The short answer: usually yes, but the law follows the worker
If you run a distributed team, the instinct is to assume your company’s home jurisdiction sets the rules. It usually does not. For employee monitoring, the law that applies tends to key on where the employee physically sits and where their data is processed — not where the company is incorporated or where the head office sits. A Pune-registered IT services firm with a developer working from Berlin and a support agent in California is, in practice, touching three legal regimes at once.
That does not make monitoring illegal. Across almost every jurisdiction, an employer may monitor work on company-issued accounts and devices when there is a legitimate work purpose, advance notice, and proportionality — you collect what the purpose needs and no more. What changes from place to place is the notice format, whether consent is required or merely advisable, how long you may retain the data, and whether you may transfer it across borders. The risk is rarely “can I monitor at all”; it is “did I meet each location’s specific notice and proportionality test.”
Which laws apply when your team is distributed?
A single remote team can trigger several frameworks simultaneously. The frameworks that matter most for Indian IT services, GCCs and BPOs serving global clients are below. They are not mutually exclusive — a worker can sit under two or three at once.
- India — DPDP Act 2023: applies to processing personal data of individuals in India, and to processing outside India connected to offering goods or services in India. It centres on notice and consent for each category of data, purpose limitation, and retention limits.
- EU/UK — GDPR: applies when the employee is in the EU/UK or when you monitor people there. It requires a documented lawful basis (employee consent is treated as weak because of the power imbalance, so legitimate interest plus transparency is more common), data-minimisation, and rules for transferring data outside the EU.
- EU — AI Act: where AI systems are used to evaluate or monitor workers, the EU AI Act may add transparency, human-oversight and documentation duties on top of GDPR. If any monitored staff sit in the EU, assume AI-driven scoring may be in scope.
- United States — federal + state: there is no single federal privacy law; instead the ECPA governs interception, and a growing list of state statutes (California, Connecticut, Delaware and others) add consent and disclosure rules. Recording laws also split between one-party and all-party consent by state.
The practical consequence: the more locations you hire from, the more the strictest applicable standard tends to set your floor, because building a different posture per person rarely scales.
Does it matter which state the employee lives in?
Yes — within a country, the sub-national rules can differ enough to matter. In the United States this is the most common trap. Consider call recording or screen recording: some states require only one party to consent (often the employer), while others require all parties. A monitoring configuration that is perfectly lawful for an employee in a one-party state can be a violation for a colleague two states over.
India is more uniform because the DPDP Act is a national statute, so a developer in Bengaluru and one in Indore sit under the same core rules. The EU is harmonised by GDPR, but member states retain some discretion on employee-monitoring specifics, so a worker in Germany may face stricter works-council and proportionality expectations than the GDPR baseline alone implies.
Rule of thumb: within a country, assume the employee’s state or region can add obligations on top of the national baseline — and when two locations disagree, default to the stricter one rather than the more convenient one.
Cross-jurisdiction decision table
Use this as a starting map, not a legal conclusion. The right-hand column is the practical default that tends to keep a distributed team defensible; confirm the specifics for each worker with counsel.
| Where the employee sits | Primary law(s) | Consent posture | Practical default |
|---|---|---|---|
| India | DPDP Act 2023 | Notice + consent per data category | Written notice, outcome signals, short retention |
| EU / UK | GDPR (+ EU AI Act if AI scoring) | Lawful basis + transparency; employee consent weak | Legitimate-interest assessment, no covert capture |
| US — one-party state | ECPA + state law | Employer consent often sufficient to record | Still give written notice; limit to work accounts |
| US — all-party state | ECPA + state law | All parties must consent to recording | Disable recording or obtain explicit consent |
| Mixed / multiple | Whichever apply per person | Strictest applicable standard | Per-location notice + global minimum-capture policy |
A practical playbook for distributed teams
You do not need a different tool per country. You need one defensible policy with local addenda and a configuration that respects the strictest rule each person triggers.
- Map locations first. Build an inventory of where every monitored worker physically sits. You cannot apply the right law to a person whose location you have not recorded.
