Uber, right to access and data portability Summary In 2018, a group of Uber drivers from the United Kingdom Right to data portability submitted requests to access their data to Uber. The drivers required Uber to provide the personal data The drivers were affiliated with the App Drivers & specifically in a CVS file. Couriers Union (ADCU), a trade union representing In summary, the Court had to decide on the following: the interests of private hire drivers and couriers in the • If different types of information were personal data. UK. ADCU was affiliated with the International Alliance If so, whether Uber had to grant access to this of App Transport Workers (IAATW), which sought to information establish a database to ensure the trustworthiness of data for gig workers. • Whether Uber had properly complied with the However, Uber denied to provide the full information requests for data portability about the drivers, which led them to sue Uber in the • If the processing of personal data about the drivers District Court of Amsterdam, where Uber had its carried out by Uber constituted an automated headquarters. decision within the meaning of GDPR, Article 22 Uber argued, in its defense, that the drivers were The decision of the Court of Amsterdam abusing the law within the Dutch Civil Code by Request for access (GDPR, Article 15) requesting access to the data. Uber claimed that the applicant would misuse the right to access to establish The Court of Amsterdam ordered Uber to provide a database containing data from drivers, and that the access to the drivers in accordance with the findings in database would serve as unlawful means of retaliation the case. The specific data were evaluated as follows: in the case against Uber. • Driver’s profile: Uber’s internal referrals and reports Request for access to customer service employees did not qualify as ”profiles” under GDPR, Article 4(4) and did not Overall, the drivers wanted to know how Uber used contain verifiable personal data, thus not subject to their personal data and how the company’s algorithms GDPR access requests. made decisions about their work. This included an • Tags: The Court defined a tag as a description used assessment of eight different types of data. by Uber to assess driver behavior that cannot be Automated decision verified by the data subject and, therefore, is not Based on their request for access, the drivers wanted subject to access requests. to establish that they were subjected to automated • Passenger feedback reports: The Court deemed decisions within the meaning of GDPR, Article 22, so that these as personal data but required anonymization they would be entitled to receive information about how to protect the rights of others under GDPR, Article the automated decision was made. 15(4), and Uber did not have to provide further Uber used automated data processing to allocate access to the passengers’ details based on the available rides through the “batch matching contractual relationship. system”. The system grouped the nearest drivers and • Start and end location of a trip: The Court found passengers in a batch and determined the optimal Uber’s overviews of journey times and locations match within that group between a driver and a sufficient for access requests, preventing potential passenger. privacy rights infringements. Published: 18-01-2022, Journal number: 200.297.497_01 Tags: 03 Right to erasure and rectificatio Published: 11-03-2021, Journal number: C/13/687315 / HARK 20-207 Tags: 02 Request for access and obligation to provide information 37