Fundamental rights, within the framework of the labor provision of services, can be classified into two levels: specific fundamental rights and non-specific fundamental rights. Within these, we place the right to privacy. Under the premise already enunciated previously, by which each fundamental right does not constitute an absolute whole but must be reassessed under the principle of proportionality in relation to the rest of fundamental rights, the evaluation of the right to privacy, a principle with a clear connotation of personality, from the perspective of the right to freedom of enterprise, means that this second must always be exercised under criteria of suitability, necessity and proportionality in the strict sense. Thus, only by taking into consideration such performance criteria, assessable rules and conditions for the exercise of the right to privacy can be extracted from the freedom of the company.
The restriction that, in this way, begins to experience the privacy of the worker in the framework of a productive organization, is due to the presence of a legitimate and proportionate purpose that, in any case, does not cease to be respectful of the essential content of the right to privacy.
The recognition of privacy becomes visible, within the framework of remote work, and specifically teleworking, in a double perspective:
Right to privacy in the spatial context of the provision of services.
Right to privacy in the context of communications made by the remote worker.
This double perspective has not been contemplated from a parallel and contemporary jurisprudential and doctrinal development, especially when privacy in the context of the use of new information technologies has been present prior to the development of remote work as a formula for the provision of services.
In short, we already recognize defined and limiting privacy criteria within the framework of the use of new technologies, but not within the framework of the control of spaces outside the traditional areas of production.
4.1. The Channels of Control over the Space and Time Worked within the Framework of Teleworking
As we have come to analyze, new communication technologies are altering organizational models, thereby enabling a reduction in production and transaction costs by suppressing or reducing production units with a specific organization materialized (which is understood as the traditional physical work centers) and replaced with virtual communication models that operate from a single management unit to a diversity of production units (Navarrete 2017
Although it is true that this diversification process presents positive elements in a framework of improvement of production objectives, it is still true that, from a strict labor perspective, it brings together a whole series of problems whose resolution raises numerous practical controversies by implying, in the context of the current legal framework, a confrontation with constitutionally protected rights. One of these problems, if not the most important one, connects with the control to be carried out over the outsourced production units. This is both with regard to spatial control and temporary control.
As the Sentence of the Higher Court of Justice of Castilla y León, Social Chamber of Valladolid, Section 1
, of 3 February 20166
stated, “the control of the labor exercise by means of the verification of the connection of the employee to the intranet of the Company and its activity on the network does not, in principle and under normal conditions, imply an invasion of the protected space under the concept of place of residence and is also subject to inspection and control by the Labor Administration”. However, the verification by electronic means is one thing; physical verification is another.
It is true that articles 7.h and 22 of Law 10/2021 of 9 July recognize the right to business control concerning the provision of remote services. Now, the legislator has not wanted to raise directly or expressly how the exercise of this control is materialized, so it is manifested in a generic way. From such a generic exposition, one can even deduce a contradictory development between the two referenced articles. Thus, if article 7 conditions the means of control of the activity to the agreement adopted between the parties7
, article 22 recognizes the power of control as an exclusive power of the employer8
In this regard, despite the fact that it is true that conceptualizing a means of control is not the same as executing the control activity, it is still true that the second option is strongly conditioned by the criterion adopted in the choice of means, it being understood that the latter should be incorporated into the scope of the control activity itself.
To the apparent contradiction of criteria is added the absence of the specification of limits on the channels of control. In this way, the recognition of the right to privacy and the inviolability of home in article 18 of the Spanish Constitution, will absolutely condition the possibility of a face-to-face control of the employer. Such control, therefore, will be entirely linked to the employee’s own voluntary nature, because only the latter is responsible for authorizing the practice of the visit within their own home.
Recognizing this limit to the business control policy, the options for the control of work activity by the Labor and Social Security Inspectorate remain to be seen.
The Inspection has recognized the power of vigilance in the fulfillment of the norms of social order, understanding that, within these, we place the norms related to labor matters. Now, this supervisory power collides with the same limit that we previously stated for the employer. Thus, article 13.1 of Law 23/2015, of 21 July, Organizing the Labor and Social Security Inspection System9
, recognizes that inspectors, as a public authority, have the right to freely enter, at any time and without prior notice, any center of work, establishment or place subject to inspection. Now, if such place coincides with an address of a natural person, it will be mandatory to have the prior and express authorization of the resident person or, failing that, the appropriate judicial authorization, in order to carry out the inspection action.
Regarding the supervisory position, the Judgment of the Supreme Court, Third Chamber, of the Contentious-administrative, Section 2
, Sentence 1231/2020 of 1 October 202010
, clearly defines the position of our courts regarding:
“(…), it should be remembered that the need for judicial authorization so that the public Administration can enter a property to forcibly execute a previous action of its own constitutes a constitutional and legal exception to the principle of administrative self-supervision, recognized by our legal system in favor of public administrations, due to the necessary effectiveness of the subjective fundamental right to domiciliary inviolability enshrined both in the constitutional and international order (see articles 18.2 of the Spanish Constitution, 12 of the Universal Declaration of Human Rights, 7 of the Charter of Fundamental Rights of the European Union, 17 of the International Covenant on Civil and Political Rights, and 8 of the European Convention on Human Rights)”.
The limitation in the capacity for control, not only business but even administrative, makes it necessary to answer two questions:
What is the meaning when we constitutionally recognize a place of residence?;
Does the meaning of a place of residence of a natural person recognized in the aforementioned article exclude any option of place of residence of a legal person?
The Spanish Constitutional Court has considered every home as a place of residence, even if it is not inhabited at the time of registration. Now, the constitutional consideration that is made of the place of residence not only affects the place of residence of natural persons, but also occasionally it has in relation to legal persons. For these purposes, it will enjoy the constitutional protection granted by article 18 of the Spanish Constitution, the places used by representatives of legal persons for the development of their internal activities, either because they exercise the usual management and administration of the Company, or because they serve as custody of documents or other supports of the daily life of the company or its establishment, and all this regardless of whether the tax home address is the main headquarters or the secondary headquarters (Judgment of the Supreme Court, 3rd Chamber, of the Cont. Adm., of 24 January 2012).
Therefore, it is obvious that the supervisory capacities of both the company and the Labor Inspectorate itself are currently constrained by the insurmountable limit of the right to the inviolability of the home, only being able to flank such a wall through the worker’s own authorization (embodied in an agreement detailing the days, hours, frequency, duration and need or not to give advance notice before carrying out the control visit11
) or through the judicial authorization that, on the other hand, must specify, through the order authorizing entry, the temporary aspects thereof, because they cannot be left to the unilateral discretion of the Administration.
Now, just as we refer to the recognition or authorization of the worker in cases of business visits or administrative interventions, we do not require such consent within the framework of judicial authorization. To this end, as stated in the Supreme Court ruling 1231/2020 previously referenced, “it is not necessary, in principle and in any case, the prior and contradictory hearing of the owners of the places of residence or buildings concerned by the entry, given that the possible judicial authorization is not the result of a jurisdictional process (Constitutional Court Orders numbers 129/1990 of 26 March, and 85/1992 of 30 March and Constitutional Court Ruling number 174/1993 of 27 May), nor is said prior hearing expressly required by Articles 18.2 of the Constitution, 91.2 of Organic Law 6/1985, 8.6 of Law 29/1998 or 113 and 142.2 of Law 58/2003.
Recognizing all of the above, we have to assess the possibility that the current limiting criterion may be altered in the near future, whereas the definition of the private sphere made by the Spanish Constitutional Court takes into account the prevailing social pattern (Ocón 2018
Therefore, it is the owner of the right to privacy who is empowered by the legal system to configure its limit (Zabala 2015
), although this power goes beyond the individual sphere and is interpreted from a social or collective dimension.
The rule of self-availability and social use according to which “it is up to each person to limit the scope of personal and family privacy that is reserved for the knowledge of others” (Giménez 2008, p. 299
), can pose a serious risk to entail a subjectivation of the right that would not violate the principle of the non-wavering of rights because what would be changing is the meaning of the right itself and not its availability.
However, we have to think that the contemporary principles of legality and proportionality are powerful enough to avoid any interpretation or assessment which is not accompanied by broad social and jurisprudential recognition.
