Lessons for global employers: Amazon France Logistique fined €32 million for 'excessively intrusive' employee monitoring

There is ever evolving opportunity to find new ways to monitor staff in the workplace. However, such monitoring must take place within the parameters of local law and a careful balance must be struck between the employer's commercial monitoring purpose and protection of the employee's privacy rights and interests.

The recent Amazon France Logistique ('AFL') decision is an example of a significant fine for HR data misuse. Although the monitoring which took place was fairly extreme, it highlights some important reminders for all employers monitoring employees in the workplace.

The decision

Following media articles and complaints by workers, the French authorities carried out spot checks and commenced an investigation into the staff surveillance system used in Amazon's French warehouses. The CNIL (Commission Nationale de l'Informatique et des Libertés - France's data protection authority) fined Amazon France Logistique €32 million for 1.) an 'excessively intrusive' surveillance system used to monitor staff activity and performance; and 2.) video surveillance implemented without sufficient information or security.

The surveillance

AFL, a subsidiary of Amazon EU SARL, provides logistics support services as part of its parcel delivery business in France. It manages the Amazon Group's large warehouses in France. Warehouse staff complete tasks such as receiving and storing items from suppliers (inventory) and preparing parcels for delivery to customers. Each of several thousand warehouse staff in AFL was issued with a handheld barcode scanner in which they identified themself and received instructions to manage stocks and orders in real time. The scanner continuously collected and recorded data relating to the activity of the workers. The data was stored for 31 days within computer tools for monitoring activity and used to 1.) assess performance, focusing on the quality, productivity and periods of inactivity of each worker; 2.) plan work schedules; and 3.) identify needs for training. AFL also deployed video surveillance at certain warehouses.

GDPR breaches

The following EU General Data Protection Regulation, Regulation (EU) 2016/679 ('EU GDPR') breaches were identified by the CNIL:

1. Failure to ensure lawful processing (Article 6 of the EU GDPR): AFL used 43 'quality indicators' to identify potential or actual errors committed by workers in the item routing process. It was found that there was no lawful basis for the processing of the following three indicators used to assess staff activity. They could not be based on AFL's proposed legitimate interests:      

i.) 'the Stow Machine Gun': processes raw quality data related to the speed of execution of a task. An error is reported when a worker scans an item too quickly (in less than 1.25 seconds after scanning a previous item). This processing was deemed to be disproportionate, since it led to excessive computer surveillance of the worker in relation to the objectives pursued. It was found to excessively interfere with the rights and interests of workers, in particular those relating to the protection of their private and personal life, and their right to working conditions that respect their health and safety. It was found that such precise monitoring exceeds the reasonable expectations of workers - whilst they may expect that their work will be subject to a certain degree of scrutiny, they cannot reasonably expect they will be monitored to the nearest second.

ii.) 'idle time': signals periods of scanner downtime of ten minutes or more; and

iii.) 'latency under ten minutes': signals periods of scanner interruption from one to ten minutes.

It was found that indicators ii.) and iii.) were disproportionate for AFL's purposes of real-time inventory and order management. It was noted that AFL already had access to numerous aggregated data indicators of quality and productivity to sufficiently manage warehouses and their workflows.

Cumulatively, the warehouse workers were found to be continuously monitored. This level of monitoring was deemed by the CNIL to put the workers under 'constant pressure', with potentially negative repercussions. The fact they would potentially have to justify any period of time their scanner was inactive, such as a short break, was deemed to be highly intrusive. The processing of this data was considered to be disproportionate with regard to the fundamental rights and interests of the workers, in particular their right to the protection of their private and personal life as well as their right to working conditions which respect their health and safety.

2. Failure to comply with the data minimisation principle (Article 5(1) (a), 5(1)(c) of the EU GDPR):

1. AFL stated that it used the data collected from the scanners regarding worker performance to assist with managing stocks and orders in real time. However, CNIL found that every detail of the worker's quality and productivity collected via the scanners over the last month was not required to meet this objective.
2. AFL also stated that it used the employee performance data and indicators to plan work schedules in the warehouses and to assess and train workers. Again, CNIL found that every detail of the performance data from the last month was not required in order to plan work and assess and train staff.

