Designed by FreePik

By: Aissatou Toure

Recently, PwC has implemented a mandate requiring its U.K. employees to track their locations during work hours to ensure compliance with the company’s three-day-per-week in-office policy.[1] This new directive has raised significant concerns regarding employee privacy. For context, exploring PwC’s decision in detail and examining the potential implications for privacy rights and, more specifically, the General Data Protection Regulation (“GDPR”) provides clarity on the privacy implications of the policy. The GDPR, a European Union law in force since May 25, 2018, is one of the world’s strictest privacy and security provisions.[2] The GDPR is enforced by the European Data Protection Board (“EDPB”) and imposes severe fines on any organization globally that targets or collects data related to EU residents.[3]

Covid-19 has introduced and significantly expanded the possibility of remote work on a large scale.[4] As the initial concerns about the pandemic eased, many companies shifted to a hybrid model, where employees worked from home on certain days and in the office on others.[5] This transition sometimes led to friction between employers and employees, as many workers preferred the benefits of remote work and questioned the need to return to the office full-time.[6] Employers first attempted to force the employees to return or face the consequences. Still, that ultimatum eventually failed, leading to a compromise: the hybrid work model.[7] The hybrid model’s relaxed and unenforceable guidelines, such as requiring employees to be in the office for a certain number of days each week without specifying which days or the duration of their presence, presented unique challenges for companies.[8] The model’s flexibility often led employees to remain completely at home and caused companies to struggle with enforcing or monitoring compliance effectively, even as employers rated work-from-home productivity positively.[9]  PwC’s recent approach to address this issue requires employees in its U.K. office to share their locations, enabling the company to ensure compliance with the established guidelines.[10] The company’s circulated memo specifically stated, “With that in mind, we will start sharing your individual working location data with you on a monthly basis from January as we do with other data such as chargeable hours. This will help to ensure that the new policy is being fairly and consistently applied across our business.”[11]

Implementing monitoring systems to track employees’ locations raises a broader concern: how does the collected data invade employee privacy? Tracking employees’ office attendance using location data without employees’ knowledge, explicit consent, or a valid legal basis could violate GDPR regulations.[12] The GDPR requires organizations to collect data transparently, limit it to necessary purposes, and respect individuals’ privacy rights.[13] Importantly, GDPR applies to all European residents but not United Kingdom citizens since Brexit.[14] However, PwC’s announcement raises important questions for their French, Irish, German, or nationals from any other EU member state working at PwC’s UK office.

The GDPR requires transparent data collection; this means that organizations must fully inform employees about what data is being collected and why.[15]  The regulation also mandates that organizations base their data collection on employees’ explicit consent or legitimate interest.[16] Therefore, PwC’s approach to tracking location data must ensure that all employees know of and consent to the data collection practices or provide a clear, GDPR-compliant justification for the data processing.[17] The memo that PwC shared with its employees informing them of the location tracking can satisfy this requirement if it has areas in which the employees need to expressly agree, such as an acknowledgment page or signature requirement.[18]

The GDPR also stipulates that organizations must collect personal data only for specific, legitimate purposes.[19] PwC must clearly define the purpose of tracking location data, which its memo states is to ensure accountability of employees and guarantee that the data is not used for any unintended purposes.[20] The GDPR also requires that companies may only collect the minimum amount of data necessary to achieve the intended purpose.[21] PwC would need to evaluate whether tracking their employees’ locations is the least intrusive method to guarantee compliance with office attendance policies.[22] Devices like clock-in and clock-out machines at physical locations may qualify as a less intrusive alternative to physical tracking.[23] Given the potential impact on privacy, PwC may need to conduct a Data Protection Impact Assessment (“DPIA”) to assess the risks associated with their location tracking practices and implement measures to mitigate those risks to assure that it complies with the GDPR.[24] While PwC’s location tracking mandate aims to enforce office attendance policies, it must carefully balance these efforts with the critical importance of safeguarding employee privacy and data or face considerable fines by the EU and discontent from its employees.

[1] Micheal Popke, PwC Mandates More Office Time, Tracks Employee Location Data, Benefits Pro (Sept. 17, 2024, 7:14 AM), https://www.benefitspro.com/2024/09/17/pwc-mandates-more-office-time-tracks-employee-location-data/.

[2] See Ben Wolford, What is GDPR, the EU’s new data protection law? GDPR (last visited Sept. 20, 2024), https://gdpr.eu/what-is-gdpr/; Data Protection in the EU, Eur. Comm’n, https://commission.europa.eu/law/law-topic/data-protection/data-protection-eu_en (last visited Sept. 23, 2024).

[3] Id.

[4] Tim Smart, Remote Work Has Radically Changed the Economy – and It’s Here to Stay, U.S. News and World Rep. (Jan. 25, 2024, 3:28 PM), https://www.usnews.com/news/economy/articles/2024-01-25/remote-work-has-radically-changed-the-economy-and-its-here-to-stay.

[5] See Ben Wigert et al., The Future of the Office Has Arrived: It’s Hybrid, Gallup (Oct. 9, 2023), https://www.gallup.com/workplace/511994/future-office-arrived-hybrid.aspx

[6] See KVUE, Remote Workers Fighting Back Against Mandates Forcing Them to Return to the Office, YouTube (July 3, 2024), https://www.youtube.com/watch?v=f07we_tQ6Ys (reporting on thousands of Philadelphia workers who are opposing mandates requiring them to return to the office).

[7] See Cheryl Winokur Munk, The CEO ‘Return to Office or Else’ is Having Limited Success in 2024, CNBC (Feb. 5, 2024, 10:07 AM), https://www.cnbc.com/2024/02/04/the-ceo-return-to-office-or-else-is-having-limited-success-this-year.html.

[8] See id.

[9] See generally, Ayako Russell & Breck Weigel, Compliance Risks for Remote and Hybrid Working Models, Squire Patton Boggs (Jan. 4, 2023), https://www.globalinvestigations.blog/compliance-program/compliance-risks-for-remote-and-hybrid-working-models/; see also, Lianne Kolirin, PwC Tells Employees It Will Use Location Data toPpolice ‘Back-to-Office’ Rule, CNN (Sept. 6, 2024, 9:15 AM), https://www.cnn.com/2024/09/06/business/pwc-tracking-employees-office-gbr-scli-intl/index.html.

[10] See Lianne Kolirin, supra note 9.

[11] Id.

[12] See generally, Michael L. Rustad & Thomas H. Koenig, Towards a Global Data Privacy Standard, 71 Fla. L. Rev. 365 (2019); Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) [2016] O.J. (L 119) 4.5.2016, p. 1–88. [Hereinafter GDPR].

[13] See Rustad & Koenig, supra note 12, at 375-81, 446, 452-53.

[14] Eur. Comm’n, supra note 2.

[15] See GDPR at Art. 12.

[16] See GDPR at Art. 6.

[17] See generally, id.

[18] See id.

[19] See GDPR at Art. 5 (1)(b).

[20] See generally, id.

[21] See GDPR at Art. 5 (1)(c).

[22] See generally, id.

[23] See e.g., timetac, https://www.timetac.com/en/time-clock/ (last visited Sept. 20, 2024).

[24] See GDPR at Art. 35.

Share this post