Employee surveillance and cookie policies: CNIL’s enforcement actions

The French National Commission on Informatics and Liberty (CNIL) has recently undertaken significant enforcement actions against two major corporations, highlighting the importance of compliance with personal data processing regulations.

In its landmark ruling (Deliberation SAN-2023-021, December 27, 2023), the CNIL identified several violations by AMAZON FRANCE LOGISTIQUE, a subsidiary managing the extensive warehouse operations of the Amazon group in France. The company was fined 32 million euros, primarily for breaches related to employee privacy monitoring.

The CNIL recognized Amazon's need for efficiency in e-commerce order processing. However, it found the company's long-term storage of, and extensive access to, warehouse employees' scanner data to be excessive. According to the CNIL, periodic data feedback, either real-time or weekly, would be adequate. Amazon's current practice contravenes the data minimization principle outlined in Article 5.1.C of the General Data Protection Regulation (GDPR). Additionally, using such data for employee evaluation and training was deemed to overstep the minimization principle.

Furthermore, Amazon's collection of data such as scanner inactivity times or scanning speeds was seen as a violation of the lawfulness principle. Such practices could unduly pressure employees to justify their activities, making the monitoring excessively intrusive. Amazon also fell short in its duty to inform employees about its privacy policies, breaching its transparency and information obligations.

The CNIL also found lapses in Amazon's handling of its video surveillance systems. Employees and visitors were not adequately informed about these systems, nor were the systems sufficiently secured.

In a separate action (Deliberation SAN-2023-024, December 29, 2023), the CNIL imposed a 10 million euro fine on YAHOO EMEA LIMITED. An inspection in October 2020 revealed that the Yahoo.com website, despite displaying a cookie consent banner, placed approximately twenty advertising cookies on users' devices regardless of consent. This practice contravenes Article 82 of the French Data Protection Act, which requires explicit consent for such cookies.

Additionally, Yahoo was penalized for its method of dissuading users from withdrawing consent on the YahooMail service. Users attempting to withdraw consent were warned of losing access to the service and their mailboxes. The CNIL emphasized that service access linked to cookie usage must not penalize users for withholding consent.

Our IT Contracts, Data & Compliance department is equipped to assist in managing personal data effectively and compliantly within your business operations.

For further inquiries or assistance, please feel free to contact us.