Cameras in the workplace: beware of the temptations of surveillance

Cameras in the workplace: beware of the temptations of surveillance

In most countries, the presence of surveillance cameras must be clearly stated to the workers in an enterprise and to visitors, with a notice at the entrance to the premises. Here, at the entrance to a supermarket in the south of France, a sign says “For your security, this shop is under video protection”.

(Benjamin Hourticq)

They are everywhere, or so it seems. In the corner of the ceiling, behind the pharmacist’s counter, by the cashier, next to that computer technician. Like glass snowballs, hanging upside down and filled with black. Are these CCTV cameras there to protect you or to keep an eye on you?

“In business, we talk about ‘video protection’, because you are told that you are protected,” says Caroline Diard, doctor of human resources at the Normandy School of Management, and a specialist in the subject. According to the French Data Protection Authority (Commission Nationale Informatique et Libertés, or CNIL), the installation of cameras in a workplace can be carried out “for the security of property and persons, as a deterrent or to identify the perpetrators of theft, damage or aggression”. Installed at the employer’s discretion, this must be done in accordance with very detailed regulations. In France, they must comply with civil, criminal, labour and internal security regulations and the European Union’s General Data Protection Regulation (GDPR).

There are several basic criteria, the first of which is to respect the principle of “proportionality in relation to the desired purpose”. In practice, this consists of not filming employees continuously – except for those who handle money, but the camera is pointed at the cash register – and not in the toilets, on union premises or where workers take their breaks. This is in order to uphold the principle of respect for privacy.

In France, when a camera system is installed, an employer must inform their employees, first collectively, under the terms of the labour code, which stipulates there must be consultation with the works council. But this is not enough. Each employee must then be personally informed of the device, “no information concerning an employee personally [can] be collected by a device that has not been previously made known to them,” says the French labour code.

Abuses in small and medium-sized enterprises

With such a complex legislative framework, are the rules for using video surveillance in companies well respected? “In large companies, they do not take too many risks,” says Diard. “In general, they have a service that deals with these issues and are in compliance with the law. But on the other hand, we see bizarre things in small and medium-sized enterprises (SMEs), where a boss will find it normal to watch his employees from home. In my work, I have met people who are completely ignorant of the law and their obligations.”

Whether video protection regulations are flouted unintentionally or knowingly, however, the fact remains that it can have a real impact on employees. Laura (not her real name) has learnt from experience. For four months, she worked as a saleswoman in a bakery in Tarbes, a town in south-western France. After her first week at work, she learns from her manager “that the whole bakery is under video surveillance and the boss watches us very regularly work from home.”

When it comes to signing her contract, at the beginning of the second week, Laura reads it in detail. It duly refers - as the law requires - to the presence of cameras in the workspace open to the public, “for protection purposes, if ever something serious happens”. During a discussion with her employer, the latter told her employee that the cameras can also be used in the case of robberies or disputes with customers. While she finds the presence of the cameras “justifiable” in this instance, in everyday life on the other hand, it is a burden: “I felt as though I was being watched constantly and always had to be careful about how I looked and behaved. It made me feel uncomfortable.”

One event in particular upset the young woman. On a busy day in the bakery, she and her colleague were snowed under with work. From home, thanks to the cameras, the employer dictated instructions over the phone. “I was appalled,” says Laura. “It was supposed to be there to protect us, but ultimately it was there to keep an eye us.”

More cameras, more complaints of abuse

Every year, the CNIL receives complaints from people who believe that video surveillance devices do not comply with the law. In 2018, it received 848 complaints, compared to 635 in 2017 and 560 in 2016. The increase mirrors the steady expansion of the video surveillance market. According to a study by Markets & Markets, a company specialising in the analysis of growing markets, CCTV is expected to grow globally from US$37 billion in 2018 to US$68 billion in 2023, with annual growth of 13.1 per cent.

This is easily explained by the accessibility of the material, says Diard: “Video protection is now a relatively inexpensive technology. For practical reasons, its use has spread and companies have tended to get the equipment”. According to the website Travaux.com, while the most sophisticated devices can cost more than €5,000, it is possible to install a basic system for between €80 and €200.

