In view of its up to 70 'opening' clauses and predominantly vague provisions, the GDPR epitomises a certain tendency in EU legislation to blur the distinction between directly applicable Regulations and implementable Directives. The many possibilities – and occasional obligations – for Member States to make or keep their own rules within the scope of the GDPR have spurred the lucid remark that if this is harmonisation, one wonders what diversity would look like. Indeed, diverging national rules on salient matters such as age limits under Article 8 GDPR, automated decision-making under Article 22, representative action under Article 80, freedom of expression and information under Article 85, or employment-related processing under Article 88 make EU data protection law appear as a patchwork of regimes.

Since the clauses' raisons d'être vary, ranging from limited EU competencies over tributes to specific subject matters or failed legislative agreements, every single one needs to be interpreted individually. This being said, whether they oblige Member States to enact provisions or merely allow them to, in view of national particularities or to grant enhanced protection, most of these clauses do not permit exemptions from the GDPR rules and principles. Rather, the latter still apply to and within their remit. As the Court has just confirmed in Hauptpersonalrat (C-34/21, paras 68–70), all processing of personal data must comply with the processing principles in Article 5 GDPR and be lawful within the meaning of one of the hypotheses exhaustively listed in Article 6 GDPR. In particular, the last requirement was found to oust a national legal basis for processing employee data without consent.

While the Court has thankfully corrected some misguided conceptions about Article 88 GDPR in its judgment, the very purpose of this provision, i.e. the adoption under national law of specific rules for employee data protection, still gives rise to a number of problems.

It starts with the absence of any such rules in many Member States. A recent study counted 11. But even where specific employee data protection rules exist, they do not necessarily govern the most contentious issues. It indeed appears that, just like in other difficult matters (in the field of data protection, one would mention the data retention or ePrivacy files), Member States' failure to agree on EU rules mirrors internal divergences of opinion which, in turn, complicate efforts to legislate.

This leads to the eternal question of whether employee data protection rules should not rather be harmonised at EU level once and for all.

In the employment context, data protection inevitably intersects and overlaps with employment law, the precise nature of which differs from the abstract GDPR rules and principles. In itself, that intertwinement does not mandate Member State rather than EU level regulation, since any sector-specific rules would do the trick. Even though Article 153 TFEU allows only complementary EU legislation in employment matters, workplace data protection is predominantly a data protection matter within the meaning of Article 16 TFEU and has thus correctly been included in the GDPR, although quite sneakily – letting the Member States decide on the specifics.

The modalities of data processing and the specific vulnerability of employees faced with ever more sophisticated processing and surveillance technology are the same in all Member States, thus calling for a common approach.

For multinational companies and all those simply doing business abroad it can be a costly burden to adjust internal procedures to a wide array of different national rules, particularly since half of all processing operations in a company typically concern employee data. HR are understandably surprised at being allowed to process racial data for diversity monitoring or to perform extensive background checks including an employee's criminal record in some jurisdictions (only). Online platforms for personnel management need to be reprogrammed in order to comply with local rules.

The absence of common rules on important aspects of employee data processing is tainting the opportunities provided by the EU's internal market. As Simitis noted some 25 years ago, the flow of employee data and the centralisation of their processing are natural characteristics of an entrepreneurial activity adapting its organisational structures to a transnational, common market. In current business practice, the diversity of legal regimes sees affluent companies paying for legal advice while smaller companies tend to apply uniform rules and hope to get by.

The many delicate data protection questions arising throughout the COVID-19 pandemic have only confirmed that there should be one comprehensive EU-wide standard.

Alas, renewed attempts to harmonise employee data protection at EU level did not survive the GDPR's lengthy (pre-)legislative process. The European Commission had notably envisaged laying down harmonised rules for employment relations in the GDPR, but finally relented. The initial idea of complementing the 'General' Regulation with more specific rules in matters such as employee data by way of delegated acts also fell through. For its part, the Parliament did not succeed in its endeavour to see a catalogue of minimum standards included in the Regulation.

What remained as a compromise solution was Article 88 GDPR, which allows Member States to provide, by law or collective agreements and for a number of non-exhaustively listed purposes, for more specific rules to ensure the protection of the rights and freedoms in respect of the processing of employees' personal data in the employment context (paragraph 1). Those rules shall include suitable and specific measures to safeguard employees' human dignity, legitimate interests and fundamental rights (paragraph 2) and be notified to the European Commission (paragraph 3).