Once the interpretive limits have been established, and the problems that pivot on the spatial scope of the provision of the service have been identified, it is appropriate to contemplate the channels of control over working times, i.e., the working day.
With the entry into force of Royal Decree-Law 8/2019 of 8 March, it proceeded through its article 10 to modify article 34 of Royal Legislative Decree 2/2015 of 23 October, which approves the revised text of the Employees´ Statute Law (onwards ET), adding, for this purpose, a new ninth section.
This section imposes on the company the obligation to keep a daily record of the working day, through which the starting and ending times of the working day are specified. At the same time, such obligation also affects the duty of conservation of the control registration documents for a period of four years. These documents, in any case, remain at the disposal of the workers, their legal representatives and the Labor and Social Security Inspectorate.
Additionally, the standard links the setting of the criteria through which the channels of control of the working day are organized, to collective bargaining or to the company agreement (in the absence of both, to the decision of the employer after consultation with the legal representatives of the employees).
The new wording of article 34 ET does not foresee differentiated treatment for remote workers, in general, and teleworkers, in particular; therefore, it is to be understood that the criteria referenced in the standard apply to them as, on the other hand, our courts12
Now, having endorsed the ability to control working hours over remote workers and acknowledging the absence of differentiation with face-to-face workers, we arrive at an obvious consequence which, however, entails an effective control problem, namely, the linking of a job, which is increasingly linked to an execution by objectives, to a strict working day that can only be altered through the irregular distribution game (article 34 ET) or by the increase through the execution of overtime. Of these two options, however, the technological control that the company can practice provides greater justification for the figure of irregular distribution in that it allows the workday to be permanently redirected to more productive periods.
TThe obligatory nature of the recognition of rest periods and, therefore, the disconnection of the teleworker (see article 18.1 Law 10/2021 of 9 July13
) would impose that the control mechanisms over such a day be subjected to a special inspection. This responds in essence to the impossibility of guaranteeing an effective rest for a teleworker if it is not through an effective digital disconnection that guarantees respect for rest time, paid leave and annual leave. However, the digital disconnection does not conform a simple reality. As stated by García González, “the right to digital disconnection is presented as a multidimensional reality with innumerable edges and connotations, which makes it difficult to define the scope and content of the legal rights to whose guarantee it is directed” (González 2020, p. 57
Thus, the assessment of disconnection will have to consider the double variant of the worker not receiving communications or instructions outside of their working day, and not executing tasks outside of it, despite the possibilities offered by ICT; and from the business perspective, of the prohibition or non-execution of communications that imply control by means of digital instruments of their rest times (Tárrega and Blanco 2020, p. 66
The approach will come, therefore, from the hand, of how to understand the method to put into practice the enunciated digital disconnection, especially when “technology eliminates the coordinates of time and place, and blur the boundaries between work and rest, until the point of causing a perpetual connection” (Cuesta 2020, p. 186
), which translates into the consideration of the ideal or most valuable professional as the one who presents a greater capacity for availability, as well as a more transparent availability. This is despite the fact that the right to rest has, for years (see that the right to annual leave was already set forth in ILO Convention No. 132/1970), been at the very heart of the employment relationship (regardless of its consideration within the sphere of the public or the private.
Thus, from article 88 of the LOPDP, we can understand that the right to digital disconnection is going to protect different legal assets of both workers and public employees, namely, “rest time, leave and vacations”, “personal and family privacy”, the “right to reconcile work and personal and family life” and the “risk of computer fatigue”.
Based on all the above, how would the interrelation between the duty of business control and the worker’s right to privacy operate? In other words, how do we weigh the framework of action of article 20 ET against the right to privacy recognized in Art. 18 of the Spanish Constitution when the Constitutional Court has ruled (see Constitutional Court rulings 292/1993 and 186/2000) that “the employer is not covered to carry out, under the pretext of the powers of surveillance and control conferred on him by article 20.3 of the Employees´ Statute, illegitimate interference in the privacy of its employees in the workplace?”
To answer this question, it is necessary to link the analysis of the time control factor to the workspace control factor, under a management power adapted to the technological context.
