The French Commission Nationale de L'Informatique et des Libertés (CNIL) has fined Amazon France Logistique (Amazon) €32 million for several GDPR breaches as a result of ‘excessive’ and ‘illegal’ surveillance of employee activity.
Context
Following complaints from employees, and a number of press articles detailing Amazon’s warehouse practices, the CNIL conducted several investigations. Upon inspection, the CNIL found that Amazon’s system for monitoring employee activity and performance was excessive and imposed a €32 million fine on Amazon.
The severity of this fine was mainly attributed to three practices implemented as part of Amazon’s surveillance systems, namely:
- the illegal tracking of employees’ inactive time.
- the excessive measuring of the speed at which items were scanned.
- the excessive retention period of 31 days.
GDPR Breaches
Article 5.1(c) – failure to comply with the data minimisation principle
The CNIL appreciated the need to use data to assist employees with their role, including their schedule and training, but this does not require access to the types of data set out below over the course of a month. They suggested that real-time data and a selection of aggregated data on a weekly basis would be sufficient.
Article 6 – failure to ensure lawful processing
The restricted committee found that three indicators processed by Amazon were illegal:
- Signalling an error when an item is scanned too quickly (i.e. less than 1.25 seconds after scanning the previous item, which may lead to errors ).
- Signalling when a scanner has a period of downtime of ten minutes or more.
- Signalling when a scanner is interrupted for a period between one and ten minutes.
This level of tracked activity was so severe that employees were forced to potentially justify each break. The CNIL considered this to be excessively intrusive.
Articles 12 & 13 – failure to comply with the obligation to provide information and transparency
The CNIL noted that neither employees nor external visitors were sufficiently informed of the video surveillance systems, nor were temporary workers provided with Amazon’s privacy policy before their personal data was collected using the scanners. They were therefore unaware of the extent of the data collection.
Article 32 – failure to comply with the obligation to ensure security of personal data
The CNIL found that the password to access the video surveillance software was not strong enough which, coupled with the access account being shared between numerous users, meant access was not sufficiently secure.
Response
In response to the CNIL’s findings, an Amazon spokesperson said, “We strongly disagree with the CNIL's conclusions which are factually incorrect and we reserve the right to file an appeal.”
Reported practices in the UK
Unsurprisingly, Amazon has come under scrutiny for their surveillance systems in the UK. In January 2023, Amazon UK staff went on strike for the first time in history when staff from their warehouse in Coventry took to the picket line citing unattainable targets and abusive surveillance technologies as reasons for their actions.
This strike follows European Amazon boss, Brian Palmer, admitting to parliament in December 2022 that its workers can be dismissed for not meeting targets, which includes meeting a certain rate per hour and to not spend too much idle time. You can read more about this in the Business, Energy and Industrial Strategy Committee’s report here.
Given the CNIL’s findings and the significant fine issued, the ICO may well begin to consider whether action should be taken in the UK to ensure individuals’ rights are not infringed. Watch this space…
unknownx500
