Employee monitoring costs Amazon €32m
Employers have increasingly sophisticated tools to help them monitor their workers. Amazon’s substantial recent fine from French data protection regulators shows that they don’t always get it right. Amazon says that it’s just trying to “support the work of our employees and help us meet customer demand”. Where should businesses draw the line when it comes to efficiency?
Amazon France Logistics manages a number of major warehouses in France. The national data protection authority, the CNIL, started an investigation after negative press coverage and complaints. It stemmed from concern about equipping workers with scanners which document in real time how employees carry out tasks such as packing. The data from scanners was used to calculate an individual’s quality of work, productivity and periods of inactivity. This information fed into training, but also into performance management.
What has this got to do with data protection? The central issue is that scanner information is “associated with the identity of the employee” and is therefore personal data. Use of the data comes under the meticulous rules in the GDPR about who is allowed to process personal data, and why. Very similar rules apply in the UK.
Under the gun
The scanners built up an incredibly detailed picture about employee behaviour. A “stow machine gun” indicator signalled when an employee scanned an item outside the optimum 1.25 second threshold, the “idle time” indicator showed interruptions of more than 10 minutes, and a further indicator picked up downtime less than this.
The CNIL found that this type of scanner system could be legal, but not where business interruptions were monitored so accurately by Amazon France that workers had to justify any work break at all. This degree of accuracy was held to be unlawfully excessive both under French national laws and the GDPR legitimate interests test, which is the “balancing act” used to assess whether or not the interests of the controller outweigh those of the individual in deciding how personal data can be used.
Keeping data and resulting statistical indicators for 31 days was also found to be excessive, “disproportionate” and outside GDPR data minimisation requirements. The CNIL’s position was that granular data could be used for coaching in real time but not for performance management, where it should be aggregated.
The big picture
The CNIL agreed that high-performance business objectives would be assisted by this scanner system, but processing, retaining and analysing all the associated data in the interests of productivity was disproportionate overall. So the CNIL found that the scanning systems monitored employee productivity excessively, in violation of GDPR Art. 5(1)(c) (data minimisation) and Art. 6 (lawful basis).
While they were at it, the regulators also penalised Amazon France for providing privacy information to temporary workers only via the company intranet, and for poor CCTV practices and software inadequacies.
Amazon’s response
In response to the investigation, the CNIL has reported that Amazon France reduced the relevant retention period to 7 days and increased the break monitoring threshold from 10 to 30 minutes. It also stopped using data “in real time”. At the same time, Amazon France has issued a statement stating they “strongly disagree” with the CNIL’s findings and that use of such warehouse management systems “is a common industry practice.” The company has also reserved its right to appeal.
Other decisions
This is the first major fine for use of this type of scanning system, though regulators already issue regular fines for making employees feel over-scrutinised. In particular, excessive or poorly communicated CCTV use, not giving employees proper choice about biometric security systems such as fingerprinting, and monitoring productivity using location data have already attracted substantial fines in France, Spain, Italy and Germany.
Arguably this decision is a development of existing regulator concern about other forms of excessive monitoring. During the pandemic, for example, they challenged over-intrusive monitoring of students during exams, and many regulators keep a watchful eye over monitoring of homeworkers. These situations show that extreme care must be taken when controllers use potentially uncomfortable monitoring in circumstances where genuine consent cannot be given because of a fundamental power imbalance.
The UK regulator, the ICO, has issued comprehensive guidance on monitoring workers which is a useful starting point when designing systems. At European level, the EDPB “design and default” guidelines state that “specific legal safeguards” are required when controllers “cross the threshold” into employee monitoring.
Key takeaways for controllers engaging in employee monitoring
- Check your monitoring serves a genuine business purpose.
- Clearly document the applicable lawful basis.
- Cross-check against each of the Art. 5 GDPR principles to assess privacy rights.
- You may be able to justify real time data use for employee safety or training, but there is likely to be less justification for productivity and performance management uses.
- A Data Protection Impact Assessment (DPIA) is always best practice, and must be carried out where there may be a high risk to employee interests, such as possible financial loss.
- Biometric scanning techniques need more detailed assessment.
- Investigations will be thorough, so check that all relevant policies, procedures and privacy statements are up to scratch.
- Personal data collected through monitoring must be provided to employees if they make a Subject Access Request (SAR).
- Intrusive systems can damage employee relations, bring reputational damage and cost more than fines. It’s probably fair to say that Amazon recognises it went over the top and says “we are proud of the work done by our teams”.