CNIL found that, in addition to real-time data, a selection of aggregated data, for example on a weekly basis, would be sufficient for the outlined purposes. The retention of the quality and productivity data and resulting statistical indicators, for all employees and temporary workers, for 31 days, was found to be excessive in the light of the economic and commercial interests pursued by AFL. Additionally, the granularity and methods of consulting the collected indicators was deemed to be inappropriate. There was found to be a disproportionate infringement of the workers' private and family life as well as working conditions that respect their health and safety.

3. Failure to comply with the obligation to provide information and transparency (Article 12 & 13 of the EU GDPR): neither workers nor external visitors were properly informed of the video surveillance systems. The CNIL found that several items of information required by the EU GDPR, such as the indication of the data retention period, the right to file a complaint with the CNIL and the contact details of the data protection officer, were not provided by AFL.
4. Failure to comply with the obligation to ensure security of personal data (Article 32 of the EU GDPR): the password to access the video surveillance software, which consisted of two sets of characters, was deemed to be insufficiently robust: CNIL recommends that the password must be at least twelve characters long and contain four sets of characters (lower case, upper case, numbers and special characters).The account was also shared between several users, meaning access to the video surveillance was not sufficiently secure.

What were the relevant factors when considering the level of the fine?

The fine was equivalent to almost 3% of the 2021 gross annual turnover of AFL. When determining the level of the public fine, the CNIL took into account the criteria set out in Article 83 of the EU GDPR, including the following factors:

1. the processing of employee data using scanners was different to traditional activity monitoring methods;
2. the scale and wide scope of the monitoring;
3. the very close and detailed nature of the monitoring;
4. the precise and constant surveillance put the workers under disproportionate permanent pressure;
5. the lack of information about data monitoring provided to temporary workers, who are often in a precarious professional position;
6. the large number of people monitored – more than 6,000 permanent employees and a significant number of temporary workers;
7. the security breaches regarding access to the video surveillance software and the insufficient robustness of the password for access to the account was deemed to show negligence in the implementation of the basic principles of the GDPR; and
8. the constraints put on the workers directly contributing to AFL's economic success and giving it a competitive advantage over other undertakings in the online sales sector.

Whereas, the partial compliance adopted by AFL regarding informing temporary workers and implementing security measures after the initial inspections were carried out, mitigated AFL's sanction to some extent.

What are the key lessons for global employers?

Although this is a French decision and is not binding on the UK, global employers, including those seeking to monitor staff in the UK and the EU should take note of this decision, as similar principles can be applied under the UK and EU GDPR and local data protection legislation. 

Some points to note include:

1. Comply with local law and guidance: Any personal data collected through monitoring will need to be processed, stored and retained in accordance with local data protection legislation. A lawful basis for processing will need to be established, full transparency and notice must be provided in advance of any monitoring and the data protection principles must be complied with. Employers considering implementing a workplace monitoring system should ensure they not only comply with relevant legislation but also review and comply with relevant guidance, such as the ICO guidance on workplace monitoring in the UK. As the AFL decision shows, a failure to comply with applicable data protection law could result in a substantial fine.
2. DPIA: A data protection impact assessment should be carried out prior to implementing an employee monitoring system to weigh up the employer's interests against the risk to workers.  This will help to assess how proportionate and necessary the form of monitoring is and to minimise the potential risks. The AFL decision shows the importance of proportionality and avoiding being excessive or intrusive but instead only monitoring at a level which would meet the reasonable expectation of workers.
3. Lawful processing – a lawful ground for processing any personal information will need to be established before implementing any employee monitoring system. Typically, this will be under the 'legitimate interests' ground and a legitimate interests assessment will be required to demonstrate that the processing is necessary to achieve the legitimate interest which has been identified, balanced against the employees' rights, freedoms and interests.
4. Data minimisation: Workplace monitoring should be limited to what is strictly necessary and consideration should be given to how to limit the scale and scope of the data obtained. If an employer wants to use workplace monitoring to assess employee performance, other less invasive methods which could achieve that aim, should be considered first. Before implementing a close monitoring system, carefully consider will anything new be gained from obtaining more detailed or precise information, or is there already sufficient existing data available?
5. Transparency: Before employee monitoring is implemented, employees (and any agency staff, visitors or other individuals who will be monitored) should be informed about the monitoring and given detailed information including but not limited to information about the nature and extent of the data processing, when and how the data will be obtained, why and how it will be used, who it will be disclosed to, who the data protection officer is, retention periods, the right to lodge a complaint and how confidential or sensitive information will be handled. This should be clearly outlined in accessible workplace privacy notices and relevant internal policies such as 'Acceptable Use/ IT Communications' policies.
6. Retention periods: ensure there is a strict retention period, which is no longer than is necessary for the specified intended purpose.
7. Security of data: insufficient security and weak passwords will be considered to be very serious GDPR breaches and will impact the level of any fine.
8. Employment law considerations:

