PARIS — French Uber drivers are increasingly frustrated with European regulators for failing to address their privacy complaints against the U.S. ride-hailing company.
A group of about 50 drivers on Tuesday participated in a demonstration in front of the French data protection authority’s building in Paris’ upmarket seventh district to pressure the French privacy regulator into dealing with their grievances.
Drivers have accused Uber of flouting European privacy rules for the last couple of years, but their complaints have stalled because of the General Data Protection Regulation’s one-stop-shop mechanism.
“We filed complaints and the [French authority] CNIL says it’s up to the Dutch data protection authority to take care of them,” Brahim Ben Ali, secretary-general of the INV union and the protest’s organizer, shouted into a microphone as drivers booed the French regulator.
The protest was organized in November to celebrate the two-year anniversary of a massive strike, and more will be scheduled in the coming weeks. Since 2019, drivers’ concerns have moved on from strictly labor conditions to include privacy issues.
Their impatience in France highlights a broader GDPR limit: Because Uber’s headquarters are in the Netherlands, it is regulated by the Dutch data protection authority. Over the past few years, the rules have led to frustration about privacy enforcement across the bloc.
Hundreds of drivers have reached out to the CNIL since the summer of 2020 in at least four separate complaints raising concerns about Uber, for issues ranging from access to personal information to personal data-based algorithmic management.
The CNIL said it had transferred the complaints to its Dutch counterpart under the GDPR’s one-stop-shop mechanism, and the Netherlands’ regulator confirmed it had received them. Both authorities said they were working together on the case, but neither provided a timeline.
A spokesperson for Uber said the company provides data to drivers who ask for it. “Where we are unable to provide certain data, including for legal reasons, where it does not exist or its disclosure would infringe on another person’s rights under the GDPR, we will explain the reasons,” the spokesperson added.
Complaints piling up
The first complaint was filed in June 2020 by the Human Rights League on behalf of drivers, arguing workers on the platform could not access their personal data — which is mandatory under the GDPR — or could only access incomplete and unusable information.
In September 2020, the organization launched another salvo against Uber on the grounds that the company prevented drivers disconnected from the platform from accessing their personal information. Drivers also had to consent by default to the commercial transfer of their data, the NGO argued.
A third issue arose in February this year after the EU’s top court struck down the transatlantic data flow agreement known as the Privacy Shield due to privacy concerns, as the Human Rights League wanted guarantees of Uber’s compliance with the ruling. The organization referred the issue to the country’s highest administrative court, the Council of State, when the CNIL did not take urgent action (“en référé”) and sent the file to the Dutch regulator instead. The case is ongoing.
The latest development dates from summer 2021. The Human Rights League reached out a fourth time, noticing Uber drivers started being disconnected from the platform without warning or explanation in what they called an automated decision without human intervention.
Uber denies this. The company said that “Uber makes the decision to suspend or terminate a partnership with a driver in a proportionate, conscientious and thorough manner. Any such decision is made after a manual review by our team of specialists.”
France vs. Netherlands vs. Italy
While well aware of the GDPR’s enforcement rules, Uber drivers still want France’s regulator to deal with the complaints (or at least some of them) itself, feeling emboldened by recent decisions in other EU countries.
During Tuesday’s protest, drivers referred to an April decision by an Amsterdam court that required Uber to reinstate drivers disconnected from the platform by robot technology. In July, the Italian privacy regulator fined Glovo-owned Foodinho €2.6 million for its algorithmic management systems.
According to Jérôme Giusti, the Human Rights League’s lawyer, national regulators can deal with privacy issues themselves when the situation calls for it — and Uber drivers who are disconnected from the platform are out of a job, which qualifies as an “urgent” situation.
“It should justify that the CNIL takes up certain elements, which it refuses to do,” he explained.
The GDPR does allow national regulators to take matters into their own hands “in exceptional circumstances.” The CNIL did not reply to a follow-up question on whether it could deal with the complaints itself.
A recent statement by France’s regulator did not go down well with Ben Ali. In mid-November, the CNIL said it would work with its Polish and Lithuanian counterparts to assess Lithuania-based secondhand clothing online marketplace Vinted.
“Three privacy regulators are cooperating to scrutinize Vinted, and for Uber, [the CNIL] takes it to the Dutch authority: There’s a double standard,” Ben Ali said.
Vincent Manancourt contributed to this report.