Amazon France Logistique has been fined €32m ($35m) by the French data protection authority, the Commission Nationale de l’informatique et des libertés (CNIL), for setting up an “excessively intrusive system” to monitor the activities and performance of several thousand of its employees.
The company, which manages Amazon’s large warehouses in France, was also found to have conducted video surveillance of the employees without obtaining informed consent and without adequate security in place to protect the video data that had been collected.
CNIL’s investigation, which started following the receipt of complaints from employees as well as press articles about the company’s surveillance practices, found that the employees were monitored when they were using their work scanners. Each scan resulted in the recording and storing of data on the staff members, which was then used to assess the quality of work including gauging productivity and inactivity periods for each employee.
“Such systems kept employees under close surveillance for all tasks carried out with scanners and thus put them under continuous pressure,” CNIL said.
Breached several GDPR rules
CNIL found Amazon France Logistique’s system for monitoring employee activity and performance was excessive and that “the retention of all this data and the resulting statistical indicators were disproportionate overall.”
The authority ruled that it was “illegal to set up a system measuring work interruptions with such accuracy, potentially requiring employees to justify every break or interruption”, and found that the company breached several GDPR Articles by failing to comply with:
The data minimisation principle – Article 5.1.c
In addition to managing stocks and orders in its warehouses in real time, the data obtained was also used as an indicator of employee activity and performance.
“Providing assistance to an employee or reassigning them in real time does not require access to every detail of the employee’s quality and productivity indicators collected using the scanners over the last month”, CNIL’s restricted committee said.
The regulator, in its decision, remarked that possible peaks and dips in a month’s work can be adequately assessed using a selection of employee data aggregated over a defined period (e.g. a week).
Ensuring lawful processing – Article 6
Three indicators processed by the company were found illegal:
- the “Stow Machine Gun” indicator, which signals an error when an employee scans an item “too quickly” (in less than 1.25 seconds after scanning a previous item);
- the “idle time” indicator, which signals a scanner’s downtime of ten minutes or more; and
- the “latency under ten minutes” indicator, which signals scanner interruption between one and ten minutes.
CNIL said that the capture and processing of this detailed performance data and the monitoring of the employees was “excessively intrusive”, particularly as the company already had “access to numerous indicators in real time, both individual and aggregated”.
The data minimisation principle – Article 5.1.c
The restricted committee, the CNIL body responsible for issuing sanctions, said that “the work schedule in the warehouses, along with the assessment and training of the employee do not require access to every detail of the data and statistical indicators provided by the scanner used by the employee and reported over the last month”.
The obligation to provide information and transparency – Articles 12 and 13
The restricted committee also found that until April 2020 the company breached GDPR Articles 12 and 13 because of its failure to properly inform temporary workers of its data collection practices. In addition, the company did not ensure that the applicable privacy policy was shared with staff before their personal data was collected using the scanners.
Neither the employees nor external visitors were properly informed of the video surveillance systems in place.
The obligation to ensure security of personal data – Article 32
The restricted committee also noted breaches connected with how the video surveillance was subsequently processed. Specifically, the video surveillance software was insufficiently secure, with an account and password shared between multiple people.
GRIP comment
This decision provides some useful detail on what differentiates legitimate monitoring of employee performance from illegitimate and overly intrusive surveillance.
Moving away from the specific fact pattern here and its warehouse context, it is probable that the same principles underpinning CNIL’s decision would be considered germane by other regulators (such as the UK ICO) when assessing, for example, the monitoring of employees working from home.
For some useful additional guidance, take a look at New standards for UK workplace monitoring by our contributor Nigel Miller.