But the recent €32 million (£27 million) fine imposed on Amazon in France emphasises the importance of lawful, proportionate and transparent employee monitoring practices. The case raises key lessons for HR leaders.
The French data protection authority, the CNIL, fined Amazon France Logistique (AFL) €32 million for "excessively intrusive" surveillance.
The CNIL's decision was prompted by media reports and worker complaints, leading to spot checks and an investigation into Amazon's staff surveillance practices in French warehouses. AFL, a subsidiary of Amazon EU SARL, manages large warehouses in France, and its surveillance methods raised concerns about data misuse and privacy violations.
Key lessons for HR:
While this is a French decision, global HR practitioners should take note, as similar principles will be applicable under UK and EU GDPR and local data protection laws. Some important lessons include:
- Comply with local law and guidance:
- Comply with local data protection legislation and review relevant guidance, such as the UK ICO guidance on workplace monitoring.
- Transparency, lawful processing, and compliance with data protection principles are crucial.
- Conduct assessments:
- Conduct a data protection impact assessment before implementing monitoring systems to assess proportionality and minimise risks.
- Establish a lawful ground for processing. When relying on 'legitimate interests,' carry out a proper assessment.
- Data minimisation:
- Limit workplace monitoring to what is strictly necessary and consider less invasive methods.
- Inform employees about monitoring, providing detailed information in workplace privacy notices.
- Retention periods:
- Implement strict retention periods, which is no longer than is necessary for the specified purpose.
- Security of data:
- Ensure robust security measures, including strong passwords, to avoid GDPR breaches.
- Employment law considerations:
- If employee monitoring is 'excessive' or disproportionate, this could lead to health and safety and constructive dismissal claims.
- Be cautious about using data from employee monitoring for employee appraisals and be aware of the risk of misuse of private information and discrimination allegations.
The CNIL identified the following EU GDPR breaches relating to the processing of AFL's employee data:
Failure to ensure lawful processing (Article 6 EU GDPR):
- AFL equipped its warehouse staff with handheld barcode scanners to monitor and record their activities continuously. AFL's use of quality indicators, such as the stowing 'machine gun' error, which signified an error when an item was scanned too quickly, was deemed disproportionate, infringing on workers' rights to privacy and health and safety.
- Monitoring of 'idle time' and 'latency under 10 minutes' was found excessive for AFL's purposes and highly intrusive, creating constant pressure on workers.
Failure to comply with data minimisation principle (Article 5 EU GDPR):
- AFL's retention of detailed performance data for 31 days was considered excessive. A selection of aggregated data would have sufficed.
- The granularity and methods of consulting collected indicators were deemed inappropriate.
Failure to comply with information and transparency obligations (Articles 12 and 13 EU GDPR):
- There was a lack of sufficient information provided to temporary workers and external visitors about the video surveillance systems.
Failure to ensure security of personal data (Article 32 EU GDPR)
- An insufficiently robust password used for video surveillance software and the sharing of the account between several users resulted in security breaches.
Relevant factors in determining the fine:
The CNIL considered the criteria set out in Article 83 of the EU GDPR when determining the €32 million fine, equivalent to almost 3% of AFL's 2021 gross annual turnover. Relevant factors included the close and detailed nature and the wide scale and scope of the monitoring, lack of transparency, the disproportionate pressure caused by the constant surveillance and security breaches.
In summary, the AFL case serves as a stark reminder for HR to navigate the intricate balance between monitoring practices and privacy rights, emphasising the need for compliance with local laws and transparent, proportionate monitoring methods.
By Moira Campbell, employment director at Fieldfisher