
Introduction


The intersection of artificial intelligence (AI) and employment law is becoming increasingly complex, driven by rapid advancements in technology and corresponding regulatory responses. Recent events such as the serious breach involving AI technology at a tech giant and the legislative progression of the European Union’s Artificial Intelligence Act (EU AI Act) highlight the different facets of this dynamic. These instances shed light on how AI impacts both corporate security and regulatory landscapes, reshaping the employment relationship in the process.


Breach of business secrecy using AI


A major incident occurred at a leading technology company, where the use of generative AI tools, specifically ChatGPT, by several employees led to the disclosure of highly sensitive data. This breach not only exposed critical corporate information but also highlighted the potential misuse of AI tools within a company. The incident led the tech giant to ban the use of generative AI tools on company-owned devices, covering computers, tablets and phones, as well as on non-company-owned devices running on internal networks. The incident reflects companies’ urgent need for internal governance of AI usage to prevent data leaks and manage the risks that come with powerful AI tools.


This breach has broad implications for employment law, as it touches on issues of confidentiality agreements, employee monitoring, and potential disciplinary action for misuse of technology. The inappropriate use of AI tools may also give rise to civil liability on the part of the employer for damage caused to third parties by its employees, especially if it results in a violation of the rights of others, e.g. copyright infringement.


Employers must navigate the delicate balance between protecting their business interests and respecting employee privacy, a challenge that is magnified by the capabilities of modern AI.


The EU AI Act


The EU AI Act, which was approved by both the European Parliament and the Council and is expected to enter into force soon, creates a legal framework for AI technology throughout the European Union and brings substantial new obligations for both the developers and users of artificial intelligence. It classifies AI systems based on risk levels, imposing more stringent requirements on high-risk applications, including those affecting health, safety, and fundamental rights.


For employers, the EU AI Act necessitates a thorough understanding of how their AI systems are classified and the specific obligations that apply. Compliance involves risk assessments, data governance, cyber security, and human oversight, among other requirements. The Act also emphasizes transparency, demanding clear communication about AI use to employees, customers, and stakeholders, which is critical in maintaining trust and ethical standards in the use of AI.


The Act’s phased implementation timeline means that businesses have a transition period to adapt their practices, integrate AI compliance into existing workflows, and ensure their AI technologies comply with the new regulations. This preparation will be essential not only for legal compliance but also for leveraging AI responsibly to gain competitive advantage.


Implications for Employment Relationships


As AI continues to evolve, so too must the strategies of businesses to harness its potential while mitigating its risks, ensuring a harmonious and legally compliant integration of AI into the workplace. 


Employers must now be vigilant both in securing their data against misuse of AI and in ensuring compliance with evolving regulations like the EU AI Act. Updating IT and security policies, as well as raising awareness and training staff, are essential preventive measures. At the same time, employers shall make sure that they secure the health and safety of employees, that is, that they properly deal with issues relating to technological stress and the right to disconnect, and that they respect employees’ privacy and rights with regard to monitoring in the workplace.

 

You can contact us for more information: info@2e-law.com


In its recent ruling issued in April 2024, the European Court of Justice (ECJ) in case C-741/21, addressed the liability for "non-material damage" resulting from GDPR infringements and the question of whether a controller can be held accountable for damages caused by errors made by individuals under its authority.


First, the ECJ reiterated previous case law which states that an infringement of a GDPR provision which confers rights on the data subject is not sufficient, in itself, to constitute ‘non-material damage’ within the meaning of Article 82(1) GDPR, irrespective of the degree of seriousness of the damage suffered by that person. Rather, three cumulative conditions must be met: (a) breach of a GDPR provision; (b) the existence of damage; (c) a causal link between the breach and the damage.


