A warning for employers: regulators getting tough over excessive employee monitoring

Amazon France Loqistique (AFL) has recently been fined €32 million by the French data protection regulatory authority for using ‘excessively intrusive’ systems to monitor their employees, as well as using video surveillance without providing adequate information or having sufficient security measures in place.

AFL manages the Amazon Group’s warehouses in France, where it receives, stores, then prepares items for delivery to consumers. Each warehouse employee has a scanner which tracks the real-time performance of certain tasks. The data obtained through the scanner is then stored and provides insights into the employee’s productivity, quality and inactivity levels.

As a result of media reports and employee complaints, the French regulator conducted an investigation into AFL’s surveillance and monitoring systems. AFL was found to have committed a number of breaches of EU GDPR, in particular:

• Article 5.1c: failure to comply with the principle of data minimisation by keeping scanner data for 31 days and using the detailed data to create work schedules, assess employees and identify training needs, when such detailed data was not required.
• Article 6: failing to ensure lawful processing by using illegal indicators – for example, using an ‘idle time’ indicator which signals periods when the scanner has not been used for 10 minutes or more and using an indicator which signals an error when an employee scans an item “too quickly”.
• Article 12 & 13: not providing access to the privacy policy for temporary workers, and not providing sufficient information to employees and visitors regarding video surveillance.
• Article 32: failing to ensure the security of personal data by not having strong enough passwords to access security footage, and also that access being shared with multiple users.

The regulator ruled it was “illegal to set up a system measuring work interruptions with such accuracy, potentially requiring employees to justify every break or interruption”. AFL disagreed with the findings, stating they were factually incorrect and reserved its right to appeal.

The monitoring of employees is a matter which is likely to attract the interest of regulators globally. In the UK, the Information Commissioner’s Office (ICO) has released guidance which contains practical advice regarding the monitoring of employees lawfully, in accordance with UK GDPR and the Data Protection Act 2018. Employers would be well-advised to review the guidance to ensure they are complying, as any failure comes with reputational and financial risk.

The rapid evolution of technology enables employers to gather a far greater volume and nature of employee data than ever before, whether through scanners similar to those used by AFL, CCTV, keystroke and email monitoring, location monitoring devices and even technology which reports on how frequently a worker appears to be “absent” on Teams.

Many monitoring technologies also capture (whether directly or incidentally) special category data i.e. data which relates to matters such as racial origin, religious beliefs, health or sexual orientation and biometric data. These technologies present even greater risks to individuals and employers must take even greater care to ensure that the additional conditions for lawful processing of special category data are met before making a decision to implement a new system. Technologies which use workers’ biometric data (such as facial, fingerprint and voice recognition technology) are of particular concern as this data is unique to an individual and misuse of biometric data can result in significant risks – you can’t reset an individual’s face or fingerprint as you can re-set a password (see our article about biometric data). The ICO has now also produced guidance in the use of biometric technology for time and attendance control and monitoring.

In terms of enforcement action in the UK, the ICO’s order against Serco Leisure to stop using facial recognition and fingerprint scanning technology to monitor attendance or risk a fine of up to £17.5 million is a clear example of the challenges presented by use of biometric technology. Serco’s position was that technology was introduced to make clocking-in and out easier for its workers, but they were using it to monitor attendance and to determine workers’ pay. The technology turned workers’ photos into a biometric map based on their facial features and Serco held this information alongside names and ID numbers. The ICO ordered Serco to stop processing biometric data on the basis that the workers had not been offered a clear alternative or means of opting out. Due to the power imbalance between Serco and its workers, the ICO thought it was unlikely that workers would feel able to oppose the requirement. The ICO said that a less intrusive means could have been used to verify attendance, such as ID cards or key fobs and ultimately Serco failed to show why it was necessary or proportionate to collect biometric data.

As well as the data protection considerations, employers need to be mindful that excessive or disproportionate monitoring of employees, and/or a lack of transparency about surveillance, could not also only be a breach of privacy, but may undermine the mutual duty of trust and confidence between an employer and employee. Such practices are likely to lead to significant employee engagement issues, which could impact employee well-being as well as affect retention and recruitment. Indeed, in the AFL case, the French regulator considered the pressure put on employees as a result of monitoring, as well as the impact on their wellbeing/morale, when reaching its conclusions. In serious cases, it could lead to a fundamental breach of contract resulting in an employee resigning and claiming constructive unfair dismissal. There are also risks from a discrimination perspective if employees feel they have been unfairly targeted by the surveillance, or if the monitoring (or the data obtained as a result of the monitoring) has a disproportionate impact on employees with a protected characteristic.

Overall, AFL’s hefty fine and the ICO’s action against Serco are timely reminders that employers must ensure any current monitoring/surveillance practices are legally compliant. As well as financial sanctions, employers who are not acting lawfully could face employment tribunal and other court claims, industrial action, and reputational damage.

To discuss any of the issues raised in this article, please contact Robert Forsyth (Employment) or Anne Todd (Commercial, Technology and Data Protection).