• Health & Safety: When implementing a workplace surveillance system, it is important to consider the potential impact on an employee. If it is likely to put 'constant pressure' on an employee or would lead to them having to justify every short break, then consider how the processing can be minimised. The AFL decision shows that it will not be necessary or proportionate to accurately measure all employee work breaks/ interruptions and transmit them in real time to the line manager. Such close and precise monitoring could lead to employee sickness absence and health and safety issues such as complaints or claims relating to workplace stress. The main lesson of this decision if that any permanent monitoring of employees is prohibited in France. The CNIL has previously established this principle that applies to all employee monitoring systems, including for remote work. In a Q&A published on November 12, 2020, the CNIL had already prohibited the use of keyloggers, which record keystrokes, permanent screen sharing and software that takes photos of employees behind their screens every five minutes.
• Employee appraisal: The employer must be careful in defining the data used to appraise employees and subsequent measures (career development, demotion, dismissal, etc.). If appraisals are based on a disproportionate recording of data relating to the productivity and quality of the employee's work, the employer runs the risk of being challenged by the employee.
• Constructive unfair dismissal: Disproportionate employee monitoring practices could also lead to distrust in the workplace and additional employment law complaints or claims. For example, in England and Wales, the term of 'mutual trust and confidence' is implied into all employment contracts. This means that the employer must not, without reasonable and proper cause, conduct itself in a manner calculated and likely to destroy or seriously damage the relationship of trust and confidence between the employer and employee. If an employee is able to demonstrate that the employer has breached this implied term, they are entitled to resign and claim 'constructive dismissal'. This is effectively a breach of contract claim, whereby the employee claims they had no choice but to resign and are treated as dismissed due to the alleged fundamental repudiatory breach of contract by the employer. An employee could seek to claim that workplace surveillance which puts them under constant pressure constitutes a breach of the implied duty of mutual trust and confidence and thereby resign and claim constructive unfair dismissal.
• Misuse of Private Information: Employees could seek to bring a tort law claim for 'misuse of private information' in the civil courts, if they can show they had a reasonable expectation of privacy, a positive action has taken place leading to a misuse of their information and there has been a disproportionate interference with that privacy.
• Discrimination: There are various types of discrimination claims which can be brought in relation to employee monitoring. For example, UK employees may allege employee monitoring activities have unfairly targeted them or treated them less favourably/disadvantaged them when compared to employees who do not share their protected characteristic. If they are disabled for the purposes of the Equality Act 2010, depending on their individual circumstances, they may request reasonable adjustments or claim there has been a failure to make reasonable adjustments in respect of monitoring activities. To avoid such allegations, it is advisable to (i) ensure the monitoring is rolled out across the board and does not target or disadvantage certain groups of employees; and (ii) avoid making any disciplinary or performance-related decisions based on the information obtained from the proposed monitoring without following a fair and proper process.

What next?

Amazon has issued a statement in which it denied any wrongdoing, disagreed with the CNIL's findings and reserved the right to appeal. The decision may be appealed to the Council of State within two months of its notification.

The CNIL announced on 7 November 2023 that it had imposed ten new sanctions under its new simplified sanction procedure, addressing recurring concerns related to video surveillance of employees and data minimization. This decision can therefore be seen as a continuation of a trend of French enforcement actions.