On 27 December 2023, the French supervisory authority (CNIL) issued an administrative fine of €32 million against Amazon France Logistique (AFL). The penalty stemmed from AFL’s implementation of an excessively intrusive system for monitoring employees’ activity and performance, as well as the deployment of a video surveillance system lacking adequate information and security measures.
In a nutshell, each warehouse employee is given a scanner documenting the performance of certain tasks in real time (eg, storage or removal of an item from the shelves, putting away or packing, etc) in order to (i) manage stocks and orders in the warehouses (by ensuring the speed of execution and a good reassignment and coaching in real time of the employees); and (ii) plan work in the warehouses, assess employees each week and train them.
In particular, the system is:
- monitoring the inactivity time of employees' scanners with precision, generating indicators for interruptions lasting between one and ten minutes or more than ten minutes. The CNIL considers that such indicators might pressure employees to justify even very brief breaks or interruptions (referred to as the ‘inactivity’ indicator);
- tracking the speed at which items were scanned, by generating an indicator measuring whether an item had been scanned in less than 1.25 seconds after the previous one in order to signal any risk of error (if the item was scanned too fast). According to the CNIL, this could lead to monitoring employees’ activity to the nearest second and have negative moral repercussions on the employee (referred to as the ‘quality’ indicator);
- tracking the number of items processed per hour, the last scans performed and their exact time, the item type, size and quantity (referred to as the ‘productivity’ indicator).
According to the CNIL, having access to the productivity and quality indicators over the last 31 days for the purposes of providing assistance to employees, reassigning them, assessing them and planning work in the warehouses, violates the principle of minimisation enshrined in Article 5(1)(c) of the GDPR. Indeed, according to the CNIL, statistics per employee aggregated over the week would have been sufficient for such purposes.
It also considers that the processing of the inactivity and quality indicators could not be based on the legitimate interest of the company to ensure safety and quality in its warehouses and to assess the employees (enshrined in Article 6(1)(f) GDPR) as it leads to a massive and intrusive monitoring of the employees which is disproportionate. In particular, it notes that the company already has access to numerous other relevant indicators in real time.
It is interesting to note that the CNIL recognises in the decision the exceptional challenges faced by Amazon due to its high-volume operations, where millions of items are prepared daily, often requiring same-day delivery, which “make it necessary to monitor very precisely, in real time, all handling of objects in the warehouse and the situation of each workstation”. Nonetheless, it considers that the monitoring implemented by AFL was excessive.
The CNIL also identifies non-compliance with the information and transparency obligations enshrined in Articles 12 and 13 GDPR. These include:
- failure to ensure that temporary workers received a privacy policy before their personal data was collected using scanners (until April 2020). Merely making the policy available on the intranet was deemed insufficient, especially considering that temporary workers operate in a warehouse environment without easy access to computers;
- inadequate notification of the video surveillance systems to both employees and external visitors. Essential information such as the duration of data retention, the right to file a complaint with the CNIL, and the contact details of the data protection officer were not provided on notice boards or in any documents. The CNIL emphasises that such information is crucial to guarantee fair and transparent treatment in the context of continuous filming of employees in their workplace.
Finally, the CNIL identifies two breaches of Article 32 of the GDPR. Firstly, the access to the video surveillance software is deemed insufficiently secure, since the access account to the video surveillance software is shared between several users while not having shared accounts is among the essential precautions to guarantee effective traceability of access and actions carried out in an information system. Second, the access password to connect to the video surveillance software is considered as not strong enough, with twelve characters composed only of lowercase letters and numbers and no additional security measures (such as a delay in access to the account after several failures).
As a result, the CNIL calculates the amount of the fine based on the annual turnover of AFL, while the rapporteur was suggesting referring to the annual turnover of the parent company, Amazon.com Inc. The reason is that the CNIL considers that the economic unit to be taken into account with regard to the activity linked to the processing in question is AFL.
Interestingly, in order to determine the final amount of the fine, the CNIL indicates that it took into account the fact that the constraints imposed on employees through this monitoring contributed directly to the company’s economic gains and gave it a competitive advantage over other companies on the online sales market.
This decision reminds companies of the necessity to use proportionate means of monitoring employees’ activities in the workplace and to have strong security measures when using any video surveillance in the workplace. Indeed, as mentioned in its 2022 annual report, the CNIL received 663 complaints from employees in 2022 arguing they were subject to unlawful surveillance measures under the GDPR. In addition, video surveillance devices were in 2022 the tools most often reported to the CNIL (542 complaints).