with proposed section 13 and the overall spirit of the PDP Bill. After all, even Indian law can expose employers to a penalty of up to INR 15 Crore or 4% of their total worldwide turnover of the preceding FY, whichever is higher. The key is to remember that what was previously considered “normal” may no longer be the way forward in a world where processing of data will be regulated.

The views expressed here do not constitute legal counsel, are aimed at knowledge sharing and awareness advocacy, and are views of the contributing author.
