Mandated by 99 drivers, the LDH has just lodged a complaint against Uber for failure to comply with some of the provisions set out in the General Regulation on the Protection of Personal Data (RGPD). The second in a few months. In order to gain a better understanding of this complex case, we spoke to Jean-Guy de Ruffray, a lawyer specialising in RGPD at Altana.
On 12 June 2020, the Human Rights League, mandated by 99 drivers, filed a collective complaint against Uber before the CNIL. The American firm was accused of not respecting the right of access granted to the drivers by the RGPD to the data it collects on them.
Now, a second supplemental complaint has just been filed, following the discovery of two other major violations of the RGPD. This time, Uber is accused of refusing access to the data of “disconnected” drivers and of failing to provide for the possibility for drivers to oppose the commercial transfer of their data.
According to Jérôme Giusti, the LDH lawyer in charge of the case, these successive failures show that Uber “only does as it pleases”. In order to better understand the situation and its consequences, we spoke with Jean-Guy de Ruffray, a lawyer specialized in personal data at the Altana law firm.
What do you think of this action against Uber?
We can see that there are more and more actions of this type against the major platforms. Uber’s a target, as Google could have been. All companies whose operations are based on data, or on the implementation of an algorithm linked to data, are in the eye of the storm.
In Uber’s case, an element is added to all this: the social context. It is clear that there is a kind of instrumentalization of the RGPD in the service of another objective.
The complaint of the League for Human Rights, mandated by the Uber drivers, is a substitute complaint that adds elements to a complaint filed in June 2020. In this case, it would seem that the objective of the Uber drivers is to better understand how the platform works and possibly challenge its principles.
Let us recall that the Court of Cassation recently, for the first time, requalified the contract of an Uber driver into an employment contract, with all that it implies in financial terms and so on. I think that this action, which aims to simplify access to driver data on behalf of the RGPD, is not unrelated to a “strategy” of requalifying Uber driver contracts as employment contracts.
What is your opinion on this instrumentalisation of the RGPD?
This instrumentalisation is not new. I’ve seen it before as a lawyer. There are, for example, more and more employee access-right requests. In a contentious context with an employee, the employee will formulate a general access request to his employer to obtain the information he holds about him.
This is facilitated by the conditions under which the RGPD provides that the right of access must be exercised. No wonder it can be used in a roundabout way.
Do you think we are moving towards a modification of the RGPD to better control these requests and prevent abuse?
The right of access should therefore be better regulated by the texts so as not to undermine the legitimate interests of data controllers. As it stands, it’s a very general right, which is very difficult to oppose, except in the case of abusive repetition of requests.
On the other hand, when it comes to a consumer who wants to know what data a company of which he is a customer holds about him, this right of access seems justified to me. And the same goes for the Uber drivers’ access request.
Remember that they are not salaried. Knowing that the volume of rides they receive is linked to the operation of the algorithm, it is understandable that they want to know what log-in information Uber has on them.
What do you think of Uber’s alleged failings in themselves?
It would appear that the main criticism is that they do not give a satisfactory response, or that they are not responding at all to access requests. From what I understand, it would not be simple for a driver to exercise his right of access, because the user path is very complex. So there is a lack of transparency.
The second thing they’re accused of is their lack of responsiveness. On this point, it seems that Uber hid behind the problem of containment, which would have delayed them. However, it is not certain that this could constitute a valid excuse, since the texts require a response within 30 days of receipt of the request.
The nature of the data provided in case of an access request is problematic. According to the text, these data must be easily understandable and usable. From what we read, however, this would not be the case at all. The data would be provided in the form of many very long Excel files that would be incomprehensible to drivers exercising their right.
Furthermore, drivers do not seem to be able to oppose the commercial transfer of their data (which is a right). Finally, there seems to be a clause in the Uber conditions saying that they are not liable in case of a data security breach. This can be understood in a relationship between two companies, but in the case of individuals, as here, it is true that it is questionable.
Under the same conditions, these facts could have been blamed on any other company. Uber is targeted, but its practices are not out of the ordinary.
Another interesting element is that it is a class action. The Human Rights League represents about 100 Uber drivers. This is a good illustration of this new procedure concerning personal data, which has not yet been used much.
The LDH reproaches Uber for “doing as it pleases”. What do you think of that? Do multinationals feel safe from the RGPD?
In 2018, Uber had already been fined 400,000 euros by the CNIL, and had also been condemned by the English and Dutch personal data protection authorities. They had been hacked, and had been accused of a data security breach.
The driver IDs were stored in clear text on the collaborative platform they use to operate. A cyber attacker had been able to remotely access a server and gain access to the data of millions of users.
It was prior to the RGPD, so the penalties were not as high. A 400,000 euro fine was already very heavy at the time. If the LDH’s complaint goes to the end, it is quite possible that Uber will be condemned to such a heavy sentence.
I do not think that these sanctions should be disregarded, as may have been the case at the time of Google’s EUR 50 million condemnation by the CNIL. These remain substantial sums of money, even for actors of this stature. Especially since the impact on their reputation is very important.
If Uber’s convicted again, it’s likely to make them react. I’m thinking that this conviction is still a means of pressure which may lead them to change their practices, if of course the criticisms made prove to be correct. I’m really not sure that the big American companies don’t care about the RGPD, but you’ll have to ask them directly.
Is it possible that the illegally collected data may be worth more to them than the cost of an RGPD fine?
Obviously, the algorithm that assigns the rides is based on driver data. Some commentators say that this operation would be questionable and Uber would do well to conceal it.
That’s what we understand about complaints, but we don’t have any evidence, so I don’t want to accuse. Of course, when there is a lack of transparency, we think there is something to hide.
I don’t think in general that the amount of the RGPD fines should be increased. Let’s not forget that this text is not just for the big actors. On the contrary, in my view, the theoretical maximum fines are already extremely high. Rather, I think that we should leave small businesses alone on small infringements and focus on the most serious cases.
Generally speaking, is the RGPD perceived as a threat only by small businesses? Is there a sense of unfairness among your clients?
Yeah, it comes up a lot in speeches. A lot of companies feel that they’re being forced into very onerous obligations when we’d be better off dealing with the big players who have a more consistent use for the data.
More generally, the feeling is a relative illegibility of the text. In many situations, it is not clear what the supervisory authority or the European legislator expects from economic actors. Many rules are unclear.
This is the case for Privacy by Design, retention periods, information about people or transparency in user paths in the digital world. There are a lot of unknowns and that’s what pisses off the customers.
They feel they have a very high risk associated with the RGPD in terms of sanctions, but they are not given the tools to comply. This is what my clients often say, and I totally agree with them.
To take a recent example, under COVID-19, many actors had to collect health data when it’s normally forbidden. The CNIL has given some recommendations, but it has forgotten many situations on which we have pulled our hair.
Similarly, the situation with the Privacy Shield is totally mind-boggling. The agreement was invalidated in July, but we still don’t know what to do. The only instruction is to conclude the European Commission’s standard contractual clauses.
However, these clauses have still not been amended to be consistent with the RGPD and still refer to the 1995 Directive. And yet this is the argument to show that the invalidation of the Privacy Shield did not create a legal vacuum.
It’s this lack of response to situations they’re facing that pisses off my clients the most. There’s a problem with the responsiveness of the regulators. We need more specific guidelines.
As lawyers, we are sometimes obliged to give advice and opinions which intuitively seem to us to be the right ones, but for which we have no solid foundation to build on. It is therefore highly unsatisfactory.
My clients feel that they are at very high risk of being punished for certain
s, even though they are not given the tools to comply with the RGPD. This is what they often say, and I totally agree with them!