Dr. Michelle O'Sullivan:

There are two approaches. The first is that regulation has to address the question of whether monitoring should take place at all. There is legislation in other countries where, for example, there are very strict limits on the level of technological surveillance that can take place. For example, in Germany, legislation provides that employer monitoring of the Internet and emails can only take place where there is a suspicion of criminal activity. In Portugal, biometrics, which are physical or behavioural characteristics that are unique to the employee such as fingerprints or eye scans, can only be used to record attendance or to get access to buildings. Here, we are all familiar with instances of waitresses and waiters using their fingerprints to access tills.

Legislation has to address whether there should be monitoring in the first place. If a level of flexibility is given to monitoring, a lot of international policy documents talk about the need for co-governance with worker representatives. For example, the European Agency for Safety and Health at Work talks about co-governance with worker representatives on the development, acquisition, introduction and implementation of any kind of artificial intelligence systems. There is a range of difficult legal questions. A lot of companies would buy in third party software, and there are legal questions as to who is responsible. A lot of legal scholarship says that in regulation there has to be accountability to the companies who are the employers of the employees, and not diverse responsibility to the software companies. There are more far reaching proposals. For example, some law experts in the field of technology argue that there should be a licensing of technologies involved in surveillance to ensure they are compliant with employment laws before they are introduced into organisations. Most international policy documents talk about co-governance of these systems. For example, unions and worker representatives should be involved. We have GDPR and there are impact assessments. However, GDPR would not go far enough and is not specific enough when it comes to employment relation issues. For example, should worker representatives be involved in the development of impact assessments? There is currently no transparency about when companies have to develop impact assessments on data protection. The International Labour Organization, ILO, code of practice on the processing of personal says that the extent of people's protections against risks of personal data depends on collective rights. It is important. There are a lot of developments at EU level. The EU is developing an AI Act. It would categorise employee monitoring through technology as a high-risk category. The current difficulty with the AI Act is that it only places responsibility on the developer of the technology to assess themselves. There is no emphasis on workers and little on employers. This is one of the first studies in Ireland about technological, so we are behind other EU member states in terms of regulation.