Data Privacy Dilemmas in the Workplace

Microsoft AI Teams will soon tell your boss where you are. Starting December 2025, Teams can automatically detect when you connect to your company’s Wi-Fi and update your location to “in the office.” It sounds like a small feature. It isn’t. Location tracking through workplace networks is the newest frontier in digital surveillance, and it’s coming through your collaboration software. Microsoft says the feature is opt-in. That is very good. But, that decision will rest largely with employers and admins, not the average employee trying to meet deadlines. If you work for a Microsoft-using organization, now is the time to ask: Is our company planning to activate this feature? Has consent been properly documented? If you represent a union, this deserves to be on your next agenda. The GDPR and UK Data Protection Act require transparency, necessity, and proportionality for any location tracking. Under the EU AI Act, this may also fall under high-risk processing of biometric and personal data for workplace management. Employers must conduct a fundamental rights impact assessment before rolling it out. This isn’t paranoia. It is risk management, employee rights, and compliance. Workplace tracking without explicit, informed consent can violate privacy law in multiple jurisdictions, and it may open employers to liability under both GDPR and the EU AI Act’s risk provisions. If your organization uses Microsoft Teams with minors, such as schools or training programs, the stakes are even higher. Here’s what to do as an employee, parent, or guardian: 🔹 Ask your IT administrator if “location autodetection” is enabled. 🔹 Request a copy of the company’s Data Protection Impact Assessment (DPIA). 🔹 Ensure opt-in consent is voluntary and revocable. 🔹 Check that logs are deleted regularly and not used for performance evaluation. Transparency is not optional. #DigitalSovereignty #WorkplacePrivacy #AICompliance #GDPR #MicrosoftTeams Image source: SlashGear, https://lnkd.in/di5WvY2e From Microsoft: Microsoft 365 Roadmap: https://lnkd.in/dYc3N9TX Microsoft Learn (Configure auto-detect of work location): https://lnkd.in/dtEkYNqB

A recent issue has emerged where private ChatGPT conversations, once shared, have become publicly searchable on Google. This is a huge red flag for HR. Conversations containing sensitive information, like employee personal details from CVs, confidential business plans, or even legal advice, are now potentially exposed. My key takeaways: ▶️ Data Privacy Nightmare: This isn't just a technical glitch; it's a massive data privacy risk. Imagine employee PII, performance review details, or internal strategy documents showing up in a public search. This could lead to serious breaches and legal repercussions under regulations like GDPR or state privacy laws. ▶️ Policy and Training Gap: The root of the problem is a lack of awareness. Employees are using AI tools without fully understanding the privacy and security implications. This is a clear indicator that your AI policy needs to be robust and your training needs to be a top priority. Do your employees know what they should and shouldn't be putting into AI tools, or sharing from them? ▶️ Mitigation is Key: 🔸Audit Your Tools: Review which AI tools your employees are using and what data they might be processing. 🔸Revise Your Policy: Update your acceptable use policy to explicitly address the use of generative AI, including what types of information are strictly forbidden from being inputted or shared. 🔸Train Your People: Conduct urgent training sessions to raise awareness about the risks of sharing conversations from AI tools. This situation highlights the critical need for a proactive approach to AI governance in HR. It's no longer just about the tech; it's about the people using it and the sensitive data they handle. What's your biggest concern about employees using generative AI?

