Bytesize Legal Updates | Fieldfisher
Fieldfisher are experts in European digital regulation and guide businesses through the complexities of the EU’s rapidly evolving regulatory environment. Europe is one of the world’s largest internal markets - with our focus on digital regulation for online platforms, social media and emerging technologies (AI, automation, AR/VR etc.) we keep you up-to-date with the EU’s digital agenda, and latest impacting European legislation for the industry.
Bytesize Legal Updates: The French data protection authority fines Amazon France Logistique
The French data protection authority, the CNIL, has fined Amazon France Logistique €32 million for its use of excessively intrusive employee monitoring systems and failing to provide transparency and adequate security to personal data in relation to the use of video surveillance systems, in breach of the GDPR.
In our latest Bytesize Legal Update, Fieldfisher's Moira Campbell and Eilish Beeby discuss the key takeaways from the decision and what the practical implications are for businesses.
Bytesize Legal Updates: French DPA fines Amazon France Logistique
[00:00:00] Eilish Beeby: Hello, I'm Eilish and I'm a tech and data specialist.
[00:00:08] Moira Campbell: Hi, I'm Moira, and I'm an employment specialist, and we both work in Fieldfisher's Silicon Valley team.
[00:00:16] Eilish Beeby: Today, we're going to talk through the recent fine issued by the French data protection regulator, the CNIL, against Amazon France Logistique for 32 million euros, as a result of what the CNIL has deemed excessively intrusive employee monitoring systems and a lack of transparency and security in relation to the use of video surveillance systems in breach of the GDPR.
So, Moira, could you kick us off with a quick summary of what's happened here?
[00:00:52] Moira Campbell: Sure, thanks Eilish. So, following media articles and complaints by workers, the French authority carried out spot checks and commenced an investigation into the staff surveillance system used in Amazon's French warehouses that were run by Amazon France Logistique, or AFL, a subsidiary of Amazon EU S.a.r.l.
[00:01:14] Eilish Beeby: Can you tell us what kind of staff surveillance AFL used?
[00:01:18] Moira Campbell: AFL equipped its warehouse staff, whose role was broadly to receive items and prepare parcels for delivery to customers, with handheld barcode scanners. The staff were identified on the scanner and used it to receive instructions to carry out tasks in real time. But the scanner also continuously collected and recorded data relating to the activity of the workers.
AFL used quality metrics, such as the Stow Machine Gun Indicator, which tracked the speed at which workers scanned items and signified an error when an item was scanned too quickly, in less than 1.25 seconds after scanning a previous item. AFL also monitored the productivity and periods of inactivity of each worker by using idle time and latency under 10 minutes indicators.
The data was stored for 31 days within computer tools for monitoring activity and used to track performance against detailed criteria. An outline of the employee monitoring system. But what were the issues with it? Eilish, perhaps you could outline some of the key GDPR breaches and privacy issues identified by CNIL.
[00:02:37] Eilish Beeby: Thanks, Moira. So, it was found that there was a failure to ensure lawful processing. For example, in respect to the Stow Machine Gun that you've already mentioned, this processing was deemed to be disproportionate. It was found to excessively interfere with the rights and interests of workers, and such precise monitoring was said to exceed the reasonable expectation of workers.
Whilst they may expect that their work will be subject to some degree of scrutiny, they cannot reasonably expect that they'll be monitored to the nearest second. The idle time and latency under 10 minutes indicators were found to be disproportionate for AFL's purposes of real time inventory and order management.
It was noted that AFL already had access to numerous aggregated data indicators of quality and productivity to sufficiently manage warehouses and their workflows. This continuous monitoring of workers was deemed by the CNIL to put the workers under constant pressure with potentially negative repercussions.
The fact they would potentially have to justify any period that their scanner was inactive, such as a short break, was deemed to be highly intrusive and disproportionate with regard to the fundamental rights and interests of the workers, in particular their right to protection of their private and personal life, as well as their right to working conditions with respect to their health and safety.
