Can My Employer Use AI to Monitor Me? Your Rights Explained
AI monitoring at work is real and growing — keyloggers, screen capture, productivity scoring, location tracking. What your employer can legally do, what they cannot, and what you can do about it.
Key Takeaways
Your employer can monitor your work activity during work hours using work devices — but monitoring must be proportionate, disclosed in your employment contract or privacy policy, and cannot extend to purely personal activities.
AI monitoring that is covert — where you have not been informed it exists — is illegal in most jurisdictions including Australia (Privacy Act), the EU (GDPR), and the UK (UK GDPR).
Continuous screen capture, keystroke logging, and constant webcam monitoring are likely to be disproportionate and unlawful in most jurisdictions regardless of consent.
You have the right to access personal data your employer holds about you — including AI-generated performance scores, productivity metrics, and monitoring logs — under privacy law.
If you believe monitoring is unlawful, your first step is a written request to your employer's HR or data protection officer. If unsatisfied, escalate to your national privacy regulator.
"For informational purposes only. This article does not constitute legal, regulatory, financial or professional advice. Please consult a qualified professional for specific advice."
The short answer: it depends on where you work and what you were told
Employer monitoring using AI is not uniformly permitted or prohibited. The legal position varies significantly by jurisdiction, and critically, by whether you were informed. In most major jurisdictions, your employer can monitor you using AI tools on employer systems — but only with adequate disclosure, proportionate purpose, and compliance with data protection law. Covert AI monitoring without your knowledge is unlawful in most jurisdictions.
What AI monitoring actually looks like now
Workplace monitoring has evolved well beyond tracking internet use and counting keystrokes. Contemporary AI monitoring tools can: analyse email and message content for sentiment, topics, or compliance risk; monitor computer activity including applications open, websites visited, and documents accessed; track productivity through document creation, communication frequency, and task completion; score call centre and customer service quality by analysing recorded calls; assess meeting participation and engagement through video analysis; measure physical location and movement in warehouse and retail settings; analyse biometric data (fatigue detection, emotion recognition in some contexts); and aggregate all of the above into employee risk scores or performance profiles.
Tools like Microsoft 365 Copilot, when deployed with full permissions, can analyse an employee's entire digital footprint across email, Teams, documents, and calendars. This capability is transformative — it means AI monitoring is now available to any organisation with a Microsoft enterprise licence, not just those who specifically procure monitoring software.
Jurisdiction-by-jurisdiction: what is and is not permitted
Australia: The Privacy Act requires open and transparent management of personal information (APP 1). Employers must tell you what personal information is collected and why — this includes monitoring data. State surveillance laws add further restrictions. The Workplace Surveillance Act 2005 (NSW) requires prior written notice of computer surveillance; overt surveillance must be disclosed through a written policy. South Australia, Queensland, and other states have similar requirements. Covert monitoring — monitoring without telling you — requires a court order in NSW and equivalent authority in most states. AI monitoring that collects sensitive information (biometric data, health information) requires your consent or a statutory exception.
UK: The ICO's Employment Practices: Monitoring at Work guidance requires disclosure of monitoring in your employment contract, staff handbook, or privacy notice. A Data Protection Impact Assessment (DPIA) is required before deploying monitoring technology that significantly affects employees. UK GDPR requires a lawful basis — typically legitimate interests, which must be balanced against employee privacy rights in a legitimate interests assessment. The balance is harder to strike the more intrusive the monitoring. Covert monitoring is only lawful for specific suspected criminal activity and even then must be documented and reviewed by a senior manager before use.
EU: GDPR applies to employee monitoring data. Most EU member states impose additional requirements. Germany requires works council consent or co-determination before introducing performance monitoring systems — this effectively gives employees collective power to negotiate the terms of AI monitoring. France's CNIL requires transparent disclosure of monitoring and regular review of necessity. Spain's Labour Law requires employee representatives to be informed about AI control mechanisms before deployment.
United States: Federal law (ECPA) has a broad employer exception permitting monitoring of employer-owned systems during work hours where employees have been notified. Several states require written notice — New York's Electronic Monitoring Law (effective 2022) requires employers to notify new employees at hiring and display a posted notice. Connecticut and Delaware have similar requirements. There is no federal prohibition on AI monitoring of employees on employer systems with notice. However, using AI monitoring to identify or retaliate against employees engaged in union organizing violates the NLRA regardless of disclosure.
What your employer cannot do regardless of jurisdiction
Across all major jurisdictions, there are limits. Your employer generally cannot: monitor your personal email accounts or personal devices without your specific, informed consent; use AI to monitor union organizing activity or retaliate against employees for engaging in protected concerted activity; monitor you using biometric technology without adequate disclosure and, in many jurisdictions, consent; use monitoring data for purposes beyond those disclosed (for example, using welfare monitoring data in performance management without disclosure); or use AI emotion recognition or biometric monitoring in the workplace without meeting specific legal requirements. Such use is prohibited in EU workplaces under the EU AI Act's prohibited AI provisions (Article 5, effective February 2025).
Your practical rights
In all major jurisdictions: read your employment contract, IT acceptable use policy, and privacy notice for disclosure of monitoring; make a subject access/data access request for your personal data including monitoring data; raise concerns with your employer's Data Protection Officer or HR department; contact the relevant supervisory authority (ICO in UK, OAIC in Australia, national DPA in EU member states) if you believe monitoring is unlawful; and in the US, contact the NLRB if you believe monitoring is being used to interfere with protected union activity.