Background:

Amazon France Logistique (“AFL“), a subsidiary of Amazon EU SARL, is accountable for managing Amazon’s massive French distribution centres (the place parcels are acquired, saved and ready for supply).

Workers in AFL warehouses had been required to make use of particular person scanners, which frequently gather information on (i) how shortly gadgets are scanned and (ii) how a lot downtime between scans. The scanners enabled AFL to report potential or precise errors by workers and to observe their productiveness in actual time. AFL saved this information for 31 days and used it to plan work schedules, repeatedly assess its workers and to establish wants for coaching. AFL additionally deployed video surveillance at sure warehouses.

In November 2019, following a number of media stories on AFL’s practices, the French Information Safety Authority (the CNIL) started an investigation, together with a sequence of website inspections. In July 2023, the CNIL held that AFL had dedicated a number of breaches of the Common Information Safety Regulation (“EU GDPR“). Particularly:

• Article 5.1c – Failure to adjust to the precept of ‘information minimisation’ within the retention of all the info from scanners for 31 days, somewhat than retaining solely aggregated information which might obtain the identical consequence;
• Article 6 – Failure to have a lawful foundation for processing of non-public information gathered by means of the monitoring actions – the CNIL thought of AFL was unable to depend on official pursuits because the monitoring actions had been disproportionate;
• Articles 12 and 13 – Failure to offer entry to the privateness coverage for non permanent staff, and a failure to offer the mandatory info to workers and guests to these warehouses the place video surveillance was deployed;
• Article 32 – Failure to make sure that private information gathered was sufficiently safe the place the video surveillance software program had insufficient passwords and account sharing was prevalent.

Because of this, in December 2023 AFL had been issued with a advantageous of €32 million.

Key Factors:

1. Relevance for UK employers: Whereas the CNIL’s determination just isn’t binding on the UK, it raises a number of fascinating points for UK and European companies alike.

Firstly, the related elements of the EU GDPR and the UK GDPR are nonetheless considerably comparable. For instance, below each laws, employers can solely depend on the lawful foundation of official curiosity, supplied that it doesn’t trigger a disproportionate assault on the rights, freedoms and pursuits of workers. Private information have to be retained now not than obligatory, have to be saved safe and information topics ought to be knowledgeable of how their private information is processed. Employers within the UK can even must rigorously weigh such curiosity towards the extent of the intrusion into their workers’ privateness.

Secondly, the identical balancing act is important on UK employers in search of to hold out monitoring below the case legislation of the European Court docket of Human Rights, which nonetheless applies throughout the UK and was unaffected by Brexit.

The ICO produced stand-alone steerage on office monitoring in October 2023 which additionally refers back to the want for a balancing act and extra usually echoes the identical obligations as are thought of within the CNIL judgment. It’s clear monitoring of workers, together with specifically using applied sciences, are an space of curiosity for the UK regulator.

2. Affect on workers: It shouldn’t be assumed {that a} official enterprise curiosity will outweigh the impression of monitoring actions, as perceived from the workers’ perspective.AFL had sought to justify the monitoring by reference to the dimensions and complexity of its operations, and the tight timeframes and buyer expectations concerned, all of which rendered exact and widespread monitoring obligatory. The CNIL didn’t problem that AFL had a official enterprise curiosity in guaranteeing the standard and security of its processes in its logistics centres, each for its buyer and its workers.

Nonetheless the CNIL discovered that AFL’s practices amounted to extreme monitoring, leading to a disproportionate impression. This was notably due to the dimensions of the measures which affected a lot of individuals. Curiously the CNIL additionally took into consideration the impression on worker morale (i.e. the stress placed on workers on account of such intensive monitoring). The CNIL finally discovered that AFL may obtain its official curiosity by means of different, much less intrusive means (not least the quite a few different real-time information which was obtainable to AFL).

It could be thought that AFL’s measures (and its enterprise pursuits) had been particular to the calls for and expectations of the logistics sector, and had been accordingly way more invasive than what could be anticipated within the typical monitoring of workplace staff. Nevertheless, applied sciences for monitoring workplace staff may also be thought of invasive by these workers on the receiving finish, corresponding to computerized screenshots at common intervals or notifications that staff are idle or away from their desks. Many such applied sciences can entice press consideration within the occasion of problem by workers.

In 2023, the ICO revealed analysis which famous that 70% of individuals surveyed thought of that “they might discover monitoring within the office intrusive and fewer than one in 5 (19%) individuals would really feel snug taking a brand new job in the event that they knew that their employer could be monitoring them.”

This, and CNIL’s concentrate on morale, emphasise the necessity for employers to rigorously think about the impression on workers, together with from the workers’ perspective. It’s value remembering that the extra invasive the measures vis-à-vis people, the stronger the official enterprise curiosity have to be to outweigh the impression. This level turns into extra related with the event of expertise to allow employers to observe workers in a extra exact and intensive method.

3. Privateness Insurance policies and Data Rights: The CNIL notably discovered that, till April 2020, AFL’s non permanent staff had not been correctly knowledgeable of the info processing measures in place. While AFL had made the relevant privateness coverage obtainable by way of its intranet, the CNIL thought of that it was insufficient as a result of the coverage was neither immediately supplied to the non permanent staff, nor had been such staff invited to learn it.

Moreover the CNIL discovered that posters within the related warehouses which knowledgeable workers and guests of using video surveillance didn’t, per the necessities of the GDPR, point out (i) the period of knowledge retention, (ii) the best to lift a grievance with the CNIL, and (iii) the contact particulars of the info safety officer. These weren’t supplied in every other media or paperwork.Within the UK the ICO is at the moment consulting on draft steerage, which incorporates steps employers ought to take to carry privateness insurance policies to the eye of staff.

Employers within the UK ought to keep away from solely counting on intranet websites or different singular technique of communication to tell workers, and, on a precautionary foundation, could want to think about a ‘belts and braces’ method involving pro-actively promoting privateness insurance policies regularly throughout a number of platforms.

Conclusion: The important thing questions for firms popping out of this determination are: 1) is it essential to undertake the proposed monitoring (or would one thing much less intrusive be ample), and a pair of) is the extent of that monitoring affordable and proportionate? The CNIL judgment can also be a cautionary story about guaranteeing all workers (together with non permanent workers) have entry to the employer’s privateness coverage and the place third events are being monitored too (e.g. guests) that they’re made conscious of the monitoring and the entire prescribed info is contained in these communications.

Key Contacts