CNIL fined Amazon France Logistique and Yahoo for GDPR Breaches

CNIL fined Amazon France Logistique!

Introduction

On December 27, 2023, the French Data Protection Authority (CNIL) fined AMAZON FRANCE LOGISTIQUE €32 million. This was due to the company’s use of excessively intrusive technology to monitor employee activities and performance. Furthermore, the corporation was penalised for using video monitoring without giving necessary information or security safeguards.

 

Allegations

As part of their responsibilities, every warehouse employee is given a scanner to document, in real time, the completion of certain tasks allocated to them. These tasks include operations such as storing or removing objects from shelves, packing or putting items away, and so on.

Every time an employee scans an item, the information is recorded and saved. This data is then utilised to produce a variety of indicators that offer information on the employee’s productivity, job quality, and times of inactivity.

 

According to the CNIL, the monitoring system was deemed excessive for several reasons. 
 
  • First, the CNIL found that implementing a system that precisely tracks work interruptions or inactivity exceeding 10 minutes (idle time) is illegal, as it requires employees to justify each break or interruption.
  • Second, the CNIL determined that the mechanism for evaluating the speed with which things were scanned was likewise excessive. “Stow machine guns” determine if an item was scanned in less than 1.25 seconds after the previous one, based on the idea that scanning objects too rapidly increases the likelihood of inaccuracy.
  • Finally, the CNIL said that it was excessive to retain all of the data acquired by the system, as well as the resultant statistical indicators for all employees and temporary workers, for 31 days.

The company had several thousand employees, and the system, which is believed to have constrained employees through computer monitoring, contributed to the company’s economic gains, giving Amazon an edge over other online sales companies. However, it also put employees under constant pressure.

 

Fine

The CNIL, the regulatory authority in charge of enforcing fines, has fined Amazon France Logistique €32 million. This fine represents around 3% of the company’s yearly sales, which were 1.1 billion euros in 2021. Amazon France Logistique also reported a net profit of 58.9 million euros.

 

GDPR Violations

  • Data Minimization Principle (Article 5.1.c): Amazon France Logistique failed to comply with the data minimization principle by allowing excessive access to quality and productivity metrics acquired by scanners. The restricted committee believes that real-time help or work reassignment does not require extensive access to a month’s worth of employee data.
  • Unlawful Processing (Article 6): The restricted committee considers three metrics handled by the corporation, including the “Stow Machine Gun,” “idle time,” and “latency under ten minutes,” unlawful. Despite accepting the necessity for accurate monitoring, the committee maintains that these indicators, which lead to excessive surveillance and possible reasons for interruptions, cannot be founded on legitimate interest.
  • Data Minimization Principle (Article 5.1.c): The restricted committee finds violations in work scheduling and employee assessment, stating that access to every detail of scanner data reported in the previous month is unnecessary. It indicates that per-employee statistics, summed weekly, are sufficient for measuring mastery, team creation, and identifying training requirements.
  • Failure to Provide Information and Transparency (Articles 12 and 13): Until April 2020, temporary workers were not fully informed about the privacy practices governing scanner data collection, which violated GDPR duties.
  • Failure to ensure security of personal data (Article 32): The restricted committee observes that employees and external visitors are not given enough information about video surveillance devices. Furthermore, the absence of security in video surveillance software, with weak passwords and shared access accounts, raises worries about data security and traceability.

CNIL fined Yahoo! €10 million

Introduction 

On December 29, 2023, the French Data Protection Authority (CNIL) fined Yahoo EMEA LIMITED €10 million for infringing Internet users’ privacy rights. The corporation did not comply with the choice of users who denied cookies on its “Yahoo.com” website. Furthermore, they did not allow users of the “Yahoo! Mail” messaging service to readily withdraw their agreement to cookies.
 

Complaints

The CNIL (French data protection body) received 27 complaints about Yahoo failing to comply with user cookie choices and the difficulty in revoking consent. The CNIL conducted online investigations of Yahoo.com and Yahoo! Mail between October 2020 and June 2021.
 
The examination found that Yahoo EMEA Limited did not comply with Article 82 of the French Data Protection Act. As a consequence, the CNIL’s restricted committee, which is in charge of imposing fines, decided that Yahoo EMEA Limited had breached its responsibilities.
 

Allegations and GDPR Violations: 

  • Cookies Deposited Without User’s Consent. As part of its investigation, the French CNIL determined that Yahoo EMEA Limited placed around twenty cookies for advertising purposes on the “Yahoo.com” website without specific consent. The cookie banner, which was supposed to seek consent, proved ineffectual in preventing unauthorised cookie insertion.
  • Incentive Not to Withdraw Consent. The committee discovered that Yahoo EMEA Limited made it difficult for users to revoke their permission to cookies on the “Yahoo! Mail” messaging service. Users who sought to do so were informed that they would lose access to the company’s other services, including its messaging service.
  • Lack of Alternative Options and Freedom to Exercise Consent. The committee has emphasised that, while it is appropriate to ask users to register cookies to access a service, such permission must be supplied voluntarily. Yahoo EMEA Limited provided no alternative choices to consumers who refused to grant their consent.

These users had just one option: give up their ability to utilise the messaging service.

The restricted committee held that consent whose withdrawal had a direct impact on consumers’ ability to use their messaging service could not be regarded as freely given.
 
  • Email Address as a Privacy Element. The committee emphasised the value of email addresses in consumers’ personal life. Email addresses facilitate communication, networking, and the preservation of critical discussions. Users find it challenging to transition to similar services since email addresses are irreplaceable.

Conclusion:

Yahoo EMEA Limited was found to have breached GDPR principles. The corporation failed to secure explicit consent for cookie deposits and did not provide consumers with an easy way to withdraw their consent without consequence. This is a big concern because email addresses are considered personal information. The CNIL has the jurisdiction to investigate and penalise corporations that set cookies on Internet users’ devices in France. The GDPR’s “one-stop shop” system does not apply to cookie-related operations, which come under the “ePrivacy” Directive, as transposed in Article 82 of the French Data Protection Act. Yahoo France is an establishment of Yahoo EMEA Limited on French territory, hence territorial jurisdiction is warranted under Article 3 since cookies are utilised in its operations.

Author

Harmanpreet Kaur, Fourth Year Law Student and Legal Intern Data Privacy and Digital Law at EU Digital Partners