Take care with your employee monitoring


Every scan you take, every move you make, every time you have a break - Amazon will be watching you!

Amazon France Logistique (AFL), a subsidiary of Amazon EU SARL, was recently fined a huge €32 million (£27 million) by the French Data Protection Authority, Commission Nationale de l’Informatique et des Libertés (CNIL), for breaches of Articles 5(1)(c), 6, 12, 13 and 32 of the General Data Protection Regulation (EU GDPR). The case highlights the importance of ensuring that your business is GDPR compliant and some of the pitfalls associated with monitoring employees.


Background

AFL manages Amazon’s large warehouses in France, where it receives and stores items and then prepares parcels for delivery to customers. An integral part of its operations requires employees working at the warehouses to be equipped with a scanner to document the real-time performance of certain tasks, including item storage or retrieval, shelving, and packaging.

The data collected from the scanners is stored for 31 days and utilised to calculate indicators providing information on the quality of work, productivity levels, and periods of inactivity of each employee. AFL’s technology could monitor its employees down to the second, flagging errors if tasks were completed in under 1.25 seconds.

Following press articles in November 2019 about AFL’s practices in its warehouses, and several complaints raised by its employees, CNIL carried out investigations which focused on the monitoring of employees’ activity and video surveillance systems.

Upon conclusion of those investigations in July 2023, CNIL held that AFL had committed several breaches of the EU GDPR. The breaches related to the implementation of an overly invasive system which monitored employee activity and performance, as well as conducting video surveillance without providing adequate information or ensuring sufficient security measures. CNIL found the surveillance system to be “excessively intrusive”.


As a result, in December 2023 the CNIL restricted committee – the body responsible for issuing sanctions – imposed a fine of €32 million (£27 million), equivalent to 3% of Amazon’s turnover in France, for:

1. Failure to comply with Article 5(1)(c) of the EU GDPR (data minimisation) – in the retention of the data from each employee’s scanner for a period of 31 days, instead of retaining only aggregated data which CNIL’s restricted committee argued would achieve the same result. In addition, the restricted committee concluded that monitoring the employee’s actual work, evaluating their performance, or providing training did not justify any time of inactivity of more than ten minutes.

2. Failure to comply with Article 6 of the EU GDPR (lawfulness of processing) – CNIL’s restricted committee concluded that the three indicators (“Stow machine Gun”, “idle time” and “latency under ten minutes”) processed by AFL could not be based upon legitimate interest, as the monitoring activities of employees were excessive. This is because AFL already had access to other real-time indicators, both individual and aggregated, that allowed AFL to achieve its objective of quality and safety in its warehouses.

3. Failure to comply with Articles 12 and 13 of the EU GDPR (information to individuals and transparency) – by not providing employees or visitors with the information mandated by the EU GDPR about the video surveillance systems, as some of the information required was not provided either on the notice boards or by other means. Until April 2020, AFL also failed to provide access to its privacy policy for temporary workers before their personal data was collected.

4. Failure to comply with Article 32 of the EU GDPR (data security) – as access to the video surveillance software lacked adequate security measures, since the access password was not strong enough, and the access account was shared among multiple users.


What does this mean for UK employers?

Whilst this decision is not binding on the UK, it does raise several interesting issues for UK employers, including:

· The relevant parts of the EU GDPR and UK GDPR are substantially similar. Under both the EU GDPR and UK GDPR, employers can only rely on the lawful basis of legitimate interests, provided that it does not cause a disproportionate attack on the rights, freedoms and interests of employees. AFL’s system kept its employees under close surveillance for all tasks carried out using the scanners and therefore put them under excessive pressure.

· Personal data must be retained no longer than necessary. It must be kept secure and data subjects should be informed of how their personal data is processed. UK employers will also need to carefully weigh such interest against the extent of the intrusion into their employees’ privacy.

· A balancing act is required of UK employers seeking to carry out monitoring under the case law of the ECHR.

· The ICO produced guidance on workplace monitoring in October 2023, which specifically refers to the need for a balancing act and echoes the same obligations as are considered in CNIL’s decision. It is clear that the monitoring of employees, including the use of technologies, is an area of interest for the UK regulator.


Employers should not automatically assume that a legitimate business interest will outweigh the impact of monitoring activities, as perceived from the employee’s perspective.


Bring privacy policies to the attention of your staff

In the UK, the ICO is currently consulting on draft guidance, which includes steps UK employers will need to take to bring privacy policies to the attention of their staff.

Employers in the UK may wish to avoid relying solely on intranet sites or any other single means of communication to inform their staff and, on a precautionary basis, should consider advertising their privacy policies on a regular basis across multiple platforms as well as implementing awareness training.

There are several key questions for UK employers to consider, should they wish to implement a system or policy to monitor their employees, including:

1. Is it absolutely necessary to undertake the proposed monitoring or is there something sufficiently less intrusive? and

2. Is the extent of the proposed monitoring reasonable and proportionate?


Employers also have an implied legal duty to maintain their employees’ trust and confidence, and will need to be mindful of how their employees might react to the mass roll-out of monitoring software. Employers should ensure they have clear guidance for their managers and safeguards in place to prevent any misuse or excessive monitoring.


For more information or assistance about monitoring employees and GDPR please contact [email protected]
