1. Introduction: Amazon and its warehouses

Many of the products stored in Amazon’s Barcelona BCN3 warehouse can be ordered by a customer in Milan and received within 24 hours. In fact, several flights a day operated by Amazon Air depart from Barcelona-El Prat (Terminal 2B), to land in Milan Malpensa and reach the Amazon centre in Malpensa MXP6. Handling very high volumes of orders and shipments requires Amazon to have a fleet of 90 aircraft and hundreds of thousands of employees on the roads with vans; or in the warehouses to pack goods. To support such a volume of orders per day, Amazon needs warehouses with tight management and organisation. The slightest error or slowdown in the shipping chain threatens the sustainability of deliveries within hours from every corner of Europe. This organisational model results in constant surveillance of warehouse workers and micromanagement: a warehouse worker at Amazon must complete tasks in intervals of no less than 1.25 seconds and scan goods regularly – if the scanner detects unjustified short pauses, warning letters are sent off to unproductive employees.

In recent years, questions have been raised as to whether such pressing surveillance of the workforce constitutes data collection for a legitimate employer interest in organising its economic activity. On 27 December 2023, the French Data Protection Authority (Commission Nationale Informatique & Libertés, from now on: DPA) finally put on paper what had become an open secret: Amazon’s surveillance of warehouse workers is illegitimate under the General Data Protection Regulation (GDPR, EU Reg. 2016/679); the French subsidiary of Amazon (AFL) received a fine of EUR 32 million.

More specifically, the DPA found that Amazon was not applying the data minimisation principle (Article 5(1)(c) GDPR) and no legal basis was provided, since most of the data collection did not represent a legitimate interest (Article 6(1)(f) GDPR). According to France’s DPA, Amazon’s warehouse logistics can still be sustained without collecting such a large amount of personal data of each worker in the warehouses.

In this contribution I analyse the decision of the French DPA and then draw some conclusions on the impact this measure will have on Amazon in Europe and on a much-debated labour law interpretation of the GDPR.

  1. About Amazon surveillance in warehouses: the French DPA inspection

The French DPA in 2019 inspected the warehouses of Lauwin-Planque and Montélimar. These two warehouses (fulfilment centres, as named by Amazon), at the moment of the inspection, had a total of 2714 employees and over 3000 temporary workers. The DPA found that, overall, in 2019 Amazon warehouse workers in France were 6200, with 21000 temporary workers.

The moment they punch in, these warehouse workers are assigned to direct tasks or indirect tasks. Amazon defines a direct task as any activity directly associated with operational processes in the warehouse. These tasks include receiving and storing items from suppliers, picking and packaging items for customer orders. Tasks such as reception, storage, picking, and packing are considered direct processes, and they are handled through the scanners provided to all employees, which are recording certain data. These scanners – the Stow Machine Gun – identify and give instructions to each employee. They include also a barcode reader to scan the items’ labels. On the other hand, indirect tasks are the ones not entirely monitorable through the scanners. These tasks may include activities such as transporting bins to picking areas, checking for process errors, or training new employees (para. 19). By means of scanners each item is followed through preparation and distribution. Amazon declares that through the scanners as 43 quality indicators are monitored (para. 22).

The Stow Machine Gun allows warehouse supervisors to access: the latest error made; the time of each scan; the number of items scanned in the last hour; working time of the employee; and interruptions in the use of the scan (para. 28). If no data are received from the scan for more than 10 minutes time this produces an indicator of idle time – i.e. an interruption on the flow of tasks assigned with no justification. Amazon explains that idle time occurs typically in three situations: 1) Technical problem preventing the execution of a task; 2) The employee does not master the direct tasks and needs support; 3) Excessive unauthorized breaks (para. 78). Finally, the scanners record latency time of less than 10 minutes in ‘critical moments of the day’; i.e. at the start/end of the shift or breaks. This would be necessary according to Amazon, since human supervisors cannot personally check whether thousands of workers are staying at their work station (para. 24 and 80). All idle times appear on supervisors’ dashboards represented by a blue bar (para. 78).

All of this data is retained for 31 days and is available for consultation to supervisors in the form of raw data or hourly, daily, or weekly statistics (para. 29). If an excessive amount of idle time is accrued, or if the weekly performance drop is higher than 10% compared to the previous week, Amazon sends an awareness letter to discuss whether retraining is necessary (para. 30).

