Lawyers need to tread carefully on employee implants

The practice of fitting employees with microchips is still in its very early stages, but lawyers would be wise to prepare for a time when it becomes much more widespread, reports Jonathan Watson.

Swedish firm Biohax attracted a lot of attention late last year when a United Kingdom newspaper reported that it was in discussions with several British legal and financial firms about fitting their employees with microchips.

‘Is this real?’ asked Yvette Cooper, the British Member of Parliament who chairs the House of Commons Home Affairs Committee. ‘If so, it is extremely troubling.’ The idea of employers microchipping workers raises ‘massive ethical questions,’ she said, adding that there is ‘huge potential for exploitation’. The Confederation of British Industry (CBI), which represents 190,000 UK businesses, also spoke out against the notion. ‘This makes for distinctly uncomfortable reading,’ the organisation said.

Peter Talibart, Co-Chair of the IBA Employment and Industrial Relations Law Committee and a partner at law firm Seyfarth Shaw, questioned how they would deal with the data protection risks that they are taking. In the UK, any data from microchips would have to be processed lawfully in accordance with the data protection principles in the European Union General Data Protection Regulation (GDPR) and the Data Protection Act 2018 – including keeping the data up to date and secure.

Jowan Osterlund, the chief executive of Biohax, says the journalist who wrote the report rather overstated the scale of his immediate plans, ‘creating a media circus, which I very much enjoyed’. He understands why people are wary. ‘They should be. It’s scary. I need to be the antagonist as much as the protagonist in all of this because if I’m not, I’m going to fall in the sinkholes.’

Everyone gets nervous when they hear about technology being inserted into people’s bodies. ‘Pop culture has ingrained the fact that everything that has to do with an implant is either KGB polonium, GPS or an explosive device,’ Osterlund says.

Think of The Tripods, for example, the 1960s series of young adult novels that formed the basis of a science fiction TV series broadcast on Saturday afternoons in the UK in the 1980s. It presented a world in which humans had been enslaved by gigantic three-legged walking machines, piloted by unseen alien entities. They were controlled from the age of 14 by implants, known as ‘caps’, which were designed to suppress curiosity and creativity.

Current uses

The reality of what ‘integrated technology’ can offer today’s workplace is somewhat more prosaic. UK firm BioTeq, which offers implants to businesses and individuals, recently said it had fitted 150 implants in the UK. ‘There is no data as such,’ says its founder and owner Stephen Northam. ‘The current trend is using the implants for access systems, so the implant is simply an eight-digit code which interacts with the outside system to then allow access to doors – exactly the same way as a staff ID card. The “data” is stored on the companies’ systems, linking the implant ID with a person for example.’

Charlie Thompson, an employment lawyer at UK law firm Harbottle & Lewis, says the current practice of microchipping employees does not raise significant concerns. ‘Microchipping needn’t necessarily involve the processing of personal data,’ he says. ‘If it is used solely for gaining access to premises, for example, it could be “safer” from a data protection perspective than security technologies used in some workplaces like fingerprint or retina scanning, as anonymisation and security is more straightforward.’

Used in this simple way and with freely given consent, employee microchipping can offer tangible positives, says Leon Deakin, a partner and head of the technology sector team at UK law firm Coffin Mew. ‘One of the benefits is security,’ he says. ‘You’re not going to leave your microchip on the train, for example. There could also be some health and safety benefits. If you’re doing a high-risk or demanding job, it could be useful for your employer to have some data about the times when you’re stressed, or your heart rate’s elevated or something else is indicating that there’s a problem. That’s all information that good employers would want to have.’

In the hands of an unscrupulous employer, however, such information could be used in a different way. They might conclude that an employee suffering from stress could eventually turn into a personal injury claim and start to look for a way to ease them out of the company.

The real worries would begin if microchipping were to be used for something more comprehensive, such as tracking an employee’s location. In this case, there are not only potential data protection and privacy concerns, but serious industrial relations issues.

‘It’s hard to see how microchipping staff as we would our pets is the simplest, easiest and least intrusive way to guarantee company security,’ says Scott Gilfillan of the UK’s Trades Union Congress (TUC). ‘And given that each chip costs between £70 and £260 per person, microchipping is hardly justifiable on a cost basis either.’

