By judgment of 26 September 2023, no. 46188, the Italian Court of Cassation, Third Chamber, ruled on the components necessary for the offence referred to in Article 4 of Italian Law no. 300 of 1970 (the “Workers’ Charter”) stating that the installation of a video surveillance system without the authorisation required by law does not constitute an offence if there are no employees within the company premises and if the system does not imply effective monitoring of work activities.
The Court of Messina held the owner of a commercial establishment to be criminally liable for the offence referred to in Article 4 of Italian Law no. 300 of 1970 , ordering it to pay a fine of EUR 3,000 for having installed a video surveillance system inside its business premises in the absence, in this case, of authorisation from the Territorial Labour Inspectorate (Ispettorato Territoriale del Lavoro, “ITL”).
The owner appealed against this decision to the Italian Court of Cassation, on the ground, among others, of the breach of Article 4 of the Workers’ Charter arguing that the Court of first instance had not provided information on two central aspects of the offence, namely (i) whether the system was used to record images and (ii) whether employees were employed at the owner’s company.
The applicant stated that the system installed was closed-circuit, did not involve any image recording, and that its company had no staff.
In ruling on the case, the Italian Court of Cassation took the opportunity to briefly summarise the rules and principles in force regarding video surveillance and remote monitoring of workers.
First, it pointed out that the presence of employees in the place filmed by the video surveillance systems is “an essential requirement for the offence in dispute”, since the provision referred to in Article 4, paragraph 1, of the Workers’ Charter is specifically aimed at regulating the employer’s use of audio-visual systems – and other tools which may also enable remote monitoring – “of workers’ activities”.
Secondly, the Italian Court of Cassation noted that there is no breach of the legislation if a system, although installed in the absence of an agreement with the legitimate trade union representatives or an authorisation from the ITL, “is strictly for the purpose of protection of the company’s assets”, provided that (i) “its use does not imply significant monitoring of the ordinary performance of employees’ work activities” or (ii) “necessarily remains “confidential” to enable the investigation of serious unlawful conduct”.
However, the decision of the court of first instance did not clarify whether the conditions referred to in paragraphs (i) and (ii) above were fulfilled in the present case. Consequently, an assessment of the merits of those conditions required the Court to set aside the judgment and refer the judgment under appeal back to the same Court sitting in a different composition.
Other related insights:
Vittorio De Luca took part in the conference promoted by RSM Studio tributario e societario entitled: “The new whistleblowing law: small step forward or breakthrough?”.
In the course of his speech, Vittorio addressed the employment law aspects of the whistleblowing regulations: in particular, he examined the measures put in place to protect those who report unlawful acts that have come to their knowledge in the work context (so-called whistleblowers) by Italian Legislative Decree no. 24/2023, as well as the burdens and obligations imposed on companies to comply with the regulations in force and to be able to handle any reports received in the best possible way.
In particular, the following topics were addressed:
On 10 July 2023, the European Commission adopted an adequacy decision for the EU-US Data Privacy Framework ensuring that the United States of America guarantees an adequate level of protection of personal data comparable to that of the European Union.
The adequacy decision is one of the tools provided for by Regulation (EU) 2016/679 (the ‘Regulation’) to transfer personal data from the European Union to third countries that, upon prior assessment by the European Commission, offer ‘an adequate level of protection’, i.e. a level of protection of personal data equivalent to that guaranteed within the EU.
The consequence is that personal data can be transferred securely and can be managed in the same way as data transmissions that take place within Europe.
What does the new EU-US Data Privacy Framework entail?
The EU-US Data Privacy Framework is structured around a self-certification mechanism whereby US companies undertake to comply with a number of personal data protection obligations, including, but not limited to, compliance with the principles of purpose limitation, data minimisation and retention, as well as specific obligations regarding data security and data sharing with third parties.
The organisations’ undertakings will be renewed on an annual basis and are subject to checks and monitoring by the U.S. Department of Commerce, which will process certification applications and periodically verify compliance with the requirements by participating companies.