  1. Data collection purposes and their compliance with the GDPR

The DPA finds that, to discuss the application of the GDPR in such context, we can divide Amazon’s surveillance purposes in two fundamental sets:

  • management of orders in real time: this set of purposes concerns inventory (reception, storage) and orders (picking, packaging, shipping) management. Amazon want to identify anomalies as quickly as possible to ensure the quality and safety of the process. Then, the company aims also to advise or reassign employees accordingly (para. 34).
  • work planning and performance evaluation: in this case, no real time analysis of data occurs, since it is mainly based on past data. It concerns ex ante work planning and ex post weekly evaluation and individual training (para. 35).

Below I analyse in detail the decision of the French DPA, which identifies violations of Articles 5 and 6 GDPR by Amazon. Specifically, the Authority sanctions the company for not having correctly applied the principle of personal data minimisation and of not having a legitimate interest in processing a certain category of employees’ data. In the decision, there are also less relevant objections regarding video surveillance privacy notification and cybersecurity standards (Articles 12, 13, 32 GDPR) on which I will not focus (paras. 139-160).

Data collection for management of orders in real time: no legitimate interest (Breach of Article 6(1)(f))

Amazon claims that for its inventory and orders management, the speed of execution of tasks with the Stow Machine Gunindicator is necessary. This indicator tracks whether between any task at least 1.25 seconds occurs. Statistically, if an employee takes less time than 1.25 seconds to store an item, that will likely result in a safety risk or an inventory error. This is because a few actions are expected from the employee: scan an item, scan the location and so on. While the DPA acknowledges a legitimate interest under Article 6 (1)(f) GDPR to ensure rapid succession of tasks and prevent errors in scans, the DPA highlights how, nevertheless, such constant monitoring of the direct tasks reveal too much of the behaviour of the employee. While an employee can expect a certain degree of surveillance, (s)he cannot reasonably expect that their actions are followed to the nearest second (para. 72). It therefore disproportionately serves a legitimate interest to ensure quality and safety in the logistical centres to the detriment of the right to privacy and to fair working conditions. The DPA, finally, states that there is no legal basis Article 6 (1)(f) GDPR. Amazon, during the procedure before the DPA, announced they will stop processing the data from the Stow Machine Gun (paras. 74-75).

The DPA finds no legitimate interest also in the data collection of latency times (idle time) of more or less than 10 minutes (para. 88). Despite the logistic needs claimed by the company, the DPA reckons that the same goals could have been pursued by aggregating data. For instance, the company could check weekly on each employee (and not in real time) the accrual of idle time and take action on the basis of such weekly statistic. With the Amazon real time surveillance, the employee is pushed to justify any non-productive moment during working time; and they should not be in a position to justify short interruptions. Therefore, the DPA stresses that these are the kinds of unjustifiable negative repercussions on the data subject as outlined in the Article 29 Working Party Opinion n. 6/2014 on legitimate interest of the data controller (para. 83). Also in this case, Amazon announced it will increase up to 30 minutes latency times for both cases, yet, at the time of inspection the new measure was not enforced and the DPA deems the company accountable for a violation of Article 6(1)(f) GDPR (para. 86).

Data collection for quality and productivity assessment to reassign or train employees (Breach of Article 5(1)(c) GDPR)

Amazon with all the aforementioned data creates important datasets relating to each warehouse worker. The company claims that this way it can monitor the best performers (which items scanned, frequency, total per hour or day until 31 days) and the ones that need more training. According to this assessment, workers are assigned and retrained if necessary. Reassignments can happen in real time if the employee is not pacing well with the flow; or can happen later re-training sessions (para. 91). The DPA acknowledges that optimizing working processes through reassignment of employees in real time or through training is a legitimate interest of Amazon. However, having such a wealth of data for each employee for the last 31 days on direct tasks is disproportionate (para. 96). In fact, with the very same data Amazon can draft weekly statistics and accordingly evaluate and train each employee through aggregated data. If, by chance, real time monitoring during operation is necessary, the 31 days data retention according to the DPA is still excessive and not justifiable (para. 100). According to the French Authority the principle of data minimization under Article 5(1)(c) GDPR has not been implemented by the company (para. 101). Amazon during the proceedings announced that it will reduce the data retention period to 7 days, yet, as in the previous cases, such measure wasn’t enforced at the time of inspection, therefore a breach of Article 5 (1)(c) GDPR occurs.  

