French Watchdog Slams Amazon with €32m Fine for Spying on Workers
Amazon France Logistique, a subsidiary of the e-commerce giant that manages its large warehouses in France, has been fined €32m ($35m) for infringing its workers’ privacy.
Following an investigation into Amazon France Logistique’s surveillance system which was set up to monitor staff performance, France’s information regulator, considered it to be “excessively intrusive.”
The French data watchdog, the Commission Nationale de l’Informatique et des Libertés (CNIL), informed Amazon of the fine on December 27, 2023. It was subsequently made public on January 23, 2024.
Infringement of GDPR’s Data Minimization Principle
The regulator specifically pointed to some features embedded in scanning devices used by Amazon workers for performing several tasks, including storing an item, picking it up, and sending it to be packaged.
These devices record all data relating to the nature and status of Amazon products as well as employee activity and performance.
The CNIL ruled some of these features unlawful, including the following:
- Inactivity indicators are “too precise,” meaning that employees potentially have to justify every break or interruption
- The system used for measuring the speed at which the scanner is used to store items is “excessive”
- The 31-day data history policy was deemed “excessive”
The CNIL said that some of these practices were infringing the principle of data minimization introduced in Article 5.1 of the EU’s General Data Protection Regulation (GDPR) and others breached compliance with the lawfulness of data processing detailed in Article 6.
Lack of Transparency and Security in Amazon’s Surveillance System
Additionally, the CNIL judged that employees and visitors were not correctly informed of the details of the surveillance system in place in Amazon’s French warehouses, meaning the company was breaching Articles 12 and 13 of GDPR.
Finally, the CNIL also noticed that the surveillance software’s security was not up to the standards required in GDPR’s Article 32.
The CNIL’s investigation was prompted by several news reports and employee complaints.