Amazon shipping box showing GDPR fine for employee monitoring

€32 Million GDPR Fine to Amazon for Excessive Employee Monitoring

The system of employee monitoring Amazon uses in its warehouses has drawn a €32 million GDPR fine in France, with the national Data Protection Authority (CNIL) finding several different breaches of the regulation.

Amazon was penalized for excessive monitoring, insufficient data minimization, and failing to meet transparency and security requirements. Much of the fine centers on the hand scanners that are issued to warehouse employees, which puts sometimes severe restrictions on how quickly workers can scan items or how long the device can be idle or offline for.

Amazon employee monitoring, data collection draws big fine

CNIL found that three specific qualities of the warehouse employee monitoring system are illegal under GDPR law: an indicator that flags employees if they scan items less than 1.25 seconds after a prior scan, another that reports in if the scanner is idle for at least 10 minutes, and one that flags any interruption that lasts between one and ten minutes.

The scanner was also the source of some violations related to data processing. CNIL found that the scanners collect too much information about employee activity as relates to the work schedule and job requirements, prompting a GDPR fine for failure to properly minimize collected data. The company’s use of video for employee monitoring also fell short of GDPR requirements, both for transparency about the extent to which the workplace is monitored and failure to secure personal data.

Amazon’s warehouses have taken criticism around the world for pushing employees to work too hard and too quickly. This has led to prior actions by the US Department of Labor, OSHA, and EU antitrust officials among others. And in 2023, strikes and walkouts occurred at locations across Europe in conjunction with the annual “Black Friday” shopping event. The criticism has centered on the company’s mandatory pace for warehouse workers contributing to avoidable physical injuries and mental stress, workplace safety issues, and the use of intrusive surveillance technologies to keep workers moving.

CNIL’s decision addresses many of these common points of criticism. Indeed, the agency says  that it was in part prompted to initiate the investigation by various articles in the media about Amazon warehouse conditions. The injury factor did not appear to play a significant role in the GDPR fine decision, unsurprising given the scope of the agency’s enforcement actions. CNIL instead took Amazon to task primarily for potentially requiring employees to justify every small stoppage in work, and for keeping the data that scanners collect for over 31 days. The final decision also considered that Amazon gains a competitive advantage from the pace it demands from employees, and that thousands of workers across France are impacted.

On the video front, CNIL said that access to the system was insufficiently secure due to weak password requirements and sharing of login credentials between users. The company thus could not keep sufficient records of who was accessing the system and what actions they were taking. Additionally, the company failed to put up sufficient notification to employees and visitors that video surveillance was taking place.

Previous Amazon GDPR fines included record-setter

While companies like Google and Meta regularly absorb GDPR fines of comparable amounts without blinking, the situation is a little different for Amazon. Fresh off a settlement reached with the European Commission in 2022, the company moves forward in constant peril of a fine of up to 10% of its annual turnover if it breaches agreed-upon terms governing transparency for platform buyers and sellers and anticompetitive practices. Amazon is as dominant in e-commerce in the EU as it is in the US, bringing in revenue of about $40 to $50 billion in recent years. But this present GDPR fine for employee monitoring applies within the boundaries of France, where its revenue has been estimated at about $5.4 billion in 2022. That means the CNIL fine is not far off the 4% maximum that could be levied under the circumstances, and the door is open for other countries in the bloc to bring similar cases.

Amazon has said that it reserves the right to appeal the GDPR fine, and that the conclusions about its employee monitoring are “factually incorrect.” However, it did concede that it would remove the 1.25 second scanning delay requirement and extend the idle time reporting to 30 minutes as a result of the investigation.

In addition to the recent employee monitoring and data transparency actions, Amazon was hit with a record-setting GDPR fine in mid-2021. This was levied by the Luxembourg National Commission for Data Protection (CNPD) after an investigation initiated in 2018 found that Amazon’s consent process for targeted advertising was inadequate. That fine was €746 million, or the equivalent of about $887 million at the time. That fine remains under appeal, with Amazon appearing in court to contest the amount about a month ago. The final verdict on that case is expected sometime in the next few months.