Data collection for work planning and employee evaluation (Breaches of Article 5(1)(c) and Article 6(1)(f)) GDPR)

The 31 days retained data are used also to plan work. In fact, Amazon with such data matches expertise, abilities and experience of employees on a given task. They aim to create best teams possible on specific tasks. The DPA, also in this case, finds that there is no need to keep individual refined statistics for a month. Planning work and evaluate employees efficiently can be equally achieved with weekly aggregated data about each employee (item processed, time spent on a task) that actually allows the company to see who masters which task. The DPA concludes that Article 5(1)(c) and Article 6(1)(f)) GDPR are violated because the minimization of data is not respected to reach the work planning purpose (para. 108-110, 119) and there is no legitimate interest in evaluating performance through working time monitoring (see the case of idle time) or disproportionate warning such the case of awareness letters. Employees’ evaluation can be reached with much less aggregated data (para 120-121). The DPA makes an explicit example: if an employee commits the same quality error due to a scarce training, this will clearly result from the weekly performance assessment (para. 119).

  1. Data minimisation as an organisational model: a bright future for workers (and the GDPR)?

Much ink has been spilled on the effectiveness of the GDPR to protect workers’ rights. The prevailing criticism, with which I agree, is that the data protection offered by the European regulation is excessively tilted towards individual empowerment. This clashes with employment subordination, where the economic and social dependence of the employee make the rights of data subjects (Articles 12-22 GDPR) tools akin to those actively seeking to defend themselves – even at the cost of challenging their hierarchical superiors. This decision by the French DPA instead proposes an intervention reminiscent of a Labour Inspectorate. In 2019, the DPA physically inspects warehouses and, following the procedure, fines Amazon for not meeting ‘digital hygiene’ requirements in the workplace. This is a noteworthy approach that admittedly requires considerable effort on the part of a DPA in terms of inspecting, investigating, and prosecuting. However, it overcomes the problem of individual empowerment in subordinate employment and imposes on the company a contextualised application of the GDPR informed by the dynamics of subordination.

The interpretation offered on data minimization in relation to the company’s organizational model is, in fact, relevant. The DPA delves into minute details, discussing how – even in the presence of legitimate economic and organizational interests – certain objectives (evaluation, reorganizations, and employee training) can still be achieved through data aggregation. In paragraphs 167-168, the DPA goes so far as to make general considerations about the surveillance developed by Amazon: the processing of employee data is so precise that it causes a change of scale compared to ‘classical activity monitoring methods’. Surveillance becomes a pressing and pushing statement from the company, confirmed by the fact that following awareness letters, disciplinary sanctions to employees actually occur. You may be retrained even after 1 day of underperformance (para. 168).

The second element of fundamental interest is that the DPA builds a notion of what can be considered a legitimate surveillance interest under Article 6 of the GDPR (para 58). To achieve this, the Authority refers to the French labour code (Article 1121-1), which stipulates that no restriction on individual or collective rights is justified unless required by the nature of the task and must be proportionate. It also draws upon relevant case law from the Court of Cassation (Cass. Soc., June 23, 2021, no. 19-13.856). Such reference is complemented by the definition of legitimate interest discussed inOpinion no. 6 of 2014 on legitimate interest of the data controller by the Article 29 Working Party (page 37). According to this definition, in understanding a data controller’s legitimate interest, all the interests of data subjects must be taken into account, including moral repercussions, fears, and anxieties that may arise from the loss of control exercised by the individual over their personal information. The DPA directly links these concepts to the negative consequences experienced by Amazon employees under such tight surveillance (para. 55).

In conclusion, this application and interpretation of the GDPR provides a brighter future for both the regulation itself and European workers. The French authority, in fact, has taken the trouble to analyse in detail – albeit without explicit references – the limits to the economic freedom in the European Union imposed by the data protection framework in employment contexts. It has done so by translating a definition of legitimate interest informed by labour law considerations and challenging Amazon’s current organizational model. According to the DPA, Amazon’s organizational structure has been specifically designed to collect more data than necessary, with the intent of pushing employees to expedite their operations. Throughout the procedure, as mentioned, Amazon announced several measures such the reduction of data retention to 7 days and the increasing of idle times to 30 minutes. Hopefully, this nearly immediate corrective action by Amazon is likely to have a ripple effect on other Amazon subsidiaries in Europe. We will see if and how in the near future other DPAs will promote a similar consistent approach to data minimisation and legitimate interests in workplace surveillance in European companies.

This page as PDF

Leave a Reply

Your email address will not be published. Required fields are marked *