Amazon is today a global online sales giant with a colossal market capitalization of $1,600 billion. To rise to these heights, the multinational relies in particular on cutting-edge expertise in logistics.
His concern for performance undoubtedly also explains, in part, his results. And each element of its immense machinery must participate in this obsession with performance. At the risk of crossing the boundaries of legality?
An intrusive scanner and indicators
This is the conclusion reached by the CNIL concerning the surveillance system deployed in France by Amazon Logistics, the company in charge of managing the group’s large warehouses in France.
For the implementation of a system for monitoring the activity and performance of employees deemed “excessively intrusive”, but also for “video surveillance without information and insufficiently secure”, the company is condemned by the authority to a fine of 32 million euros.
To carry out their tasks, warehouse employees are equipped with a scanner. The device allows them to document in real time the execution of certain tasks, including the storage or removal of an item, put away or packaging.
“Each scan carried out by employees results in the recording of data, which is kept and which makes it possible to calculate series of indicators providing information on the quality, productivity and periods of inactivity of each employee, individually,” notes the Cnil.
The CNIL alerted by articles and complaints
It was following press articles relating to “certain practices” and several complaints from employees that the personal data policeman carried out checks. These interventions made it possible to identify excesses.
Thus, the company, using indicators, measured the inactivity time of employee scanners. For the authority, such a “system measuring interruptions of activity so precisely and leading the employee to potentially have to justify each break or interruption” is illegal.
The system for measuring the speed of use of the scanner when putting away items was also considered excessive. Thus, “an indicator measured whether an object had been scanned within 1.25 seconds of the previous one.”
Overall, “the CNIL considered it excessive to keep all the data collected by the system as well as the resulting statistical indicators, for all employees and temporary workers, by keeping them for 31 days.”
Insufficiently secure video surveillance
The conviction does not sanction Amazon’s quest for performance nor does it call into question “the very strong constraints” weighing on its activity or its high performance objectives. On the other hand, she considers “that the retention of all this data and the resulting statistical indicators was overall disproportionate.”
For the authority, Amazon’s activity tracking methods stand out from usual practices because of the scale at which they apply. Their exhaustiveness and permanence also have the effect of “very tight and detailed monitoring of employees’ work.”
For the CNIL, several breaches of the GDPR therefore justify a sanction. These relate to the principle of data minimization and the lawfulness of processing. Amazon is also being singled out for failure to comply with the obligation of information and transparency and failures linked to video surveillance processing.
In addition to a lack of information on the use of video surveillance, the regulator considered that access to video surveillance software was insufficiently secure. The cause is an insufficiently strong password and an account shared between several users.
“This accumulation of security defects makes the traceability of access to video images, as well as the identification of each person having carried out actions on the software, more difficult,” concludes the CNIL.