On January 23, 2024, the French data protection authority (CNIL) published Decision No. SAN-2023-021, as issued on December 27, 2023, in which it imposed a fine of €32 million on Amazon France for violation of the General Data Protection Regulation (GDPR) following an investigation.

Background to the decision

CNIL clarified that Amazon France manages Amazon warehouses in France. As part of this, each warehouse employee is equipped with a scanner by which they document the execution of certain tasks. Each scan carried out by employees results in the recording of data which can then be used to calculate indicators as to the quality, productivity, and periods of inactivity of each employee.

CNIL noted that it carried out its investigation following press articles on practices implemented by Amazon France and multiple complaints from employees.

Findings of CNIL

Following its investigation, CNIL found that the data collected from employee actions was collected in real time and that all data reported was kept for 31 days. Specifically, CNIL noted that the precise management of each employee in real time, though nominally to provide employees with assistance in their workplace tasks, does not require access to the smallest details of the employee's productivity indicators. Notably, CNIL determined that supervisors may instead rely on data reported in real time to identify any difficulties encountered by employees and that a selection of aggregated data, which is already collected in addition to other data, should be sufficient. Therefore, CNIL found Amazon France in violation of Article 5(1)(c) of the GDPR for the failure to process personal data in a way that is adequate, relevant, and limited to what is necessary in relation to the purposes for which it was processed.

In addition, regarding the precise monitoring of employees, CNIL recalled three indicators by Amazon France. Namely the Stow Machine Gun which signals an error when employees scan an item too quickly, the idle time indicator which signals interruptions of 10 minutes or more, and latency times of less than 10 minutes. CNIL outlined that the three methods of monitoring cannot be based on legitimate interest since the methods are excessively intrusive and ensure that employees must justify very short interruptions of their scanner. Accordingly, CNIL considered Amazon France to have violated Article 6 of the GDPR for the absence of the stated lawful basis.

Further, CNIL detailed that many Amazon France workers were contracted on a temporary basis. However, CNIL found that the confidentiality and privacy policy were not provided to temporary workers before the collection of their personal data. Notably, CNIL considered the provision of information to temporary workers via the company intranet as insufficient given that temporary workers were not invited to read it and it was not the most appropriate method of informing temporary employees who did not have access to an office computer when working. Similarly, CNIL held that employees and external visitors were also not properly informed about video surveillance, with notices relating to video surveillance failing to have been changed following January 2020. Further, the video surveillance installation guide, noted by Amazon France, was written in English and related to the internal procedure for using video surveillance, and therefore clearly not intended for employee use. CNIL consequently found Amazon France in violation of Articles 12 and 13 of the GDPR.

Finally, CNIL considered that access to video surveillance was not sufficiently secure since password access was not robust and access accounts were shared between multiple employees. Accordingly, with regard to the characteristics of the processing in question and the risks involved, CNIL found Amazon France in violation of Article 32 of the GDPR for failing to guarantee a level of security appropriate to the risk of processing.

Outcomes

In light of the above violations, CNIL imposed a fine of €32 million on Amazon France.

You can read the press release here, the decision here, both only available in French, and the European Data Protection Board summary here.