[00:03:59] Moira Campbell: Interesting. This continuous level of monitoring could have employment law implications too. As indicated in the CNIL decision, the impact on staff should always be considered. For example, such close and precise monitoring could lead to immense pressure on staff, resulting in employee sickness absence and health and safety issues, such as complaints relating to workplace stress or failure of the employer's duty to provide a safe working environment.
Also, disproportionate employee monitoring practices could lead to distrust in the workplace and employee complaints or claims. For example, in England and Wales, the term mutual trust and confidence is implied into all employment contracts. An employee could seek to claim that workplace surveillance, which puts them under constant pressure, constitutes a fundamental repudiatory breach by the employer of the implied duty of mutual trust and confidence.
So the employee could resign and claim constructive unfair dismissal. Now back to the AFL decision. Eilish, are there any other GDPR breaches we should talk through?
[00:05:15] Eilish Beeby: Absolutely. So essentially AFL argued that it needed such extensive and constant data collection in order to assist with stock management and real time ordering and to prepare work schedules and identify the training needs in workers. The productivity data was retained and used to prepare statistical indicators for 31 days.
However, the CNIL was not persuaded that AFL needed every detail of each worker's quality and productivity statistics over the previous month in order to do this. Helpfully though, the CNIL weighed in on what would be acceptable from a data minimization perspective. It indicated that these objectives could be met by aggregating data on perhaps a weekly basis instead.
Moving on to the transparency findings, AFL used extensive video surveillance systems throughout its warehouses, and its temporary workers and external visitors were not properly informed of this fact when they attended the site. As a result, individuals were not provided with certain information they were entitled to receive under the GDPR, including the data retention period of the video footage, the contact details of AFL's data protection officer and the right to file a complaint to a regulator regarding AFL's data processing.
The video surveillance system used in AFL's warehousing was deemed to provide inadequate security. The password used to access the software consisted of two sets of characters, just lowercase and numbers. That was insufficiently robust according to the CNIL, which recommends that passwords are at least 12 characters long with four sets of characters that include lowercase, uppercase, numbers, and special characters.
Also, the software account was shared between several users, meaning it would be difficult to identify which user had accessed or taken action on the system. So overall, not particularly good security practices.
[00:07:09] Moira Campbell: Some quite significant breaches of the GDPR then, resulting in AFL being fined 32 million euros, which is just over 34 million US dollars. Eilish, could you outline some of the relevant factors for determining the level of the fine?
[00:07:28] Eilish Beeby: Sure, so just as a reminder, under the GDPR, regulators can issue fines of up to 4 percent of global annual turnover. Here, the fine was equivalent to almost 3 percent of the 2021 gross annual turnover, but interestingly, this was of AFL rather than the worldwide turnover of the Amazon Group. This is because the CNIL found that the processing took place within the economic unit of AFL.
When determining the level of the public fine, the CNIL considered the criteria that are set out in the GDPR and justified the fine based on a number of different factors. So, this includes, first, the very close, detailed, precise, and constant nature of the monitoring that put the workers under a disproportionate, permanent pressure that infringed their rights and freedoms to a disproportionate extent in relation to the company's economic and commercial objectives.
Second, the lack of information about data monitoring that was provided to temporary workers who are often in a precarious professional position anyway. Third, the large scale and wide scope of the monitoring. It resulted in excessive numbers of people being monitored.
So, for example, at the time of the investigation, AFL had approximately 6,200 employees on permanent contracts and over 21,000 temporary workers. Fourth is the security breaches regarding access to the video surveillance software and the insufficient robustness of the password for access to the account, which was deemed to show negligence in the implementation of some of the basic principles of the GDPR.
And lastly, the constraints that were put on workers directly contributing to AFL's economic success and giving it a competitive advantage over other companies in the online sales sector. However, AFL mitigated its position to some extent, by showing partial compliance following the initial inspections, by providing information to temporary workers and implementing certain security measures.
[00:09:33] Moira Campbell: AFL has taken some measures to address the concerns raised. AFL has also disabled the Stow Machine Gun indicator and extended the time limit for triggering the inactivity monitor from 10 to 30 minutes in response to the CNIL sanction.
