Skip to content

Beyond Privacy: Changing the Data Power Dynamics in the Workplace


Matthew Bodie (@matthewtbodie) is the Robins Kaplan Professor at University of Minnesota Law School and coauthor of Reconstructing the Corporation: From Shareholder Primacy to Shared Governance.

This post is part of a symposium on Worker Surveillance & Collective Resistance. Read the rest of the posts here.


Workplace surveillance not only intrudes upon employees’ privacy—it is also a method of mass data collection and value creation. By generating huge data sets to feed increasingly sophisticated algorithms, employers draw even more value out of the employment relationship without any recourse or rights for those workers who provide the data in the first place. Because the power of these new Big Data systems comes from their scale, workers also need to scale up and wield their own collective power over these systems. And there are many ways for the law to facilitate this.

The New Dilemma for Workers

The past twenty years have seen a dramatic leap forward in the ability to collect and use massive sets of quantitative data. Employers have deployed “Big Data” and advances in data analytics to collect almost infinitely more information from their workers. The development and widespread use of the electronic methods of interaction have made the collection of communication relatively costless for employers. Video and audio recordings are now created digitally, making them significantly easier to record and store. Other electronic devices can record employee locations, browser history, heart rate, temperature, conversations, and eye movements. This data is then analyzed using automated decision systems, driven by algorithms, data analytics, machine learning, and artificial intelligence. The pairing of data with sophisticated techniques to parse and understand it has given employers a powerful new tool for managing workers.

These dramatic changes in information flows have changed the power dynamics within the employment relationship. Employers have always had the right to control within employment—that is the nature of the traditional common law test—and employers have always monitored their employees to exercise that control. But Big Data has amped up that control in two important ways. First, the traditional line between business-related information and personal information, blurry as it always has been, threatens to be smudged beyond recognition. All sorts of personal information may now be relevant to our individual workplace performance, our relationships with co-workers, or the business’s overall reputation: our health, our political opinions, our caffeine intake, our disposition towards conflict. Second, the accumulation of information has become even more essential to most businesses. As companies collect data on workers, those workers become embedded within those companies because their data is now collected, analyzed, and owned by them, making it difficult to leave. A variety of intellectual property regimes—trademark, copyright, patent, and trade secrets—take the informational value created by employees over time and funnel that value to employers.

One instinctual response to this dilemma for workers, drawing from the existing set of available legal instruments, would be to bolster privacy protections within the workplace. Dating back at least to Prosser’s contributions on privacy common-law protections under the Restatement (Second) of Torts, courts have found liability for intrusions upon seclusion and public disclosures of private facts. But these causes of action are fairly limited within employment, as they require that the violations be “highly offensive to a reasonable person” and they can generally be waived through consent or notice. Privacy-related federal statutes like HIPAA or FERPA do not have much application within the employment relationship, as HIPAA applies to the health care industry (excluding worker data) and FERPA covers schools. Certain statutory regimes protect workers under limited circumstances: the Americans with Disabilities Act requires employers to keep worker health data confidential; the Electronic Communications Privacy Act limits undisclosed employer access to employee communications; the Fair Credit Reporting Act requires employers to notify employees about the use of consumer reporting agency data to make employment decisions; and workers have successfully sued under state privacy laws (e.g., Illinois’s Biometric Information Privacy Act) for the use of their biometric data without notice, consent, and a plan for managing and destroying the data. But these restrictions can generally be circumvented through notice, consent, or other procedural means.

What about intellectual property? To counterbalance employers’ advantages in aggregating worker data, we could afford employees property rights in their data. But individual workers are ill-equipped to manage the legal complexities that ownership rights would engender. Workplace data is powerful because it is collectivized. Information about any one worker is relatively useless from a Big Data perspective. It is when that data is combined and compared with data from other employees that it becomes much more powerful. And data needs analytical tools as well. Employers have the resources to purchase and use the software and hardware necessary to get the value out of the data. Like the extractive industries of the past, businesses need access to the valuable resource and the tools necessary to access it, harvest it, and refine it. Employers can wring revenue from worker data because they serve as focal points for its accumulation and analysis.

Unfortunately, the data relationship just keeps getting more lopsided. The new platform economy has distilled the relationship down to its bones: the platform gets the data, and the workers get a portion of the proceeds assigned by the algorithm. Companies like Uber and Lyft fancy themselves technology companies, not transportation service providers: the companies collect information from the drivers and passengers and then use that information to set prices and allocate drivers. Despite the importance of their work and their data, the drivers find themselves disempowered through their data relationship. In many jurisdictions, they are not even considered employees—just one example amongst many of the workplace fissuring that has allowed businesses to escape from the traditional legal responsibilities for workers. For their daily work, drivers interact primarily with an algorithm and supply the raw material that builds and sustains that algorithm. It is a black box that the workers fuel but management controls.