📌 Employee Data under GDPR vs. CCPA: When Privacy Enters the Workplace Not all personal data belongs to customers. What about employees? Whether you're running HR for a European startup or a California tech firm, privacy law has plenty to say about the people behind the screen. Let’s break it down 👇 🇪🇺 GDPR: Full Rights for Employees In the EU, employees are fully-fledged data subjects - just like consumers. They enjoy the full suite of rights: ✅ Access to personnel files ✅ Rectification of errors ✅ Erasure (in some cases) ✅ Right to object - when processing (e.g. monitoring/profiling) is based on legitimate interest ✅ DPIAs - required when processing is high risk (e.g. surveillance, biometrics) 🧠 Consent? Not ideal. Per Recital 43, consent is unlikely to be freely given in situations of power imbalance - like between an employer and an employee. → Employers should rely on legal obligation or legitimate interest, with safeguards. 🧪 Example: A German company uses facial recognition to track attendance. This biometric data triggers a DPIA, requires a valid legal basis, and additional safeguards. 💡 Bottom Line: In Europe, workplace privacy is an extension of fundamental rights. Employers must justify why and how they process employee data. 🇺🇸 CCPA: Employees as Consumers California’s CCPA includes employees, contractors, and job applicants under the term “consumer.” This means California employers must now uphold: 📋 Right to know what’s collected 🧽 Right to delete (with exceptions) 🛠️ Right to correct 🚫 Right to opt out of sale/sharing 🛑 Right to limit use of sensitive personal info ⚠️ Key points: – No formal DPIA requirement – Consent is still valid in many cases – No specific rules yet on employee surveillance, though broader CCPA rules apply 🧪 Example: A California employer tracks geolocation via mobile app. This may count as sensitive personal info, and employees could limit its secondary use. 💡 Bottom Line: California now extends privacy rights to employees - but within a consumer rights framework, not a fundamental rights regime. 🎯 The Core Difference GDPR → Rights-based, principle-heavy, accountability-focused CCPA → Consumer-centric, flexible, still evolving 🌍 What This Says About Privacy Culture 🇪🇺 “An employee is a rights-holder - regardless of role.” 🇺🇸 “An employee is a consumer - now entitled to more transparency and control.” Same desk. Different philosophies. 👇 Want a follow-up on: 🔹 Vendor risk - how third-party liability plays out under GDPR vs. CCPA? 🔹 What businesses need to consider before EU-U.S. data transfers? #GDPR #CCPA #CPRA #EmployeeData #WorkplacePrivacy #HRCompliance #CIPPE #CIPPUS #PrivacyProfessional #EUUSPrivacySeries #DataRights #GlobalPrivacy #LinkedInLearning #InfoSec #DataProtection

Most new privacy professionals with fresh CIPP certifications are unprepared for this conversation "We want to track what customers look at on our website and send them targeted emails about those products. That’s fine since they’re already our customers, right?" You know the legal framework. You understand GDPR. You passed your certification. But now you're facing a room of marketing stakeholders who need answers that help them do their jobs. Knowledge tells you: This involves processing personal data for marketing - need to check lawful basis, likely legitimate interests with balance test, plus consider ePrivacy rules for tracking. Judgment asks: Does this specific use case make sense? → What exactly are they tracking? Page views or detailed behavior? → What does “personalization” mean here, recommendations or aggressive targeting? → What did customers expect when signing up? → Can they easily opt out? → Is this helpful to the customer or just to marketing? The legal answer is the same. The practical approach varies completely. This gap isn’t discussed enough in privacy education. We learn the "what" and "why" in certification programs, but day-to-day privacy work is all about the "when" and "how." → When to push back vs. find creative workarounds → How to get buy-in without a budget or authority → When "perfect" compliance isn’t realistic—and what to do instead → How to speak business language while holding privacy lines Many privacy professionals struggle here because we're: → Waiting for perfect info before acting → Speaking only in compliance terms → Afraid to make the wrong call and get blamed But here’s the reality: Judgment comes from experience and imperfect action beats perfect paralysis. The most effective privacy professionals aren’t those who memorize every regulation. They’re the ones who navigate gray areas and keep the business moving. Real examples of knowledge vs. judgment: → The Marketing Automation Dilemma Knowledge: Needs lawful basis, tracking consent, LI balancing test Judgment: Start with product category suggestions, include opt-out, test customer response before expanding → The Vendor Assessment Crisis Knowledge: DPA + security questionnaire needed Judgment: Vendor handles minimal data, go live now with essentials, full review in parallel → The Data Retention Debate Knowledge: Delete data when no longer needed Judgment: Tier retention by sensitivity/business value with review points, not a one-size policy Certifications teach you to spot problems. Experience teaches you to solve them. What’s the biggest gap you’ve faced between privacy theory and real-world practice? P.S. If you’re feeling this tension, you’re right on track. This isn’t a flaw in your education. It’s the start of real expertise. The most effective privacy professionals I know all went through this same shift.