European citizens will benefit from several independent and impartial remedies in the event that their data is processed in a non-compliant manner, including the newly established Data Protection Review Court (DPRC).
US law will provide a number of safeguards, including limiting access to personal data by public authorities to what is necessary and proportionate to protect national security or to enforce criminal law.
In any case, the Data Privacy Framework will be subject to periodic revisions by the European Commission together with representatives of the European data protection authorities and the competent US authorities. The first review will take place within one year of the entry into force of the adequacy decision.
The other instruments provided for by the Regulation
It is worth remembering that in addition to the adequacy decision, the Regulation also provides for other tools to ensure the correct transfer of data outside the European Union, including:
◊◊◊◊
As most recently pointed out in the information note of the European Data Protection Board (EDPB) of 18 July 2023, all the protections provided by the US government in the field of national security apply to all transfers of personal data made to companies in the United States, regardless of the transfer mechanisms used. Therefore, these guarantees also serve to facilitate the use of the other instruments provided for by the Regulation.
Other related insights:
Workers must be informed of the use of fully automated decision-making or monitoring systems. In particular they must be informed of the aspects of the relationship involved, the purposes and purposes of the systems, and how they operate.
The emergence of technologies using artificial intelligence systems and their increasing use has ushered in a new round of debate on the key ethical, social and legal issues surrounding the use of such technologies and their consequences.
At EU level, the need has emerged to ensure that new technologies develop while respecting the fundamental rights and dignity of individuals, to achieve goals that do not conflict with the interests of the community. To this end, the European Commission put forward a Proposal for a Regulation of the European Parliament and of the Council laying down harmonised rules on artificial intelligence launched in Brussels on 21 April 2021 and approved on 14 June 2023 (Artificial Intelligence (AI) Act).
The work environment is not immune to such changes, if we think, for example, of the systems used for logistics management in warehouses as well as the platforms employed by riders.
The AI Act classifies as ‘high-risk systems’ those used ‘in employment, workers management and access to self-employment, [intended to be used] for recruitment and selection of natural persons […] for making decisions on promotion and termination […] for task allocation, and for monitoring and evaluating performance […] of persons in such relationships’. This classification stems from the fact that ‘those systems may appreciably impact future career prospects and livelihoods of these persons’.
In relation to the rapid development in the work environment of automated systems and the associated risks, the European Union has also stressed the importance of workers being fully and promptly informed of the fundamental terms and conditions of their employment. To this end, the national legislature implemented Directive (EU) 2019/1152 on transparent and predictable working conditions. This has resulted in employers being required to provide workers and employment organisations with information regarding the use of automated decision-making or monitoring systems (Article 1-bis of Italian Legislative Decree No. 152/1997, introduced by the Transparency Decree, Italian Legislative Decree No. 104/2022). The purpose, as outlined in the introduction and Article 1 of the EU Directive, is to improve working conditions by promoting more transparent and predictable employment, while ensuring labour market adaptability to new technologies. Specific disclosure is required when the manner in which workers’ services are performed is organised through the use of automated decision-making and/or monitoring systems, which provide relevant information regarding the recruitment, assignment, management or termination of employment, assignment of tasks or duties, and supervision, evaluation, performance, and fulfilment of workers’ contractual obligations.
The full version can be accessed at Norme e Tributi Plus Lavoro of Il Sole 24 Ore.
1. DIGITAL REVOLUTION AND LAW
The emergence of technologies using artificial intelligence systems has ushered in a new round of debates on the key ethical, social and legal issues surrounding the use of such technologies and their consequences.
Modern technologies – with their increasing impact on society and customs – pose the issue of devising instruments to protect fundamental rights, security and data protection in order to ensure that technological advances are carried out in keeping with individual and collective protection needs, while at the same time ensuring a human-centred approach.
Indeed, it is clear that the development of new generation algorithms and increasingly sophisticated automated data processing techniques offer new opportunities but, at the same time, present complex challenges that affect almost every area of law.