At the same time, the number of cases made public has also increased, such as the recent case of the consumer giant Fnac, in Metz, in the east of France, which shows that in large companies too, abuses sometimes persist. In this case, the employees realised that a camera was continuously filming the corridor leading to the offices of the staff representatives. The management had not informed them, as the law requires, of the CCTV system. Faced with such obvious abuses, the works council and the health, safety and working conditions committee lodged a complaint with the Metz public prosecutor for “obstructing” the prerogatives of the staff representatives and “undermining the privacy of employees”. In France, according to the penal code, non-compliance with formalities in the collection of personal data can be punished by five years in prison and a fine of €300,000.

Administrative sanctions can also be imposed by the data protection authorities, in this case, the CNIL in France. Since the GDPR came into force in May 2018, supervisory authorities in European Union member states can impose penalties of up to 4 per cent of global annual turnover or €20 million.

Supposedly designed to harmonise European data protection, this regulation should, according to Florence Chafiol, a lawyer in the Parisian law firm August Debouzy, “leave less room for manoeuvre” for EU member states than the previous European Directive of 24 October 1995 on personal data protection. “The authorities tended to interpret this Directive as they wished. There were also a lot of differences between them. In Belgium, for example, it [the authority] could not impose penalties on companies.”

The regulation should also make it possible to clarify legislation at European level. So far, the decisions of the European Court of Human Rights (ECHR) have sometimes given rise to surprising case-law, depending on the country. In 2010, for example, the ECHR ruled in favour of the dismissal of a cashier in Germany, for theft, following evidence obtained through hidden cameras, installed by private detectives. The judges considered that the balance between the privacy of the employee and the economic rights of the employer had been proportionate. The device was installed after suspicions of theft for a limited period of two weeks and targeted only two people.

On the other hand, in a similar case, in 2018, the ECHR found that the dismissal of four Spanish cashiers, also for theft, was “illegal”. The employer had become suspicious and installed some visible cameras, and others that were hidden, thanks to which he obtained his evidence. The Court’s judges relied on several grounds, one of which was that at the time of the case, “the [Spanish] legislation in force,” clearly indicated that each data collector had to inform the persons concerned about the existence of means for collecting and processing personal information concerning them.” Another reason was that the cameras targeted “all employees at the checkouts, for weeks, without limitation and during all hours of work.”

Self-monitoring of the companies in question

From now on, with the GDPR, information is supposed to be clearly brought to the attention of the workers of a company and visitors, by displaying at the entrance of the premises the relevant details of the device: name of the person in charge, legal basis of the purpose, the retention period of the images (not more than one month, in principle), access to recordings concerning their own person and the possibility of recourse to the Data Protection Authority. And last but not least, another change: it is no longer necessary to declare the installation of cameras to the authorities for places not open to the public, such as warehouses or areas dedicated to staff.

“Now the onus is on companies to take responsibility for their own actions,” says Chafiol. “That means that when the data protection authorities arrive – CNIL in the case of France – it is in their interests to be in compliance and be able to justify everything.” According to a legal expert from the French trade union Force ouvrière (FO) – who did not wish to give his name – the decision to give the monitoring authorities greater powers “is a good thing”.

He regrets, however, that in French jurisprudence, the Court of Appeal “allows an employee to be punished for serious misconduct as a result of video surveillance”. He refers here to the case of a supermarket employee who was fired for stealing a customer’s mobile phone, in a remote area away from his workstation, and outside his working hours. For these reasons, the employee could not use his employer’s lack of information in his defence, which the FO legal expert regrets: “Even if the goal is not to control the activity of employees, at FO we recommend that the employer inform employees about the functionality and purpose of the device,” he continues.

Another problem, he feels, is that when the data protection officer is internal to the organisation, their independence can be questionable. “This is why we think that they should have the status of a protected employee,” just like the elected staff representatives.

As someone more in contact with those in the field and the problems encountered by employees, Alain Comba, FO’s departmental secretary in Bouches du Rhône, has doubts about the concept of self-monitoring by companies. He is particularly worried about the weakening of checks and balances in the workplace: “Many companies that have put in place means of control to guard against external interference or ensure compliance with certain specific manufacturing processes, drifting more or less towards policing. Where there is good union representation, there is a counterbalance. But in companies where the anti-union fight is very strong, the negative tendencies get stronger.”

Like his union’s legal expert, Comba thinks the legal framework is enough to protect employees from the excesses of video surveillance. But, he believes, “there need to be more check-ups by the labour inspectorate, whose means are dwindling”. In Diard’s view “so far, the jurisprudence has not been as binding as one might have thought. That might change with higher penalties. It could make things happen.”

This article has been translated from French.