I published a new case study on employee surveillance technology. It explores behavioral monitoring and profiling in the workplace, with a focus on indoor location and desk occupancy tracking. To illustrate wider practices, it investigates how the network technology giant Cisco offers to turn Wi-Fi access points installed in offices and other buildings into a system that tracks the location of employees, customers, smartphones, laptops and other devices for a wide range of purposes. Cisco's "Spaces" system goes far beyond aggregate analysis. The company promotes several applications that involve identifying, singling out and targeting individuals. Cisco claims that it has so far processed 24.7 trillion location data points on almost 100,000 devices collected via 3.8 million Wi-Fi access points. The fact that Cisco is able to provide these numbers raises the question about how a global core infrastructure vendor processes data for its own purposes. To make things worse, the system can also turn Cisco’s security cameras into sensors that help analyze indoor movement. Repurposing data collected from an employer's networking infrastructure or even from video surveillance systems for indoor location tracking raises serious concerns about the normalization of intrusive behavioral surveillance, privacy and data protection in the workplace. Juniper, another network technology vendor, offers a similar indoor location tracking system. Its Wi-Fi access points can locate people either via their devices or via Bluetooth/BLE badges carried by them. Juniper suggests to use the system to “track personnel and equipment”, “locate key human resources such as nurses, security guards, and sales associates”, “optimize workflows” and “enable data-driven decision making”. In my case study, I examine a second category of systems that also enable employers to profile employee behavior in physical spaces. Several vendors provide systems that use motion sensors installed under desks or in the ceilings of rooms to track desk and room attendance. The Belgian-German vendor Spacewell offers a system for “real-time office space monitoring” and “workplace analytics” that tracks how employees use desks, meeting rooms and entire offices. It uses motion sensors that detect heat emitted by humans and 'low-resolution' cams with computer vision. The 'workplace analytics' system offered by the Swiss vendor Locatee combines motion sensors with badge data and device location data, collected e.g. via Cisco Spaces. These systems mostly focus on aggregate analysis, but still utilize behavioral profiling based on extensive personal data. In my view, they do not adequately engage with the risks posed by behavioral monitoring. Not least, I summarize in my case study how employers installing under-desk motion sensors led to worker protests and media debates, ultimately leading to their removal. Here's my 25-page case study: https://lnkd.in/d_ZbjbYx

🚨 Your AI Meeting Assistant Might Be A Big Security Risk A quiet revolution is happening in workplaces everywhere: AI notetakers and transcription bots are joining meetings, capturing every word, and turning casual or sensitive conversations into permanent, searchable corporate memory, all of which may be outside your control. "The fundamental issue is not whether AI tools are useful. They clearly are. The issue is whether we understand the level of trust we are extending to them." (Len Noe) These tools record sensitive conversations, including product roadmaps, legal strategies, financial projections, M&A plans, even performance reviews, and upload them to third-party cloud servers. Once the data leaves your network: - How long is it stored (indefinitely) - It's structured, searchable, and AI-ready (making it far more valuable to attackers than raw audio) - It's governed by someone else's laws (and potentially accessible under foreign regulations) Think about it -Would you ever invite a stranger with a recorder into your boardroom, let them capture everything, store it forever, and walk away with the files? Most organizations would say no immediately. Yet that's exactly what many teams are doing and often without full awareness or governance. Real-world red flags are already emerging: unauthorized recordings leading to privacy breaches, lawsuits over lack of consent (including biometric data collection), accidental leaks of health or client info, and the ever-present risk of a single breach exposing years of executive-level intelligence. Productivity gains are real, but so are the risks. Before your next meeting bot joins the call, ask yourself (and your team): - If this data leaves our network, whose laws govern it? - Would we trust this provider with the keys to our most confidential discussions? - Do we have visibility into how long it's stored and who can access it? What’s your organization’s stance on AI meeting assistants? Blocked, restricted, vetted with strict policies, or wide open? Conversations need to happen before the breach does. #Cybersecurity #AISecurity #DataPrivacy #PrivacyRisks #AIinTheWorkplace #RiskManagement #TechEthics #ShadowAI

