When the GDPR goes wrong…

One movie which I empirically realise its trueness is the “Das Experiment (2001)”. It is based on a real experiment, conducted by Dr Philip Zimbardo, and it is more than a film with its straightforward concept. Its main message is how the people change when they were assigned with any power. It is a matter of mere conjectural, how exactly the experiment would be different if we swap the police with forest guards, bureaucrats, etc.

This article discusses the misuse of powers of GDPR and the data privacy concept. It engages and looks into the Decision of Cypriot Data Protection Authority (DPA) of 25th Oct 2019¹, although the reference to this case is indicative; the primary goal of this article is to formulate broader commentaries and worries. The facts of this case are straightforward enough: it regards a trade union (Cyprus Workers Confederation) and a Cypriot Companies Group (Louis Group), which among other things offer passenger handling services to local Airports. The general secretary of the trade union demands from the company to stop using the Bradford Factor as a management procedure, due to privacy concerns. The Cypriot Data Commissioner intervened and imposed penalties of 82.000 euros.

Bradford Factor is a mathematical formula that scores the absence behaviour of employees in the most simplistic term. That formula uses two parameters as variables. The S variable, which represents the total number of an employee’s instances of absence over a set period (usually 52 weeks), and the D variable, which is assigned with the total days of absence of that employee over the same period. The calculation could not be more complicated than the S multiplied by itself and then multiplied with D (SxSxD).

The idea that the various elements of a scoring formula are weighted is not something radical, taking to account what we want to measure. What the Bradford Factor seeks to manage is the fake short-term absences. How possible is it for someone to stage a pregnancy? Under this kind of assumptions, we consider highly desirable that an employee with one absence of ten days be scored with 10 Bradford points and, in contrast, an employee with ten absences of one day each, is scored with 1000 Bradford’s points.

However, there is one more crucial point that shall be taken into account; Bradford Formula does not fulfil the role of a criterion. Quite the opposite, that mathematical calculation is acting as red-flag. In practical terms, the formula is accompanied by graduated ranges and when a worker reaches a prescribed level, the HR department is encouraged to follow the corresponding guidance. As a first step, it is suggested that only talking to the employees in question is adequate. It is expected that at this stage the real reasons for frequent short-term absences are revealed, for example, eldercare responsibilities or an unacceptably heavy workload. When an HR department is armed with this information, it can go on with implementation appropriate measures absence, like readjust roles, workload, etc. In other words, the Bradford Formula does not constitute a judging function in finding if a member of the staff shall have (or not) the requested time off. The Bradford Factor is activated after any employee’s request and works as a passive tool for the company in order to be guarded against the extremely costly short-time absences, without wasting the company’s ability to provide unexpected absences where it is necessary.

Of course, Bradford Factor is not the ideal trigger to decide whenever an employee abuses the facilities specified by the law or the generosity of the HR Department, or any internal policies and proceedings. Besides viewing employees as untrustworthy and dishonest, the dangers of transmissible infections could lie even in diarrhoea cases or any other small annoyances. In the post-COVID era, the Bradford formula maybe has become obsolete.

However, our discussion shall be radically different. Almost all national (sometimes even the supranational or federal level) legal orders include labour courts and recognise trade union organisations. Of course, you can somehow peel an orange with a screwdriver, that does not mean that the effort is not silly. The merit behind the Bradford Trigger has nothing to do with personal data; each variable of the formula is a piece of information, which a company shall record, inter alia as required under the labour laws. So, all that discussion would not have started if the Data Commissioner stopped at the examination of who has access to these data and how securely these records are saved.

Of course, behind the questions, which is the proper amount of data and which is the proper degree of data processing, the historical standing conflict between employers and workers also emerges. In May of this year, the well-known psychologist Dr Jordan Peterson during a podcast² observed that anthropological sciences have a political left tilt, meaning that if these fields have a bias, indisputably this a left-wing bias. If that is true for law field too, of course nothing safeguards that a different competent body would act more objectively. Extending the line of that argument, a Data Protection Commissioner has no tool to solve that type of conflict with no bias. Recording events of the merchant’s activities is an ancient fact; employees’ absences create data which are meaningful for the company too. Like a moment of a young couple; it belongs on both memories.

GDPR has already been criticised. First of all, for excessively vague terms and costly requirements. One requirement of a data controller is a continuous evolution of the risks for rights and freedoms of natural persons to be potentially violated. Similarly, at least four times the Regulation refers to the term disproportionate effort, mainly to describe varying exemptions, without even the EU legislator specifying if it is a qualitative or quantitative criterion. Most important, the legislator ignores the texture and other habits of the digital world: users, creators and service providers used to avoid strictly pricing plans, especially for daily digital facilities. Furthermore, the “Privacy Paradox”³, a Journal Article of 2007 with more than 1000 citations, concludes that (a) the consumers freely provide their personal data, and (b) the relation between the intention to disclosure and the actual behaviour of disclosing seems like a postmodern paradox. In the era of GDPR, using personal data became more expensive, and the entrepreneur is forced to embrace traditional business strategies (e.g. paywalls on news-sites), even where the consumer is unwilling (or unable) to pay the price or in the cases of less personalised services; who needs a non-personalised AI digital assistant?

Repeatedly, we have witnessed when the fort’s walls are extremely high, and the King is arbitrary. I’m debating here the unseen danger when the EU data-commissioners start capriciously implying the vague text of GDPR on whimsical circumstances. Unfortunately, the Cypriot data-authority’s Decision of October 2019 lurked of these social risks. If Louis Companies Group violates some rules, these rules are on labour laws, and a data commissioner’s office has no authority to judge such cases.

