Amazon France Fined €32 Million for Monitoring Staff
Amazon France Fined €32 Million for Monitoring Staff

Amazon France Fined €32 Million for Monitoring Staff

Kaamel LabJanuary 30, 2024

Case Overview Amazon France Logistique (hereafter referred to as "Amazon") operates large warehouses in France for the Amazon group. These facilities handle the reception, storage, and packaging of goods. The company employs around 20,000 people across eight major distribution centers in France. Each warehouse worker is equipped with a scanner, which tracks their activities in real-time, such as storing, packing, or removing items. This data is used to measure the worker's performance in terms of speed, quality, and efficiency. Following reports in the media about how Amazon monitors its employees, CNIL, the French data protection authority, started an investigation, receiving several complaints from workers during this period.
Key Findings of CNIL's Investigation
  • Amazon's monitoring of employee activities and performance is deemed excessive by CNIL for the following reasons:
      1. Excessive Monitoring of Idle Time on Scanners: CNIL found that Amazon’s system for tracking when employees are not working (idle time on scanners) is illegal. This level of surveillance forces employees to justify every break they take.
      1. Overly Intrusive Tracking of Scanning Speed: Amazon’s system to detect if goods are scanned too quickly (less than 1.25 seconds between scans) is considered unnecessary. Such a fast pace is judged as compromising work quality, but CNIL views this as excessive data collection.
      1. Extended Data Retention: Keeping all collected data and the resulting statistics for more than 31 days is considered excessive, as it includes information about all permanent and temporary workers.
Amazon's Stance Amazon argues that their scanning system is standard in the industry and necessary for maintaining safety, quality, and efficiency in their operations. They believe their practices comply with European and French laws and have expressed an intention to cooperate with CNIL while reserving the right to appeal against the fine.
GDPR and Employee Data Protection
GDPR applies not only to consumer personal data protection but also to personal data protection in employment relations. Article 88 of the GDPR specifically allows member states to enact specific rules through legislation or collective agreements to ensure the protection of employees' rights and freedoms when processing personal data in the employment context. Therefore, companies must balance personal data protection of employees while managing, planning, and organizing work.
According to CNIL's investigation, Amazon violated several GDPR provisions in inventory and order management, employee assessment, and video surveillance. These violations touch upon GDPR principles like data minimization and lawful transparency, detailed as follows:
  1. Failure to Adhere to Data Minimization Principle: GDPR Article 5.1.(c) mandates the data minimization principle, where personal data collected or processed must be limited to what is necessary and sufficient for the purpose. Amazon broke down inventory and order management into specific tasks and precisely managed each employee, using the data for task assistance, reassignment, work scheduling, and training. However, CNIL believes not every work quality and efficiency detail collected by scanners is needed for task assistance or performance assessment. Real-time data is sufficient for identifying employee challenges or task reassignments during peak activities. Weekly data summaries would suffice for assessing task proficiency and scheduling. Despite Amazon's legitimate management needs, its data monitoring measures are not the only means to achieve these ends. CNIL thus concluded that Amazon's data collection and retention beyond 31 days through scanners in inventory and order management and employee training violated the data minimization principle.
  1. Failure to Ensure Lawful Processing: GDPR Article 6 requires lawful grounds for personal data processing by controllers and processors. A controller or third party's legitimate interest is one such lawful basis. CNIL found Amazon lacked lawful grounds for collecting information on three metrics in inventory and order management:
      • "Put down scanner" metric: Error prompts when items are scanned "too quickly" (less than 1.25 seconds apart).
      • "Idle time" metric: Interruptions in scanner use lasting 10 minutes or longer.
      • "10-minute delay" metric: Interruptions in scanner use between 1 and 10 minutes. While CNIL didn't question Amazon's need to monitor work for safety and service quality, it pointed out that the collection and processing of these metrics led to excessive surveillance lacking a lawful interest basis. Amazon had access to many other real-time and aggregate metrics for service quality and safety. Monitoring the "put down scanner" metric could incorrectly flag employees' efficient actions as errors. The "idle time" and "10-minute delay" metrics meant even brief scanner interruptions might require employees to justify their work pauses. This level of processing is excessively intrusive and does not fall under "legitimate interests," violating lawful processing requirements.
  1. Failure to Comply with Notification and Transparency Obligations: GDPR Article 13 mandates notification obligations: controllers must inform data subjects about data collection, including controller identity, processing purposes, methods, and rights. Article 12 requires information transparency: controllers should provide clear, understandable, and accessible information using plain language. CNIL found that Amazon did not provide a privacy policy to employees before collecting personal data via scanners. As of April 2020, temporary workers were not informed about data collection through scanners. Amazon also used video surveillance in warehouses without adequately informing employees and visitors per GDPR Article 13. Amazon's collection of personal data through scanners and video surveillance without informing data subjects in privacy policies or notifications violated GDPR's notification and transparency obligations.
  1. Failure to Fulfill Data Security Obligations: GDPR Article 32 mandates that controllers and processors implement appropriate technical and organizational measures for reasonably expected security levels. CNIL noted security concerns in video surveillance software use, including weak passwords and shared accounts among multiple users, making it difficult to track access to video footage and identify operators. Amazon's failure to take appropriate measures to prevent illegal access, destruction, loss, or leakage of personal information collected through video surveillance did not comply with GDPR's data security obligations.
Implications for Businesses Since the introduction of GDPR, businesses need to pay close attention to how they collect and handle personal data, including that of their employees within the EU. From the moment an employee joins until they leave, a company often needs to process their personal data. This includes monitoring their work behavior and performance, sometimes using various tracking devices both in the workplace and remotely. While this kind of monitoring can improve work efficiency, it risks collecting too much personal data. The EU's data protection authorities have already penalized several companies for not handling employee data correctly. If a company does not manage employee data properly, respecting GDPR and other relevant laws, it could face serious fines and damage its business operations and reputation.
Best Practices for Companies When handling employee data, companies must base their actions on the employee's informed consent. This means explaining, clearly and thoroughly, how and why the data is collected and used, whether in contracts, privacy policies, or through direct communication. Employees should never feel forced to agree, especially not under the threat of negative consequences like losing their job or being demoted. The data collected should be for clear, lawful, and specific reasons, and should not be used for anything else without permission. The amount of data collected should be minimal, necessary, and as non-intrusive as possible. If there are less invasive ways to achieve the same goal, those should be used. Companies also need to put in place the right technical and organizational safeguards, tailored to the type of data processing they're doing and the associated risks to employees. These measures should comply with GDPR and be regularly reviewed and updated.