CNIL Imposes €32 Million Fine on Amazon France Logistique for GDPR Violations

The French data protection authority, CNIL, has fined Amazon France Logistique €32 million for serious violations of the General Data Protection Regulation (GDPR). The penalty comes after several investigations prompted by employee complaints and media reports about the company's practices in its large warehouses.

The CNIL found the system implemented by AMAZON FRANCE LOGISTIQUE for monitoring employee activity and performance to be excessive. Specifically, the regulator objected to indicators tracking scanner inactivity time and the speed at which items were scanned. The meticulous monitoring of work interruptions and scanning speed was deemed intrusive, potentially requiring employees to justify every break or rapid scanning.

The CNIL considered it disproportionate for the company to retain all data collected by the system, along with resulting statistical indicators, for a period of 31 days for all employees and temporary workers. While acknowledging the challenges faced by Amazon's business, the CNIL emphasized that the extensive data retention and detailed monitoring created continuous pressure on employees, contributing to the company's economic gains.

Key GDPR Breaches Identified by CNIL:

1. Data Minimization Principle Violation: AMAZON FRANCE LOGISTIQUE failed to comply with the GDPR's data minimization principle, especially concerning the excessive processing of detailed data related to employee quality and productivity indicators.
2. Failure to Ensure Lawful Processing: The processing of certain indicators, such as the "Stow Machine Gun" and "idle time" indicators, was considered illegal as it led to excessive monitoring of employees, exceeding the legitimate interest pursued by the company.
3. Obligation to Provide Information and Transparency: Until April 2020, temporary workers were not properly informed about data collection practices, violating the obligation to provide information and transparency under Articles 12 and 13 of the GDPR.
4. Security Flaws in Video Surveillance Processing: The CNIL identified security defects in the video surveillance system, including a weak access password and shared access accounts, compromising the security of personal data.

The €32 million fine takes into account the unprecedented scale of data processing through scanners, involving several thousand employees. The CNIL acknowledged the unique challenges faced by Amazon but stressed the need for proportionate and balanced data processing in line with GDPR principles.

The CNIL also criticized the use of employee activity and performance data for work scheduling, employee assessment, and training. The regulator emphasized that real-time data, supplemented with aggregated data on a weekly basis, would be sufficient for achieving quality and safety objectives without excessively intrusive monitoring.

Takeaways for Cybersecurity and Data Privacy Experts

‍The case highlights the importance of aligning data processing practices with GDPR principles, particularly the need to minimize data, ensure lawful processing, and prioritize transparency. Organizations handling large-scale data processing, especially in the context of employee monitoring, must carefully evaluate the proportionality of their systems to avoid legal consequences. The CNIL's decision underscores the significance of maintaining a balance between business objectives and respecting the rights and privacy of individuals.

As the regulatory landscape continues to evolve, cybersecurity and IT professionals are reminded of the critical role they play in ensuring compliance with data protection regulations. The case serves as a reminder that even in high-pressure business environments, organizations must prioritize ethical and legal considerations in their data processing practices.

The GRC Report is the first word in governance, risk, and compliance news. As your trusted source for comprehensive coverage, the GRC Report keeps you informed and equipped to navigate the evolving landscape of governance, risk, and compliance. And remember, the GRC Report isn't just a news source; it's a community of professionals who share your passion for GRC excellence. Don't miss out on our insightful articles and breaking news – join the conversation and empower your GRC journey.