The French Data Protection Authority, Commission Nationale de l'Informatique et des Libertés (CNIL), imposed a hefty fine of EUR 32 million on Amazon France Logistique in a decision dated 27 December 2023 for excessively monitoring its employees.

Background

Amazon France Logistique manages the warehouses and distribution centres in France for the popular online retailer Amazon. In these warehouses, customer packages are received, stocked, and prepared for shipment to the customer. There are 6,200 employees and 21,000 temporary workers on site. To perform their work, warehouse employees were equipped with a scanner to register the execution of their tasks in real time. This included recording data on placing or removing an item from shelves, storing or packing items, etc. These data were then used to monitor the employee's work for quality, productivity, and periods of inactivity. After this monitoring came to light in the press and employees filed several complaints, the CNIL initiated an investigation.

The CNIL decision

After thorough investigation, the CNIL concluded that there was excessive monitoring for the following reasons:

  • Implementing a system that measures periods of inactivity so precisely creates a situation where employees must justify every break or interruption.
  • The measurement of the speed at which certain products were scanned was deemed excessive; for instance, there was an indicator to show if a product was scanned within 1.25 seconds after the previous product was scanned.
  • CNIL deemed it unnecessary to retain all these data for a period of 31 days.

CNIL decided that this monitoring constituted a breach of the principles of minimal data processing, lawfulness, and transparency of the GDPR.

Violation of GDPR Principles

The data minimisation principle states that personal data must be adequate, relevant, and limited to what is necessary for the purposes for which they are processed. Amazon claimed that this monitoring was necessary to identify employees who needed coaching or possibly to be assigned to a different task. However, the CNIL argues that it was not necessary to process every detail of the past month's activities for this purpose. According to the CNIL, this objective could also be achieved by consulting these data in real time, possibly in combination with a selection of data aggregated weekly. Consequently, a breach of the principle of minimal data processing is identified.

On three points, the CNIL ruled that the processed data were unlawful, namely the information regarding the scanning speed (whether a new product was scanned too quickly after a previous product), the measurement of downtime (interruptions of more than 10 minutes), and the reporting of interruptions between 1 and 10 minutes. The CNIL states that this level of monitoring could lead to employees having to justify every short interruption.

Finally, Amazon failed to adequately inform all employees and temporary workers about the monitoring. The information was included in the privacy notice for employees, but it was only available on the intranet. Since warehouse employees do not have access to the intranet in principle, the CNIL did not consider this as an adequate means of providing information and also found a breach of the transparency principle.

Deficient Video Monitoring

Lastly, breaches were also identified concerning video monitoring. The CNIL ruled that neither the employees nor external visitors to the warehouses were properly informed about the CCTV surveillance in the warehouses. For example, it was not clear how long the footage was retained, the contact details of the Data Protection Officer (DPO) were not provided, and no information was given about the right to lodge a complaint with the data protection authority.

Furthermore, Amazon also failed to adequately secure its video monitoring software. CNIL noted that the password to access this software was weak, and the login credentials were shared among several employees. In this way, according to the CNIL, it was virtually impossible to trace who had access to the video systems and what actions were performed.

Key message

Lessons for monitoring in Belgium

It is not prohibited to install cameras in the workplace or to monitor employees, as long as it is done with respect for the employees' right to privacy. In Belgium, it is also important to consider specific collective labour agreements (CAOs) that regulate e-monitoring and CCTV surveillance in the workplace.

Before a company in Belgium wishes to monitor its employees, it is crucial to critically assess the necessity of this action and always consider whether there are less intrusive alternative solutions.

In any case, the principles of the GDPR must continue to be adhered to, particularly:

  • Lawfulness: There must be a legal basis for each processing of personal data. Monitoring often relies on the legitimate interests of the company. However, these interests must be balanced against the rights and freedoms of the employees, including their reasonable expectations.
  • Transparency: Inform the affected employees completely and in a timely fashion about the how, what, and why of the monitoring.
  • Data minimisation: No more data should be collected than is strictly necessary to achieve the purpose.
  • Storage limitation: Data should not be retained for longer than strictly necessary to achieve the purpose.

Since monitoring often constitutes processing with a higher risk, it is usually advisable to conduct a Data Protection Impact Assessment (GEB). Furthermore, each processing must be included in the register of processing activities.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.