Data Protection and Employee Monitoring in the UAE
Employee Monitoring can be defined as a series of initiatives taken by the employers to keep an eye on the activities of their employees through the use of surveillance methods. Some of the common ways through which employees can be monitored are telephone tapping, email monitoring, video surveillance, software monitoring, and location monitoring. Corporations and business organisations engage in employee monitoring primarily in order to keep a track of performance, to limit risks by protecting trade secrets, to avoid potential legal liabilities, and to ensure data security. However, these practices may have some negative bearings on employee’s satisfaction, and thus must be used cautiously by the employer.
Owing to the global Covid-19 pandemic, UAE has temporarily lifted its ban on the use of certain free video calling services (voice over internet “VoIP”) such as Zoom Video and Microsoft Teams to manage the impact and challenges that have arisen due to the pandemic. However, with the increasing use of webcams and video conferencing there are increased instances of cyber-crimes such as video-hacking, identity theft, invasion of privacy and phishing scams through hacking.
There is a no specific federal data protection law in the UAE as such, however, there are various other federal laws that contain provisions relating to privacy and protection of personal data that are set out in various federal laws such as the UAE Penal Code, the UAE Cybercrime Law and some sector specific laws.
UAE Laws on Data protection and Privacy
The UAE has various legislations in place for ensuring that data and privacy of individuals is protected. A constitutional right of privacy has been guaranteed by Article 31 of the UAE Federal Constitution which states that an individual enjoys ‘freedom of communication by post, telegraph or other means of communications and the secrecy thereof shall be guaranteed in accordance with the law’. Article 378 of the Penal Code of UAE (Federal Law No. 3 of 1987 as amended) specifies that the act of violating personal and familial privacy of an individual is a punishable offence. The recently amended, Federal Law No. 5 of 2012 on Combatting Cybercrimes and its amendment by the Federal Law No. 12 of 2016 (“Cybercrime Law”), makes it an offence for persons to intentionally and without permission capture and/or intercept communications online. The Cybercrime Law is of prime importance as crimes such as hacking, phishing involve commercial or highly sensitive data are governed by the Cybercrime Law. In the e-commerce platforms, the electronic transactions and e-commerce laws generally provide that electronic transactions should be completely secure, and also assures that electronic data is credible in order to prevent any cybercrimes and violation of data privacy whilst online.
Various Surveillance Methods:
(i) Monitoring through Telephone
Monitoring employees by keeping a check on their telephone use is used by organisations as a way to manage risks, and record customer interactions (for banks, insurance and brokerage companies, etc). Other purposes include monitoring conversations for training purposes and further analysis of such conversation to improve services.
However, it must be ensured that consent of the employees must be obtained beforehand, as the Cybercrime Law prohibits recording the conversation without the consent of concerned parties.
Accordingly, the practice being followed is that at the commencement of any recorded conversation of employees with customers of employers in the matter of providing services, an alert message (often a recorded one) is given/played to inform such customers that the conversation is being recorded for purposes of training/analysis to improve the services.
(ii) Electronic Surveillance/Webcam Usage
Since the email servers and accessing devices such as mobiles, laptops etc. are technically company property, it is authorised to monitor it for purposes of training and for further analysis. However, as per general norms, it must be ensured that employees are aware about such practices of the organisation. Furthermore, monitoring of such devices and emails should be limited only to work related purposes and should not extend to personal life/matters of the employees whatsoever.
(iii) CCTV Surveillance
CCTV monitoring is required for maintaining the security of the company. Article 378 of the UAE Penal Code forbids taking of photos or recording of conversations and their transmission without consent. This can be interpreted to means that appropriate signage should be displayed if a CCTV is installed in any premises or that prior written consent must be obtained from individuals who may be recorded by CCTV in a specific area, including the workplace.
It is preferable for the companies not to rely on implicit consent of employees instead prior written approval should be obtained from them. It must be ensured by the companies that CCTVs should not be placed in private areas, such as washrooms.
(iv) Biometric Surveillance
Federal Laws in the UAE do not regulate biometric surveillance as of now, therefore the position of law on it stands ambiguous. However, if a company is engaging in Biometric Monitoring, it should have a written policy in place.
The laws of UAE have specified certain penalties if the legal compliances are not met by the employers during monitoring employees. Penalties are extremely severe and can include imprisonment, fines or both. In general, the UAE is very strict when it comes to cybercrimes and privacy, and such crimes constitute severe repercussions. Modern Technology and applications are being encouraged to be used within the society however is being carefully monitored by the UAE Government Authorities and with appropriate regulations and sanctions in place.
It can be seen that while laws regarding traditional modes of monitoring (telephonic monitoring, CCTV surveillance, email monitoring) are sufficiently well developed, there is still lack of clarity regarding the subject of Biometric monitoring. Also, it is preferable for employers to intimate employees about monitoring policies through written policies rather than relying on their implied consent. It can also be seen that there is no law on federal level authorizing employees to access the data collected by the employers. Thus, it can be seen that employers can engage in employee monitoring activities whilst abiding by all the rules and regulations in place and ensuring that all their employees are aware and their consent obtained wherever required about these monitoring policies and activities.