excerpt: Microsoft’s plan to auto-set a Teams user’s “work location” via corporate WiFi raises GDPR concerns in Europe because it turns routine workplace presence into personal data that enables secondary uses and sensitive inferences. In an employment context, even opt-in mechanisms may not mitigate the power imbalance and the risk of building behavioral records.
Why Microsoft’s “Work Location” Feature Runs Into a Wall in Europe
Microsoft’s plan to have Teams automatically set a user’s “work location” based on whether they are connected to an organization’s WiFi looks, at first glance, like ordinary product housekeeping. It removes a manual step, it standardizes a field, it helps with room booking, desk hotelling, and the small administrative frictions of hybrid work. The controversy is not really about a dropdown being filled in automatically. It is about what the dropdown enables, who controls it, and what new secondary uses become possible once workplace presence becomes a routine attribute of work activity.
In Europe, that implication matters because the GDPR does not treat employee data as a casual byproduct of productivity software. It treats it as personal data processed within a relationship that is structurally imbalanced, and it demands that employers justify, limit, and govern that processing in ways that many workplace monitoring features struggle to satisfy.
Location at work is still personal data
Under the GDPR, personal data is any information relating to an identified or identifiable natural person. “Work location” tied to a named account clearly qualifies. It is not necessary that the data be GPS-precise. A building-level location, inferred from corporate WiFi association, still reveals where a person is, at least within the working day. It can also reveal patterns, such as who is regularly remote, who travels, who comes in late, who stays late, who is present during certain events, and who is not.
The GDPR is formally about processing personal data, not about data collection in the abstract. Inference risk matters because fairness and purpose limitation problems arise from the inferences and secondary uses the data enables. In an employment context, the risk is rarely the single data point. It is the gradual construction of a behavioral record, assembled from small signals that were originally introduced as administrative conveniences.
“Opt in” is not a safe harbor at work
Recent reporting suggests that the feature is off by default, and that tenant administrators decide whether to enable it, with end users asked to opt in. In consumer contexts, consent can sometimes be a workable legal basis. In employment, it is usually a poor fit.
European regulators have been consistent on this point. Because of the power imbalance between employer and employee, consent is often not considered freely given. If refusing consent leads to disadvantage, awkwardness, suspicion, or policy conflict, the consent is not really voluntary. Even if the UI says opt in, the reality of workplace pressure can make it effectively mandatory.
That is one reason many European employers avoid relying on consent for employee monitoring features. They instead try to justify processing under other legal bases, and those come with their own constraints.
The employer playbook, and where it runs into the hard edges of necessity
Most employers who want to deploy something like this reach for “legitimate interests” or “performance of a contract” as the legal basis. In some regulated contexts they may also point to “legal obligation,” for example where safety, access control, or audit requirements are genuinely imposed by law. In practice, many organizations combine a lawful basis claim with an internal policy that treats the feature as normal operational telemetry. The problem is that the GDPR still forces the same question: is this processing necessary and proportionate for a specific purpose, or is it simply convenient?
If the argument is legitimate interests, the employer must show a real, specific interest, then demonstrate that the processing is necessary for that purpose, then balance it against the employee’s rights and expectations. A feature that can be used to check compliance with return-to-office policies, or to infer attendance and behavior, is exactly the kind of processing that tends to fail the balance unless it is tightly scoped, strongly justified, and protected against reuse.
If the argument is necessity for the employment contract, the bar is higher than convenience. “Nice to have for facilities planning” is not the same as “necessary to perform the contract.” European practice tends to treat routine location tracking as unnecessary unless the job itself requires it, for example certain safety-critical roles, mobile field work where dispatch is essential, or regulated environments with strict access controls. Even then, the expectation is that the employer uses the least intrusive method that achieves the purpose.
This is where the narrative tends to break down. Employers start with a benign stated purpose, then necessity is contested, then the possibility of reuse makes the original purpose less credible, then minimization and retention become the practical battleground.
Purpose limitation, function creep, and the secondary uses the data enables
GDPR’s purpose limitation principle requires that data be collected for specified, explicit purposes, and not further processed in incompatible ways. In workplace monitoring, function creep is not a hypothetical. It is the default failure mode. A feature is introduced as a convenience, then used for attendance enforcement, then becomes an input into performance management, then is pulled into investigations, then retained longer than anyone intended.
The Microsoft feature is contentious precisely because it lowers the friction for that creep. Once “work location” is reliably populated, it becomes tempting to join it with other signals: meeting attendance, message timestamps, calendar activity, VPN logs, badge access. The combined dataset can become a shadow time and attendance system, without the governance that time and attendance systems normally require.
