The Regulatory Tide Turns
When we published our January outlook predicting that 2022 would be a pivotal year for monitoring regulation, some thought we were being alarmist. Ten months later, the regulatory activity has exceeded even our expectations.
2022 saw more new laws, enforcement actions, and regulatory proposals targeting employee monitoring than any previous year. The message from regulators worldwide is consistent: the era of unregulated workplace surveillance is ending.
Here’s what happened and what it means for your organization.
New York Sets the Standard
The biggest development was New York’s employee monitoring notification law, which took effect on May 7, 2022. As we covered when it launched, the law requires employers to provide written notice to new hires (and existing employees) if they monitor telephone conversations, email, or internet access on company devices.
Six months in, the law’s impact has been broader than the text suggests. Even organizations outside New York are using its requirements as a baseline for their monitoring policies — because if you’re compliant with New York’s law, you’re ahead of whatever comes next in other states.
Key lessons from the first six months of enforcement:
- The notification requirement is specific — vague language like “we may monitor company devices” isn’t sufficient. You need to describe the types of monitoring, the data collected, and the purpose.
- Electronic notice is acceptable, but it must be acknowledged by employees.
- The law applies to all employers with operations in New York, regardless of where the employer is headquartered.
EU AI Act: The Coming Earthquake
The EU AI Act continued to advance through the legislative process in 2022, with the European Parliament and Council negotiating final text. While full adoption is expected in 2023-2024, the provisions relevant to employee monitoring are becoming clearer:
Emotion recognition in the workplace is increasingly likely to be classified as prohibited or high-risk. Multiple drafts have specifically called out workplace emotion detection as an area of concern.
AI-powered performance scoring will likely require transparency obligations — meaning employees must be told when AI systems contribute to decisions about their performance, promotion, or continued employment.
Biometric categorization (including behavioral biometrics like keystroke dynamics) faces heightened scrutiny and potential prohibition in employment contexts.
GDPR Enforcement Gets Specific About Workplaces
GDPR enforcement authorities issued several significant decisions specifically addressing workplace monitoring in 2022:
- France (CNIL): Fined a company €32,000 for continuous keystroke logging without adequate legal basis or employee notification. The decision clarified that “legitimate interest” alone is insufficient for invasive monitoring — proportionality is required.
- Italy (Garante): Ordered a company to delete two years of employee email monitoring data collected without proper legal basis, even though the company argued it was for security purposes.
- Germany (State DPA — Lower Saxony): Issued guidance clarifying that GPS tracking of employee vehicles outside working hours is prohibited and that even during working hours, continuous tracking requires a specific, documented justification.
The pattern across these decisions is consistent: EU regulators expect employers to demonstrate proportionality (monitoring must be the least invasive means to achieve a legitimate purpose), transparency (employees must know what’s monitored and why), and data minimization (collect only what’s necessary).
What to Do Now
If your organization uses employee monitoring of any kind, here’s a compliance checklist for Q4 2022:
- Audit your monitoring scope. Document exactly what data your monitoring tools collect, how long it’s retained, who can access it, and what it’s used for.
- Review employee notifications. Even if you’re not in New York, update your monitoring notifications to be specific and comprehensive. Generic notices won’t survive regulatory scrutiny.
- Assess AI features. If your monitoring tool uses AI or machine learning, document what those features do and evaluate them against the EU AI Act’s emerging requirements.
- Check data retention. Many monitoring tools retain data indefinitely by default. Review your retention periods and reduce them to the minimum necessary for your stated purposes.
- Establish a monitoring policy. If you don’t have a formal, written employee monitoring policy that covers all the above, create one. If you do have one, review it against current regulatory expectations.
The regulatory environment around employee monitoring is only going to get stricter. Organizations that get ahead of compliance now won’t just avoid fines — they’ll build the employee trust that makes monitoring actually effective. 2023 will bring more legislation. Be ready.