However, Amazon has publicly disagreed with the findings and reserved the right to appeal. The CNIL also announced back in November 2023 that it had imposed 10 new sanctions under its new simplified sanction procedure. These were all addressing recurring concerns related to video surveillance of employees and data minimization.
So this decision can be seen as a continuation of a trend of French enforcement actions. So watch this space. Before we wrap up today's podcast, Eilish, could you talk us through some of the main takeaways from this decision from a privacy perspective?
[00:10:32] Eilish Beeby: Thanks Moira. So first I'd say conduct a data protection impact assessment. A DPIA should be carried out prior to implementing an employee monitoring system to weigh up the employer's interest against the risk to workers. This will help to assess how proportionate and necessary the form of monitoring is and to minimize the potential risk.
The AFL decision here shows the importance of proportionality and avoiding being excessive or intrusive, but instead only monitoring at a level which would meet the reasonable expectation of workers. Another point is around the lawful processing in this case. You must establish a lawful ground for processing personal data before implementing employee monitoring systems.
Think carefully about whether you could rely sufficiently on the legitimate interest ground and conduct a legitimate interest assessment to demonstrate that the processing is necessary to achieve the legitimate interests of the business, balanced against the rights and freedoms of employees. Here, the CNIL didn't challenge AFL's legitimate interest of using monitoring tools or monitoring employee activities with some degree of precision, but rather it considered that the extent of the monitoring by each of the monitoring tools for each employee to provide real time reports that are then kept for 31 days, that would disproportionately affect the rights and freedoms of interests of workers.
So the message here isn't don't use monitoring tools, but rather engage with the assessments when considering the use of legitimate interest as a lawful basis and consider a true balance between the interest of the business and of employees. If the balance is truly against the employees, then you may not have an adequate lawful basis for data processing and such processing could be deemed unlawful.
[00:12:19] Moira Campbell: What about transparency?
[00:12:21] Eilish Beeby: Well, transparency is key, so when using monitoring and surveillance systems, be sure to inform individuals and provide the key information that's required under the GDPR. The CNIL noted that it's not sufficient that notices are simply made available, such as on the company intranet. So consider how privacy notices can be proactively provided to individuals.
So, workers could be provided a copy by email or invited to read the notice on the company intranet. Also, be mindful of the principle of data minimization. The CNIL's view is that storing and accessing all data used for 31 days is excessive by AFL, and its objective of managing stock and identifying training needs could be achieved by consulting the real time data and statistics.
So think about your data collection practices and whether the same objective could be achieved in a manner that's less intrusive for individuals and employees. Ensuring the security of personal data is a must. Ensure that personal data is adequately protected by using sufficiently robust passwords.
And don't share passwords and account access. This will be taken into account by regulators when it comes to enforcement and issuing fines.
So are there any other employment law learning points, Moira?
[00:13:35] Moira Campbell: Yes, employers must also be cautious when utilizing employee monitoring data for employee appraisals and performance management. Decisions relating to career development, demotion or dismissal, for example, should not be based on data from employee monitoring alone.
If appraisals are based on disproportionate recording of data relating to the productivity and quality of the employee's work, the employer runs the risk of being challenged by the employee and complaints or grievances might be raised. However, the key learning points from this decision are quite simple, really.
Firstly, the more invasive the measures towards individuals, the stronger the legitimate business interest must be to outweigh the impact. Employers must consider, is it necessary to undertake the proposed monitoring, or would something less intrusive be sufficient? And, is the extent of that monitoring reasonable and proportionate when balanced against the impact on employees?
Without these considerations, any permanent and continuous monitoring of employees could be subject to challenge and could result in a substantial fine.
[00:15:02] Eilish Beeby: Thank you for joining us on this latest episode of Fieldfisher's Bytesize Legal podcast, your source for concise legal updates on the key legal developments in technology and data protection law. If you have any questions about today's update, don't hesitate to reach out to us. And if you found it useful, do make sure to give us a like or review on your podcatcher of choice.
Thanks for taking the time to listen and we'll see you again next time.