It is common sense that employers know or record the absences of their employees and the prohibition of the Bradford Factor is outwith the scope of privacy. The Commissioner did not go into on the data aspect. She did not examine for how long an employer should maintain the absences list, in which way this list shall be saved, or which departments should have access to it. Quite the opposite, she judged the Bradford Factor as a form of punishment and stated that labour law itself includes enough limits for absences.

Labour and private law are mandatory mostly in terms of lower and minimum limits. An employer maybe wants to give some more days-off as benefits and most important, labour law does not regulate all procedures step-by-step. A part of the relationship between worker and employer is subject to the discretion of the company. It is exactly this dimension that creates the need of an ex-ante and an ex-post judgement for what happens inside and outside of the certain business unit.

Another argument by Cypriot Commissioner’s Decision arises from the comparison other circumstances, such as when the employer monitors the internet traffic inside the company’s network, defends himself against workers who are making excessive personal use of tech properties. That scenario was pre examined from European Union Bodies, and there the conclusion was: “Even if the employer has a legitimate interest in limiting the time spent by the employees visiting websites not directly relevant to their work, the methods used do not meet the balancing test of Article 7(f). The employer should use less intrusive methods (e.g. limiting accessibility of certain sites)”. The EU body, before rejecting the questioning for monitoring as an inappropriate solution, points to specific less-intrusive alternatives (like domain blocking). The balancing test is neither a hypothetical nor ideal criterion. We should accept the invisible elephant in the room; which is none other than the massive risk that GDPR has become the new colosseum of bread and circuses, so that EU bureaucrats gained time, understand the tech-titans deeply and finally regulate the new digital world. Cypriot Commissioner was unable to describe any alternatives to a management system of absences monitoring, which would need less data.

Let’s change our scenario a bit and let’s say HR used a different workflow and didn’t record per employee the reason of an absence, but calculated a Bradford Factor per department or per geographical unit. Under that workflow, days-off were recorded as general company’s events, and none can go backwards and find a specific reason for a specific employee. Another alternative could be that periodically an HR staff subjective, randomly and on-the-fly examines employees’ files and if he finds any suspicion, he then moves forward with further investigation, interviews or other measures. Under all these scenarios, the Cypriot Commissioner’s reasoning entirely collapses, without the conditions really being changed and without the employee position changing for the better or fairer. It is also vital to consider that the Bradford Formula only takes an integer number as input to the parameter of instances of absence (aka the S variable) and not each instance detailed; but only as an amount of different instances of absence per employee. The Commissioner did not analyse what happened on these health details after the variables were calculated, and she has not suggested any alternative procedure. The questions if the health data of employees are unsecured and easily accessed remain unanswered. It is possible that these pieces of health information do not exist at all after a while.

Inside the Decision, we meet an experiential blog post which is the Commissioner’s reference for the argument that the Bradford Factor mainly functions as a punishment. However, if it does or does not function as such, is irrelevant to data and privacy; the signatory decision-maker is a Data Protection Commissioner. On the flip side, Bradford Factor was the subject on innumerable journal papers. A last sufficient consulting arises by public health scientists Merekoulias and Alexopoulos. They point that the factor “was developed as a way of highlighting the disproportionate level of disruption on an organisation’s performance that can be caused by short-term absence compared to single incidences of prolonged absence and is related to greater tendency of absence. Short-term absences are usually […] self-reported. […] [A] significant proportion of short-term sick leaves […] has been monitored in various settings […] making BF a useful tool. It was originally designed for use as part of the overall investigation and management of absenteeism but occasionally its field implementation provokes staff disaffection and scientific debate. BF is an easily applicable tool, […] also easily applied”.

In terms of data and privacy, we are living through a digital middle age. We are still unable to answer a series of questions and we continue to discuss countless aspects on GDPR. For example, we are talking about data portability, but seldomly take into account aspects of the innovation and competitiveness. We are even unable to comprehend why the government’s bureaucrats are better suitable than the economics forces, to decide when a digital service shall or shall not offer portability features (aka the laissez-faire argument). In addition, if we read between the lines, the “Cambridge Analytica” scandal classified also as a data portability case. Last but not least, social engineering as a security matter becomes known to the masses from the books written by Kevin Mitnick. Nowadays, the Associate Professor Jean Yang (link) found that her Spotify account has not only been compromised, but the person also used the GDPR and the 15th article’s provision, which is related on the Right of Access, to gain even more deep access on her data by asking a full copy of her account.

As societies, we shall resolve key matters on the concept of privacy. In the meanwhile, if public authorities abuse that concept and seize power in the name of the GDPR and social protection, the end of the digital middle age is far away. Irish Data Commissioner with a remarkable presence of mind, wrote: “The GDPR does not provide an exact roadmap […]. However, a balanced, common sense approach will go a long way towards ensuring that individuals’ rights are respected”⁴.

That Cypriot Reasoning is crucial to stay an isolated incident and never recur. In most jurisdictions, including Cyprus, the principle of Separation of Powers that requires administrative courts did not substitute the public authorities on the merit of the case. That means that an Administrative Court is often limited only to deplore the legality, and not the correctness of a decision of a public body. Only by chance some redolent of incompetence rise in these particular circumstances. The Louis Group of Companies has already brought an action to the Cypriot Administrative Court, but the outcome remains totally doubtful.

Kindly proofreading by Eleni Liapi, BSc Biologist, MSc Forensic Science, MSc Biotechnology and Law