Labour law is not immune to this profound transformation, which necessitates constant adaptation to new demands stemming from practical experience. It has been noted, in this regard, how this renders labour law ‘a necessarily dynamic law, since the basis of the employment contract is functionally connected to productive organisations and structured in such a way so that the contents of the employment relationship change in accordance with organisational and productive changes’.
One of the factors changing the organisation and performance of work is undoubtedly that particular IT branch known as artificial intelligence (now referred to as A.I.).
2. ARTIFICIAL INTELLIGENCE IN MANAGING THE EMPLOYMENT RELATIONSHIP
In a precise effort to focus on the endless variations and multiple applications of the phenomenon, several definitions of A.I. have emerged over time. The definition of Artificial Intelligence provided by the European Commission in its Proposal for a Regulation of the European Parliament and of the Council of April 2021 laying down harmonised rules on Artificial Intelligence (A.I.Act) is particularly interesting, in view of its origin.
The Proposal for a Regulation, in Article 3, defines the ‘artificial intelligence system’ as ‘a system that is designed to operate with a certain level of autonomy and that, based on machine and/or human-provided data and inputs, infers how to achieve a given set of objectives using machine learning and/or logic- and knowledge based approaches, and produces system-generated outputs such as content (generative AI systems), predictions, recommendations or decisions , which influence the environments with which the AI system interacts’.[LT1]
The specific function of the Regulation, in the terms formulated by the Proposal, is to set out the specific requirements for A.I. systems and the obligations to be complied with by those who place this type of product on the market, right down to the user, in order to ensure that A.I. systems which are marketed and used are safe and respect the EU fundamental rights and values.
The relevant provisions are based on a ranking of the potential level of impact of the systems on the wider community, with particular attention to applications of A.I. formally qualified as ‘high risk’ (i.e. which have ‘a significant harmful impact on the health, safety and fundamental rights of persons in the Union’.
For the purposes hereof, it is noted that the A.I. Act qualifies, inter alia, as ‘high-risk systems’ those used ‘in employment, workers management and access to self-employment, notably for the recruitment and selection of persons, for making decisions on promotion and termination and for task allocation, monitoring or evaluation of persons in work-related contractual relationships’.
This classification stems from the fact that ‘those systems may appreciably impact future career prospects and livelihoods of these persons’.
2.1 ARTIFICIAL INTELLIGENCE IN THE RECRUITING PHASE
Already in the preliminary phase of the employment relationship, A.I. is growing in importance: indeed, algorithmic hiring, understood as a personnel selection procedure wholly or partially entrusted to algorithms, is undergoing great development.
The widespread perception is that such automated procedures are faster, more reliable and cheaper than ‘conventional’ selections, thereby enabling the effective identification of candidates’ personal characteristics and aptitudes through analysing a large amount of data collected during virtual interviews.
While A.I. represents a great opportunity, when it is not properly controlled, it can be adversely affected by an inherent insidious issue, namely human prejudice that inevitably is reflected in the algorithms. In referring to the A.I. Act cited above, the following are in fact considered ‘High-Risk’:
With reference to the risks associated with the use of artificial intelligence in the workplace, it was in fact found that ‘throughout the recruitment process and in the evaluation, promotion, or retention of persons in work-related contractual relationships, such systems may perpetuate historical patterns of discrimination, for example against women, certain age groups, persons with disabilities, or persons of certain racial or ethnic origins or sexual orientation. AI systems used to monitor the performance and behaviour of these persons may also impact their rights to data protection and privacy.’
Depending on the way the software is constructed, even a company that has no discriminatory purposes could unwittingly introduce so-called biases in the processing, which, with a knock-on effect, would affect the outcomes of the process, thus resulting in discriminatory effects.
This is because software, however artificially intelligent it may be, is still programmed by human beings and is therefore affected by the judgmental dynamics of its own programmers.
In addition, data entered into the software remains stored within the programme, thus influencing future predictive analyses that will be affected by outdated data.
