08/04/2024
Briefing

In the case of Amazon’s monitoring practices, scanners were put in place for its warehouse workers to document how long it took them to carry out certain tasks, and to quality check articles within a certain minimum time frame. This information was stored and used to calculate indicators providing information on the quality, productivity, and periods of inactivity of each employee, and was further utilised as part of employee coaching and performance reviews[1].

The CNIL found that Amazon’s practices failed to comply with the data minimisation principle pursuant to Article 5(1)(c) of the GDPR, and failed to ensure lawful processing under Article 6 of the GDPR.

Regarding the type of personal data processed, three indicators processed by the company were found to be non-compliant:

  • the “Stow Machine Gun” indicator, which provided an error message when an employee scanned an item “too quickly” (i.e. in less than 1.25 seconds after scanning a previous item);
  • the “idle time” indicator, which signalled periods of scanner downtime of ten minutes or more;
  • the “latency under ten minutes” indicator, which signalled periods of scanner interruption between one and ten minutes.

The CNIL found that the processing of all three indicators could not be based on legitimate interest, as it led to excessive monitoring of the employee, when balanced against the commercial objectives pursued by Amazon.

The CNIL noted that Amazon already had access to numerous indicators in real time, both individual and aggregated, to achieve its objective of quality and safety in its warehouses, and that, as implemented, the processing required employees to justify every break or interruption to their work. Accordingly, the processing was found to be excessively intrusive. The decision also found that the company had failed to properly inform employees, in advance of their data being collected, that their personal data would be processed by the scanners, in breach of its obligation to provide information and transparency pursuant to Articles 12 and 13 of the GDPR, and that it had failed to comply with the obligation to ensure the security of the personal data captured, pursuant to Article 32 of the GDPR.

DPC guidance

The DPC has noted in previous guidance on data protection in the workplace that employers have a legitimate interest in protecting their business, reputation, resources and equipment. The DPC cautioned within this guidance that any limitation of employees’ right to privacy in the workplace, particularly with regard to monitoring software, should be proportionate to the likely impact on the employer’s legitimate interests. The DPC further notes that in the ordinary course of business, employers should consider implementing other less intrusive means of monitoring employees.

Lawful Basis

Employers must have a lawful basis to process personal data under Article 6 of the GDPR (such as consent, contractual necessity, legal obligation, vital interests, legitimate interests).  In addition to identifying an appropriate Article 6 ground, and to the extent an employer is processing health data (for example information regarding reasonable adjustments requests, ergonomic assessment information, or details of medical leave), the employer will also need to ensure it complies with one of the exceptions in Article 9 GDPR.

As noted by the CNIL, employers also need to tell their employees in an appropriate privacy notice of the legal basis relied upon to collect personal data, and the purposes for which they are collected.

Practical Guidance for Employers

Consider the use of AI carefully, conduct a data protection impact assessment and a legitimate interests assessment.

With regard to the legal basis for monitoring, the DPC notes that while legitimate interests is the most flexible legal basis to rely on, employers should exercise caution before doing so. In relying on legitimate interests, employers should undertake a full legitimate interests test noting: (i) the existence of a legitimate interest justifying the processing; (ii) the processing of the personal data which are necessary for the realisation of the legitimate interest; and (iii) that the interest prevails over the rights and interests of the data subject. Examples of legitimate interests cited by the DPC include fraud prevention, commercial interests, or broader benefits to wider society. If a controller is unsure of the outcome of the balancing test, it may be safer to consider another lawful basis for processing, especially where processing is unexpected, or poses a high level of risk. If the processing activities involved in the monitoring are high risk (e.g., monitoring of turnstile data, the use of a large-scale CCTV programme, or tracking of employee vehicles[2][3]), a data protection impact assessment will also be required. In addition, if employers are using AI to undertake monitoring activities, consideration will need to be given to compliance with the obligations of the forthcoming AI Act[4]. In particular, where the employer’s activities involve a “high-risk” AI system, at a minimum employers will need to consider how transparency is provided to employees, embedding human review in the process and ensuring risk management is incorporated into the AI system’s lifecycle.

Conclusion

The CNIL decision demonstrates the readiness of data protection authorities to impose fines for the unlawful monitoring of employees in the workplace, where monitoring has a disproportionate impact on worker privacy. It reinforces the need for employers to demonstrate compliance with their existing data protection obligations when processing employee data, and, critically, for employers to undertake appropriate risk assessments in advance of commencing any employee monitoring measures. Employers may find it challenging to justify any measures which have a high impact where less intrusive measures are available.

The CNIL’s decision is currently under appeal, so employers should watch this space for further guidance.


[2] See the DPC’s guidance on Employer Vehicle Tracking – Employer Vehicle Tracking_May2020.pdf

[3] See the DPC’s guidance on the use of CCTV in the workplace – CCTV Guidance Data Controllers_October19_For Publication_0.pdf

[4] The AI Act was approved by the European Parliament on 13 March 2024 and is expected to be finally adopted in the coming months, pending a lawyer-linguist check through the corrigendum procedure.