'There can be sanctions for an overstepping employer, and we see that in the context of data breaches,' says lawyer offering tips for HR
Employers could be at risk of a lawsuit if their policy for monitoring employee devices is too vague, an employment lawyer cautions.
Employee monitoring has become an increasingly hot-button issue as hybrid and remote work environments blur the lines between professional and personal lives. Companies are grappling with questions of how far they can go in tracking employee activity, especially when personal devices double as work tools.
This issue has resurfaced in the media, as Apple is facing a lawsuit alleging that it infringed on employee privacy by monitoring personal and company-managed devices. The lawsuit, filed by employee Amar Bhakta, accuses the tech giant of requiring staff to waive their privacy rights and subjecting their personal iPhones to searches, including location tracking and personal data collection, even during off-duty hours.
Bhakta also claims Apple enforces illegal wage clawback policies and restricts employees from publicly discussing topics in their areas of expertise, such as digital advertising. He further alleges Apple required him to edit or remove work-related information from his LinkedIn profile.
Apple has denied the allegations, asserting it "strongly" disagrees with the claims made in the lawsuit.
The case follows broader concerns about employee surveillance across major corporations. Amazon recently faced penalties in France for "excessive" monitoring of its workers, signaling growing scrutiny of workplace practices in the tech industry.
According to Richard B. Johnson, co-founder and partner of Ascent Employment Law, the general limitations, or entitlements, for an employer, are that they can reasonably monitor employees, their conduct and their information with the purpose of maintaining the integrity of the business and business data.
However, employers must ensure there's transparency with the employees and that they’re not unduly infringing on their legal rights.
Johnson acknowledged the inherent vagueness of this framework, noting that it often leaves room for interpretation, creating “a little bit of an open playing field.”
Employers face a dual challenge: protecting proprietary data without creating a workplace environment that feels invasive or mistrustful. Johnson pointed out that monitoring must be grounded in privacy legislation, whether federal or provincial, that dictates the need for transparency.
“If you’re monitoring employees, they need to be told how their data is being used, collected and disclosed, and that’s really where a lot of our concern comes from, from a legal perspective,” he said.
Personal devices often double as work tools, creating a murky overlap that complicates monitoring. Moreover, the digital nature of modern workplaces makes proprietary data more vulnerable to leakage.
“You end up in these inadvertent circumstances where, before you know it, the employer is saying, ‘The employee’s using their personal device for work, and we need access to the data on it.’ And employees are saying, ‘It’s my device, my accounts.’ It’s this tussle between employer and employee, where the lines between work and non-work time blur,” Johnson explained.
To address these risks, he underscored the importance of clear policies tailored to the specific needs of each organization. Transparency is not only a legal requirement but also a cornerstone of fostering trust.
“The policies should generally state what the monitoring will be. Is it GPS tracking? Is it a bot that reviews emails for keywords? Tell people the nature of the monitoring, why it’s being done, and what happens with the data,” he said.
Consent is another critical aspect of implementing monitoring policies. However, Johnson acknowledged the challenges this can present and the need for a careful balancing act between protecting business interests and maintaining a positive workplace culture.
“What do you do as an employer when you implement a policy, and you don’t get consent? You have to be prepared for some people to leave,” he said.
While the law provides a foundation, Johnson stressed the practical implications of monitoring policies. Employers must ask themselves whether their approach communicates a lack of trust, potentially driving talent away or creating a chilled environment.
“The trust component has got to be a part of the whole analysis,” he said. “Sometimes you'll have a situation where one person seems to be doing something untoward, and instead of addressing that one issue, the employer puts in a policy that affects all employees. It’s like going after an ant with a hammer.”
One of the most contentious areas is after-hours monitoring, especially when employees use personal devices for work, blurring the line between a work and home device. According to Johnson, this practice raises significant privacy concerns.
“Employers should only be tracking the data that really goes through their servers, the organization’s servers. They shouldn’t be tracking social media, personal phone calls, certainly not recording calls—things that are truly personal outside of work hours,” he said.
A critical legal benchmark is whether an employee has a “reasonable expectation of privacy.” Employers must navigate this expectation carefully to avoid overstepping and infringing on employee rights.
“Unless they have been put on notice that all information will be viewed or could be monitored by the company, employees have a reasonable expectation of privacy,” Johnson said.
When employers fail to provide notice or overreach, they expose themselves to legal repercussions. Employees who feel their privacy has been violated can file complaints with privacy commissioners, triggering investigations and potential sanctions. Beyond administrative penalties, privacy violations can also become part of broader legal claims, such as wrongful dismissal lawsuits.
“There can be sanctions for an overstepping employer, and we see that in the context of data breaches,” Johnson said. “Employees may add to an existing claim that there’s been a privacy breach, for example in the case of constructive dismissal cases.”
The end of the employment relationship can also create complexities around device monitoring. Johnson strongly advocated for addressing these scenarios in employment contracts and policies.
“If a company expects that people will be using a device to conduct work, provide the device. It’s a lot cleaner to say, ‘Here’s the work laptop, here’s the work phone,’ and then at the end of the relationship, those devices and all the information on them come back to the company,” he said.
Ultimately, Johnson urged employers to approach monitoring with a human perspective. While policies and technology can safeguard business interests, they must be implemented in a way that fosters trust and respects employee rights.
