Wearables, sensors and neurotech at work: where is the line?

Short answer: Wearables and sensors at work are not banned outright, but they touch two heavy regimes at once. As soon as a system infers employees' emotions or mental states — stress, engagement, fatigue as a mood — the emotion-recognition ban in Article 5 AI Act comes into play. And you will almost always be processing health or biometric data, which Article 9 GDPR prohibits in principle. The room is therefore narrow, and "the employee consented" is usually not a valid basis.

What we mean by wearables and neurotech

This is a growing family of devices:

• fitness trackers and smartwatches measuring heart rate, sleep and activity;
• stress or "wellbeing" sensors that estimate tension from skin conductance, heart-rate variability or tone of voice;
• smart badges logging movement, location, speaking time or proximity to colleagues;
• EEG and brain monitoring: headbands or headsets measuring brain activity to gauge focus, fatigue or cognitive load.

The pattern is always the same: a physical signal is translated into a statement about how someone feels or performs. That translation is the legally sensitive part.

Where the emotion-recognition ban begins

Article 5 AI Act prohibits AI systems that infer employees' emotions or intentions, with a narrow exception for medical or safety purposes. A stress sensor or EEG headset that returns a "tension level" or "engagement" score infers an inner state and therefore falls into the heaviest category of the law. Simply measuring heart rate does not; labelling that heart rate as "stressed" or "unmotivated" does. See Emotion recognition at work: the ban that already applies for the precise line. A safety exception — fatigue detection for a train driver, say — may apply, but is read narrowly: wellbeing or productivity monitoring does not qualify.

The GDPR layer: special-category data

Alongside the AI Act sits the GDPR, and here it is often decisive. Heart rate, sleep, skin conductance and brain activity are health data; if you use a unique bodily signal to identify or track someone, it is biometric data. Both fall under Article 9 GDPR: processing is prohibited in principle unless a specific exception applies. For the workplace those exceptions are scarce — consent is one, but it is precisely the weakest in an employment relationship. See GDPR and employee data when using AI for the wider context.

"Voluntary" in an employment relationship

The standard justification is that the programme is voluntary and the employee said yes. European data-protection authorities almost never accept this: there is a power imbalance between employer and worker, so consent is rarely "freely given". Anyone who says no fears consequences — which makes the consent invalid. Beyond consent, every processing must be proportionate and necessary: if you can reach the goal without harvesting bodily data, the wearable is hard to defend. This connects directly to AI employee monitoring, where the same proportionality test applies.

What this means for employers and works councils

• Start with the purpose. What concrete, legitimate aim does the device serve — and can it be met without bodily data?
• Test against Article 5. Does the system infer emotions or mental states? Then it is probably prohibited, even branded "wellness".
• Test against Article 9. Are you processing health or biometric data? Find a real exception; do not lean on consent alone.
• Involve the works council. Introducing monitoring or registration systems requires its consent; it assesses purpose, necessity and safeguards.
• Separate individual from group. Aggregated, non-identifiable wellbeing figures are something quite different from individual stress profiles.

With wearables and neurotech the temptation is large and the evidence of necessity small. Anyone who turns employees' bodies into a data source carries the burden of proof — and with emotion AI the answer is often simply: don't.