AI and Employee Monitoring: What the Law Actually Allows
The EU AI Act has banned emotion-reading AI at work since 2 February 2025. Other AI monitoring stays legal, but only under the GDPR and strict conditions.
Short answer: some AI monitoring is banned, and the rest is tightly framed. Since 2 February 2025, the EU AI Act prohibits AI systems that infer a person's emotions in the workplace. The only carve-outs are medical or safety reasons. The rest of the monitoring is not a free pass either. AI used in employment and worker management is classed as high-risk under Annex III of the same regulation. And the GDPR still governs every piece of data collected. You need a lawful basis, necessity and proportionality. Employee consent is rarely valid: the power imbalance breaks it.
Banned: AI that claims to read your staff's emotions
Article 5 of the AI Act, Regulation (EU) 2024/1689, lists the prohibited practices. One of them targets AI systems that infer a natural person's emotions in the workplace. Education institutions are covered the same way. Article 3(39) defines these systems: they identify or infer emotions or intentions from biometric data. The face. The voice. Body signals.
This prohibition has applied since 2 February 2025. It is not theoretical. A breach of Article 5 falls into the regulation's top fine band. It can reach 35 million euros or 7 percent of worldwide annual turnover. Whichever figure is higher applies. The European Commission adopted non-binding guidelines in early February 2025 to explain how the prohibitions are read.
The scope deserves precision. The ban covers inference of emotions from biometric data. Detecting a physical state, such as pain or fatigue, sits under a different regime. Medical and safety exceptions exist: a fatigue-detection system for a driver or a machine operator, for example. But a tool sold as reading an employee's mood, stress or sincerity from their face falls inside the ban. "Safety" is a narrow exception, not a licence to score team morale.
One geographic note matters. This prohibition is European. It does not apply in the United Kingdom. UK employers are governed by the UK GDPR and by ICO guidance. The ICO does not ban emotion recognition outright. But it makes it very hard to justify: biometric data is special category data, a DPIA is required, and consent is unreliable. Conversely, an EU group deploying such a system on EU staff is caught, wherever the vendor sits.
High-risk: HR AI is not banned, it is regulated
Annex III, point 4 of the AI Act classes AI used in employment and worker management as high-risk. Four uses are named.
- Recruitment and selection: targeted job ads, filtering applications, evaluating candidates.
- Decisions on the terms of the working relationship, promotion or termination.
- Allocating tasks based on individual behaviour or on personal traits.
- Monitoring and evaluating the performance and behaviour of workers.
High-risk does not mean banned. It means obligations. Risk management. Data governance. Logging. Effective human oversight. Transparency towards the organisations deploying the system. Information for the workers affected.
The timeline shifted in 2026. These obligations were due to apply from 2 August 2026. The EU's "Digital Omnibus" package defers them to 2 December 2027 for stand-alone Annex III systems. The political agreement came on 7 May 2026. Parliament endorsed it on 16 June 2026, and the Council approved it on 29 June 2026. The Article 50 transparency duties still start on 2 August 2026. And again: the Article 5 prohibitions were not delayed.
The GDPR governs the data, whatever the tool
Monitoring means processing personal data. The GDPR, Regulation (EU) 2016/679, requires a lawful basis (Article 6). The processing must stay necessary and proportionate. Biometric and health data are special category data: they also need an Article 9 condition. And a fully automated decision that affects someone's job falls under Article 22.
Employee consent is a trap. The ICO says so plainly. It is not usually appropriate in the employment context, because of the imbalance of power. A worker rarely feels free to say no. Most employers therefore fall back on legitimate interests. That basis demands a balancing test, written down and documented.
The impact assessment comes before deployment, not after the complaint. Article 35 of the GDPR requires a DPIA (Data Protection Impact Assessment) where the risk to people is high. Systematic monitoring is the classic trigger. The ICO gives telling examples: worker biometric data, keystroke logging, and monitoring that could cause financial loss. The process includes consulting the workers themselves.
| What the employer assumes | What the rule says |
|---|---|
| “We can analyse team mood over webcam” | Banned in the EU since 2 February 2025 (AI Act, Art. 5) |
| “Staff signed the policy, so they consented” | The ICO says consent is rarely valid at work (power imbalance) |
| “We'll run the impact assessment if there's a problem” | The GDPR (Art. 35) requires it BEFORE systematic monitoring |
| “Technically, we can log everything” | The ICO asks for the least intrusive means, not the most available |
| “An AI can decide a dismissal on its own” | GDPR Article 22 frames fully automated decisions |
Transparency: covert monitoring is the exception
The ICO is the UK's data protection regulator. Its guidance on monitoring workers sets a simple principle. Workers have the right to be informed. The information must be accessible and easy to understand. Except in very exceptional circumstances, the employer must say what it monitors.
