AIRiskAware

This article is currently available only in English.

Employee Rights · 7 min · 2026

Is AI Monitoring of Employees Legal? What the Law Actually Says

Whether your employer can legally use AI to monitor your work, track productivity, analyse communications, or make performance decisions — by jurisdiction.

Key Takeaways

  • AI employee monitoring is generally legal in most jurisdictions — but with significant conditions around transparency, proportionality, and data protection.

  • Employers must typically notify employees about AI monitoring. Covert monitoring is restricted in most jurisdictions and prohibited in the EU for general surveillance.

  • EU GDPR requires lawful basis, DPIA, transparency, and purpose limitation for AI monitoring. The EU AI Act classifies workplace emotion recognition as a prohibited practice.

  • The NSW WHS Amendment (Digital Work Systems) Act 2026 in Australia is the first law specifically addressing AI monitoring as a workplace safety issue.

  • Employees generally have the right to know what data is collected, how it is used, and to challenge decisions made using monitored data.

"For informational purposes only. This article does not constitute legal, regulatory, financial or professional advice. Consult a qualified professional for guidance on your specific situation."

AI employee monitoring — legal but conditional

AI monitoring of employees is one of the fastest-growing and most contentious areas of workplace AI. Keystroke logging, screen capture, email analysis, video monitoring, productivity scoring, sentiment analysis, GPS tracking, and AI-driven performance evaluation are all in active use. The short answer to "is it legal?" is: generally yes, but with significant conditions that many employers are not meeting.

United States

No comprehensive federal law specifically regulates AI employee monitoring. The Electronic Communications Privacy Act (ECPA) permits employer monitoring of company-owned devices and systems. State laws vary significantly: California's CCPA/CPRA gives employees rights over their personal data, including monitored data; Illinois' BIPA requires consent for biometric data; Connecticut, Delaware, and New York have workplace monitoring disclosure requirements; the Colorado AI Act (effective 1 February 2026) requires transparency for high-risk AI employment decisions. The NLRA protects employees' rights to organise, so monitoring that chills union activity may violate federal law.

European Union

GDPR imposes strict requirements: a lawful basis (legitimate interest requires a balancing test); a DPIA for systematic monitoring; transparency (employees must know what is monitored and why); purpose limitation (data collected for one purpose cannot be repurposed); and data minimisation (collect only what is necessary). The EU AI Act lists workplace emotion recognition among its prohibited practices (effective 2 February 2025). AI systems used in employment management are classified as high-risk under Annex III, requiring conformity assessment, risk management, human oversight, and transparency.

United Kingdom

UK GDPR applies with requirements similar to EU GDPR. The ICO's Employment Practices Code covers monitoring. The Data (Use and Access) Act 2025 (DUAA) reforms do not fundamentally change the monitoring framework but update the automated decision-making (ADM) provisions. Employers must be transparent and proportionate, and must conduct DPIAs for AI monitoring systems.

Australia

The NSW Work Health and Safety Amendment (Digital Work Systems) Act 2026 is the first Australian law specifically addressing AI monitoring as a WHS issue. It requires PCBUs (persons conducting a business or undertaking) to ensure workers are not put at risk by digital work systems, including AI monitoring. Psychosocial risk assessment is required. The Privacy Act applies to AI monitoring of employees where personal data is processed. State workplace surveillance legislation (e.g., the NSW Workplace Surveillance Act 2005) imposes specific notification requirements.

What employers must do to monitor legally

In all major jurisdictions, employers must:

  • notify employees clearly about what is monitored, how, and why;

  • ensure monitoring is proportionate to the legitimate business need;

  • conduct risk assessments (a DPIA under GDPR, a psychosocial risk assessment under WHS);

  • limit monitoring to business purposes, and not monitor personal activities on personal devices;

  • store monitored data securely and retain it only as long as necessary;

  • not use monitoring data for purposes beyond the stated purpose;

  • provide employees with access to their monitored data on request.

Primary sources: ICO — Employment Practices · SafeWork NSW · Fair Work Ombudsman