Some employers already ask staff to wear location-tracking devices and the TUC fears that microchipping would allow them to monitor their every move even more accurately. ‘It could also be used to stockpile surveillance data on employees they don’t like, allowing bosses to micromanage staff out of the company,’ claims Gilfillan. A recent report from the TUC found that over half of UK workers (56 per cent) think it’s likely that they are being monitored at work, while 70 per cent think surveillance is likely to become more widespread in the future.

Those surveyed may have been aware that in January 2018, Amazon submitted a patent request for a wristband that would track employees and use haptic feedback (vibrations that help to provide instructions for those wearing them) to guide their hands to the precise item they are expected to pick from the shelf. Microchipping doesn’t seem like too big a leap from there and when people are desperate for work, they may feel they have no choice but to agree to that kind of monitoring. 

There are also concerns about dignity and the right to privacy in the workplace. ‘We’ve already heard stories of employees being forced to justify the length of their toilet breaks – and of female workers on their periods in Norway having to wear red bracelets to account for extra time,’ Gilfillan says.

Northam emphasises that microchipping currently is simply an option. ‘Essentially it’s no different from wearing a staff ID card – it’s just that the card is inside your hand. No one is forcing staff to be microchipped as a condition of their employment. I think we are a long way from that – the ethical and legal arguments would be considerable.’

The TUC wants a requirement to be placed on employers to consult with staff before introducing any new forms of surveillance. Employers must be able to provide a convincing justification for such a move, and clear workplace policies need to be negotiated to set out where staff can use workplace technology for private use and where there are restrictions in place.

‘Perhaps the most important thing with employee microchipping, from my perspective, is that there doesn’t seem to be much of a point to it,’ says Thompson. ‘It’s not clear to me what specific problems are solved by employee microchipping which cannot already be addressed by existing and less intrusive technologies.’ It’s like using a sledgehammer to crack a nut. If security passes get lost or stolen, you can cancel them. It’s not very difficult.

Talibart does not believe employees stand to gain very much from being microchipped. ‘I guess that if you don’t show up at work and you need help, then someone can find you,’ he says. ‘But that’s about the only upside I can think of.’

Do in-house lawyers need to be worrying about this?

The limited use of microchipping so far begs the question of whether it is something in-house lawyers really need to be thinking about at the moment. ‘I think it’s still some way off in the future,’ says Thompson. ‘I doubt that it’ll be viable unless and until microchipping is more widespread and normalised in society outside of the workplace. If, for example, it becomes widespread for consumer technology to be implanted, then I can see the workplace following suit. However, that seems to be a long way off.’

Wearing technology is now a lot more widespread than it used to be, and so is having a piercing or a tattoo. Who knows how things may change in the next ten years or so? ‘Some people like to be as up-to-date as possible and keep up with all the latest technology,’ says Deakin. ‘Fitting vehicle trackers used to feel very wrong and intrusive but now it’s par for the course, and I wonder if there may be a mind shift in the future. People are already tracked a lot, so if an employer is up front about the purpose of it and the employee consents there is no problem.’

For now, though, significant practical obstacles remain. ‘An obvious one is that it is easier for a departing employee to hand back a security pass than it is for the employee to remove it from them,’ Thompson says. Also, anyone who’s ever had a security pass knows that sometimes, they don’t open the gate they’re supposed to, for no apparent reason. If your pass is actually in your body, what are you supposed to do? How easy is that to fix?

Another obstacle Thompson identifies is implementation. ‘In order for an organisation to roll out a microchipping scheme, it would almost certainly need to be to a receptive workforce who give free, voluntary and unequivocal consent to doing so,’ he says.

The GDPR demands a very high standard of consent from workers, which must be given by clear affirmative action establishing a freely given, specific, informed and unambiguous indication of the worker’s agreement to their personal data being processed. If the employer wants to use personal data for new or different purposes, it must update its privacy notice and obtain a new consent if relying on consent to justify personal data processing.

Where employees don’t want to be microchipped, it’s difficult to envisage on what grounds an employer could legitimately insist on it as a condition of employment. ‘Any microchipping scheme would have to be voluntary, and so the technology it would purport to replace would still need to be maintained for those who, understandably, don’t want their employer to implant a microchip in them,’ says Thompson.