Covert monitoring is still possible, but the ICO calls it unlikely to be justified. Where it is used, it is tightly bounded.
- Authorisation from senior management.
- A data protection impact assessment carried out first.
- Grounds to suspect criminal activity, or an equivalent such as gross misconduct.
- The shortest possible duration.
- No covert audio or video where workers reasonably expect privacy: toilets, changing rooms.
- No capture of communications workers can reasonably believe are private.
“We can log it” is not “we may analyse it”
This is the heart of the matter. Technical capability does not create a legal right. The ICO puts it plainly: just because a form of monitoring exists does not make it the right one. The employer must be clear about the purpose. It must then pick the least intrusive means to reach it.
The ICO's own example says it all. A few remote staff mis-record their start times. The employer rolls out webcam capture across the whole team. To the ICO, that response is likely excessive. The intrusion has to be weighed against the real benefit. And workers can request access to the personal data monitoring produces.
The steps to take
For employers, the order of operations matters more than the tool you pick.
- 1Run the impact assessment before deployment, never after the complaint.
- 2Identify a lawful basis that is not employee consent.
- 3Tell workers what you monitor, why, and for how long.
- 4Choose the least intrusive option that actually meets the aim.
- 5Never deploy emotion recognition on your staff.
- 6Keep a competent human in the loop for any decision affecting a job.
- 7Plan ahead: HR AI is high-risk, with obligations landing on 2 December 2027.
For workers, the rights are concrete. You have the right to be informed about monitoring (GDPR Articles 12 to 14). You can request access to the personal data it produces (Article 15). And in the EU, AI that claims to read your emotions at work is prohibited, today.
One blind spot remains, and it is common. Many employers now pipe text about their staff into an external LLM. Annual appraisals. HR notes. Internal tickets. The employer stays the data controller, with every GDPR duty attached. That is where ONYRI Sanitize fits. The engine detects names, email addresses, identifiers and sensitive data, then replaces them with reversible tokens before sending. Detection and the mapping stay in your browser. The model sees only tokens, never your employees.
Frequently asked questions
- Can an employer monitor employees with AI?
- Only in part. Since 2 February 2025, the EU AI Act prohibits AI systems that infer a person's emotions at work, except for medical or safety reasons. Other HR uses — recruitment, task allocation, performance monitoring — are not banned, but Annex III classes them as high-risk. The GDPR applies on top: lawful basis, necessity, proportionality, informing workers, and an impact assessment.
- Is employee consent enough to make monitoring lawful?
- Almost never. The ICO explains that consent is not usually appropriate in the employment context, because of the imbalance of power between employer and worker. Staff rarely feel free to refuse. Most employers therefore rely on legitimate interests, which requires a documented balancing test before anything is deployed.
- Does the emotion-recognition ban apply in the UK?
- No. The AI Act prohibition is European and does not apply in the United Kingdom. UK employers are governed by the UK GDPR and ICO guidance. The ICO does not ban these systems outright, but makes them very hard to justify: biometric data is special category data, a DPIA is required, and employee consent is unreliable.
Sources & references
- Regulation (EU) 2024/1689 (EU AI Act) — Article 5 (prohibited practices, including emotion inference at work), Annex III (employment as high-risk), Article 113 (application dates) — EUR-Lex (Official Journal of the European Union)
- Employment practices and data protection: monitoring workers (informing workers, consent unsuitable, least intrusive means, covert monitoring) — Information Commissioner's Office (ICO), UK
- Regulation (EU) 2016/679 (GDPR) — lawful basis (Art. 6), special category data (Art. 9), automated decisions (Art. 22), DPIA (Art. 35) — EUR-Lex (Official Journal of the European Union)
Keep your sensitive data in your browser
ONYRI Sanitize detects and masks your sensitive data before it reaches the AI, then restores the answer — from names to API keys.
Anonymize my prompt