This Stanford study examined how six major AI companies (Anthropic, OpenAI, Google, Meta, Microsoft, and Amazon) handle user data from chatbot conversations.  Here are the main privacy concerns. 👀 All six companies use chat data for training by default, though some allow opt-out 👀 Data retention is often indefinite, with personal information stored long-term 👀 Cross-platform data merging occurs at multi-product companies (Google, Meta, Microsoft, Amazon) 👀 Children's data is handled inconsistently, with most companies not adequately protecting minors 👀 Limited transparency in privacy policies, which are complex and hard to understand and often lack crucial details about actual practices Practical Takeaways for Acceptable Use Policy and Training for nonprofits in using generative AI: ✅ Assume anything you share will be used for training - sensitive information, uploaded files, health details, biometric data, etc. ✅ Opt out when possible - proactively disable data collection for training (Meta is the one where you cannot) ✅ Information cascades through ecosystems - your inputs can lead to inferences that affect ads, recommendations, and potentially insurance or other third parties ✅ Special concern for children's data - age verification and consent protections are inconsistent Some questions to consider in acceptable use policies and to incorporate in any training. ❓ What types of sensitive information might your nonprofit staff  share with generative AI?  ❓ Does your nonprofit currently specifically identify what is considered “sensitive information” (beyond PID) and should not be shared with GenerativeAI ? Is this incorporated into training? ❓ Are you working with children, people with health conditions, or others whose data could be particularly harmful if leaked or misused? ❓ What would be the consequences if sensitive information or strategic organizational data ended up being used to train AI models? How might this affect trust, compliance, or your mission? How is this communicated in training and policy? Across the board, the Stanford research points that developers’ privacy policies lack essential information about their practices. They recommend policymakers and developers address data privacy challenges posed by LLM-powered chatbots through comprehensive federal privacy regulation, affirmative opt-in for model training, and filtering personal information from chat inputs by default. “We need to promote innovation in privacy-preserving AI, so that user privacy isn’t an afterthought." How are you advocating for privacy-preserving AI? How are you educating your staff to navigate this challenge? https://lnkd.in/g3RmbEwD

🚀 𝐄𝐌𝐏𝐋𝐎𝐘𝐌𝐄𝐍𝐓 𝐀𝐍𝐃 𝐀𝐈: 𝐍𝐄𝐖 𝐀𝐔𝐒𝐓𝐑𝐀𝐋𝐈𝐀𝐍 𝐑𝐄𝐆𝐔𝐋𝐀𝐓𝐎𝐑𝐘 𝐑𝐄𝐏𝐎𝐑𝐓🚀 AI is already reshaping our lives. One of the most profound transformations is happening in the workplace. AI is changing how we do our jobs—and soon, it will change which jobs exist at all. Some roles will disappear, while new ones emerge. Naturally, unions are concerned—not just about job losses, but about mental health, workplace safety, and the risks of unregulated AI adoption. They have been vocal in demanding that workers be at the centre of AI adoption decisions. We are at a crossroads: how do we balance AI-driven productivity gains with the impact on workers? 📢 The House Standing Committee on Employment, Education and Training has released a report on the digital transformation of workplaces, examining the rapid rise of automated decision-making and machine learning in employment. 107 pages of insights, challenges, and, crucially, 21 recommendations. There's a lot in there, but some key details include: 📌 Regulating AI in employment – The report recommends that AI used in employment decisions (such as hiring and termination) be classified as high-risk, ensuring stronger oversight and safeguards against unfair or biased outcomes. 📌 Strengthening worker privacy protections – It's clear the current privacy laws fail to protect workers’ privacy. At the same time, the Fair Work Act does not contain dedicated privacy protections. The report recommends: 🔹 Banning high-risk uses of workers data, such as providing it to AI developers. 🔹 Prohibiting the sale to third parties of workers’ personal data. 🔹 Requiring transparency in workplace surveillance and data use. 🔹 Empowering the Fair Work Commission to handle privacy-related complaints. 📌 Ensuring worker consultation on AI adoption – Employers should be obligated to consult workers throughout AI adoption, ensuring that new technologies are implemented fairly and do not unfairly disadvantage employees. 📌 Mandating independent AI audits – Government audits of AI are recommended to monitor bias, fairness, and compliance, ensuring AI decisions meet ethical and legal standards. The industrial relations fire has long been burning between unions, employees, and employers—and AI is accelerant. We must strike the balance between AI adoption and worker protections. The employee records exemption leaves many workers without real privacy protections. If AI is to be used fairly in workplaces, reforms here will be just as important as AI-specific regulation. It's inevitable that many workers will be impacted by the AI revolution, but get policies right—and Australia wins. Support AI-driven innovation while ensuring retraining, transparency, and fairness. Get it wrong—and we risk exacerbating job insecurity, discrimination, and workplace inequality - we all lose. #AI #FutureOfWork #Privacy #CyberSecurity #ArtificialIntelligence #EmploymentLaw #DigitalTransformation #AIRegulation