A European employer that enables this would need to be able to say, in plain language, why it is being collected, who can see it, how long it is kept, and what it will not be used for. “Because it is available in Teams” is not an answer the GDPR accepts.
Data minimization and retention are where the real governance work sits
GDPR requires data minimization: collecting only what is adequate, relevant, and limited to what is necessary. For location, minimization is not only about precision; it is also about frequency, retention, access, and visibility.
A compliant design tends to look like this: location is not collected by default, is not stored longer than needed, is visible only to those with a clear need, and is not repurposed. The moment a tenant admin can enforce it across the workforce, the “off by default” story becomes less meaningful. The GDPR cares about what happens in practice inside organizations, not just what the product team intended.
Microsoft’s claim that Teams will not update after working hours and will clear location at the end of the day is directionally helpful, but it is not sufficient as a compliance argument by itself. The organization still needs to understand what telemetry and audit data exists, who can access it, and how long it is retained. Under the GDPR, retention must be defined and enforced end to end, not implied by a front-end behavior.
A permissible scenario, and a problematic one
It helps to make the trade-off concrete.
A relatively defensible deployment is a voluntary desk booking flow where a user explicitly sets “in office” to reserve a desk, the signal is visible only to facilities or the booking system, it is retained for a short operational window such as 24 hours, and it is contractually and technically blocked from HR or managerial use. Here the purpose is narrow, the user action is intentional, and the retention period is short enough that the data does not quietly become a behavioral archive.
A clearly problematic deployment is always-on inference of presence from WiFi, visible to managers by default, retained for months, and used in HR investigations or attendance enforcement. Even if the stated purpose begins as “hybrid coordination,” the structure invites secondary use. It is difficult to argue necessity for typical office roles, hard to square with minimization, and likely to fail fairness expectations once employees realize the data can be used against them.
Transparency, works councils, and DPIAs often become the gating items
Even if an employer finds a plausible legal basis, European deployment typically requires more than a toggle in an admin console.
Employees must be informed in a clear and accessible way about what data is processed, for what purposes, under what legal basis, and with what rights. Many organizations will need to update internal privacy notices and policies, and sometimes employment agreements or collective agreements.
In several EU countries, employee representatives and works councils have consultation or co-determination rights on monitoring technologies. Germany is the obvious example, but not the only one. A feature that effectively reports whether someone is on corporate premises often triggers labor law processes even before GDPR questions are settled.
And because location-related monitoring can create high risks to rights and freedoms, particularly in an employment setting, a Data Protection Impact Assessment is often expected or, at minimum, prudent. Whether a DPIA is strictly required depends on national authority guidance and the specifics of the processing, but the operational value of doing one is the same. It forces the organization to confront misuse scenarios, access controls, retention, disciplinary use, and whether less intrusive alternatives exist.
The right to object is real, and hard to square with enforced tracking
When processing is based on legitimate interests, employees have a right to object. The employer then must demonstrate compelling legitimate grounds to continue. In practice, that pushes organizations toward narrow, role-based deployment, not blanket rollout.
If the tool is deployed as a mandatory policy, the organization is implicitly claiming that it has compelling grounds to process every employee’s location in this way. That is a difficult claim to sustain for typical office work, where the job can be performed without this data being continuously inferred and exposed.
So is it “not allowed” in Europe?
The more accurate statement is that it is not straightforwardly deployable in Europe in the way it might be elsewhere, especially if the goal is attendance enforcement or behavioral monitoring.
The GDPR does not ban workplace location processing outright. It does, however, force employers to treat it as a high-responsibility activity, tightly justified, minimized, transparent, governed, and contestable. Many organizations will conclude that the compliance, labor relations, and trust costs outweigh the operational convenience. Others may deploy it only for specific use cases, such as safety, emergency mustering, or voluntary desk booking, with strict access controls and short retention.
The feature becomes legally and practically fragile when it is turned into a generalized mechanism for telling managers where people are, and when it becomes difficult for employees to refuse without consequences. That is the point where European data protection law tends to stop being an abstract compliance framework and start functioning as a real constraint.
The deeper issue is not GDPR, it is trust
Hybrid work runs on an implicit bargain. Employers accept that not all work is visible, employees accept that outcomes and collaboration still matter. Tools that turn presence into a measurable signal shift that bargain. They invite managerial habits that many organizations have been trying, sometimes sincerely, to move away from.
The GDPR cannot solve that cultural problem, but it does something useful. It forces organizations to name their purpose, justify their necessity, and live with the governance burden of surveillance. In that sense, Europe is not uniquely hostile to the feature. It is simply less willing to treat workplace monitoring as a default setting.