The Court then examined whether Article 82 of the GDPR must be interpreted as meaning that it is sufficient for the controller, in order to be exempted from liability, to claim that the damage in question was caused by the failure of a person acting under its authority. It should be recalled that Article 82 of the GDPR states, in paragraph 2 thereof, that any controller involved in the processing is to be liable for the damage caused by processing which infringes that regulation and, in paragraph 3 thereof, that a controller is exempt from liability under paragraph 2 if it proves that it is not in any way responsible for the event giving rise to the damage.


The ECJ first noted that persons acting under the authority of the controller, such as its employees, who have access to personal data may, in principle, process those data only on instructions from that controller and in accordance with those instructions. Secondly, under Article 32(4) the controller is to take steps to ensure that any natural person acting under the authority of the controller does not process those data except on instructions from the controller, unless he or she is required to do so by EU or Member State law. Lastly, it is for the controller to ensure that its instructions are correctly applied by its employees. Accordingly, the ECJ held that the controller cannot avoid liability under Article 82(3) of the GDPR simply by relying on negligence or failure on the part of a person acting under its authority.


Implications for Controllers and Data Subjects


This strict interpretation by the ECJ underscores the accountability of controllers in managing data protection within their organizations and enhances protection for individuals against data misuse. Controllers are urged to enforce rigorous data protection policies, train employees, and ensure their adherence to prevent breaches.


For data subjects, the ruling reinforces their right to seek compensation for non-material damages, contingent upon demonstrating a direct link between the GDPR breach and the actual damage.




Directive (EU) 2024/1069 of the European Parliament and of the Council of 11 April 2024 on protecting persons who engage in public participation from manifestly unfounded claims or abusive court proceedings (hereinafter, “the Directive”) has been published in the Official Journal of the European Union. Its purpose is to eliminate obstacles to the proper functioning of civil procedures, and at the same time to protect natural and legal persons who carry out public activities on matters of public interest, including publishers, media, public interest groups and human rights defenders, as well as civil society organisations, NGOs, trade unions, artists, researchers and academics, against legal proceedings initiated with the aim of preventing them from civic engagement.

 

The Directive shall be applicable to any type of legal claim or action of a civil or commercial nature, with a cross-border element, adjudicated within the context of civil proceedings, regardless of the type of court. This includes procedures for temporary and injunctive relief, and counterclaims or other special means of legal protection. In the event of civil claims within the context of criminal proceedings, this Directive shall be applicable where their adjudication is fully governed by civil procedural law. However, the Directive is not applicable when the adjudication of such claims is governed in whole or in part by criminal procedural law.

 

The Directive establishes minimum rules, thus allowing Member States to adopt or maintain more favourable provisions for persons carrying out public interest litigation, including national provisions establishing more effective legal guarantees, such as responsibility to protect freedom of expression and information. The application of the Directive shall not justify any backtracking in relation to the current level of protection that is already in place in each Member State.

 

Abusive legal procedures to discourage public participation typically include procedural tactics used by the plaintiff in bad faith, which may be related to the choice of jurisdiction, litigating partially meritless claims, raising excessive claims, and the initiation of multiple proceedings on similar matters, which impose disproportionate costs on the defendant in these proceedings. The plaintiff’s past conduct and, in particular, any history of legal intimidation should also be considered in determining the abusiveness of the judicial process. Such procedural tactics, which are often combined with various forms of intimidation, harassment or threats before or during the procedure, go beyond the purpose of obtaining access to justice or the actual exercise of a right and are intended to deter public participation in relation to the subject at hand.

 

The Directive complies with the protection of fundamental rights, the EU Charter and the general principles of Union law. Accordingly, this Directive must be interpreted and applied in accordance with fundamental rights, including the right to freedom of expression and information, as well as the right to an effective remedy, an impartial tribunal and access to justice. In the application of this Directive, all the public authorities involved must strike, in cases of conflict between the relevant fundamental rights, a fair balance between the relevant rights, pursuant to the principle of proportionality.

 

Member States shall bring into force the laws, regulations and administrative provisions necessary to comply with the Directive by 7 May 2026.

 

by Alexandros Efstathiou