The main legal challenges to the use of chips in the workplace would be based on data protection and human rights legislation, according to a study compiled in 2018 for the European Parliament’s Employment and Social Affairs Committee. ‘Even where… chip use was truly voluntary this legislation would still be relevant, especially in respect of data protection,’ the report says. ‘In the case of voluntary applications, it would be necessary to ensure that the use was genuinely voluntary and that no disadvantage was seen to accrue to those individuals who declined to have a chip implanted or that any pressures (direct or indirect) were exerted on those invited to participate.’

And that’s before one even begins to consider the ethical concerns that would stem in part from Articles 1 and 3 of the Charter of Fundamental Rights of the EU relating to the inviolability of human dignity and the human body.

One recent case in the Illinois Supreme Court in the United States offered an insight into the kind of problems companies could face. ‘It involved a mother suing the owner of a theme park on behalf of her teenage son after he was fingerprinted in connection with the purchase of a season ticket for the park,’ says Avi Gesser, a partner in Davis Polk’s litigation department. ‘Neither the son nor the mother consented in writing to the taking of the fingerprint or signed any written release. In addition, the park did not provide any documentation about their retention schedule or guidelines for retaining and then destroying the data. The court found that individuals possess a right to privacy in and control over their biometric identifiers.’

Microchipping employees amounts to ‘a whole new level of biometrics,’ Gesser says. But for now, the key question for general counsel to answer is whether a partial implementation of microchipping is better than no implementation at all. US-based software firm Three Square Market, for example, said it was offering microchip implants to employees in August 2017, beginning with a cohort of 50. One year later, reports suggested that 80 of the company’s 250 staff had been microchipped, leaving 170 who were still apparently not interested. Is it really worth the effort?

Northam believes the main challenge for general counsel (GCs) is to understand the technology properly and its assistive uses. ‘If an organisation wishes to offer the option then we see no issue with this,’ he says. ‘We already provide implants for a wide range of people who wish to replace their staff, gym or university ID card.’ 

But what happens to the implant when the employee leaves the company in question? The implant belongs to the employee, not the company, says Northam. ‘The company isn’t fitting the implant, it’s by the choice of the person – who may then choose to use the implant for their staff ID access, along with gym access, access to their house, keys for their car, Oyster card and hopefully soon also Visa or Mastercard payments.’

Law needs to keep up with technology

‘Surveillance is almost as old as work itself, but new techniques represent a growing threat of a different kind for workers and unions,’ wrote Michael Ford QC in a report published by the Institute of Employment Rights in 1998. This remains true today and could clearly be a major barrier to some forms of employee microchipping.

There are signs that politicians and regulators are taking an interest. In the US, several states (California, Missouri, North Dakota, Oklahoma and Wisconsin) have passed legislation prohibiting the mandatory implantation of microchips. And in Arkansas, a member of the state legislature recently proposed a bill clarifying that no employer can require an employee to be microchipped as a condition of employment. It would also require employers to tell those being microchipped what the data is being collected for. The bill, which has been cleared by a committee to be voted on in the legislature, places any costs associated with microchipping on the employer and allows employees to have the chip removed at any time.

For technology entrepreneurs like Osterlund, this kind of engagement is essential, because employee microchipping is definitely going to happen. ‘Technocracy is knocking on the door, and integrated technology is and will be the only form of trust you can have in the future because it’s the only thing robust enough to prove immutably that you are you,’ he says. ‘Embedded technology is definitely the future and legislation needs to be proactive.’

According to Talibart, this is easier said than done. ‘There is an inevitable momentum about convergent technologies,’ he says. ‘One can see the integration of security, entertainment and health management technology resulting in more embedded and wearable devices. However, this will create a privacy and data protection minefield for the data controller and for legislators.’

Technology still makes a joke of working time legislation, he adds. ‘I cannot imagine what the potential exposure to an employer would be of a major breach of biometric data related to a large global workforce. Legislative proactivity sounds great but we already know it is incredibly difficult to deliver. Technology evolves much more quickly than good law based on experience ever can. For that reason legal systems will always be catching up with it.’

The ‘legal schmegal’ doesn’t move as fast as technology, says Osterlund. ‘We need to rev it up a bit. We need a new generation of barristers and lawyers and we need to digitise this Stone Age industry.