On December 27, 2023, the French Data Protection Authority (CNIL) fined AMAZON FRANCE LOGISTIQUE €32 million for setting up an excessively intrusive system for monitoring employee activity and performance. The company was also fined for video surveillance without information nor sufficient security system.
The CNIL’s decision is being published today, January 23, 2024 (decision, in French language, available at Délibération SAN-2023-021 du 27 décembre 2023 - Légifrance (legifrance.gouv.fr)).
Below is a summary of the core elements of the decision.
AMAZON FRANCE LOGISTIQUE manages the AMAZON group's large warehouses in France, where it receives and stores items and then prepares parcels for delivery to customers. As part of its activities, each warehouse employee is given a scanner to document the performance of certain tasks assigned to them in real time.
Each scan carried out by employees gave rise to the recording of data, which was stored and used to calculate a series of indicators providing information on the quality, productivity and periods of inactivity of each employee.
In November 2019, the CNIL launched investigations, after several employees filed complaints. The CNIL was also informed of press articles which were questioning the legality of the monitoring system set up by AMAZON FRANCE LOGISTIQUE.
The examination of the case ended up with a detailed report issued, on April 4, 2022, by the CNIL’s rapporteur. Several violations were outlined and the publication of the decision was suggested by the rapporteur to the CNIL.
The CNIL handed down its decision on December 27, 2023. It considered that the system for monitoring employee activity and performance was excessive, in particular for the following reasons (violation of Articles 5.1 c), 6, 12 and 13 GDPR):
- The company used indicators on employee activity and performance, collected thanks to scanners used to manage in real time stocks and orders in its warehouses. The CNIL ruled that it was illegal to set up a system measuring work interruptions with such an accuracy, potentially requiring employees to justify every break or interruption.
- The CNIL held that the system for measuring the speed at which items were scanned was excessive.
- More generally, the CNIL considered excessive to keep all data collected by the system, as well as the resulting statistical indicators, for all employees and temporary workers, for a period of 31 days.
Moreover, the CNIL ruled that the warehouse’s video surveillance system violates the obligations of information and transparency, as well as the security obligations, imposed by the GDPR:
- Employees and visitors were not properly informed about the video surveillance systems, since certain mandatory information (listed by Articles 12 and 13 GDPR) was not provided either on notice boards (or on other media), or through documents;
- The access to the video surveillance software was not sufficiently secure, since the access password was not sufficiently robust and the access account was shared between several users (violation of Article 32 GDPR).
One of the pillars of the CNIL’s strategic plan for 2022-2024 is the protection of data subjects, in particular employees when facing geolocation and video surveillance.
On the first issue, the CNIL pointed out that the continuous recording of geolocation data, with no possibility for employees to stop or suspend the system during break times, is, unless there is a specific reason, an excessive infringement of employees' freedom to come and go and right to privacy.
With regard to the second issue, the CNIL reaffirmed its position on the deployment of video surveillance systems which, for no particular reason, constantly film employees at their workstations. Indeed, the prevention of accidents in the workplace and the gathering of evidence do not legitimate the implementation of continuous video recording.
As part of a dissuasive and proportionate repressive policy, and within tighter deadlines, the CNIL will be issuing sanctions under the simplified sanction procedure (implemented in 2022), and report on them on its website.
Set up in 2022, the simplified sanction procedure may be launched for matters that do not raised any specific complex issue, and for which a fine of up to 20,000 euros may be imposed.
It enables the CNIL to increase the effectiveness of its repressive plan in response to the complaints received, which increase every year. More than 12,000 complaints in 2022, i.e. +72% since the GDPR came into force in 2018.