Interestingly, the well-known case of Amazon should be mentioned in this regard.
The renowned US giant had developed an experimental automated talent finding programme with the aim of assessing candidates according to a ranked scoring system. However, with specific reference to IT roles, the system did not select applications in a gender-neutral manner: female candidates were automatically excluded. The reason was due to the fact that the software was based on data collected over the last 10 years, and the majority of the resources hired during that time in the IT field were, in fact, male.
The algorithms thus identified and exposed the biases of their own creators, thereby demonstrating that automated systems training on unbiased data leads to future non-neutral decisions.
The case of Amazon is an interesting insight into the limits of Artificial Intelligence learning and the extent to which so-called human biases can be reflected in automated systems, thereby influencing their algorithms.
2.2 LEADERSHIP POWER THROUGH ALGORITHMIC MANAGEMENT
In addition to the pre-hiring phase, A.I. systems are also an important factor in organising work, e.g. systems for managing warehouse logistics as well as platforms used for managing riders.
In these sectors, decisions on how best to manage activities and human resources are increasingly being delegated to algorithms, which are able to analyse an infinite amount of data and identify the most effective management and organisational solution: algorithms that determine the assignment of tasks according to certain parameters, automated monitoring systems, geolocalisation systems that provide alerts or automatic intervention in case of danger.
In this rapidly changing working environment, the European Union has emphasised the need for workers to be fully and promptly informed as to the essential conditions of their work.
In order to ensure that employees and trade unions are aware of the digital systems in individual business organisations, the legislator, by transposing Directive (EU) 2019/1152 on transparent and predictable working conditions into national law, has introduced a disclosure obligation for the employer in cases where automated decision-making or monitoring systems are used (Article 1-bis of Italian Legislative Decree No. 152/1997 introduced by the so-called Transparency Decree, Italian Legislative Decree No. 104/2022).
The purpose of the new legislation was that, as can be seen from the reading of the recitals and Article 1 of the EU Directive, to ‘improve working conditions by promoting more transparent and predictable employment while ensuring labour market adaptability’.
A practical interpretation of a sometimes difficult jargon is that the worker must be able to know whether automated techniques are used, whether the employer uses algorithmic decisions and similar means; furthermore, the worker is entitled to know the way these techniques operate, their logic and their impacts, including in terms of security risks to personal data.
From a combined reading of Article 1(1)(s) and Article 1-bis, para. 1 of Italian Legislative Decree 152/1997, it results that the provision of such specific disclosure is required in cases where the manner in which workers’ services are performed is organised through the use of automated decision-making and/or monitoring systems, which are designed to ‘provide information relevant to the recruitment or assignment of the management or termination of the employment relationship, the assignment of tasks or duties as well as information affecting the monitoring, evaluation, performance and fulfilment of the contractual obligations of workers’.
The scope of the rule contained in Article 1-bis of the Transparency Decree created interpretative uncertainties and applicative difficulties relating to the identification of which systems were to be included among those that were subject to this additional disclosure as opposed to remote control instruments, with respect to which the disclosure obligations are conversely governed, as is widely known, by Article 4 of Italian Law No. 300/1970, i.e. by a provision expressly spared from the reform and which appears to retain some degree of its autonomy.
With reference to the types of tools to be regarded as automated systems, the Circular of the Italian Ministry of Labour and Social Policies (Ministero del Lavoro e delle Politiche Sociali) No. 19/2022 has attempted to provide some clarifications on the innovations introduced by Italian Legislative Decree. 104/2022. In particular, the Circular excluded the obligation to disclose information where badges are used, i.e. automated tools for recording the attendance of employees upon entry or exit, provided that such recording does not automatically trigger an employer’s decision, while, purely by way of example but not limited to, it provided for such an obligation in the case of the use of automated systems for managing shifts, determining pay, tablets, GPS, wearables and other devices.
Continue reading the full version published on Guida al lavoro of Il Sole 24 Ore.
