The Paradox That's Breaking Workplace Privacy
Here's the contradiction keeping HR leaders awake at night: Your company just spent $50,000 on employee monitoring software to track productivity. Your manager sends a "quick question" on Slack at 9 PM. Your employee reads it at 9:02 PM—your monitoring system logs it.
Congratulations. In Australia, you may have just violated the law. In California (soon), you could face fines. In France, you might owe damages.
Australia's new "right to disconnect" law, which took effect August 26, 2024, gives employees the legal right to refuse to monitor, read, or respond to work contact outside their working hours unless that refusal is unreasonable (Fair Work Ombudsman). Employers who violate Fair Work Commission orders face penalties up to $93,900 per violation.
Welcome to the right-to-disconnect revolution—where the same surveillance tools you deployed to "ensure productivity" are now generating the legal liabilities you were trying to prevent.
The Global Movement Goes Live
Australia Leads the Charge
As of August 26, 2024, Australian employers of 15+ employees must respect employees' right to ignore after-hours contact. Small businesses (under 15 employees) get a one-year grace period until August 2025.
The law isn't a blanket ban on after-hours communication. Instead, it establishes a "reasonableness" test considering factors like:
The reason for contact
How the employee is compensated
The employee's role and seniority
Personal circumstances (family, caring responsibilities)
How disruptive the contact is
Multinational organizations are uniquely affected: cross-time-zone collaboration creates after-hours contact by default, offshore managers are unaware of Australian legal obligations, and international clients expect immediate responses (Clyde & Co).
The US Watches—and Waits
California's Assembly Bill 2751 would have been the first major US legislation granting workers a "right to disconnect," but it died in committee on May 16, 2024 (Epstein Becker Green). The bill would have required employers to establish written agreements defining each employee's "nonworking hours" and prohibited contact except for emergencies or scheduling within 24 hours.
Don't breathe easy yet. The bill's sponsor, Assemblymember Matt Haney, explicitly designed it to address how "workers shouldn't be punished for not being available 24/7 if they're not being paid for 24 hours of work." Expect it to return in 2025.
France's Pioneering—But Toothless?—Law
France introduced the right to disconnect into its Labour Code in 2016, making it illegal for employers to penalize employees for not responding to work communications during off-hours (Mayer Brown).
The catch? France's law is vague and requires employers to negotiate terms with employees, but there's no obligation to reach an agreement nor any penalty for noncompliance. However, in 2018, the French Cour de Cassation ordered a company to pay a former employee €60,000 for failing to respect his right to disconnect when he was required to be permanently reachable by phone but was only paid when actually contacted (OnLabor).
Why Monitoring and Disconnection Are on a Collision Course — A Contextual Integrity Analysis
To understand why this problem exists structurally — not just as a regulatory inconvenience — we need to run it through Helen Nissenbaum's contextual integrity framework. I've found that this analysis is what helps organizations understand the why behind the legal pressure they're experiencing, rather than just the what.
Recall the five principles: Context, Actors, Attributes, Transmission Principles, and Information Norms. Let me apply each to the specific collision between monitoring and right-to-disconnect.
Principle 1 — Context: Employment versus Personal Life Are Distinct Spheres with Different Norms
The employment context has always had its own established information flows: employers can monitor work activity during work hours because the employment relationship, the compensation structure, and the mutual expectations of the parties justify it. Personal time — evenings, weekends, leave — exists in a fundamentally different context, governed by different norms. When those contexts are clearly separated, the information flows within each are appropriate. The right-to-disconnect crisis emerges precisely because remote and hybrid work technologies have made context separation operationally difficult. The laptop on the kitchen table doesn't know it's 9 PM.
Principle 2 — Actors: The Transformation of the Employment Relationship
In the traditional employment context, actors were clearly defined: the employer monitored what happened at the workplace during work hours, and employees understood that. The introduction of always-on connectivity changed who the "sender" of behavioral data was and what relationship that data belonged to. When your monitoring system logs that an employee opened an email at 9:04 PM, it's collecting data about a personal actor — a person in their home, in their private time — and treating them as a work actor subject to work-context norms. That category shift is the root of the problem.
Principle 3 — Attributes: Work Productivity Data vs. Personal Availability Data
There is a critical attribute distinction that most monitoring discussions completely overlook. An application usage log collected during a standard Tuesday workday contains information about work productivity — a category of data that fits naturally within the employment relationship. The same log collected at 11 PM on a Saturday contains fundamentally different information: it's a record of personal availability, a measure of how much of someone's private life the employment relationship has colonized. These are different attributes. They belong to different contexts. The fact that the same technological system collects both doesn't make them the same kind of information.
Principle 4 — Transmission Principles: Consent Doesn't Cross Contexts
Employees who sign monitoring acknowledgment forms at onboarding are consenting — implicitly or explicitly — to the monitoring of their work activity. They are not consenting to the surveillance of their personal time. This is the precise violation that right-to-disconnect laws are codifying: the transmission principle that should govern monitoring data is "within the employment relationship and during work hours." When monitoring crosses into personal time, it violates the transmission principle under which consent was given, even if the technological collection itself is continuous and automatic.
Principle 5 — Information Norms: The Expectation of Separation
The information norm that employees bring to the employment relationship — and that employment law in most jurisdictions has historically respected — is that work time and personal time are separate spheres. Collective bargaining agreements, working time directives, and overtime law all reflect this norm. Right-to-disconnect legislation isn't creating a new norm; it's codifying the defense of an existing one against technological erosion.
This is why the monitoring-disconnect collision was inevitable. The moment organizations began deploying tools that collected behavioral data continuously, including during personal time, they were violating the information norms of the employment context. The law is now catching up to what contextual integrity predicted.
Three Stories That Illustrate the Legal Trap
Story One: The Multinational With Cross-Timezone Blind Spots
An Australian technology company with an engineering team in Sydney and product management in London has always operated across time zones. For years, this worked fine through disciplined asynchronous communication and clear documentation practices. Then pandemic-era pressure on velocity led the London team — genuinely unaware of the time difference implications — to start sending Slack messages at 5 PM London time, which arrive at 2 AM Sydney time, and follow-up messages at 8 AM London time, when Sydney is at the end of its working day.
The monitoring system logs that several Sydney engineers are reading and responding to messages outside their standard working hours. When one of those engineers raises a concern and is subsequently passed over for a promotion, the adverse action risk becomes concrete.
Run this through the contextual integrity analysis. Context: Two different employment contexts with different working hours — London employment norms and Sydney employment norms are being treated as a single unified context by a global communications platform. Actors: London managers operating as senders in their work context; Sydney engineers receiving those messages in their personal time context. Attribute violation: Messages sent as work communications are being received as intrusions into personal time — a category shift that neither party fully intended, but both the technology and the monitoring system have formalized. Transmission principle violation: The Sydney engineers' after-hours activity data is being logged in a system that could be used to assess their "availability" — an information flow they never consented to in a personal time context. Information norm violation: The reasonable expectation that a Sydney engineer's midnight is not their employer's business is being systematically overridden.
What compliance requires under Australian law: Per the Fair Work Ombudsman's guidance, the organization needs to establish explicit protocols distinguishing urgent from non-urgent cross-timezone communication, implement delayed-send defaults for non-urgent messages that would arrive outside the recipient's working hours, and ensure that no after-hours monitoring data is used in any performance, availability, or responsiveness assessment. The documentation of when each employee's ordinary working hours begin and end is no longer an HR formality — it's a legal requirement for determining when the right to disconnect applies.
Story Two: The Manager Who Created Evidence Against His Own Company
This scenario is drawn from the kind of fact pattern that plaintiffs' attorneys dream about, and I want to be specific about the mechanism because it's genuinely important.
A customer service team manager in a company with Australian operations has a habit of sending "just keeping you posted" messages to her team on Sunday evenings — genuinely well-intentioned, she sees it as keeping people informed for the week ahead. The company's monitoring software logs email send and open times. It logs Slack activity. It produces weekly reports on "responsiveness metrics" that track average time-to-reply, including during evenings and weekends.
When a team member raises concerns about after-hours contact and is subsequently given a formal performance improvement plan — citing, among other things, "lack of responsiveness" — several things happen simultaneously. First, the employee's union representative files a right-to-disconnect dispute with the Fair Work Commission. Second, the performance improvement plan's reference to "responsiveness" becomes evidence that after-hours availability was being monitored and factored into employment decisions. Third, the company's own monitoring logs — which it produced as evidence of the employee's "low performance" — instead demonstrate that the company was systematically tracking after-hours activity across the entire team.
The reverse onus of proof under Australian adverse action law means the company now has to affirmatively prove that the PIP had nothing to do with the employee exercising disconnect rights. The monitoring logs they created to manage performance have become the primary evidence of a compliance failure.
The contextual integrity failure here is structural. The monitoring system treated personal-time activity data (after-hours email opens, Sunday Slack reads) as equivalent to work-time activity data in its performance calculations. When that data informed a "responsiveness" metric that in turn informed a performance review, it transmitted personal-time information into the employment decision context — a transfer that violates the transmission principle under which that data was collected. The employee consented to the monitoring of work activity. They did not consent to their Sunday evening email behavior being scored as a performance indicator.
What compliance requires: Every organization with Australian employees needs to audit its monitoring system's data collection scope against working hours definitions right now. Any metric that incorporates data from outside contracted working hours needs to be identified and removed from performance systems. The Fair Work Ombudsman's guidance is explicit: dispute resolution about the right to disconnect should happen "at the workplace level" first, but the Commission's stop order authority is real, and adverse action claims carry no cap on damages.
Story Three: The Burnout That Became a Compensation Claim
A professional services firm in France has a rigorous client service culture where senior consultants are expected to be "responsive" — a word that, in practice, means available by phone and email at essentially all hours for their assigned clients. The firm employs roughly 200 people across Paris and Lyon. The partners' view is that this is simply the nature of consulting: clients pay for access, and access means availability.
A senior consultant takes an extended sick leave for anxiety and burnout after three years of this arrangement. His medical documentation explicitly cites the constant availability requirement as a contributing factor. His union files a complaint. The firm insists that "availability" was part of his role's commercial requirements and points to his compensation as implicitly covering it.
The court doesn't agree. French employment law — and the Cour de Cassation's 2018 precedent — requires that permanent availability be separately and explicitly compensated if it forms a genuine work obligation. The "he's well-paid" argument doesn't satisfy the legal standard that additional compensation must be provided for genuine stand-by obligations. The firm is ordered to pay damages.
The contextual integrity analysis: The context of the employment relationship establishes a norm that contracted hours are compensated, and additional obligations carry additional compensation. The firm's availability expectation transmitted information about the employee's obligations — specifically, that he was required to be personally contactable at all times — in a way that violated the norms of the employment context: it created an obligation without the corresponding compensation structure. The French Labour Code's Article L.2242-17 framework exists precisely to force the negotiation that should have happened — the articulation of what "availability" means, when it applies, and how it's compensated — before the burnout, not after the litigation.
What compliance requires under French law: Organizations with 50 or more employees in France must engage in formal negotiation with employee representatives about disconnection rights and produce either a negotiated agreement or a company charter (after consultation). That charter must define specific hours of non-availability, responsibilities of both parties regarding digital tool use, and any awareness or training arrangements. Not having this documentation isn't a technical oversight. It's a failure to comply with the Labour Code, and it becomes an aggravating factor in any subsequent worker health or compensation claim.
The Deeper Problem: Surveillance Is Documenting the Violation
I want to return to the scenario I opened with, because I think the monitoring-as-evidence problem is genuinely underappreciated by the organizations most exposed to it.
Your monitoring system doesn't know that it's building the case against you. It's just logging what it's designed to log. But in an Australian right-to-disconnect dispute, or a French worker's compensation claim, or a Belgian collective bargaining enforcement action, the question before the tribunal or the court is going to be: what evidence exists that this employee was expected to be available during their personal time?
The answer, in most organizations that have deployed comprehensive monitoring software, is: a great deal. Timestamped logs of after-hours email opens. Records of Slack activity during evenings and weekends. "Responsiveness metrics" that incorporate after-hours data. Productivity reports that, by their structure, imply that after-hours work is expected and measured.
Research from the University of Nottingham published in 2024 quantified what most people working in these environments already know from experience: the fear of missing important information — what researchers call "information FoMO" — is itself a significant driver of burnout and mental health deterioration, independent of the volume of actual messages received. The mere existence of a monitoring system that logs after-hours activity creates anticipatory stress. Employees don't need to receive messages at 11 PM to experience surveillance anxiety; they need only to know that the system is watching and that the data it collects could be used against them.
The 2025 NAMI Workplace Mental Health Poll found that one in four employees say they have considered quitting their jobs due to mental health concerns, and 7% did quit. The High5Test 2025 data puts U.S. workforce burnout at 59% — nearly six in ten workers reporting burnout in 2024. The Mind Share Partners/Qualtrics 2025 Mental Health at Work Report found that employees who work at companies supporting their mental health are twice as likely to report no burnout or depression. Work-life balance — not compensation, not benefits — was rated as workers' top priority for wellbeing improvement.
Organizations are building the case for right-to-disconnect regulation with every monitoring log they generate and every after-hours responsiveness metric they include in a performance review.
What Compliance Actually Requires — Jurisdiction by Jurisdiction
Let me be specific here, because the compliance obligations differ meaningfully depending on where your employees are.
Australia (immediate obligation): If you employ people covered by the national Fair Work system, you must stop treating after-hours responsiveness as a performance metric today. You must configure monitoring tools — or document monitoring policies — such that after-hours activity data is neither collected nor used in any employment assessment. When managers send after-hours messages, those messages must carry no implied expectation of response. When after-hours contact is genuinely urgent and justified under the reasonableness factors in the Fair Work Act, document why. Build that documentation practice into your management operating model, not as a post-hoc defense but as a pre-emptive compliance record.
Practically speaking: enable delayed send as a default in your email and Slack configurations, document each employee's contracted working hours, train managers that "quick question" messages outside those hours need to genuinely wait, and audit your performance review process to remove any metric that incorporates after-hours activity data.
France (ongoing obligation): If your organization employs 50 or more people in France, you need a right-to-disconnect negotiation on file — either a concluded collective agreement or a company charter drafted after consultation. If you don't have one, you're already in technical non-compliance. The charter needs to specify defined hours of non-contact, the roles and responsibilities of both employees and management around digital tools, and any training or awareness arrangements. The €60,000 damages figure from the 2018 case and the criminal prosecution exposure for union rights obstruction are the stakes.
Belgium (now applying to the private sector): Organizations with 20 or more employees in Belgium must have right-to-disconnect provisions in their collective bargaining agreement or work rules, filed with the local labour inspectorate. The framework must cover the practical arrangements for non-contactability, instructions on digital tool use, and training for both workers and managers.
Portugal: This is the most stringent in the EU. Portuguese law outright prohibits employer contact with employees outside working hours, with direct financial penalties. If you employ people in Portugal, this is not an "establish a policy" situation. It's a hard operational boundary.
European operations generally: The EU Working Time Directive (2003/88/EC) sets minimum daily and weekly rest period requirements that monitoring of after-hours activity can undermine, especially when that monitoring creates de facto working time through the anticipatory stress of constant availability. Any EU jurisdiction where your monitoring practices effectively extend working time beyond the directive's limits creates legal exposure independent of country-specific right-to-disconnect laws.
United States (prepare now, not after): No federal right-to-disconnect law exists. California AB 2751 failed; similar legislation in New Jersey has not passed. But the underlying legal pressure is real in other forms. The NLRB's documented concern about monitoring practices that chill Section 7 protected activity applies to after-hours monitoring just as it does to in-work surveillance. State wage-and-hour laws may create underpayment exposure if after-hours responsiveness constitutes compensable work time. And the reputational and retention cost — which the NAMI data quantifies directly — is an operational reality regardless of legal obligation.
The Evidence Problem Your Legal Team Needs to Know About
I want to close the compliance section with something that I don't see discussed often enough in the HR and privacy literature, and it's the most practically important point in this entire edition.
Your monitoring logs are discoverable. In Australian Fair Work proceedings, in French employment litigation, in NLRB proceedings, in U.S. wage-and-hour suits, in European Works Council disputes — the logs your monitoring system generates about employee activity are evidence. If they contain data from outside working hours, they're evidence of after-hours monitoring. If they contain responsiveness metrics that incorporate after-hours data, they're evidence that you expected after-hours availability. If your performance reviews reference metrics drawn from those logs, they're evidence of adverse action based on monitored personal-time behavior.
"We didn't require them to respond" is a reasonable defense when you can demonstrate you actually had systems in place to honor that commitment — monitoring tools configured to exclude after-hours data, performance frameworks that don't incorporate after-hours activity, and managers trained to understand the legal boundary. It collapses when your own monitoring logs show continuous surveillance regardless of the hour.
The first step in right-to-disconnect compliance isn't drafting a policy statement. It's auditing what your monitoring systems are actually collecting and whether any of that data is finding its way into assessments, metrics, or decisions that affect individual employees.
Building the Compliant Organization
What a compliant approach to after-hours communication and monitoring looks like, across all the jurisdictions we've discussed, has more in common than the jurisdictional variation suggests.
Define working hours explicitly, per role and per person. This isn't a philosophical exercise — it's a legal necessity. In Australia, the definition of "working hours" determines when the right to disconnect applies. In France and Belgium, it determines when the right to non-contact applies. In U.S. wage-and-hour law, it determines what time is compensable. Get this in writing, keep it current when arrangements change, and make sure managers know what the working hours of their reports actually are.
Configure your tools to honor the boundary you've defined. Delayed send defaults for email and Slack. Notification silencing during off-hours. Monitoring configurations that either don't collect after-hours activity or explicitly exclude it from performance analytics. These are technical decisions that legal and HR teams need to be driving, not defaulting to whatever the software vendor ships.
Train managers on what after-hours contact actually costs. Not with a compliance lecture, but with the concrete scenarios of how well-intentioned Sunday Slack messages become evidence in adverse action claims. Most managers sending those messages are not malicious — they're operating on old norms in a new legal environment. The training needs to update those norms, not just add a policy.
Remove after-hours data from every performance system. Audit every metric currently used in performance reviews, productivity reports, or management dashboards for evidence that it incorporates after-hours activity data. If it does, redesign the metric. This is not optional in Australia or the EU countries with strong frameworks, and it's prudent practice everywhere else.
Document the emergency exception carefully. Right-to-disconnect laws — in Australia, France, Belgium, and elsewhere — recognize that genuine emergencies may require after-hours contact. "Genuine emergency" means something specific: not a client who prefers immediate responses, not a senior leader's anxiety about a presentation tomorrow, not a habit of treating everything as urgent. Build an explicit escalation process that defines what constitutes a genuine emergency, requires that characterization to be documented, and creates a record that shows proportionate use of the exception rather than systematic reliance on it.
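To make the "configure your tools" and "remove after-hours data" steps concrete, here is a sketch of the audit and the delayed-send calculation, run against the Sydney/London pattern from Story One. This is an example added for illustration, not code from any monitoring product; the event format, the employee ID, the field names, and the 9-to-5 Monday-to-Friday schedule are all assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, time, timedelta, timezone, tzinfo
from statistics import mean

UTC = timezone.utc


@dataclass(frozen=True)
class Schedule:
    """One employee's documented ordinary hours (assumes start < end, same day)."""
    tz: tzinfo
    start: time
    end: time
    workdays: frozenset  # Monday == 0

    def covers(self, instant: datetime) -> bool:
        # Judge the instant in the employee's own zone, not the sender's.
        local = instant.astimezone(self.tz)
        return (local.weekday() in self.workdays
                and self.start <= local.time() < self.end)

    def next_start(self, instant: datetime) -> datetime:
        """Delayed-send target: `instant` if in hours, else the next shift start."""
        if self.covers(instant):
            return instant
        local = instant.astimezone(self.tz)
        for offset in range(8):  # look at most one week ahead
            day = local.date() + timedelta(days=offset)
            candidate = datetime.combine(day, self.start, tzinfo=self.tz)
            if day.weekday() in self.workdays and candidate > local:
                return candidate
        raise ValueError("schedule has no workdays")


def audit(events, schedules):
    """Split reply events by context and recompute the metric on work time only."""
    report = {}
    for employee, sent, replied in events:
        schedule = schedules[employee]
        row = report.setdefault(employee, {"all": [], "in_hours": [], "flagged": []})
        minutes = (replied - sent).total_seconds() / 60
        row["all"].append(minutes)
        # A record touching personal time at either end is personal-availability data.
        if schedule.covers(sent) and schedule.covers(replied):
            row["in_hours"].append(minutes)
        else:
            row["flagged"].append(sent)
    return {
        employee: {
            "metric_as_shipped": mean(row["all"]),
            "metric_work_time_only": mean(row["in_hours"]) if row["in_hours"] else None,
            "records_to_exclude": len(row["flagged"]),
        }
        for employee, row in report.items()
    }


# Constructed sample data. Fixed UTC+10 stands in for Sydney standard time;
# zoneinfo.ZoneInfo("Australia/Sydney") is a drop-in tzinfo that also handles DST.
SYDNEY = timezone(timedelta(hours=10))
SCHEDULES = {"eng-syd-01": Schedule(SYDNEY, time(9), time(17), frozenset(range(5)))}


def utc(day, hour, minute=0):
    """Helper for the constructed events: an instant in September 2024, UTC."""
    return datetime(2024, 9, day, hour, minute, tzinfo=UTC)


EVENTS = [  # (employee, message sent, reply logged)
    ("eng-syd-01", utc(3, 16), utc(3, 16, 12)),  # 02:00 Wed Sydney (5 PM London)
    ("eng-syd-01", utc(4, 1), utc(4, 1, 30)),    # 11:00 Wed Sydney
    ("eng-syd-01", utc(5, 4), utc(5, 4, 50)),    # 14:00 Thu Sydney
    ("eng-syd-01", utc(8, 9), utc(8, 9, 5)),     # 19:00 Sun Sydney
]

if __name__ == "__main__":
    print(audit(EVENTS, SCHEDULES))
    print(SCHEDULES["eng-syd-01"].next_start(utc(3, 16)))
```

The gap between the two metrics shows how much of a "responsiveness" score is built from personal-time records, which is exactly the data that needs to come out of performance systems.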
The Point That Should Anchor This Conversation
I want to end where I usually end when I'm discussing this topic in a seminar, because I think it reframes what's at stake in a way that the legal discussion alone doesn't quite capture.
The right to disconnect isn't fundamentally about law. The law is the consequence of what happened when the law wasn't there — when organizations deployed surveillance tools that treated human beings as continuously observable assets, when "availability" became an unspoken prerequisite for employment without being compensated as one, when workers were expected to carry their office in their pocket twenty-four hours a day while being paid for eight.
The burnout crisis those conditions created is documented and severe. The mental health consequences are measurable. The research on anticipatory availability stress is peer-reviewed and consistent. The legal frameworks emerging across Australia, Europe, and — eventually — the United States are responses to a human problem that organizations created when they decided that the power to monitor was the same as the right to monitor at all times.
Contextual integrity told us this collision was coming. The employment context was never designed to encompass personal time. The information norms of that context were never compatible with continuous surveillance. When organizations violated those norms — with the best of intentions, in most cases — the consequences followed as predicted: eroded trust, rising burnout, declining performance, and now legal liability built from the logs of the very systems that caused the problem.
The organizations that will navigate this well aren't the ones that do the minimum required by the jurisdiction with the strictest law. They're the ones that understand why the law says what it says, and build their practices around that understanding rather than around the enforcement calendar.
Disclaimer: Remote Work Privacy Insights is a newsletter that looks at privacy issues in the workplace using academic ideas. It's meant to educate and is not legal advice. For advice tailored to your company, talk to a qualified privacy or employment lawyer. The opinions shared are the author's and not those of any employer.