Insights

Employee Monitoring: Lessons from CNIL’s EUR 32M fine against Amazon France Logistique

Employee Monitoring: Lessons from CNIL’s EUR 32M fine against Amazon France Logistique

30 January 2024
Download PDFDownload PDF
Print
Share

Summary

Following the publication of several press articles and employee complaints, the French data protection regulator (“CNIL”) carried out an investigation at the Amazon France Logistique’s (“Amazon”) warehouses.

The CNIL's investigation focused on the monitoring of employees’ activity and video surveillance systems. Below are the key takeaways from the CNIL’s decision to fine Amazon.

Disproportionate Surveillance – Amazon employees are given scanners to identify themselves and receive instructions. Using those scanners, Amazon continuously collects data relating to the activity of employees to analyze their work against detailed criteria.

Amazon employs quality metrics like the "Stow Machine Gun" indicator that tracks if employees scan items at a rapid pace, as well as productivity measures such as the hourly rate of item processing and the amount of idle time. The indicators processed by Amazon are reported in real time, for each employee, within the activity monitoring tools available to line managers, and all these indicators are kept for 31 days.

While the CNIL did not challenge Amazon’s legitimate interest to monitor each employee’s activities precisely, in real time, it found that such processing disproportionately affects the rights, freedoms and interests of employees working in the warehouses  – in particular their right to protection of their private and personal lives, and their right to working conditions that respect their health and safety.

In its decision, the CNIL found that these indicators are highly intrusive and that its processing is likely to have negative moral impacts on the employees. The balance between the interests of the employer and those of the employees therefore appears to be against the employee, leading the CNIL to consider that the data processing therefore has no legal basis and is therefore unlawful.

In addition, the CNIL considered that it is not necessary to store and access all the data used over 31 days  – simply consulting the data and indicators for the working day, in real time, appears sufficient. Amazon has therefore also breached the principle of data minimization.

In response to the CNIL’s sanction, Amazon stated that they chose to disable the Stow Machine Gun indicator and extend the time limit for triggering the inactivity indicator from 10 to 30 minutes.

Right of Information – the CNIL also found that Amazon failed to comply with the provisions of Article 13 of the GDPR, which stipulates that the controller must provide data subjects with information about the processing of their personal data no later than the time their personal data is collected, in a form that is accessible.

Temporary workers were indeed neither provided with a copy of the employee privacy notice, nor were they invited to read it on the intranet. According to the CNIL, the availability of such notice on the company's intranet was insufficient.

In addition, the information boards relating to of the use of CCTV, posted in the warehouses to inform employees and any visitors, did not indicate the contact details of the data protection officer, the retention period of the data, or the right to lodge a complaint with the CNIL.

Data security – the CNIL further noted that access to the video surveillance software was not sufficiently secure, since the access password was not strong enough (twelve characters, comprising of only lower-case letters and numbers was deemed insufficiently robust). According to the CNIL, the password must, at least, contain twelve characters including four series of characters (lower case, upper case, numbers and special characters).

The account was shared between several users making it more difficult to trace access to videos and to identify each person who has carried out actions on the video surveillance software.

The Sanction – the CNIL justified the level of the fine as follow:

  • the processing of personal data leads to disproportionate pressure on employees, infringing their rights and freedoms to a disproportionate extent in relation to the company's economic and commercial objectives;
  • the large number of employees affected by the breaches: the excessive data processing systems were implemented at all of Amazon’s sites in France, which had 6,200 employees on permanent contracts at the time of the investigations, (with a total of 21,000 temporary workers in 2019); and
  • the pressure exerted on warehouse employees via these processing operations contributes directly to the economic gains generated for Amazon and enables it to benefit from a competitive advantage over other companies in the online sales sector.

The fine imposed is particularly high, EUR 32M – which is equivalent to 3% of Amazon’s turnover in France. The CNIL also considered that these serious breaches justified for the decision to published.

This decision expands the CNIL's case law on the processing of employees' personal data by their employers, and reiterates that employees' rights and freedoms must be taken fully into account when assessing the lawfulness of such processing.

CNIL’s press release on the decision.

Related Practice Areas

  • Data Privacy & Security

Meet The Team

Pierre-Emmanuel Froge
+33 (0) 1 44 17 76 21
Geraldine Scali

Geraldine Scali

Co-Author, London

+44 (0) 20 3400 4483
This material is not comprehensive, is for informational purposes only, and is not legal advice. Your use or receipt of this material does not create an attorney-client relationship between us. If you require legal advice, you should consult an attorney regarding your particular circumstances. The choice of a lawyer is an important decision and should not be based solely upon advertisements. This material may be “Attorney Advertising” under the ethics and professional rules of certain jurisdictions. For advertising purposes, St. Louis, Missouri, is designated BCLP’s principal office and Kathrine Dixon (kathrine.dixon@bclplaw.com) as the responsible attorney.