Jan 25

DP News – Week 4. The French DPA has fined Amazon for improper employee surveillance and has also published fact sheets on data encryption and security in cloud computing. A draft consolidated text of the EU AI Act has leaked online. The EDPB has published the one-stop-shop case digest on security of processing and data breach notification.

The French supervisory authority (CNIL) has imposed a fine of 32 million euros on Amazon for having set up an excessively intrusive system for monitoring the activity and performance of employees. The company was also sanctioned for video surveillance that was carried out without providing information and was insufficiently secured.

The CNIL considered that the system for monitoring employee activity and performance was excessive, in particular for the following reasons:

  • Indicators measuring the inactivity time of employee scanners were put in place. The CNIL ruled that implementing a system that measures interruptions of activity so precisely, potentially leading the employee to justify each break or interruption, was illegal.
  • The CNIL judged that the system for measuring the speed of use of the scanner when storing items was excessive. Based on the principle that articles scanned very quickly increased the risk of error, an indicator measured whether an object had been scanned less than 1.25 seconds after the previous one.
  • More generally, the CNIL considered it excessive to keep all the data collected by the system, as well as the resulting statistical indicators, for all employees and temporary workers, for 31 days.


***

The CNIL has also published two fact sheets to inform organizations that use cloud computing services about the use of encryption and about security and performance tools.

The CNIL offers a detailed analysis of the different types of encryption applied to a cloud computing service:

  • Encryption at rest, which is most often put forward. The sheet sets out in detail the different possible encryption methods, depending on the architecture chosen, which can make the customer more or less dependent on the cloud computing service provider.
  • Encryption in transit, to secure communication channels.
  • Encryption in processing, which raises particularly complex issues when it comes to preserving the confidentiality of data, particularly with regard to the service provider.
  • Finally, end-to-end encryption, which constitutes a particularly protective method of data encryption, but which is only applicable in a limited number of situations.


***

As IAPP reports, “Two unofficial versions of consolidated text on the proposed EU Artificial Intelligence Act leaked online Monday, indicating progress on the major legislation continues in earnest. Journalist Luca Bertuzzi posted, that given “the massive public attention to the (AI Act), I’ve taken the rather unprecedented decision to publish the final text.” Shortly after Bertuzzi’s post, European Parliament Senior Advisor Laura Caroli shared a consolidated 258-page document online”.


***

The European Data Protection Board (EDPB) has published the one-stop-shop case digest on security of processing and data breach notification. 

According to the official press release, “The case digest offers valuable insights on how DPAs have interpreted and applied GDPR provisions in diverse scenarios, such as hacking, ransomware, or accidental data disclosure. Case handlers working within DPAs now have a rich pool of analyses of security incidents, along with the corresponding security measures found to be appropriate or not in the specific context. The summary and analysis of these decisions are useful for organisations (both controllers and processors) when assessing whether their security measures are appropriate, both before and following a data breach”.

