


French CNIL imposes fine on Amazon for employee privacy breaches


published on 26 February 2024 | reading time approx. 15 minutes


In the dynamic realm of business, companies are relentlessly pursuing avenues to enhance their performance, optimize employee time for greater profitability, reduce the incidence of human errors and elevate overall customer experience. Simultaneously, the imperative to ensure the safety of employees (including their privacy rights) and the security of company assets is paramount for obvious reasons.

Companies explore multifaceted approaches to boost performance. This may involve the implementation of faster and interconnected tools, fostering friendly competition among employees to increase their productivity, the collective or personalized monitoring of their work or the allocation of bonuses commensurate with performance milestones.

On the other front, the quest for security often entails a comprehensive strategy, encompassing cybersecurity measures, organizational protocols, and the deployment of video surveillance systems.

Despite the dual focus on safety and performance improvement, companies often find themselves grappling with the challenge of striking the right balance. Navigating the delicate line between these two imperatives becomes a tightrope walk, as excessive intrusion into the private lives of employees can occur, among other abuses. 

Instances of overreach can manifest in diverse ways, illustrating the delicate balance that must be maintained between business objectives and individual rights.

One prevalent scenario involves the pursuit of performance, where surveillance and pressure for results become pronounced. For instance, delivery personnel often find themselves subjected to constant scrutiny, facing heightened surveillance that not only monitors their professional activities, but may also encroach upon their personal space.

Furthermore, the implementation of security measures, while crucial, can lead to excessive intrusions affecting privacy. A pertinent example is the use of in-vehicle cameras, which, while serving security purposes, can raise valid privacy concerns. 

In the domain of performance statistics, a further pitfall emerges in the form of profiling individuals and making automated decisions without human intervention. Instances may arise where performance data, in its raw form, is used to create profiles without sufficient human oversight. This raises concerns about fairness, transparency, and the potential for biased decision-making. Are we ready to have possibly life-impacting decisions (such as in the HR sector) made by algorithms without any human intervention?

As a consequence, companies often find themselves in violation of labor law (and in particular the right not to be subjected to excessive surveillance) and non-compliant with the General Data Protection Regulation (GDPR). 

Crucial principles of the latter, such as: 
  • the obligation to inform data subjects and be transparent (i.e. the obligation to provide any information relating to processing to the data subject in a concise, transparent, intelligible and easily accessible form, using clear and plain language),
  • data minimization (i.e. the obligation to collect only data that is adequate, relevant, and limited to what is necessary in relation to the purposes for which they are processed), 
  • storage limitation (i.e. the obligation to keep data for no longer than is necessary for the purposes for which the personal data are processed), and
  • the regulated transfer of data (i.e. the obligations arising from transfers of personal data to a third country) are often overlooked in the pursuit of these well-intentioned economic goals.

The decision rendered by the CNIL against AMAZON FRANCE LOGISTIQUE on December 27, 2023 serves as a stark reminder of several key points related to the abusive surveillance of employees and sheds light on the pitfalls that can arise when the quest for performance and security overshadows fundamental principles of privacy and data protection.

AMAZON FRANCE LOGISTIQUE, responsible for managing the large warehouses of the AMAZON group in France, implements a system where each warehouse employee is equipped with a scanner to document real-time performance in tasks such as storage, removal, packing, etc.

Each scan carried out by an employee results in the recording of data, which is stored for a period of 31 days and used to calculate indicators providing information on the quality, productivity and periods of inactivity of each employee: 
  • the “Stow Machine Gun” indicator, which signals an error when an employee scans an item “too quickly” (i.e. in less than 1.25 seconds after scanning a previous item);
  • the “idle time” indicator, which signals periods of scanner downtime of ten minutes or more;
  • the “latency under ten minutes” indicator, which signals periods of scanner interruption between one and ten minutes.

AMAZON FRANCE also uses video surveillance cameras, as is customary in this industry. 

The CNIL conducted several investigations after receiving multiple complaints from employees and becoming aware through the press of the practices of the company, and sanctioned AMAZON FRANCE for two types of breaches: first, relating to employee monitoring using scanners and second, relating to video surveillance processing. 

Breaches related to employee monitoring using scanners

The CNIL did not dispute the fact that the service provided by Amazon to its customers involves exceptional constraints due to the volumes processed and the goals of short delivery times. This necessitates a very precise real-time monitoring of all object manipulations in the warehouse and the status of each workstation, hence each employee. This monitoring involves the processing of a large amount of data, including a significant amount of real-time personal data, each time a package is handled by an employee in the course of direct tasks.

Additionally, the CNIL did not generally question the real-time processing of raw data and indicators used by the company for the effective management of stocks and orders. 

However, as elaborated below, the CNIL contended that some of the indicators used violate the GDPR, as does the practice of retaining all data collected by the scanners for 31 days and utilizing this dataset along with all the extracted indicators. Management of data retention periods is a commonly neglected aspect of data processing.

The CNIL found that AMAZON FRANCE had failed to comply with three essential obligations for the following reasons:
  • Failure to comply with the data minimization principle (article 5.1.c of the GDPR)

AMAZON uses indicators on employee activity and performance, in order to manage stocks and orders in its warehouses in real time. 

The stock and order management process breaks down into several tasks (receiving items, storing inventory, preparing and sending orders) and relies on the management of each employee in order to provide them, if necessary, with assistance in carrying out these tasks or to reassign them to other tasks if necessary.

The CNIL considered that providing assistance to an employee or reassigning them in real time does not require access to every detail of the employee's quality and productivity indicators collected using the scanners over the last month. 

It pointed out that supervisors can already rely on the data reported in real time to identify any difficulties an employee may be experiencing that may require coaching, or to identify employees to be reassigned to a task in the event of a peak in activity. 

It therefore believed that, in addition to real-time data, a selection of aggregated data, on a weekly basis for example, would have been sufficient.

AMAZON also uses the employee activity and performance data and indicators collected by the scanners to plan work in its warehouses, assess employees each week and train them.

Again, the CNIL considered that the work schedule in the warehouses, along with the assessment and training of the employee do not require access to every detail of the data and statistical indicators provided by the scanner used by the employee and reported over the last month, and that, therefore, statistics per employee, aggregated over the week for example, are sufficient to assess an employee's mastery of a task and to put together relevant teams. Such statistics provide an overview of an employee's performance and are sufficient to assess and identify training needs or to monitor the employee's progress.
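One way to put the CNIL's preference for weekly aggregates into practice, as an added example that is not Amazon's or the CNIL's code: raw scanner events (constructed here) are reduced to per-employee weekly summaries, and the raw log is purged after a short, assumed retention window, so nothing finer than the weekly view is kept for assessment or training.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of raw scanner events (employee id, timestamp, task type).
# In a real deployment every scan would land in such a log; the point of this
# sketch is to keep that log only briefly and to hand supervisors weekly
# aggregates instead of second-by-second detail.
SAMPLE_EVENTS = [
    {"emp": "E001", "ts": datetime(2024, 2, 5, 8, 0, 0), "task": "stow"},
    {"emp": "E001", "ts": datetime(2024, 2, 5, 8, 0, 1), "task": "stow"},  # 1 s gap: not measured here
    {"emp": "E001", "ts": datetime(2024, 2, 6, 9, 30, 0), "task": "pick"},
    {"emp": "E002", "ts": datetime(2024, 2, 6, 9, 31, 0), "task": "pack"},
    {"emp": "E002", "ts": datetime(2024, 2, 14, 10, 0, 0), "task": "pack"},
]
NOW = datetime(2024, 2, 15)          # constructed "current time" for the example
RAW_RETENTION = timedelta(days=7)    # assumption: a deliberately short raw-log window


def weekly_aggregates(events):
    """Per employee and ISO week: scan count, days active, scans per task type.

    Deliberately absent: inter-scan gaps, idle periods and any per-second
    timing. A week-level summary is what the CNIL regarded as sufficient to
    assess mastery of a task and to identify training needs.
    """
    agg = defaultdict(lambda: {"scans": 0, "days": set(), "by_task": defaultdict(int)})
    for ev in events:
        year, week, _ = ev["ts"].isocalendar()
        entry = agg[(ev["emp"], year, week)]
        entry["scans"] += 1
        entry["days"].add(ev["ts"].date())
        entry["by_task"][ev["task"]] += 1
    # Freeze to plain types; the set of dates becomes a count so no timestamps
    # survive in the summary.
    return {
        key: {"scans": v["scans"], "active_days": len(v["days"]), "by_task": dict(v["by_task"])}
        for key, v in agg.items()
    }


def purge_raw(events, now, retention=RAW_RETENTION):
    """Storage limitation: drop raw events older than the retention window."""
    cutoff = now - retention
    return [ev for ev in events if ev["ts"] >= cutoff]


def minimise(events, now, retention=RAW_RETENTION):
    """Aggregate first, then purge: the summaries survive, the raw detail does not."""
    return weekly_aggregates(events), purge_raw(events, now, retention)
```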

Lastly, the CNIL considered that the objective of monitoring the employee's actual work, evaluating or training them did not justify recording any time of inactivity of more than ten minutes.
  • Failure to ensure lawful processing (Article 6 of the GDPR)

Without questioning the need for precise monitoring of the handling carried out and the situation of each employee, in order to ensure the quality of service and safety in its warehouses, the CNIL nevertheless noted that the processing of the three indicators could not be based on legitimate interest, as it led to monitoring of the employee that was disproportionate to the objective pursued by the company.

First, the processing of the Stow Machine Gun indicator means that any storage carried out by an employee can be constantly monitored to the nearest second, and an error can be associated with it if the employee stows items too quickly.

Second, the use of the “idle times” and “latency under ten minutes” indicators makes it possible to constantly monitor any time an employee's scanner is interrupted on a direct task, even for a very short time.

Moreover, the CNIL noted that the company already has access to numerous indicators in real time, both individual and aggregated, in order to achieve its objective of quality and safety in its warehouses. It also pointed out that the processing of these two indicators means that the employee is potentially required to justify every interruption of scanner use, even a very short one.

Therefore, the CNIL considered the processing to be excessively intrusive as implemented.
  • Failure to comply with the obligation to provide information and transparency (Articles 12 and 13 of the GDPR)

AMAZON FRANCE's privacy policy applicable to human resources was only indirectly available to temporary workers on the intranet. 

The CNIL argued that temporary workers were therefore not adequately informed about the processing carried out through scanners, since they neither directly received the policy nor were invited to become acquainted with it in any way. 

In response, the company asserted that providing information to temporary workers via the intranet was sufficient and that the CNIL itself recommends the use of the intranet as a valid communication method. 

However, the CNIL rejected this argument and clarified that it recommends information to be provided “in the most appropriate manner based on the organization and operation of the company.” 

As a consequence, information on the intranet for employees working daily in warehouses, without a natural inclination to use a computer, and without any encouragement to access it, did not constitute a satisfactory method of information.

Breaches related to video surveillance processing

The CNIL found that AMAZON FRANCE had failed to comply with two essential obligations: 
  • Failure to fulfill the obligation of information and transparency, as stipulated in Articles 12 and 13 of the GDPR

Neither employees nor external visitors were adequately informed about the video surveillance systems on notice boards. 

Indeed, the CNIL found that the contact details of the Data Protection Officer (DPO), the duration of data retention, and the right to lodge a complaint with the CNIL were missing from said notice boards. 

Further, they were not provided on any other document: (1) the privacy policy related to human resources merely mentioned the existence of video surveillance processes involving the processing of security data and images, (2) the internal regulations posted within the relevant warehouse indicated merely that “employees must submit to control measures for entries and exits”, including video surveillance, and (3) the welcome booklet informed employees about the existence of a video surveillance system for their safety and that each exit is subject to control. As for the video surveillance installation guide that the company mentioned in its defense, the CNIL noted that the content of this document, written in English, pertains to the internal procedure for installation and use of video surveillance and is evidently not intended for employees.

This breach provides a first opportunity to briefly revisit the guidelines provided by the CNIL regarding information to data subjects with regard to video surveillance: data subjects (employees and visitors) must be informed through permanently displayed, visible signs in the relevant areas. 

These signs should include, at a minimum, in addition to the camera pictogram indicating video protection:
  • the purposes of the installed system;
  • the duration for which images will be retained;
  • the name or position and phone number of the person responsible or the DPO;
  • information about their Data Protection Act rights;
  • the right to file a complaint with the CNIL, along with specifying its contact details.

To ensure that the displayed signs remain legible, all necessary information for public awareness can be provided through alternative means, such as a website. This additional information must include:
  • the legal basis for data processing;
  • recipients of personal data, including those located outside the EU;
  • any supplementary information that must be brought to the individual's attention (automated decision-making, profiling, etc.).

Furthermore, in compliance with the GDPR, a company has to provide information to its employees and occasional visitors through two levels of disclosure: not only on an information panel within the premises but also through the company's internal regulations or intranet. A comprehensive information notice regarding personal data management and individual rights has to be provided to employees (via email to all personnel or given to employees upon hiring, during the contract signing). This notice should also be accessible on the company's intranet or in its internal regulations. In the absence of an intranet or internal regulations, this information must be provided at any time upon request from employees. 

If service providers or occasional visitors may be recorded on the company's premises, this information should be accessible to them as well (when they enter the premises or if they make a request).
  • Failure to fulfill the obligation to ensure the security of personal data, in accordance with Article 32 of the GDPR

The CNIL observed that the access account for Amazon's video surveillance software was shared among all individuals authorized to access surveillance images, and that the password associated with this account consisted of twelve characters, comprising only lowercase letters and digits (no uppercase letters or special characters). 

The CNIL found that this accumulation of security flaws complicated the traceability of access to video images and the identification of each person who has interacted with the software.

Therefore, it found that access to the video surveillance software lacked adequate security measures and that AMAZON failed to fulfill its obligation. 

This breach provides a second opportunity to reiterate the CNIL’s standpoint with regard to video surveillance: access to the images must be organizationally and technically secured to prevent unauthorized viewing by anyone. 

Therefore, only individuals authorized by the employer within the scope of their duties are allowed to view recorded images. These individuals must undergo specific training and awareness programs regarding the implementation rules of a video surveillance system. In addition, access to the video surveillance software must be safeguarded through technical measures such as a robust password, individual (non-shared) accounts and a secure HTTPS connection, so that each access can be traced to a person. 

The CNIL's decision only addresses the two abovementioned issues, but we advise companies to also bear the following points in mind.

Video surveillance is considered legitimate for ensuring the security of assets and individuals but should not lead to subjecting employees to constant and permanent monitoring. 

Therefore, cameras can be installed at building entrances, exits, emergency exits, and traffic routes and can also film areas where goods or valuable items are stored. 

However, cameras should refrain from filming employees (i) at their workstations, except in specific rare circumstances, such as when an employee is handling money (in which case, the camera should focus more on the cash register than the cashier) or in a warehouse storing valuable goods where handlers are working; (ii) on a break in rest areas or in restrooms; or (iii) on union premises or areas designated for employee representatives (including access points solely leading to these spaces).

With regard to data retention periods, the employer must determine the duration for which images from the cameras will be retained, but this duration should be aligned with the objective pursued by the cameras. Generally, this period does not exceed one month. As a rule, keeping images for a few days is usually sufficient unless exceptional circumstances require further scrutiny in case of an incident, potentially triggering disciplinary or legal procedures. In the event of such procedures, the relevant images are then extracted from the system (after recording this operation in a specific log) and stored for the duration of the procedure. Companies should also keep in mind that the maximum retention period for images should not be based on the technical storage capacity of the recorder.

In view of the abovementioned breaches, the CNIL has imposed a significant Euro 32 million fine on AMAZON FRANCE. The fine, equivalent to approximately 3 per cent of the French company's revenue, underscores the seriousness of the breaches, which were determined by considering the system's scale and intensity (resulting in constant surveillance), the impact on a considerable number of individuals, the economic gains generated, and the competitive advantage gained in the online sales market.

This substantial fine is one of the CNIL's record fines and comes close to the maximum allowable limit of 4 per cent of worldwide turnover. This nearly unprecedented penalty highlights the CNIL's commitment to enforcing data protection regulations, in particular in the HR sector, and the regulatory authority's dedication to upholding stringent standards in the digital age.

This significant penalty should serve as a stark warning to companies, emphasizing the need for a thorough audit of both direct and indirect surveillance tools they have implemented or plan to implement. 

Ensuring compliance with GDPR is not just a legal obligation but a strategic imperative in today's data-centric landscape, where regulatory adherence not only safeguards individual rights but also protects businesses from potentially crippling financial penalties.

DATA PROTECTION BITES

Authors:

Frédéric Bourguet, Avocat, Associate Partner

Raphaëlle Donnet, Avocate, Junior Associate

RÖDL & PARTNER FRANCE