4.2. The Means of Control of the Provision of Services
Article 20.3 WS recognizes the employer’s ability to adopt “the measures it deems most appropriate” in controlling compliance with labor obligations. Such power does not present any limit other than respect for the condition due to the human dignity of the employee14
. Now, we are faced with a diluted limit, at the moment in which we do not enter to reference which are those means of control and, what is more pernicious, assess the restrictive nature or not that such means can present. In this way, we start from a rhetorical statement that leaves in the hands of the employer, despite the fact that an agreement can be defined to specify the means to be used, and the effects that the use of such means can present to the employee. This reality, which can be criticized from a legal perspective on the premise of the legal uncertainty that it can generate, is not exclusive to the Spanish legal system. Thus, article 4 of the Italian Labor Code, together with the explicit reference to audiovisual installations, make a generic reference to “other control instruments”. Such a generic reference will also be found in article 20 of the Portuguese Labor Code, which uses the formula “remote surveillance means”.
If the right to privacy constitutes a limit to the setting of the means and the control over them, we can affirm that the business control is subject to the impossibility of meddling in the sphere that exceeds the fulfillment of the labor obligation, which translates into the impossibility of installing and making use of equipment that extends the control of the work activity beyond it (Villar 1992
). This limitation does not operate exclusively on the employer, but also on all the workers or middle managers that make up the company’s chain of command, given that their activity is conditioned to a prior delegation of management power by the company.
The problem, in this way, will come from the need to assess whether the installation of control equipment is adjusted to the law, when these, beyond establishing control over the organizational and productive guidelines set by the company, affect “at one time” in a more general and remote control of the employee´s activity. The “computer privacy”, therefore, should generally conform with the framework of the use of telephones, emails, WhatsApp and computer equipment.
Now, how can understand computer privacy be understood when the very concept of privacy, due to lack of unambiguous conceptualization, is difficult to specify (Pérez 1991, p. 327
) (even more so, when Article 18 of the Spanish Constitution does not constitute the only precept dedicated to privacy, but constitutes, together with Articles 20.4 and 105.b) of the Spanish Constitution, a “peculiar hermeneutical circle” (Pérez 1991, p. 341
If we take as a point of reference article 4.2.e) ET, where the worker is recognized “respect for their privacy and the consideration due to their dignity, including protection against harassment on the grounds of racial or ethnic origin, religion or beliefs, disability, age or sexual orientation, and in the face of sexual harassment and gender-based harassment”, it is still true that this conceptualization is poor to accommodate the right to “computer privacy” of the employee, especially when it is often confused with the right to secrecy in the communications.
In any case, the scope of the right to privacy has changed considerably as a result of technological development, because it cannot be denied that computer programs to assist in business control today enable an almost exhaustive monitoring of the normal work of employees (Padrón 2017
At this point, it is crucial to analyze the impact that the judgments of the ECHR, of 3 April 2007 (Copland case against the United Kingdom15
) and of 12 January 2016 (Barbulescu case against Romania16
) have had on the right to computer privacy. Both judgments are limited to the world of work inasmuch as they affect the effectiveness of business control over the monitoring of workers’ communications.
4.3. The Right to Computer Privacy and Its Assessment by the Doctrine of the ECHR
The function of the European Court of Human Rights is to ensure that the member States integrated into the Council of Europe comply with the European Treaties on Human Rights and their additional protocols, to the extent that non-compliance with their resolutions may lead to expulsion from the State of the Council of Europe.
Spain, as a member State of the Council of Europe, accepts the jurisdiction of an ECHR, which, by reason of the right to private and family life, recognizes the full applicability of article 8 of the European Convention for the Protection of Human Rights and Fundamental Freedoms. This standard, entered into force in 1950, sets out the civil and political rights and freedoms that the European States ensure are guaranteed to citizens under their jurisdiction.
This statement allows us to give maximum relevance to the different resolutions issued by the ECHR in this matter, as they will condition the iteration of both the interpretive criteria applied by our courts and the meaning to be recognized in our regulatory framework.
Starting from the stated premises, there are three judgments of the ECHR that we understand should be analyzed: on one hand, and interrelated, are the judgments of 3 April 2007 and 12 January 2016; and on the other, is the judgment of 17 October 2019.