An employee got hold of the payroll report… which included everyone's salaries. Ouch. Talk about a data breach. It was an internal system mistake. After discovering that she could see everyone's salary information, this employee showed it to another coworker. Now the company had two problems: 1. The system administrator who left payroll data unsecured 2. The employee who found it and spread it around Different levels of responsibility. Different conversations. Here's what we addressed: The system administrator made a serious mistake. Payroll data should never be accessible to random employees. That's a fundamental security failure that needs immediate fixing. But the employee who found it? She also made a choice. When you stumble across information you're not supposed to have, you have two options: -Report it: "Hey, there's a data breach. We need to fix this." -Share it: "Look what I found! Can you believe that this person’s making so much more than me?" She chose wrong. This reminds me of something my boss told me years ago when I started doing payroll: "You're going to see what everyone earns. Some people make more than you. You're not always going to like it. But handling this information is a responsibility. It requires maturity. You protect people's privacy, period." That stuck with me. Whether you're the person securing the data or the person who accidentally finds it, you have a responsibility. System admins: Lock down sensitive information. Payroll, personal data, anything confidential should not be sitting in a place where any employee can stumble across it. Employees: If you find something you shouldn't have access to, do the right thing. Report it. Don't gossip about it.

A year ago, I analyzed the confusing state of AI privacy (https://lnkd.in/dDY7RdEZ). My updated analysis, published today, shows this confusion has resolved into a stark and structural divide with important consequences for businesses. I think that the generative AI market has split into two incompatible ecosystems. On one side, consumer services are governed by terms of service that treat your corporate data as raw material for their model training. On the other, enterprise platforms are governed by legal DPAs that treat your data as a protected liability. This has created a "Shadow IT" crisis. Every time an employee uses a personal AI account for work, they are potentially leaking competitive intelligence and trade secrets into models that will be used by competitors. This is not a hypothetical risk but it is a strategic liability happening now. It has become meaningless to focus on the capabilities of AI if the underlying service treats your sensitive data as a free asset. The "no-train" guarantees and legal firewalls of enterprise-grade AI are no longer optional, they are the mandatory standard for any serious organization. My new article breaks down this divide in detail, analyzes the philosophies of each major provider, and explains why a zero-tolerance policy for consumer AI in the workplace is now essential for safe and secure operational autonomy. Full analysis here: https://lnkd.in/dYVqDQX6 #AIPrivacy #GenerativeAI #DataProtection #RiskManagement #ShadowIT #BusinessStrategy #ArtificialIntelligence #AI #Safety #Security Simula Research Laboratory