Background:
Amazon France Logistique (“AFL“), a subsidiary of Amazon EU SARL, is responsible for managing Amazon’s large French distribution centres (where parcels are received, stored and prepared for delivery).
Employees in AFL warehouses were required to use individual scanners, which continually collect data on (i) how quickly items are scanned and (ii) how much downtime between scans. The scanners enabled AFL to report potential or actual errors by employees and to monitor their productivity in real time. AFL stored this data for 31 days and used it to plan work schedules, regularly assess its employees and to identify needs for training. AFL also deployed video surveillance at certain warehouses.
In November 2019, following several media reports on AFL’s practices, the French Data Protection Authority (the CNIL) began an investigation, including a series of site inspections. In July 2023, the CNIL held that AFL had committed several breaches of the General Data Protection Regulation (“EU GDPR“). In particular:
- Article 5.1c – Failure to comply with the principle of ‘data minimisation’ in the retention of all the data from scanners for 31 days, rather than retaining only aggregated data which would achieve the same result;
- Article 6 – Failure to have a lawful basis for processing of personal data gathered through the monitoring activities – the CNIL considered AFL was unable to rely upon legitimate interests as the monitoring activities were disproportionate;
- Articles 12 and 13 – Failure to provide access to the privacy policy for temporary workers, and a failure to provide the necessary information to employees and visitors to those warehouses where video surveillance was deployed;
- Article 32 – Failure to ensure that personal data gathered was sufficiently secure where the video surveillance software had inadequate passwords and account sharing was prevalent.
As a result, in December 2023 AFL were issued with a fine of €32 million.
Key Points:
1. Relevance for UK employers: While the CNIL’s decision is not binding on the UK, it raises several interesting issues for UK and European businesses alike.
Firstly, the relevant parts of the EU GDPR and the UK GDPR are still substantially similar. For example, under both legislation, employers can only rely on the lawful basis of legitimate interest, provided that it does not cause a disproportionate attack on the rights, freedoms and interests of employees. Personal data must be retained no longer than necessary, must be kept secure and data subjects should be informed of how their personal data is processed. Employers in the UK will also need to carefully weigh such interest against the extent of the intrusion into their employees’ privacy.
Secondly, the same balancing act is necessary on UK employers seeking to carry out monitoring under the case law of the European Court of Human Rights, which still applies within the UK and was unaffected by Brexit.
The ICO produced stand-alone guidance on workplace monitoring in October 2023 which also refers to the need for a balancing act and more generally echoes the same obligations as are considered in the CNIL judgment. It is clear monitoring of employees, including in particular the use of technologies, are an area of interest for the UK regulator.
2. Impact on employees: It should not be assumed that a legitimate business interest will outweigh the impact of monitoring activities, as perceived from the employees’ perspective.AFL had sought to justify the monitoring by reference to the scale and complexity of its operations, and the tight timeframes and customer expectations involved, all of which rendered precise and widespread monitoring necessary. The CNIL did not challenge that AFL had a legitimate business interest in ensuring the quality and safety of its processes in its logistics centres, both for its customer and its employees.
Nonetheless the CNIL found that AFL’s practices amounted to excessive monitoring, resulting in a disproportionate impact. This was particularly because of the scale of the measures which affected a large number of people. Interestingly the CNIL also took into account the impact on employee morale (i.e. the pressure put on employees as a result of such extensive monitoring). The CNIL ultimately found that AFL could achieve its legitimate interest through other, less intrusive means (not least the numerous other real-time data which was available to AFL).
It might be thought that AFL’s measures (and its business interests) were specific to the demands and expectations of the logistics sector, and were accordingly much more invasive than what might be expected in the typical monitoring of office workers. However, technologies for monitoring office workers can also be considered invasive by those employees on the receiving end, such as automatic screenshots at regular intervals or notifications that workers are idle or away from their desks. Many such technologies can attract press attention in the event of challenge by employees.
In 2023, the ICO published research which noted that 70% of people surveyed considered that “they would find monitoring in the workplace intrusive and fewer than one in five (19%) people would feel comfortable taking a new job if they knew that their employer would be monitoring them.”
This, and CNIL’s focus on morale, emphasise the need for employers to carefully consider the impact on employees, including from the employees’ perspective. It is worth remembering that the more invasive the measures vis-à-vis individuals, the stronger the legitimate business interest must be to outweigh the impact. This point becomes more relevant with the development of technology to enable employers to monitor staff in a more precise and extensive manner.
3. Privacy Policies and Information Rights: The CNIL notably found that, until April 2020, AFL’s temporary workers had not been properly informed of the data processing measures in place. Whilst AFL had made the applicable privacy policy available via its intranet, the CNIL considered that it was inadequate because the policy was neither directly provided to the temporary workers, nor were such workers invited to read it.
Additionally the CNIL found that posters in the relevant warehouses which informed employees and visitors of the use of video surveillance did not, per the requirements of the GDPR, indicate (i) the duration of data retention, (ii) the right to raise a complaint with the CNIL, and (iii) the contact details of the data protection officer. These were not provided in any other media or documents.In the UK the ICO is currently consulting on draft guidance, which includes steps employers should take to bring privacy policies to the attention of workers.
Employers in the UK should avoid solely relying on intranet sites or other singular means of communication to inform staff, and, on a precautionary basis, may wish to consider a ‘belts and braces’ approach involving pro-actively advertising privacy policies on a regular basis across multiple platforms.
Conclusion: The key questions for companies coming out of this decision are: 1) is it necessary to undertake the proposed monitoring (or would something less intrusive be sufficient), and 2) is the extent of that monitoring reasonable and proportionate? The CNIL judgment is also a cautionary tale about ensuring all staff (including temporary staff) have access to the employer’s privacy policy and where third parties are being monitored too (e.g. visitors) that they are made aware of the monitoring and all of the prescribed information is contained in those communications.
For further information, please contact:
Christine Young, Partner, Herbert Smith Freehills
christine.young@hsf.com