Through the judgment of the ECHR of 3 April 2007, a restrictive criterion was articulated in the control and monitoring of workers’ telephones, in such a way that the control was conditioned to the following rules:
Telephone calls made by the worker from the workplace, are part of their private life, in the terms indicated by article 8.1 ECHR (Carrizosa 2016
). In this sense, it will be understood that there is interference in the private life of the employee if, without the consent of the latter, personal information related to telephone calls, emails and Internet browsing is collected and stored;
The right to privacy cannot be understood as an absolute right, which is why it is recognized that the employer is entitled to establish control channels during work, provided that the employee is notified of the performance of such controls;
The control channels will be legally articulated. Thus, the channels through which interference in the worker’s privacy can be admitted, as well as the purpose pursued with it, will have to be expressly referenced (Carrizosa 2016
These rules are extended to the control channels being articulated under criteria of suitability, necessity and proportionality in the strict sense, criteria that we have already stated previously.
The judgment of the ECHR of 12 January 2016 proceeded to modify the criteria of the previously referenced judgment while the business control over the provision of services was expanded.
For this, control over the media and computer equipment was related to the presence of internal company regulations that expressly prohibited the use of such media for purposes other than the strict provision of services.
In any case, the criterion referenced by the new judgment of the ECHR cannot be considered as a jurisprudential milestone with the significance presented by the preceding 2007 judgment, although the monitoring of communications in the company had already been contemplated by different national courts as respectful of Directive 95/46/CE of the European Parliament and of the Council of 24 October 1995, regarding the protection of natural persons with regard to the processing and free circulation of personal data.
In this sense, the Judgment of the Constitutional Court, First Chamber, no. 115/2013 of 9 May, formulated that, in relation to the access of the company to the emails issued and received by the worker, it comes to recognize within its FJ 5:
“It was, first of all, a justified measure, since (…) its practice was based on the existence of suspicions of irregular behavior by the employee. Secondly, the measure was suitable for the purpose sought by the company, consisting of verifying whether the worker was actually committing the suspected irregularity (…). Thirdly, the measure could be considered necessary, given that, as an instrument for transmitting said confidential information, the content or text of the e-mails would serve as evidence of the aforementioned irregularity in the event of a possible judicial challenge to the business sanction”.
Therefore, the regularity of the auditing action will be conditioned to its being justified and suitable.
It is precisely here where the third of the judgments to comment comes into play, namely, the judgment of the Grand Chamber of the ECHR of 17 October 2019, which, revoking its previous judgment of 9 January 2018, comes to recognize before a particular case, the extinction action taken by the company against some employees whose control and recording had not been made known to them.
The ruling, as we have indicated, revokes a previous ruling (López Ribalda Case), according to which it was considered that the surveillance adopted was not proportional inasmuch as it did not comply with the Organic Law on Data Protection (prior to the current Organic Law 3/2018), and it was at the same time discriminatory (in that the recordings continued throughout the entire day).
What leads to understand that such reasoning is lacking is the seriousness of the facts that made it possible to detect the commission of an offense such as the presence of video surveillance posters. That said, the key for us is to know if such criteria can be extrapolated to teleworkers, especially when article 89.1, second paragraph of LO 3/2018 of 5 December, on Protection of Personal Data and Guarantee of Digital Rights, recognizes that “in the event that the flagrant commission of an illegal act by the employees or the public employees shall be deemed to have fulfilled the duty to inform when there is at least the device referred to in article 22.4 of this Organic Law”.
The referenced Art. 22.4 recognizes that the duty of information will have been fulfilled provided that the Company proceeds to place an information device in a sufficiently visible place. Now, at this end, it recognizes that “a connection code or internet address to this information may also be included in the information device.” Does this mean that the information device must always be physical, or does it open the door for such a device to appear as a reference notice through a computer or telematic work medium?
Analyzing a possible extrapolation to the field of workers would raise new questions such as access to the image or, exclusively, access to the movements presented by the company accounts employed by the worker.
From the onset, it could be affirmed that the capture of images inside the employee’s home would break the prevalence of the right to privacy so that they could not be recognizable despite the commission of an offense, because any control in such a case would go through the necessary judicial authorization. Another element of debate would be how to assess the traffic carried out by the employee who was subject to control through channels outside the control of the image as long as the commission of illegal acts was deducted from such traffic.