Amazon has been fined €32m (£27m) by the French data protection authority CNIL (Commission Nationale de l’Informatique et des Libertés) for excessive monitoring of employees at its warehouses in France, on 27 December 2023.
The investigation was initiated following employee complaints and revealed that Amazon France Logistique employed an intrusive system to monitor work performance, breaks, and productivity.
Employees were provided with scanners to document tasks, including activities such as placing or taking an item from a shelf or packaging an item and the scans were utilized to assess work quality and periods of inactivity.
CNIL deemed the implementation of an overly accurate system measuring work performance unlawful, potentially requiring employees to justify every break. The scanning speed, considering the risk of errors in quick succession, was also scrutinized. Further, CNIL considered the retention of system data by Amazon for 31 days excessive.
Amazon strongly disagreed, underscoring the essential role of warehouse management systems for safety and efficiency, and reserved the right to appeal.
The following breaches of the General Data Protection Regulation (GDPR) were identified by CNIL:
- Non-compliance with the data minimization principle (Article 5.1.c of the GDPR): The principle of data minimization emphasizes that organizations should limit the collection and processing of personal data to only what is necessary for the specified purpose. Amazon retained every detail of employees’ quality and productivity indicators from the previous month, using it to determine coaching or reassignment. Supervisors only needed real-time data or aggregated data to identify any employee difficulties, argued CNIL.
- Failure to ensure lawful data processing (Article 6 of the GDPR): Certain performance indicators required employees to justify any interruptions to scanner use, considered intrusive by CNIL.
- Violations related to work schedules and employee evaluations: The company utilizes data and indicators obtained from employee activity and performance, as collected by the scanners, for scheduling work in its warehouses, weekly employee assessments, and training.
- Non-compliance with the obligation to provide information and transparency (Art. 12 GDPR and Art. 13 GDPR): Temporary workers were inadequately informed about personal data collection through scanners until April 2020. Information regarding video surveillance was not properly communicated to employees or external visitors.
- Failure to safeguard the security of personal data (Article 32 of the GDPR): The access password for video surveillance data was weak, and the account was shared among several users, making it challenging to trace access to video images.
- In 2023, it was indicated to the Business, Energy, and Industrial Strategy Committee by Amazon’s European policy chief that three productivity flags could lead to employee termination. However, Amazon later clarified that while the system’s algorithms identify performance issues, they don’t independently make firing decisions; rather, they assist in recognizing performance-related concerns.
- Around 20,000 individuals work at the French warehouses of the online retail giant Amazon France Logistique.
- The UK is amending its data protection legislation through The Data Protection (Fundamental Rights and Freedoms) (Amendment) Regulations 2023, incorporating elements of EU regulations, such as the GDPR, into the UK statute book.