Why DPDPA 2023 is more practical than GDPR

It is reported that the French Supervisory Authority CNIL has imposed a penalty of 32 million Euro (around Rs 290 crores) because it considers that there is an excessively intrusive system of monitoring employee activity.

See the report here

The fine is not based on any “Data Breach”. It is about a corporate practice involving performance evaluation of its employees in the warehouse.

In a strange ruling, CNIL opined that it was illegal to set up a system measuring work interruptions with such accuracy, potentially requiring employees to justify every break or interruption.

The CNIL ruled that the system for measuring the speed at which items were scanned was excessive.

Based on the principle that items scanned very quickly increased the risk of error, an indicator measured whether an item had been scanned in less than 1.25 seconds after the previous one.

More generally, the CNIL considered it excessive to keep all the data collected by the system, as well as the resulting statistical indicators, for all employees and temporary workers, for a period of 31 days.

It is not clear if CNIL is a supervisory authority for data privacy or an employee union by itself.

If the employees had any complaints about the way the collected data was used to take action against them, they should be taken up as an Employee Union or labour issue and not a privacy issue.

This is an excessive and inappropriate use of the powers of a supervisory authority under GDPR and needs to be challenged.

Fortunately, Indian law is very specific in providing employee performance evaluation as a “Legitimate use” and hopefully such instances do not occur in India.

In the EU, the supervisory authorities are using GDPR as a fund-raising tool and indiscriminately fining large organizations even when the underlying problem has no “Public Privacy Cause”.

The employer-employee relationship needs to be treated on a different plane than the company-public relationship. The employment rules should be respected by the employee, and if they are unfair it is for the labour authorities to intervene and not the supervisory authorities.

The employer-employee contract is between two parties with mutual respect and understanding, and improving productivity is one of the basic rights of an organization. The measures objected to, such as checking that the inter-scan period is not too short and that idle time is not too long, are legitimate data that an employer should be able to collect.

Employment with a specific company is not a right, and if an employee is not happy with the employment conditions, there is no compulsion for him to stay. For CNIL to say that this is an unfair measure to reduce the work force and force them to leave voluntarily is ridiculous.

I hope CNIL reviews its decision and remains within its jurisdiction.


About Vijayashankar Na

Naavi is a veteran Cyber Law specialist in India and is presently working from Bangalore as an Information Assurance Consultant. Having pioneered concepts such as ITA 2008 compliance, Naavi is also the founder of Cyber Law College, a virtual Cyber Law Education institution. He has now been focusing on projects such as Secure Digital India and Cyber Insurance.