Amazon Fined €32 Million for Employee Surveillance

The French Data Protection Authority (CNIL) made a significant ruling, imposing a huge €32 million fine on AMAZON FRANCE LOGISTIQUE on 27th December 2023. This penalty was a consequence of the company implementing an overly intrusive system to monitor employee activities and performance. The fine addressed issues related to insufficient information and security measures in the context of video surveillance.

The issue was that Amazon equipped warehouse employees with scanners to document real-time performance on various assigned tasks, such as storing or removing items from shelves, packaging, and more.

The CNIL initiated investigations following media reports and employee complaints about warehouse practices. It determined that the system employed to monitor employee activity and performance was excessive. 

Key Takeaways From This Case

Employers should exercise caution when implementing monitoring systems, ensuring that precision measures are reasonable, data retention is proportionate, and the overall monitoring practices respect employee privacy to avoid legal consequences and financial penalties.

Intrusive Monitoring

Amazon's monitoring system, using indicators to track scanner inactivity time, has been deemed illegal by the CNIL. Employers should be cautious about implementing precision measures that may create undue pressure on employees to justify breaks or interruptions.

Excessive Speed of Scanning Measurement

The CNIL found Amazon's system's measurement of scanning speed to be excessive. Employers should consider reasonable timeframes for task completion to avoid potential errors and ensure a fair work environment.

Data Retention Problems

Concerns were raised regarding the retention of all data and statistical indicators for employees and temporary workers for a 31-day period. Employers should be mindful of data retention practices, ensuring they are proportionate and in compliance with privacy regulations.

Disproportionate Data Monitoring

Despite recognising challenges in Amazon's business, the CNIL deemed the data retention and monitoring to be disproportionate. Employers should strive for a balance between monitoring practices and respecting employee privacy, considering the unique aspects of data processing in their operations.

The €32 million fine on AMAZON FRANCE LOGISTIQUE emphasises the importance of aligning data processing practices with regulatory requirements. Employers should be aware of potential financial penalties for non-compliance with data protection laws.

How Did Amazon Breach GDPR?

Data Minimisation Principle Violation (Article 5.1.c)

The company failed to comply with the data minimisation principle by excessively collecting and processing employee data through scanners. The company's use of employee data and indicators for stock and order management was considered excessive. The restricted committee found that real-time and data collected on a weekly basis would have sufficed for quality and safety objectives in warehouses. However surveillance for order management was considered excessive.

Unlawful Processing (Article 6)

The restricted committee identified three illegal indicators, including the "Stow Machine Gun," "idle time," and "latency under ten minutes." These indicators, while monitoring employee actions, were deemed excessively intrusive and lacking a legitimate interest basis.

Failure to Provide Information and Transparency (Articles 12 and 13)

Temporary workers were not adequately informed about privacy policies until April 2020, violating the obligation to provide information and transparency.

Video Surveillance Processing Breaches

Failure to Provide Information and Transparency (Articles 12 and 13)

Both employees and external visitors were not properly informed about video surveillance systems. Essential information required by Article 13 of the GDPR was lacking on notice boards and other media.

Failure to Ensure Security of Personal Data (Article 32)

The restricted committee found security flaws in the video surveillance software, including weak access passwords and shared access accounts among multiple users. This compromised the security of personal data and hindered the ability to trace access and identify individuals involved in software actions.

With this fine, the CNIL sends a strong message about the importance of balancing technology-driven operational efficiency with respect for individual rights in the workplace. Amazon and other companies are now urged to reassess their monitoring practices to align with privacy regulations and foster a fair and respectful work environment.

How Can Gerrish Legal Help?

Gerrish Legal is a dynamic digital law firm. We pride ourselves on giving high-quality and expert legal advice to our valued clients. We specialise in many aspects of digital law such as GDPR, data privacy, digital and technology law, commercial law, and intellectual property. 

We give companies the support they need to successfully and confidently run their businesses whilst complying with legal regulations without the burdens of keeping up with ever-changing digital requirements. 

We are here to help you, get in contact with us today for more information.