In the final days of 2023, the Commission nationale de l’informatique et des libertés (CNIL) imposed a €32 million fine on Amazon France Logistique. The CNIL is the authority responsible for protecting data and overseeing compliance with France’s adaptation of the European General Data Protection Regulation (GDPR), the Loi Informatique et Libertés. Amazon France Logistique (AFL) is the subsidiary of Amazon EU SARL tasked with managing the Amazon group’s warehouses in France.
In 2019, the CNIL was prompted to investigate AFL’s practices after articles appeared in the media describing potential violations of French privacy law, and the CNIL received complaints from employees. The investigation revealed that, as part of their jobs, AFL warehouse employees use personal scanners to document the storage, packing, and removal of items in Amazon warehouses. The data collected by the scanners includes measures of work interruptions and the length of time between item scans – whether successive items were scanned within 1.25 seconds of one another or not. The data collected was preserved within the system for 31 days.
The CNIL found that the pressure placed on employees by the mandatory scanners contributed directly to the company’s profits, and gave AFL a competitive advantage over other companies in the market for online sales. The Commission concluded that AFL had breached several provisions of the GDPR:
- Article 5.1.c., which mandates the minimization of data collected. In this case, the CNIL considered that AFL could have obtained by less intrusive, less comprehensive means the information needed for management to determine whether employees required additional training or assistance. According to the CNIL, aggregated weekly data would suffice, along with real time data legitimately collected; it was not necessary to surveil every detail of employees’ quality and productivity indicators for an entire month. Additionally, the CNIL determined that AFL’s work schedule and planning needs could be met through the use of aggregated data rather than the collection and retention of every detail of the data and statistical indicators furnished by the scanners.
- Article 6, which requires that a legitimate and lawful purpose underlie the collection of personal data. Here, the CNIL found that AFL’s processing of three indicators was unlawful: latencies of under ten minutes, latencies of over ten minutes, and very quick scanning times.
- Articles 12 and 13, due to the failure of AFL to inform temporary workers of the collection of personal data using the scanners, and the failure to properly inform employees and visitors of the use of video surveillance.
- Article 32, which requires companies to take adequate measures to secure the personal data they collect. The CNIL determined that access to AFL’s video surveillance software was not secure, not personalized, and not traceable.
Under Article 83 of the GDPR and as applicable here, infringements of Articles 5, 6, 12, and 13 of the statute may result in the imposition of administrative fines not exceeding €20 million or — for businesses — 4% of total worldwide annual turnover for the preceding year. Article 83 requires that fines imposed pursuant to the statute be effective, proportional, and have an appropriate deterrent effect, and that they take into account the nature, gravity, duration, and character of the infringement, attempts at remediation, and previous infringements, among other factors. In light of these considerations, the restricted committee of the CNIL decided to impose an administrative fine of €32 million and to publish its decision on the CNIL and Légifrance sites, where, after two years, the company will no longer be identified by name.