National rules adopted pursuant to Article 88 GDPR thus appear to be strictly framed.

This is confirmed by the Hauptpersonalrat judgment. You may wish to disagree with the Court's labelling of the specification faculty in Article 88 as an 'opening clause' comparable to, say, Article 85 GDPR, but what counts is that it finds, first, that the rules referred to in that provision must have a normative content specific to the area regulated, which is distinct from the general rules of that Regulation, second, that their objective is to protect employees' rights and freedoms in respect of the processing of their personal data in the employment context, third, that these rules may cover all the purposes for which the processing of personal data may be carried out in the context of an employment relationship and, fourth, that the Member States have a margin of discretion as regards the processing which is thus subject to those more specific rules. It therefore clearly follows from the wording of Article 88 GDPR that 'more specific' may not mean less protective.

For the Court of Justice, the very wording also indicates that paragraph 2 circumscribes the discretion of the Member States insofar as it requires them to include suitable and specific measures to protect the data subjects' human dignity, legitimate interests and fundamental rights. Even though, from a purely semantic standpoint, that conclusion is not compelling, it is accurate from a systemic and purposive point of view. Indeed, Article 88 GDPR differs from both the substantive provisions of that Regulation and from its genuine opening clauses like Article 85 GDPR to the extent that it confers bounded discretion: Member States may only adopt more specific rules that meet at least the standard which the GDPR would have set if it had established such rules itself.

However, contrary to what the Court of Justice suggests, the lack of harmonisation ensuing therefrom is not sufficiently counterbalanced by the requirement that the remaining differences 'are accompanied by specific and suitable safeguards intended to protect employees' rights and freedoms with regard to the processing of their personal data in the employment context'. As long as those safeguards are adopted unilaterally by the Member States (such as Article L. 261-1 of the Luxembourg Labour Code), they may well, thanks to guidance received from ECtHR case law and WP 29's Opinion 2/2017, ensure the protection sought by the GDPR, Article 16 TFEU and the applicable fundamental rights, but no harmonisation.

Scholars have recently identified a number of issues in need of 'more specific rules' within the meaning of Article 88 GDPR, i.e. collective rights for employees, the exclusion of certain categories of data or processing purposes, data access rights, limits to the reliance on consent and enhanced protection with regard to algorithmic management. They suggest that a common approach to the latter could be derived from the upcoming Platform Work Directive, the rules of which could be extended, under national implementing laws, to all employees. This would certainly be a viable way of coming up with 'more specific' rules to be applied and interpreted uniformly by the Court of Justice. But of course only in respect of those Member States that choose this option. So still no harmonisation in sight. And beyond the issue of algorithmic management, a patchwork with big holes.

While, with regard to the issue of collective rights, the different traditions of worker representation across the Member States may still stand in the way of common rules fiercely advocated for by scholars, it is hard to see why such rules cannot be adopted in order to impose restrictions on categories of data or processing purposes, or on recourse to employee consent.

But in view of the discretion granted by Article 88 GDPR, even the adoption of such rules in all Member States would not guarantee their consistency. On top of that, judicial discretion adds another layer of incertitude (as always). The uncertainties companies are facing under this state of play may be illustrated by a recent case involving Amazon Warehouses in Germany and, specifically, workflow monitoring by means of the company-owned hand-scanners. Personal data thus obtained were used to manage logistics and evaluate employee performance. Earlier this year, the Hannover administrative court annulled a decision by the Data Protection Authority for Lower Saxony finding Amazon's practice to be in breach of employee data protection rules. While still applying a national provision (section 26 BDSG) which, following the Hauptpersonalrat judgment, is poised to be voided, the administrative court found with common sense that such processing of employee data was necessary and appropriate for the purpose of steering logistics, qualifying and objectively evaluating employees and taking personnel management decisions accordingly. Presuming that the same reasoning can ultimately be based on 'more specific rules' enacted in Germany, there is no certainty that courts in other Member States will use similar common sense when interpreting their domestic rules. Whither consistency?

Originally Published by EU Law Live