- Write per-location notice. A single global monitoring policy with country-specific addenda (India DPDP notice, EU transparency statement, US state disclosures) is easier to defend than ad-hoc tools.
- Default to the strictest standard. Set your baseline capture to what the most protective applicable law allows, then relax only where you have documented grounds.
- Prefer outcome signals over content capture. Measuring work from calendar, repository, ticket and focus artefacts avoids most of the highest-risk capture categories — screenshots, keystrokes, content recording — that draw scrutiny everywhere.
- Keep retention short and purpose documented. For each data category, write down why you collect it and how long you keep it. This is the single most useful artefact in any DPIA or audit.
- Disable capture per region. Choose tooling that lets you switch off recording or screenshots for people in jurisdictions that forbid them, rather than applying one global setting to everyone.
Where gStride fits
gStride is built for exactly this problem: measuring whether work is moving without importing the forensic capture surface that makes cross-border monitoring hard to defend. Productivity is scored from outcome signals — calendar, repo, ticket and focus artefacts — rather than screenshots or keystroke logging, so the heaviest capture categories are simply not part of the design. Capture settings can be configured per region, and notice templates help you meet per-location disclosure duties. That makes a single distributed policy far easier to hold together across India, the EU and the US. It does not replace legal advice — map your team and confirm each location with counsel — but it removes the configuration choices most likely to cause a problem.
Frequently asked questions
Can my employer legally monitor me if I work from a different state than the company?
Generally yes, where there is a legitimate work purpose, advance notice and monitoring limited to company accounts or devices. The complication is that your home state may add its own consent or privacy rule on top of the employer’s state, and the stricter standard usually wins. In the US, state laws differ on one-party versus all-party consent for recording. Verify with counsel.
Which country’s law applies when I monitor an employee abroad?
Usually the law of the country where the employee physically works and where their data is processed, not only where the company is headquartered. A worker based in the EU or UK brings GDPR; a worker in India brings the DPDP Act 2023; a US-based worker brings federal and state rules. A distributed team commonly triggers several of these at once, so map each person’s location first. Verify with counsel.
Do I need consent to track remote employees across borders?
It depends on the jurisdiction. The DPDP Act 2023 centres on notice and consent for each data category; GDPR allows monitoring on a lawful basis with transparency but treats employee consent as weak because of the power imbalance; several US states require consent for recording. The practical answer is per-location notice plus a documented lawful purpose. Verify with counsel.
Does the EU AI Act affect monitoring of remote workers in Europe?
It can. The EU AI Act treats certain AI systems used to evaluate or monitor workers as higher-risk, which adds transparency, human-oversight and documentation duties on top of GDPR. If any of your monitored staff sit in the EU, or you serve EU clients, assume the AI Act may be in scope for AI-driven scoring. Verify with counsel.
How do I stay compliant with a team spread across many locations?
Inventory where every worker physically sits, apply per-location notice, then default to the strictest applicable standard across the group. Prefer outcome-based productivity signals over covert content or keystroke capture, keep retention short, and document the purpose for each data category. A single global policy with local addenda is easier to defend than ad-hoc per-country tools. Verify with counsel.
Can I use the same monitoring tool for employees in India, the US and the EU?
Technically yes, but the configuration must respect the strictest applicable rule for each person. The same screenshot or keystroke setting that is defensible in one location may be unlawful in another. Choose a tool that lets you disable capture categories per region and that supports localized notice. The tool is rarely the problem; the configuration and notice are. Verify with counsel.
Map your distributed team before you deploy
See how gStride measures outcomes — not keystrokes — with per-region configuration and notice templates for India, the EU and the US. Book a walkthrough, or read the cross-border law guide first.
Disclaimer: This article is general information, not legal advice. Privacy and monitoring obligations under the DPDP Act 2023, GDPR, the EU AI Act and US federal and state law are fact-specific and change over time. Confirm which laws apply to each worker, and any penalties or consent requirements, with qualified counsel before acting.