A Collective Solution

We need to change the dynamics of the employment data relationship. One possible avenue would be to pursue stronger data protections for employees. But we have to move beyond old notions of privacy as secrecy. The employment relationship requires too strong of a stream of data to ever hope to shut it off. Instead, workers need more rights over their data and its use. The rights afforded to European Union workers over their data extend well beyond confidentiality. These rights, as provided under the General Data Protection Regulation (GDPR), include: the right to transparency and notice; rights of collection specification and purpose limitation; rights of access to data; rights of erasure or deletion; rights to data portability; and rights to object about certain kinds of automated decision-making. To be sure, these rights are somewhat general in theory and can be applied narrowly in practice, depending on the countervailing employer and public interests. But they recognize that interests in data privacy go beyond the idea of a wall surrounding that data. Instead, E.U. data subjects are empowered within the data relationship in a number of ways. U.S. workers would greatly benefit from the extension of these rights into employment.

But greater data protection rights are only a starting point. Collective action is necessary if employees want to participate in the management of their data and tap into it as a source of value. More data is likely collected from professional athletes than any other occupation. “People analytics” began in baseball in 1859 with the first box score; ever since, professional athletes have been observed in every aspect of their performance on the field. But Big Data has considerably amplified that engagement. Player movements are now chronicled with video recordings that capture 25 frames per second. Monitoring can now go on twenty-four hours a day, collecting data on body and eye movements, elbow stress, skin temperature, heart rate, oxygen levels, glucose levels, hydration, and sleep rhythms. The avalanche of data techniques and analytics has led to the idea of the “hyperquantified athlete.”

Immersive levels of surveillance can create the impression that workers are trapped in a dystopian, Orwellian environment. And to be sure, players have chafed at the invasiveness of many protocols. But data analytics can also play a positive role in sports, and professional athletes have often benefitted from their use. Because of the interest surrounding professional sports, these athletes are well compensated, with minimum salaries in the four U.S. men’s sports leagues all in the range of a half million dollars. Because these leagues are unionized, players have a collective voice to negotiate the methods, manner, and scope of data collection by the teams. Their collective bargaining agreements also provide players with control and ownership over certain kinds of data, such as the rights to their names and likenesses.

The use of data to improve athletic performance demonstrates that invasive data collection can at times be a process that workers will tolerate or even welcome. Players in less well-funded leagues have seen the absence of analytics as problematic and have advocated for their leagues to invest in the techniques. After all, the purpose of these analytics is to improve the players’ performance, maximize playing ability, and prevent injury. These technologies can make players safer and healthier, stronger and swifter, smarter and savvier. They should be a win-win. But voice and power are necessary to avoid the opportunistic and voyeuristic aspects of monitoring and data analytics when controlled exclusively by employers.

Unions have the power to negotiate on behalf of workers about terms and conditions of employment, which includes the collection and use of employee data. Labor organizations can negotiate with employers to manage the flow of information from employees, install appropriate protections for private data, and share the value created by the use of the data. But only a little over six percent of private sector employees are unionized. That leaves workers who lack collective representation in a much more precarious position. They are unable to exercise collective power over their data collection, use, and disclosure, and as a result are subject to the employer’s discretion within the thin set of legal regulations that apply.

Along with lifting the many roadblocks to collective bargaining, we should consider other organizational structures that could facilitate worker participation in the governance of workplace data. Industries with high levels of worker data management could reorient their organizational structures to facilitate employee ownership. Gig workers, for example, could own the platforms upon which they work through a workers’ cooperative or nonprofit association. Codetermination, which provides for employee selection of representatives within companies’ governance structure, could facilitate employee voice at the highest levels of power and would allow employees to push the governing board for better data policies. Another option would be works councils—firm-level or worksite-level organizations that consult with management on issues of day-to-day employment. “Data councils” could empower workers to participate in the review and approval of any collection or use of employee data. Data councils could also be tasked with creating employee data privacy policies which—like consumer data privacy policies—could render the employer liable in the event that the policy was violated. The law could promote the creation of a data councils by giving deference to its determinations and allowing it to serve as a safe harbor against employee claims of privacy intrusion and data confiscation.

Workers need to assert collective power to protect their private data, ensure that they receive the benefits of that data, and carve out spaces for entrepreneurial opportunities and autonomy. It is a critical step on the path to a better future. Expecting our old models of privacy to protect workers from opportunism and exploitation is asking too much of these models. We need to empower workers with opportunities to have a say in data management and rights over the data they provide.

This post is based in part on The Law of Employee Data: Privacy, Property, Governance, Indiana Law Journal (2022).