Shoosmiths LLP
  February 16, 2024 - Milton Keynes, England

Employee monitoring costs Amazon €32m
  by Shoosmiths LLP

Amazon France Logistics has been fined €32m in France for being “grossly negligent” about European data protection law when it comes to monitoring its workers. How can companies do the right thing by workers and by regulators?

Employers have increasingly sophisticated tools to help them monitor their workers. Amazon’s  substantial recent fine from French data protection regulators shows that they don’t always get it right. Amazon says that it’s just trying to “support the work of our employees and help us meet customer demand”. Where should businesses draw the line when it comes to efficiency? 

Amazon France Logistics manages a number of major warehouses in France. The national data protection authority, the CNIL, started an investigation after negative press coverage and complaints. It stemmed from concern about equipping workers with scanners which document in real time how employees carry out tasks such as packing. The data from scanners was used to calculate an individual’s quality of work, productivity and periods of inactivity. This information fed into training, but also into performance management. 

What has this got to do with data protection? The central issue is that scanner information is “associated with the identity of the employee” and is therefore personal data. Use of the data comes under the meticulous rules in the GDPR about who is allowed to process personal data, and why. Very similar rules apply in the UK.

Under the gun 

The scanners built up an incredibly detailed picture about employee behaviour. A “stow machine gun” indicator signalled when an employee scanned an item outside the optimum 1.25 second threshold, the “idle time” indicator showed interruptions of more than 10 minutes, and a further indicator picked up downtime less than this. 

The CNIL found that this type of scanner system could be legal, but not where business interruptions were monitored so accurately by Amazon France that workers had to justify any work break at all. This degree of accuracy was held to be unlawfully excessive both under French national laws and the GDPR legitimate interests test, which is the “balancing act” used to assess whether or not the interests of the controller outweigh those of the individual in deciding how personal data can be used.  

Keeping data and resulting statistical indicators for 31 days was also found to be excessive, “disproportionate” and outside GDPR data minimisation requirements. The CNIL’s position was that granular data could be used for coaching in real time but not for performance management, where it should be aggregated. 

The big picture

The CNIL agreed that high-performance business objectives would be assisted by this scanner system but processing, retaining and analysing all the associated data in the interests of productivity was disproportionate overall. So the CNIL found that the scanning systems monitored employee productivity excessively, in violation of GDPR Art. 5(1)(c)(data minimisation), and Art. 6 (lawful basis). 

While they were at it, the regulators also penalised Amazon France for providing privacy information to temporary workers only via the company intranet, and for poor CCTV practices and software inadequacies.

Amazon’s response 

In response to the investigation, the CNIL has reported that Amazon France reduced the relevant retention period to 7 days and increased the break monitoring threshold from 10 to 30 minutes. It also stopped using data “in real time“. At the same time, Amazon France has issued a statement stating they “strongly disagree” with the CNIL’s findings and that use of such warehouse management systems “is a common industry practice.” The company has also reserved its right to appeal. 

Other decisions

This is the first major fine for use of this type of scanning system, though regulators already issue regular fines for making employees feel over-scrutinised. In particular, excessive or poorly communicated CCTV use, not giving employees proper choice about biometric security systems such as fingerprinting and monitoring productivity using location data has already attracted substantial fines in France, Spain, Italy and Germany.

Arguably this decision is a development of existing regulator concern about other forms of excessive monitoring. During the pandemic, for example, they challenged over-intrusive monitoring of students during exams, and many regulators keep a watchful eye over monitoring of homeworkers. These situations show that extreme care must be taken when controllers use potentially uncomfortable monitoring in circumstances where genuine consent cannot be given because of a fundamental power imbalance. 

The UK regulator, the ICO, has issued comprehensive guidance on monitoring workers which is a useful starting point when designing systems. At European level, the EDPB “design and default” guidelines  state that “specific legal safeguards” are required when controllers “cross the threshold” into employee monitoring.  

Key takeaways for controllers engaging in employee monitoring

Read full article at: