GHAMS - 200.295.747/01
From GDPRhub
| GHAMS - 200.295.747/01 | |
|---|---|
 | |
| Court: | GHAMS (Netherlands) |
| Jurisdiction: | Netherlands |
| Relevant Law: | Article 15(1)(h) GDPR |
| Decided: | 04.04.2023 |
| Published: | 04.04.2023 |
| Parties: | |
| National Case Number/Name: | 200.295.747/01 |
| European Case Law Identifier: | ECLI:NL:GHAMS:2023:796 |
| Appeal from: | |
| Appeal to: | Unknown |
| Original Language(s): | Dutch |
| Original Source: | Rechtspraak.nl (in Dutch) |
| Initial Contributor: | Anton Ekker |
A Dutch Court of Appeal ordered Uber to provide drivers with access to their personal data and information about automated decision-making. The Court subjected the controller to a penalty of €4,000 per day until compliance.
English Summary
Facts
This decision is the result of an appeal (and incidental appeals) filed against a decision from the District Court of Amsterdam (available on GDPRhub). The District Court ordered Uber to provide its drivers with information regarding the their rating by passengers but rejected several other requests for information under Article 15.
The different drivers had different requests in appeal. This included information about device data, driver's profile (i.e. an internal note Uber employees use to transfer customer service requests from drivers to other Uber employees), tags (labels in the custumer service system), reports per journey (reports based on passengers' feedback), individual ratings per passenger, upfront pricing (automated system that calculates the price for a ride in advance based on various factors) and batched matching system (automated system which links drivers to passengers).
Under Article 15, they also requested information about the recipients, the processing purposes, categories of personal data and existence of automated decision-making referred to in Article 22. Some drivers also requested portability within the meaning of Article 20.
Uber argued among other things that the qualification as personal data depended on whether the information in question was or not intended for internal consultation and deliberation.
Holding
The Court assessed each request to determine if they fell into the scope of Article 15(1). Its assessment can be summarized as follows.
For the access to the driver's profile, the Court considered that it contains a representation of the driver's specific request. The driver's profile constituted personal data and therefore falls within the scope of Article 15(1).
Concerning access to the tags, the Court stated that it contained information about the relevant driver and therefore also falled within the scope of Article 15(1).
Regarding the reports per journey and the individual ratings, they are both based on feedback by passengers about the relevant driver. Uber had already provided excel documents with anonymized passenger feedback about drivers, taking into account the right of the passengers to not be traced back from their rating or comments. The Court held that the drivers did not have a sufficient interest to access to all reports without restrictions.
For the information about recipients, the Court referred to the CJEU Österreichische Post case in which the CJEU ruled that the information provided to the data subject under the right of access under Article 15(1)(c) should be as accurate as possible.
Concerning information about automated decision making, the Court firstly analysed the scope of Article 15(1)(h) and noted that the Dutch version of that article is not entirely clear. After comparing it with other language versions, it stated that the right of access contained in Article 15(1)(h) only relates to the form of automated decision making referred to in Article 22(1) to (4). This implied that under Article 15(1)(h), there is a right to information insofar as the controller subjects the data subject to a decision based solely on automated processing, including profiling, which produces legal effects or significantly affects them. In this cases, 5 categories of automated decision making were distinguished and assessed :
- The batched matching system determines the amount of work of the drivers and therefore their income and therefore produces legal effects on the drivers.
- The upfront pricing system has financial consequences and determines the income of the drivers. It therefore also produces legal effects.
- The average rating of drivers can form grounds to deactivate drivers and therefore have significant effects on them.
- Concerning the cancellation costs and deactivation of driver's account, the Court considered that the drivers failed to explain their arguments.
For the batched matching system, upfront pricing system and average rating, the Court considered that these decisions are made solely on automated processing. It considered that Uber could not rely on an exception in that regard. Uber therefore wrongly rejected the requests for information regarding these three types of automated decisions. It should have provided the drivers with general information and in particular information on factors that influence the decision-making process.
Concerning the right to portability referred to in Article 20, the Court concluded that the requests based on Article 20 concerned data that were not eligible for allocation and rejected that request.
The Court decided to order Uber, within two months, to grant the requests to access information under Article 15(1), including driver's profiles, information about upfront pricing, batched matching system and average ratings. This order is subject to a penalty payment of €4,000 for each day Uber fails to comply.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Dutch original. Please refer to the Dutch original for more details.
for the provision of copies of documents pursuant to Section 843a of the Code of Legal Procedure
(hereinafter: Rv), received at the registry of the court of appeal on 10 June 2021, lodging ten grievances,
appealed against a decision made by the District Court of Amsterdam (hereinafter: the District Court) on 11
March 2021 under the above-mentioned case/appeal number (hereinafter: the contested decision) in a
dispute between, among others, [appellant sub 1] et al. as applicants and Uber as respondent.
The notice of appeal strengthens, with amendment of the application, that the court should set aside the
contested order and, in summary, still make it provisionally enforceable:
- Uber will order, on pain of a periodic penalty payment, that the requests made by [appellant sub 1] et
al. under Articles 15 and 20 of the General Data Protection Regulation (hereinafter: AVG)1 still be granted.
- order Uber to disclose to [appellant sub 1] et al. in a commonly used electronic form, on pain of a periodic
penalty payment, (i) the categories of personal data referred to in subparagraph (d) of the operative part of
the order, (ii) information on the recipients or categories of recipients to whom personal data of [appellant
sub 1] et al. have been disclosed for 'legal reasons or in the event of a dispute' as well as the processing
purposes and categories of personal data concerned referred to in Article 15(1)(a), (b) and (c) AVG as well as
(iii) in the existence of automated decision making, including profiling referred to in Article 22(1) and (4), and
at least in those cases, useful information on the underlying logic, as well as the significance and expected
consequences of such processing for [appellant sub 1] et al.
- Uber will order, on pain of a periodic penalty, Uber to provide the personal data provided by
[appellant sub 1] et al to Uber in a structured, common and machine-readable form to [appellant sub 1]
et al and to forward such personal data directly to Platform Info Exchanges in accordance with Article
20(2) AVG.
- will rule that provision of data in pdf format cannot be regarded as provision in a 'structured, common and
machine-readable form' within the meaning of Article 20(1) AVG, or at least order Uber to provide the data in
question in a file format other than pdf format.
all this with a decision on the costs of proceedings.
In the (conditional) incident, [appellant sub 1] et al. requested the court to order Uber, pursuant to
Section 843a of the Dutch Code of Civil Procedure, to produce inspection, copies or extracts of the
documents and data held by Uber and recorded on a data carrier
- in which Uber has recorded in respect of which categories of personal data as mentioned in the
Guidance Notes Uber has granted or refused the access request of [appellant sub 1] et al. as
referred to in Article 15 (1) AVG and
- establishing whether Uber applied automated decision-making, including profiling referred to in Article 22(1)
and (4) AVG, in respect of [appellant sub 1] et al,
all this with a decision on the costs of proceedings.
On 13 October 2021, a statement of defence in conditional incident, also a statement of defence in the main
action and also a statement of appeal in cross-appeal was received at the registry of the court of appeal, on
the part of Uber. The statement of defence in the main case seeks to confirm the contested decision and to
reject the requests of [appellant sub 1] et al. In the cross-appeal, Uber, putting forward one ground of
appeal, requested that the court of appeal set aside the contested decision in part and still reject the
requests of [appellant sub 1] , [appellant sub 2] , [appellant sub 4] , [appellant sub 5] and [appellant sub 6],
with confirmation in all other respects. In the conditional incident, Uber sought its dismissal. In the principal
and
incidental appeal, as well as in the conditional incident, Uber finally requested that [appellant sub 1] et al. be
ordered to pay the costs of the appeal and incident proceedings, respectively, with post-judgment costs and
interest.
On 23 December 2021, a statement of defence in cross-appeal by [appellant sub 1] et al. was received at
the Registry seeking the dismissal of Uber's grievance, with a decision on costs.
The oral hearing of the appeal took place on 18 May 2022, at which [appellant sub 3] , [appellant sub 4]
and [appellant sub 5] (the latter represented by [A] ) and Uber (represented by [B] ) appeared and were
assisted by their aforementioned lawyers. On that occasion, the lawyers spoke on the basis of notes
submitted to the court. Both parties submitted further documents. The submission of exhibits 20 to 25 by
Uber was objected to by [appellant sub 1] et al. The court rejected these productions. The parties
answered questions put by the court.
Both parties have offered evidence on appeal.
The hearing of the case was then closed and judgment determined.
2 Facts
In the contested final decision, the court stated the facts it took as a starting point under 2 (2.1 to 2.9). The
court takes those facts as its starting point, supplemented by other facts that have been established as, on
the one hand, alleged and, on the other, not or insufficiently disputed.
The case involves the following.
2.1 Uber is part of an international group that provides online services in the transport sector through a
digital platform. Uber links passengers to drivers via applications. Passengers use the Uber Rider app,
drivers the Uber Driver app.
2.2 [appellant sub 1] et al are (have been) employed as 'private hire drivers' (hereinafter: drivers) in the
United Kingdom using or having used the services of Uber. At the time of filing the appeal grievances, at
least [appellant sub 3] was still working as a driver for Uber.
2.3 [appellant sub 1] et al are members of the App Drivers & Couriers Union (hereinafter ADCU). ADCU is a
trade union representing the interests of 'private hire drivers' and 'couriers' in the UK. ADCU is affiliated to
the International Alliance of App Transport Workers (hereinafter: IAATW). Both organisations advocate for
the digital rights of platform workers.
2.4 ADCU is supported by Workers Info Exchange (hereafter WIE). WIE is a non-profit organisation
that aims, in part, to help workers and self-employed people in the information
economy to give access to personal data collected about them in the course of their work. Founder
and director of WIE is [appellant sub 5] [A] .
2.5 ADCU and IAATW intend to establish a database, which will be maintained by WIE. This
database will contain personal data of drivers.
2.6 Uber has issued a 'Privacy Notice' (hereinafter, the Privacy Notice) in which it has included general
information about processing personal data. This privacy notice (in the version dated 29 July 2020)
states about automated decision-making:
2. Safety and security. We use personal data to help maintain the safety, security and integrity of our
services and users. This includes:
(...) Using device, location, profile, usage, an other data to prevent, detect, and combat fraud or unsafe
activities
Using user ratings and feedback to encourage compliance with our Community Guidelines and as
grounds for deactivating drivers and delivery partners with low ratings or who otherwise violated such
guidelines in certain countries.
(...)
9. Automated decision-making
We use personal data to make automated decisions relating to use of our services. This includes: (...)
Deactivating users who are identified as having engaged in fraud or activities that may otherwise harm
Uber, its users, and others. In some cases, such as when a user is determined to be abusing Uber's referral
programme, such behaviour may result in automatic deactivation.
2.7 Furthermore, Uber applies so-called 'Community Guidelines'. These read, in so far as relevant here,
as follows:
Fraud
Deception can weaken trust and also be dangerous. Intentionally falsifying information or assuming
someone else's identity (or allowing someone else to assume your identity), for example when signing
in or undergoing a security check, is not allowed. It is important to provide accurate information when
reporting incidents, creating and accessing your Uber accounts, disputing charges or fees, and
requesting credits. Only request fees, charges or refunds that you're entitled to, and use offers and
promotions only as intended. Don't knowingly complete invalid transactions. (...)
How Uber enforces our guidelines
Losing access to the Uber apps may be disruptive to your life or to your business. That's why we
believe it is important to have clear standards that explain the circumstances in which you may lose
access to the Uber apps. If you violate any applicable terms of use, terms of the contractual
agreement you agreed to when signing up for an account with Uber or any of these Community
Guidelines, you can lose access to the Uber apps. (...)
2.8 [appellant sub 1] et al. each separately made at different times in June/July 2020 by e- mail or via the
Rider app and/or Driver app (i) requests for access as referred to in Article 15(1) chapeau AVG to their
personal data processed by Uber as well as (ii) requests for information as referred to in Article 15,
paragraph 1(a), (b) and (c) AVG, (iii) requests for information as referred to in Article 15 paragraph 1(h)
AVG read in conjunction with Article 22 AVG and (iv) a request for data portability within the meaning of
Article 20 AVG. With regard to the latter request, they specified their requests in more or less similar
terms as follows:
Copies of my personal data Article 20
For data falling within the right to data portability (GDPR, art 20), which includes all data I have
provided
and which have been indirectly observed about me and where lawful bases for processing include
consent or contract, I wish to have that data sent to me in commonly used, structured, machine-
readable format, such as a CSV file. A PDF file is not a machine- readable format. accompanied with an
intelligible description of all variables.
2.9 Uber provided several digital files to [appellant sub 1] et al in response to these requests. Uber
provided with the responses to [appellant sub 1] et al an explanatory note entitled 'Guidance Notes',
which provided an overview of 26 categories of personal data processing with a general description of
the personal data involved.
3 Review
Legal framework
3.1 The articles of the AVG relevant to this dispute are as follows:
Article 4 Definitions
(...)
1. "personal data" means any information relating to an identified or identifiable natural person ("the
data subject"); an identifiable natural person is one who can be identified, directly or indirectly, in
particular by reference to an identifier such as a name, an identification number, location data, an
online identifier or to one or more elements characterising the physical, physiological, genetic,
psychological, economic, cultural or social identity of that natural person.
(...)
4) "profiling" means any form of automated processing of personal data in which certain personal aspects
of a natural person are evaluated on the basis of personal data, in particular with a view to analysing or
predicting that person's occupational performance, economic situation, health, personal preferences,
interests, reliability, behaviour, location or movements; (...)
Article 15 Data subject's right of inspection
1. The data subject shall have the right to obtain from the controller a confirmation as to whether or not
personal data concerning him or her are being processed and, if so, to obtain access to that personal data
and to the following information:
a. a) The processing purposes.
b) the categories of personal data concerned.
c) the recipients or categories of recipients to whom the personal data have been or will be
disclosed, in particular recipients in third countries or international organisations.
(...)
(h) the existence of automated decision-making, including those referred to in Article 22(1) and
4, referred to profiling, and, at least in those cases, useful information on the underlying logic, as well as
the significance and expected consequences of such processing for the data subject.
2. Where personal data are transferred to a third country or an international organisation, the data
subject has the right to be informed of the appropriate safeguards in accordance with Article 46 on the
transfer.
3. The controller shall provide the data subject with a copy of the personal data being processed. If the
data subject requests additional copies, the controller may charge a reasonable fee based on
administrative costs. Where the data subject submits its request electronically, and does not request any
other arrangement, the information shall be provided in a commonly used electronic form.
4. The right to obtain a copy referred to in paragraph 3 is without prejudice to the rights and
freedoms of others.
Article 20 Right to data portability
1. The data subject has the right to obtain the personal data concerning him that he has provided
to a controller in a structured, common and machine-readable form, and he has the right to
transfer that data to another controller, without being impeded by the controller to whom the
personal data had been provided, if:
a. the processing is based on consent under Article 6(1)(a) or Article 9(2)(a) or on an agreement
under Article 6(1)(b); and
the processing is carried out through automated processes.
2. When exercising his right to data portability under paragraph 1, the data subject shall have the right
to have the personal data transferred, if technically possible, directly from one controller to another.
3. The exercise of the right referred to in paragraph 1 of this Article shall be without prejudice to
Article 17. That right shall not apply to processing which is necessary for the performance of a task
carried out in the public interest or in the exercise of official authority vested in the controller.
4. The right referred to in paragraph 1 is without prejudice to the rights and freedoms of others.
Article 22 Automated individual decision-making, including profiling
1. The data subject shall have the right not to be subject to a decision based solely on automated
processing, including profiling, which produces legal effects concerning him or her or significantly
affects him or her in any other way.
2. Paragraph 1 does not apply if the decision:
a. necessary for the establishment or performance of a contract between the data subject and a controller.
is permitted by a provision of Union or Member State law applicable to the controller which also provides
for appropriate measures to protect the rights and freedoms and legitimate interests of the data subject; or
relies on the explicit consent of the data subject.
3. In the cases referred to in points (a) and (c) of paragraph 2, the controller shall implement appropriate
measures to protect the data subject's rights and freedoms and legitimate interests, including at least the
right to human intervention by the controller, the right to express his or her point of view and the right to
challenge the decision.
4. The decisions referred to in paragraph 2 shall not be based on the special categories of personal
data referred to in Article 9(1), unless Article 9(2)(a) or (g) applies and appropriate measures have
been taken to protect the data subject's legitimate interests.
3.2 Recital 63 from the preamble of the AVG reads, in so far as relevant here, as follows:
(63) A data subject should have the right to access personal data collected about them, and to exercise
that right easily and at reasonable intervals, in order to be informed of the processing and to verify its
lawfulness. (...) Every data subject should therefore have the right to know and be informed of the
purposes for which the personal data are processed, if possible how long they are kept, who receives the
personal data, the logic underlying any automatic processing of the personal data and, at least when the
processing is based on profiling, the consequences of such processing. If possible, the controller should be
able to provide remote access to a secure system on which the data subject can directly access their
personal data. That right should not interfere with the rights or freedoms of others, including business
secrecy or intellectual property and, in particular, the copyright that protects software. However, those
considerations should not result in the data subject being deprived of all information. Where the
controller processes a large amount of data relating to the data subject, it should be able to request the
data subject, prior to the provision of information, to specify which information or which processing
activities the request relates to.
3.3 The provisions of the General Data Protection Regulation Implementing Act ("UAVG"),
relevant to this dispute, are as follows:
Article 34
A written decision on an application referred to in Articles 15 to 22 of the Regulation shall be made
within the time limits specified in Article 12(3) of the Regulation (...)
Article 35
1. If the decision on a request referred to in Article 34 was taken by a body other than an
administrative authority, the interested party may apply to the court with a written request to order
the controller to still grant or reject the request referred to in Articles 15 to 22 of the Regulation.
2. The petition shall be filed within six weeks of receiving the response from the controller. If the
controller has not responded within the time limits set out in Article 12(3) of the Regulation, the
submission of the petition shall not be subject to a time limit.
3. The court grants the application, insofar as it finds it well-founded. Before the court
decide, it shall, where appropriate, give interested parties the opportunity to submit their views.
(...)
5. The third section of the fifth title of the Second Book of the Code of Civil Procedure shall apply
mutatis mutandis. [court: third section: Of dwangsom; Art. 611a to 611 i Rv.].
(...)
Article 41 Exceptions to data subject rights and obligations of controller
1. The controller may disapply the obligations and rights referred to in Articles 12 to 21 and Article 34 of
the Regulation to the extent that this is necessary and proportionate to ensure:
a. (...)
i. the protection of the data subject or the rights and freedoms of others; (...)
3.4 The Article 29 Data Protection Working Party (now: the European Data Protection Board,
abbreviated as: EDPB) adopted in 2017 guidelines on automated individual decision-making and
profiling for the purposes of Regulation (EU) 2016/679. Chapter IV, paragraph A, of these
guidelines, as adopted on 3 October 2017 and last amended and adopted on 6 February 2018,
WP251rev.01 (hereinafter: the EDPB guidelines) read, in so far as relevant here, as follows:
A. "Decision based solely on automated processing"
Article 22(1) concerns decisions that are "solely" based on automated processing. This means that there
is no human intervention in the decision-making process.
Example
An automated process produces something that is in fact a recommendation concerning a data subject.
If a human evaluates the process and takes other factors into account when making the final decision,
that decision would not be "solely on automated processing".
The controller cannot circumvent the provisions of Article 22 by p r e e m p t i n g human intervention.
For example, if someone routinely applies automatically generated profiles to individuals without actually
influencing the outcome, this is still a decision based solely on automated processing.
To achieve actual human intervention, the controller must ensure that all monitoring of decision-making
is meaningful, and not just a token act. This intervention must be carried out by someone who is
competent and capable of changing the decision. He must include all relevant data in his analysis.
As part of its data protection impact assessment, the controller must identify and record the degree of
human intervention in the decision-making process and the stage at which it took place.
Chapter IV(B) of the EDPB Guidelines, so far as relevant here, reads as follows:
B. Decision having 'legal effect' or which 'otherwise significantly affects' the person concerned
The AVG recognises that automated decision-making, including profiling, can cause serious
may affect individuals. The AVG does not define a decision with "legal effects" or one that "otherwise
significantly affects" the data subject, but it is clear from the wording that Article 22 only refers to
serious, significant effects.
"Decision having legal effect"
A legal effect means that the decision, based solely on automatic processing, affects someone's legal
rights, such as freedom of association, the right to vote and the right to seek legal redress. A legal effect
can also be something that affects someone's legal status or their rights under a contract.
Examples of such a consequence are automated decisions about an individual that lead to:
• termination of an agreement.
• The right to or refusal of a particular social benefit granted by law, such as child benefit or housing
benefit.
• refusal of admission to a country or the granting of a nationality.
"Otherwise affects him to a substantial degree"
Even if a decision-making process does not affect a person's legal rights, it may still fall within the scope
of Article 22 if it has a consequence that otherwise significantly affects him.
In other words, even if nothing changes about his legal rights or obligations, the data subject may still
be affected to such an extent that protection under this provision is required. The AVG added the
word "otherwise" (not present in Article 15 of Directive 95/46/EC) to the wording "significantly affects
him". Thus, the threshold for substantial degree should be similar to the degree to which the data
subject is affected by a decision which has a legal effect.
Recital 71 mentions the following typical examples: 'automatic refusal of a credit application
submitted online' or 'processing of job applications via the internet without human intervention'.
Data processing affects someone significantly when the effects of the processing are large or important
enough to merit attention. In other words, the decision must have the potential to:
• significantly affect the circumstances, behaviour or choices of the persons concerned.
• have a long-term or lasting effect on the individual; or
• in extreme cases, lead to the exclusion of or discrimination against individuals.
It is difficult to define precisely what is considered serious enough to meet the threshold of significant
degree. However, the following decisions could fall into this category:
• decisions affecting a person's financial situation, such as their ability to qualify for a loan.
• decisions affecting a person's access to healthcare services.
• decisions that deny someone access to an employment opportunity or put them at a serious
disadvantage in the process.
• decisions affecting a person's access to education, for example admission to a university (...).
order that the order be served on [appellant sub 1] et al. in a commonly used electronic form within one
month,
I. give access to:
(i) any personal data relating to them that it processes, including personal data as listed in the
Guidance Notes, the 'Driver's Profile', including Uber employee notes, 'Tags' and 'Reports',
(ii) the processing purposes, the categories of personal data concerned, the recipients or categories of
recipients to whom the personal data have been or will be disclosed, and the retention period for these
data,
(iii) the appropriate safeguards implemented by Uber in accordance with Article 46 AVG regarding
transfer to a third country or an international organisation,
(iv) the existence of automated decision-making, including the profiling referred to in Article 22(1) and
(4) AVG, and at least in those cases, useful information on the underlying logic, as well as the
significance and expected consequences of that processing for [appellant sub 1] et al,
II. provide the personal data in a structured, common and machine-readable form, namely as a CSV file,
or by means of an Application Programming Interface (hereinafter: API), in such a way that such data can
be directly forwarded to another controller.
3.6 By the contested order, which is provisionally enforceable, the district court, insofar as relevant in this
appeal, ordered Uber to provide [appellant sub 1] et al. with copies of or access to the personal data
referred to in paragraph 4.52 of the contested order (the 'ratings' given by individual passengers) in
the manner stated therein (anonymised) and dismissed the more or less requested. The court
balanced the procedural costs between the parties in that each party would bear its own costs. The
court otherwise rejected the request of [appellant sub 1] et al.
The amended appeal request
3.7 On appeal, [appellant sub 1] et al. amended their application as set out at margin 1 of this judgment. At
the hearing, they also reduced their request in the main action. They now apply in the main action for a
decision to be declared provisionally enforceable:
I. order Uber to grant the requests of [appellant sub 1] et al. for access to the personal data and
information listed below or to provide access in a commonly used electronic form within one
month of service of the order, on pain of a penalty:
a) to [appellant sub 1] et al. in the personal data hereinafter referred to:
- from the 'Guidance Notes: the remaining missing personal data as specified in production 2 in category
'12 Driver detailed device data',
- From the Driver's Profile category,
- From the 'Tags' category,
- from the 'Reports per trip' category
- from the 'Individual ratings per passenger' category
b) to [appellant sub 3] in the personal data processed under 'upfront pricing',
c) to [appellant sub 1] et al. about the recipients or categories of recipients to whom personal data of
[appellant sub 1] et al. were disclosed for 'legal reasons or in the event of a dispute', as well as the
processing purposes and categories of
personal data, as referred to in Article 15(1)(a), (b) and (c), AVG,
d) to [appellant sub 1] et al as regards the existence of automated decision-making, including profiling
referred to in Article 22(1) and (4) AVG, and at least in those cases, useful information on the underlying
logic, as well as the significance and expected consequences of such processing for [appellant sub 1] et
al,
e) to [appellant sub 1] et al in any other personal data relating to [appellant sub 1] et al that
it processes.
II. Order Uber, on pain of a periodic penalty payment, to disclose to [appellant sub 1] et al. the
personal data provided by [appellant sub 1] et al. to Uber, including the data referred to in the
petition, in a structured, common and machine-readable form to [appellant sub 1] et al. and to
transmit such personal data directly to Platform Info Exchanges in accordance with Article 20(2) AVG.
III. rule that provision of data in PDF format cannot be regarded as provision in a 'structured,
common and machine-readable form' within the meaning of Article 20(1) AVG, or at least order Uber
to provide the data in question in a file format other than PDF format.
The incidental appeal
Admissibility of [appellant sub 1] , [appellant sub 2] , [appellant sub 4] , [appellant sub 5] and
[appellant sub 6]
3.8 Uber addresses its grievance on incidental appeal against paragraphs 4.4-4.23 of the contested order,
in which the court, in brief, ruled that [appellant sub 1] , [appellant sub 2] , [appellant sub 4] ,
[appellant sub 5] and [appellant sub 6] were admissible in their requests. Uber argues that these
drivers filed their (revised) petition too early, namely before Uber had answered their requests.
According to Uber, under Article 35(2), first sentence, UAVG, [appellant sub 1] could not file a petition
until 5 September 2020, [appellant sub 2] and [appellant sub 4] on 1 November 2020,
[appellant sub 5] on 21 July 2020 and [appellant sub 6] on 10 October 2020. Indeed, Uber first
requested further details of their requests from them (on 1 July 2020, 22 July 2020, 7 August 2020, 16
August 2020 and 21 July 2020 respectively). This was necessary in view of [appellant sub 1] et al's
generally worded requests for inspection and the large amount of data. This is also in line with what
was considered in paragraph 63 of the preamble to the AVG. In paragraphs 4.9 and 4.10, the court
erred in ruling that the time limit to file the petition already started to run immediately after this
request for clarification. Indeed, that request cannot be seen as a dismissive response within the
meaning of Article 35 (2) UAVG read in conjunction with Article 12 (3) AVG, Uber argued. Uber added
that as far as [appellant sub 5] was concerned, it was entirely clear that he was too early with his
petition: Uber only responded to his request on 19 and 20 July 2020, while he submitted his petition
on 20 July 2020.
3.9 [appellant sub 1] et al. put forward the defence that Uber relied on incorrect data, namely dates on
which Uber sent messages to [appellant sub 1] et al. entirely on its own initiative, in response to the
petition submitted by them. A response in response to the petition cannot count as a response to
the preceding access request. Moreover, the original access requests were already clear and
complete and no further explanation was necessary. With the responses Uber subsequently sent to
[appellant sub 1] et al, the request for inspection had been fully answered.
3.10 This defence of [appellant sub 1] et al. succeeds. The following is conclusive in this respect. It can be
seen from the productions that [appellant sub 1] et al submitted their initial requests to Uber on the
following dates:
[appellant sub 1] : 15 July 2020 (production 2A to petition) [appellant
sub 2] : 23 June 2020 (production 3A to petition) [appellant sub 4] : 10
July 2020 (production 6A to petition) [appellant sub 5] : 20 June 2020
(production 8A to petition) [appellant sub 6] : 23 June 2020 (production
9A to petition)
3.11 [appellant sub 1] et al. have substantiated their claim (namely with reference to productions 2A, 3A
and 6A to the application, respectively production 6 to the statement of defence at first instance,
respectively production 9A to the application) that [appellant sub 1] , [appellant sub 2] , [appellant
sub 4] , [appellant sub 5] and [appellant sub 6] on 7 August 2020 and 22
July 2020, 7 August 2020, 19 July 2020 and 21 July 2020 received decisions on the access requests.
Uber did not sufficiently substantiate the dates it relied on and did not sufficiently dispute the dates
cited by [appellant sub 1] et al. with reasons. Exhibits 12A, 13A, 15A, 16A and 17A submitted by Uber
on appeal do not support its contentions. For example, Uber's reply of 30 October 2020 to [appellant
sub 4] (production 15a), submitted by Uber on appeal, shows that this is a spontaneous (and
supplementary) reply by Uber to [appellant sub 4]'s initial request, to which Uber had already replied
on 7 August 2020. [appellant sub 4] was therefore entitled to assume that his request had been
decided on when he submitted the (supplementary) petition on 21 August. In view of this, the court
assumes the dates mentioned by [appellant sub 1] et al. With regard to [appellant sub 5] in particular,
in view of production 6 to the defence at first instance, it is sufficiently established that he received a
decision from Uber on his initial application on 19 July 2020. The incidental appeal is therefore
unsuccessful.
The principal appeal
3.12 Grounds 2 to 7 in the main appeal relate to the requests for access by [appellant sub 1] et al. to
specific categories of personal data. The court will first discuss these grievances, after which the court
will address grievance 9 in the main appeal, which concerns the information request of [appellant sub
1] et al. within the meaning of Article 15 (1) (a), (b) and (c) of the AVG. Ground 1, which relates to
access to all other personal data, will be dealt with next.
Finally, grievance 8 (on the information request under Article 15(1)(h) AVG) and grievance 10 (on the
portability request under Article 20 AVG) will be dealt with.
Beforehand, the court notes that it is established between the parties that [appellant sub 1] et al are to be
regarded as data subjects within the meaning of Article 4(1) AVG and that in this context Uber acts as a
data controller within the meaning of Article 4(7) AVG.
Requesting access to a particular category from the Guidance Notes
3.13 Ground 2 is directed against paragraph 4.38 of the contested decision, in which the court held that
the request of [appellant sub 1] et al. regarding access to the personal data mentioned in the
Guidance Notes was rejected. At the hearing, [appellant sub 1] c.s. reduced their request and limited
it to the personal data still missing in category 12, Driver detailed device data, as described in
production 2 to the notice of appeal.
3.14 Uber disputes [appellant sub 1] c.s.'s assertion that the categories of data from the Guidance Notes
specified by [appellant sub 1] c. s . have not yet been fully accessed. However, Uber fails to provide a
sufficiently concrete explanation of this dispute with regard to the category of personal data
mentioned by [appellant sub 1] e t a l . The mere reference by Uber to sections 2.4.1 to 2.4.6 of the
statement of defence on appeal does not provide any conclusive information in this respect. For this
reason, the court of appeal assumes [appellant sub 1] c.s.'s assertion that Uber has not yet complied
with [appellant sub 1] c.s.'s requests on this point and deems
court allowed the request of [appellant sub 1] et al. to that extent. The grievance therefore succeeds.
The request for access to the Driver's profile
3.15 By ground 3 [appellant sub 1] c.s. challenge paragraph 4 .41 of the order under appeal in which the court
rejected the request to inspect the Drivers Profile. This ground of appeal is successful. In this respect the
Court of Appeal considers as follows. Uber has explained that the driver's profile is a note or a kind of
summary or transfer message by which Uber employees transfer requests from drivers to customer
service to other U b e r employees. In light of the judgment of the Court of Justice of the EU ("CJEU") in
the Nowak case2, the court held that such a note or handover notification must be regarded as personal data
within the meaning of Article 4(1) AVG. After all, this note or transfer notification contains information
about the driver who approached customer service, namely a reflection of the driver's specific request and
possibly already a (preliminary) assessment thereof, or at least, in Uber's words, a certain streamlining
thereof, which may have e f f e c t s for the driver. Not qualifying it as 'personal data' would deprive such
information entirely of the protection of the principles and safeguards on personal data, including the
rights of access, rectification and opposition of the data subject provided for in the AVG, and of the
supervision provided for in the AVG. Contrary to Uber's argument, the AVG does not make the
qualification of the term 'personal data' depend on whether the information in question is intended for
internal consultation and deliberation. The access requested by [appellant sub 1] et al. concerning the
Driver's Profile therefore falls within the scope of Article 15 (1) chapeau AVG. Uber has not substantiated
on what ground from the AVG the drivers' right to access it, as contained in Article 15 (1) AVG, can be
restricted. The request by [appellant sub 1] et al. therefore qualifies for grant to that extent.
Requesting access to the 'tags' (labels in the customer service system)
3.16 With ground 4, [appellant sub 1] c.s. challenge paragraph 4.44 of the contested order in which the court
rejected the request concerning access to the 'tags'. This ground of appeal succeeds. As considered by the
court and not disputed by the parties, a tag is an indication by an Uber employee of a notification. Uber
has not disputed that these tags contain information
about the relevant driver who made a request or notification. With regard to this category of data,
therefore, the same reasoning applies as set out above (in 3.15), with reference to the Nowak judgment,
with regard to the Driver's Profile. The request of [appellant sub 1] et al. therefore qualifies for grant to
that extent.
Requesting access to 'reports' per trip and 'individual ratings' per passenger.
3.17 Grievance 5 is directed against paragraph 4.46 of the contested order, in which the court concluded
that Uber need not provide further access to the 'reports' than it has already done. 'Reports', it is
established between the parties, are based on feedback reports that passengers have given about the
driver in question regarding, among other things, 'navigation' and 'professionalism'. In response to the
inspection requests, Uber provided Excel statements in which passengers' feedback about drivers was
anonymised.
With grievance 6, [appellant sub 1] turn against paragraph 4.52 of the contested decision, in which
the court ruled that Uber is obliged towards [appellant sub 1] et al. to provide limited access to the
individual ratings concerning them.
[appellant sub 1] c.s. argued with regard to both the reports and the ratings that Uber could not
refuse the request for access to this personal data in part with a general reliance on the rights and
freedoms of others. According to [appellant sub 1] c.s., Uber should have assessed in respect of each
data subject separately whether the obligations and rights in the UAVG should be disapplied and
whether this is necessary and proportionate to safeguard the interests referred to in Article 41 (1)
UAVG. Moreover, the
drivers does matter, because of the potential major consequences of the reports and ratings, to know
who made the statement. [appellant sub 1] et al. also have an interest in inspection in order to be able
to exercise their right to rectify incorrect personal data concerning them.
3.18 Grounds 5 and 6 are unsuccessful. In the opinion of the Court of Appeal, the District Court was right to
consider that Uber, when providing information that includes the personal data of [appellant sub 1] et al,
is obliged, pursuant to Article 15 (4) of the AVG, to respect the rights and freedoms of others and is
therefore entitled to anonymise the reports and ratings in the sense that, in order to protect those rights
of third parties, it ensures that the statements about the drivers cannot be traced back to the person who
made the statements. It may be true that in a specific, concrete case the conflicting legitimate interests of
the various data subjects must be weighed against each other in order to determine whether there is an
overriding interest that justifies a refusal to grant the data subject access to the personal data of a third
party, but in this case [appellant subsection 1] et al. have requested access to all the reports and ratings
concerning them without any restriction. This involves very large numbers of reports and ratings. In the
opinion of the Court of Appeal, in the event of such a broad request for access to personal data that also
concern third parties, the controller cannot be required to ascertain for each report and rating which
interest prevails. [appellant subpara 1] et al. did not mention any concrete report or concrete individual
rating and therefore did not give any concrete reasons as to why their interest in obtaining full access to
these (i.e. including the personal data of a third party) outweighs the third party's right to protection of its
personal data. The court therefore correctly held that Uber must respect passengers' rights when
providing the requested data and that Uber was able to do so by providing this data in such a way that it is
not traceable to the passenger who gave the rating and/or made the comments.
3.19 [appellant sub 1] et al. have also argued that they are entitled to inspection as independent controllers
by virtue of their own contractual relationship with the customer but this argument does not stand up.
After all, the subject of these proceedings is the request by [appellant sub 1] e t a l . as data subjects to
Uber as the data controller processing their personal data based on Article 15 of the AVG. The AVG does
not provide for a right to access personal data of others. The court therefore rejects this argument.
The request for access to the 'upfront pricing system'
3.20 By ground of appeal 7, [appellant sub 1] c.s. challenge paragraph 4 .59 of the contested decision in so
far as the district court rejected [appellant sub 3]'s request for access to personal data concerning him in
the 'upfront pricing system'. This is the automated system by which Uber calculates the price for a ride in
advance on the basis of objective factors such as the length and expected duration of the requested ride,
the ratio of supply and demand at that time, expected traffic patterns and the date.
3.21 This grievance succeeds. Contrary to the court's consideration, it is irrelevant whether [appellant sub
3] wishes to inspect this personal data in order to verify the correctness and lawfulness of its
processing, as the right of inspection contained in Article 15(1) chapeau of the AVG does not impose
such a condition. Uber has not submitted any valid ground that could justify a refusal of this access
request. The request by [appellant sub 1] et al. is therefore admissible in so far as it concerns the
initial request for inspection submitted by [appellant sub 3].
The request for information on recipients or categories of recipients
3.22 By ground 9, [appellant sub 1] et al. challenge paragraph 4.70 of the contested decision, in which
the court assumed, given the further information provided by Uber in its defence and the
information contained in the relevant sections of the privacy statement, that this part of the
inspection request had been adequately answered. [appellant sub 1]
et al argue that Uber has not provided any information on how it has disclosed personal data
concerning [appellant sub 1] et al to 'recipients or categories of recipients' within the meaning of
Article 15(1)(c) AVG 'for legal reasons or in the event of a dispute'. That Uber processes data for this
purpose is apparent from the Privacy Policy under point 7, they argue.
3.23 The grievance succeeds. Uber argued, without any further explanation, that under Article 23(1)(c), (d)
and (h) AVG it is not obliged to provide information about the recipients in question. Without further
explanation, it is not clear why the interests referred to in these provisions (in brief: public security,
prevention and detection of criminal offences, and the exercise of official authority) could be relevant in
this context, apart from the fact that Article 23 AVG(1) requires for the invocability of these interests that
their safeguarding is laid down in Union law or national provisions. It is not clear which Union law or
Dutch provision Uber is referring to. To the extent that Uber intended to invoke Article 41 opening words
(i) UAVG in this context, it did not explain. The request by [appellant sub 1] et al. for access to information
about the recipients or categories of recipients to whom personal data of [appellant sub 1] et al. were
disclosed for 'legal reasons or in the event of a dispute', as well as the processing purposes and categories
of personal data concerned, as referred to in Article 15 (1) (a), (b) and (c) of the UAVG, is therefore
admissible. In this regard, the court also refers to the Österreichische Post judgment,3 in which the CJEU
held that the information provided to the data subject under the right of access laid down in Article
15(1)(c) AVG must be as accurate as possible.
Requesting access to all other personal data
3.24 Ground 1 is directed against paragraph 4.35 of the contested order. In it, the court held that the
request for access to all personal data that Uber processes about the applicants is too general and so
lacking in specificity that it is rejected as insufficiently determined. [appellant sub 1] et al argue, first
of all, that the right of inspection under the AVG is unqualified and that further requirements may
only be imposed on it under special circumstances. Secondly, the court's opinion is based on an
incorrect interpretation of recital 63 of the AVG. Indeed, Uber did not request further clarification
prior to the provision. Thirdly, they argue, Uber failed to
when responding to the requests, to communicate in an orderly manner which parts of their request were
granted and rejected, respectively. This allowed [appellant sub 1]
c.s. also fail to specify their request. Fourth, [appellant sub 1] c.s. put forward that they do not know
what data Uber has. Fifth, the court wrongly took into account that [appellant sub 1] c . s. had already
received a large number of personal data, and sixth, [appellant sub 1] c.s. have only submitted a
request for inspection once, and not several times, [appellant sub 1] c.s. For all these reasons, their
general request should still be granted, they argue.
3.25 It has been established between the parties that Uber processes a particularly large number of
personal data of [appellant sub 1] et al. It has also been established that [appellant sub 1] et al. had
already specified a considerable number of categories of personal data in their initial request for
inspection, with the comment that this was not an exhaustive list. The court agrees with the district
court that it should have been up to [appellant sub 1] c . s. to further specify or expand their initial
inspection request (by means of a new or additional initial inspection request). The argument of
[appellant sub 1] et al. that it was factually impossible for them to specify their inspection request
does not stand. The court points out that [appellant sub 1] c.s. could have asked Uber, under Article
15 (1) (b) AVG, for information about the categories of personal data concerned that are processed by
Uber. Based on that answer, they could have submitted a new or additional request for access to
Uber. At
this way, Uber as data controller would have had the opportunity to decide on it, before this further
specification or, as the case may be, extension of the access request became the subject of legal
proceedings. [appellant sub 1] et al have not claimed that they submitted an information request (on the
categories of personal data concerned) to Uber within the meaning of Article 15(1)(b) AVG. In this respect,
[appellant sub 1] e t al have wrongly placed the initiative with Uber. That the data controller, such as Uber,
must first have had the opportunity to decide on an access or information or portability request before that
request becomes the subject of a judicial
procedure, also stems, in the opinion of the court of appeal, from the legal procedure prescribed by
Article 35 UAVG. That article provides that the interested party (in this case: [appellant sub 1] et al.) may
apply to the court with a written request to order the data controller (in this case: Uber) to still grant or
refuse the request as referred to in Articles 15 to 22 of the regulation. In these application proceedings,
therefore, the court must rule on the initial (access or information or portability) request of [appellant
sub 1] et al. as they submitted it to Uber in 2020. Should the interested party be allowed to amend or
extend this initial (access c . q . information c . q . p o r t a b i l i t y ) request in the (judicial) proceedings,
this would deprive the data controller of the opportunity to make an out-of-court decision on the
admissibility of that amended request. In the opinion of the court of appeal, both Article 35 UAVG and
due process oppose this. Ground 1 is therefore unsuccessful.
The request for information on automated decision-making
3.26 The court also rejected the request of [appellant sub 1] et al. insofar as their request was based on
Article 15(1)(h) AVG (right to information about the existence of automated decision-making). To this
end, the court considered, inter alia, in para.
4.67 of the contested decision, that [appellant sub 1] et al. have not sufficiently explained to what
extent Uber has made decisions about them on the basis of automated decision-making as referred to
in Article 22 AVG. This requires that there must also be legal consequences or that the data subject is
otherwise significantly affected. The court added that, where the request relates to anti-fraud
processes, [appellant sub 1] et al have not explained that Uber has concluded with regard to them
that they are guilty of fraud.
3.27 This part of the rejection and the grounds on which it was based are challenged by [appellant sub 1] et
al. in ground 8. First, they argue that Uber itself should have checked whether it had applied automated
decision-making against [appellant sub 1] et al. For [appellant sub 1] et al, it is factually impossible to
prove this. Therefore, [appellant sub 1] e t al cannot be required to specify their request on this point.
Second, they point to paragraph 9 of the privacy statement in which various forms of automated decision-
making as referred to in Article 22 AVG are mentioned. All these forms of automated decision-making,
according to [appellant sub 1] c.s., affect their rights and affect them significantly, for example with regard
to the amount of work they can do through Uber and thus for their income.
Uber raises a defence, which will be discussed below.
a) The scope of Article 15(1)(h) AVG
3.28 The Court will first address the scope and conditions of application of Article 15 (1) (h) AVG, as this
provision forms the basis of the request made by [appellant sub 1] et al. In this respect, the Court notes
that the Dutch version of Article 15 (1) (h) AVG is not entirely clear with respect to the reference therein
to Article 22 AVG. This is important, because the debate between the parties focuses on the question
whether Article 22 AVG is of
applies to the decisions mentioned by [appellant sub 1] et al. that Uber has taken in relation to them.
[appellant sub 1] et al believe it does and Uber believes it does not.
3.29 Read to the (Dutch) letter, the right to information contained in Article 15(1)(h) AVG covers any form of
automated decision-making, 'including profiling as referred to in Article 22(1) and (4)', and thus also, for
example, decision-making that is not exclusively but only partly based on automated decision-making.
However, in the English and French versions of this provision respectively, the right to information is
limited to 'the existence of automated decision-making, including profiling, referred to in Article 22(1) and
(4)' and 'l'existence d'une prise de décision auomatisée, y compris un profilage, visée a l'article 22,
paragraphes 1 et 4' respectively. Judging from these texts, the court assumes that the right to information
contained in Article 15(1)(h) refers only to that form of automated decision-making referred to in Article
22(1) and (4) of the AVG. Such an interpretation (which thus deviates from the letter of the Dutch text)
also argues that the reference, in the Dutch version of Article 15(1)(h) AVG, to the profiling referred to in
Article 22(4) cannot be correct, as that fourth paragraph does not contain the concept of profiling. Finally,
for this interpretation
find support in the EDPB Guidelines. Chapter IV, paragraph E, subparagraph 2 of those guidelines also states
in so many words that the right to information contained in Article 15(1)(h) of the AVG refers to information
about 'exclusively automated decision-making'.
3.30 The foregoing means that a right to information exists under Article 15(1)(h) AVG to the extent that the
controller 'subjects' the data subject to 'a decision based solely on automated processing, including
profiling, which produces legal effects concerning him or her or significantly affects him or her in any other
way'.
3.31 In the EDPB Guidelines (see above under 3.4), Chapter IV, Section B, discusses, among other things,
what is to be understood by a decision that 'otherwise significantly affects' the data subject. Herein, it
is noted that the wording shows that Article 22 AVG 'only refers to serious, significant effects' and
further that the threshold for 'significantly affected' should be 'comparable to the extent to which the
data subject is affected by a decision which has a legal effect'.
b) Does the request for information concern decisions which have legal consequences for [appellant sub
1] et al. or otherwise affect them significantly?
3.32 [appellant sub 1] et al focused their grievance against the rejection of their information request on five
categories of decision-making, which will be discussed successively below.
3.33 First, [appellant sub 1] c.s. want information about the so-called 'batched matching system': this is the
automated system by which Uber matches drivers to passengers. This system first groups the nearest
Uber drivers and passengers into a batch (group) and then determines the optimal match (pairing) within
this group. The aim of this is to minimise waiting times for the entire group of drivers and passengers.
Uber has uncontested that a driver can enter personal preferences in the Driver app, which are taken
into account by Uber in the pairing process. At the same time, Uber has acknowledged that this system
also takes into account a low rating by a passenger, which prevents that particular passenger from being
paired with that driver.
In the opinion of the court of appeal, the automated ride distribution by means of the batched matching
system affects the drivers, on the whole, to a considerable extent. After all, this distribution leads to the
matching of supply and demand and can also lead, as [appellant sub 1] et al. have argued and Uber has
not disputed, to a driver not receiving an offer or receiving it less often. This automated decision-making
thus determines the amount of work that drivers can perform through Uber and thus for their income.
3.34 Secondly, [appellant sub 1] c.s. request information on the so-called 'upfront pricing system': this is the
automated system by which Uber calculates the price for a ride in advance based on objective factors
such as the length and expected duration of the requested ride, the ratio of supply and demand at that
time, expected traffic patterns and the date. In addition or thereby, Uber also uses dynamic fares when
determining the fare. In the opinion of the court of appeal, [appellant sub 1] et al. have sufficiently
substantiated their claim and Uber has not sufficiently substantiated their dispute that the outcome of
these decisions, taken as a whole, affects the drivers to a considerable extent. This system is applied to
every passenger they carry. These are therefore successive decisions, each with financial consequences
that determine the income they can earn.
3.35 Thirdly, [appellant sub 1] c.s. want information on the determination of (average) ratings of drivers:
Uber has explained that ratings are given by passengers, not by Uber, and that Uber only combines those
ratings to arrive at an average rating of the driver. The privacy statement (see above, 2.6) shows that the
combined ratings may constitute grounds for deactivating drivers. As such, these combined ratings, albeit
indirectly, may, in the court's view, produce significant effects for the drivers. The determination of those
average ratings therefore affects the drivers to a significant extent.
3.36 Fourth, [appellant sub 1] et al. requested information about charging cancellation fees to the driver
and, fifth, deactivating the drivers' accounts. Uber explained that it may decide not to charge the
cancellation fee that a passenger would normally have to pay if they have requested and then cancelled
a ride anyway, and therefore not pay it to the driver. This decision is made, according to Uber, if some
form of cancellation fraud occurs.
However, the Court of Appeal notes that [appellant sub 1] et al. failed to explain their grievance on this
point in their notice of appeal, even though it would have been in their power to do so. For instance, they
did not make it concrete that cancellation fees had been charged in their regard, nor did they explain
when and how the accounts of [appellant sub 1] , [appellant sub 2] , [appellant sub 4] and [appellant sub
6] were deactivated. Thus, they have failed to adequately explain on appeal their assertions regarding
these two categories. Of importance here is that the district court also considered that [appellant sub 1]
et al. had failed to explain that Uber had concluded with regard to them that they were guilty of fraud
and that no grievance was directed against that consideration. In this case, unlike in case 200.295.742/01,
in which the court is also ruling today, the court of appeal therefore does not get to the other questions
that need to be answered in order to be able to conclude whether decision-making within the meaning of
Article 22 (1) of the AVG has taken place with regard to these two categories (charging cancellation fees
and deactivating accounts).
c) Are the decisions cited by [appellant sub 1] et al based solely on automated
processing?
3.37 Since it was concluded above (in paragraphs 3.33-3.35) that the decision-making by means of the
'batched matching system' and the 'upfront pricing system' respectively, whether or not in combination
with the use of dynamic fares as well as the determination of average ratings, significantly affects the
drivers, the question to be answered is whether this decision-making is based solely on automated
processing. In respect of all three of these categories, Uber has not contested, or has not sufficiently
substantiated, that this is the
case. These are therefore decisions that fall within the scope of Article 22(1) AVG, and therefore within
the scope of Article 15(1)(h) AVG.
d) Can Uber rely on an exception to the right to information contained in Article 15(1)(h) AVG?
3.38 In its defence at first instance (paragraphs 90-91), Uber put forward the defence that the
information requested by [appellant sub 1] et al contains trade secrets concerning its anti-fraud
processes. If it were to provide [appellant sub 1] et al with information about this, it could lead to
circumvention of those processes and competitors could take advantage of it. Effective fraud
prevention is of great importance to Uber, partly because TfL can impose sanctions if Uber fails to do
so. Uber believes that under Article 15(4) AVG and Article 41(1)(i) UAVG, it is entitled to refuse the
information requested by [appellant sub 1] et al.
3.39 The court first notes that Article 15(4) AVG only contains an exception to the data subject's right to
receive a copy of personal data contained in Article 15(3) AVG. The exception does not concern the right
to information about the existence of automated decision-making contained in Article 15(1) introductory
sentence and subparagraph (h) of the AVG. In contrast, Article 23(1)(i) AVG provides that the scope of the
obligations and rights set out in, inter alia, Article 15 AVG may, under certain conditions, be limited by
Member States if such limitation is necessary and proportionate to safeguard the protection of the rights
and freedoms of others. In Dutch law, such a restriction is laid down in Article 41(1)(i) UAVG. In the
opinion of the court of appeal, however, this provision does not provide sufficient grounds for the opinion
that Uber is entitled to reject the information requests of [appellant sub 1] et al. in their entirety. This is
because a complete rejection of those requests is not in accordance with the proportionality and necessity
required by Article 41(1)(i) UAVG, or at least Uber has not sufficiently argued for the opinion that a
complete rejection would be proportionate and necessary with a view to protecting its trade secrets. For
the sake of completeness, the court refers to paragraph 63 in the preamble to the AVG, which considers
that considerations relating to the rights or freedoms of others should not result in the data subject being
deprived of all information. This defence by Uber in defence of its rejection of the information requests is
therefore rejected by the court.
e) How should an information request referred to in Article 15 1(1)(h) AVG be acted upon?
3.40 The conclusion is that Uber wrongfully rejected the requests for information from [appellant sub 1]
et al. concerning the 'batched matching system' and the 'upfront pricing system' respectively,
whether or not in combination with the use of dynamic rates as well as the determination of
(average) ratings. The grievance succeeds to that extent.
3.41 To the extent that Uber believes that a reference to its website is sufficient to explain this category of
decision-making, the court notes that such a reference cannot suffice. After all, Article 15(1)(h) AVG
requires that the data subject has the right to information about the existence of automated decision-
making (as referred to in Article 22 AVG), including profiling, and, if so, 'useful information on the
underlying logic, as well as the significance and expected consequences of that processing for the data
subject. Of relevance here is that the information should be 'useful information', i.e. such information as to
enable the data subject to make an informed decision as to whether or not he or she wishes to exercise his
or her rights guaranteed by the AVG, such as the right to rectification or access or the right to seek judicial
remedy.4 As required by the EDPB guidelines, under Article 15(1)(h) AVG, the controller must provide the
data subject with general information useful for challenging the decision, in particular information on
factors considered in the decision-making process, and their respective 'weighting' at an aggregate level.5
The information provided should be complete enough for the data subject to understand the reasons for
the decision. However, it also follows from that guidance that it need not necessarily be a complex
explanation of the algorithms used or an exposition of the full algorithm. This latter limitation, in the
opinion of the court, adequately takes into account the interests of, in this case Uber, as regards the
trade secrets it has mentioned. Uber has failed to show that the website it mentions complies with the
requirements arising from Article 15(1)(h) AVG, read in light of the EDPB guidelines. What matters is that
Uber at least explains on the basis of what factors and what weighting of those
factors Uber arrives at the ride-sharing decisions, fare decisions and average ratings, respectively, and
also provides [appellant sub 1] et al with other information necessary to understand the reasons for
those decisions.
The right to portability of certain data as referred to in Article 20 AVG
3.42 Article 20(1) AVG contains the data subject's right to obtain, under certain conditions, personal data
concerning him that he has provided to a controller in a structured, common and machine-readable form.
When exercising this right, Article 20(2) AVG provides that the data subject has the right to have the
personal data transferred directly from one controller to another, if this is technically possible. The
rationale behind this is that the data subject can take their data with them to, for example, another
service provider and, in principle, enforce cooperation from the original data controller to do so.
3.43 In their requests, [appellant sub 1] et al requested Uber, relying on Article 20 AVG, to provide the
personal data covered by this provision. In responding to [appellant sub 1] c . s.'s requests, Uber
provided most of the requested information in CSV or similar form, or at least [appellant sub 1] c.s.
did not dispute this assertion by Uber (paragraph 141 of the appeal defence). For some of the
requested information, Uber has done so in other format, such as PDF. That concerns the categories
'zendesk tickets', 'invoices', 'driver safety complaints' and 'driver documents'.
3.44 With ground 10, [appellant sub 1] c.s. challenge paragraph 4.81 of the contested decision. In it, the
district court ruled that there was no reason to order Uber to still provide the categories provided in PDF
format in a CSV format (or comparable format) to [appellant sub 1] et al. In the absence of a dispute by
[appellant sub 1] et al. the court of appeal concurs with the court's opinion that the categories 'zendesk
tickets', 'driver complaints' and 'invoices' do not fall within the scope of Article 20 AVG because these data
were not provided to Uber by the applicants themselves, either actively and knowingly or through the use
of the Uber Driver app. With regard to the 'driver documents', Uber reasoned that it can only provide
these documents provided by the drivers themselves, such as a copy of a driving licence, in the format in
which the driver himself provided the document. [appellant sub 1] et al have not disputed that. Also in
light of the
wording 'if technically possible', as contained in Article 20(2) AVG, which admittedly refer to transmission
from one controller to another, the court assumes that the right contained in Article 20(1) AVG does not
require the controller to do the technically impossible. A starting point for this can also be found in recital
68 of the preamble to the AVG, which considers, with regard to the right contained in Article 20 AVG: 'The
data subject's right to transmit or receive personal data concerning him should not create an obligation
for the controller to set up or maintain technically compatible data processing systems.' All this leads the
court to the conclusion that the request of [appellant sub 1] et al. based on Article 20 AVG, which on
appeal still only concerns the
'send desk tickets', 'driver complaints', 'invoices', and 'driver documents', does not qualify for adjudication.
The grievance is unsuccessful.
3.45 On appeal, [appellant sub 1] et al. sought a further declaration of law in connection with their
application based on Article 20 AVG, to the effect that provision of data in PDF format does not
qualify as provision within the meaning of Article 20 (1) AVG.
In this regard, the court points to the
The judgment of the Supreme Court of 31 March 2000, ECLI:NL:HR: 2000:AA5319, paragraph 3.2.2. It may
be deduced from this that the court may, on an application made for that purpose, make a declaration of
law concerning a statutory provision, provided that it remains within the limits of the said statutory
provision and is limited to determining the legal relationship in dispute between the applicant and the
defendant. Since, in the present legal relationship between [appellant sub 1] et al. and Uber, the request
based on Article 20 AVG does not qualify for granting, the conditions set by the Supreme Court are not
met and the request for a declaration of law should be rejected.
The penalty payment requested
3.46 [appellant sub 1] et al, citing Article 35(5) UAVG, request the imposition of a penalty payment in
the amount of €6,000.00 for each day or part thereof that Uber fails to comply with the order to be
issued.
The court will award it up to €4,000.00 per day or part of a day, in line with the penalty payment as
awarded in the aforementioned case 200.295.742/01 (brought by other drivers against Uber), also to be
decided today.
Executable by stock?
3.47 Uber has requested that, if the request of [appellant sub 1] et al. is granted, the order should not be
declared provisionally enforceable. In this regard, the court of appeal refers to the basic principle to be
observed that a judgment to be pronounced must be enforceable and can be enforced. Deviation from this
principle can be justified by circumstances that mean that the interest of the convicted person in
maintaining the existing situation as long as no decision has been made on an appeal lodged by him
outweighs the interest of the person who obtained the conviction in the judgment to be declared
provisionally enforceable. What Uber has put forward in support of its request for the declaration of
provisional enforceability not to be granted, namely that the inspection would essentially give access to its
anti-fraud processes, is irrelevant as the parts of the request that have been granted do not relate to this.
The request by [appellant sub 1] et al to declare the decision provisionally enforceable will therefore be
granted.
The incidental requests
3.48 In the (conditional) incident, [appellant sub 1] et al. requested the court to order Uber, pursuant to
Section 843a of the Dutch Code of Civil Procedure, to produce inspection, copies or extracts of the
documents and data held by Uber and placed on a data carrier
- in which Uber has recorded in respect of which categories of personal data as mentioned in the
Guidance Notes Uber has granted or refused the access request of [appellant sub 1] et al. as
referred to in Article 15 (1) AVG and
- establishing whether Uber applied automated decision-making, including profiling referred to in
Article 22(1) and (4) AVG, in respect of [appellant sub 1] et al.
These incidental applications were filed conditionally. Since grievance 2, concerning the
Guidance notes, and grievance 8, regarding automated decision-making, succeed, the condition under
which the incidental applications were filed is not met and the court does not get to assess them.
Final sum
3.49 Uber's grievance on incidental appeal and [appellant sub 1]'s grievances 1, 5, 6 and 10
c.s. in the main appeal fails. Grounds 2, 3, 4, 7, 8 and 9 of the principal appeal are wholly or largely
successful. The Court will grant the related requests in the manner as yet to be stated. The incidental
request will be dismissed, as will Uber's request that the order not be declared provisionally enforceable.
Uber shall be ordered to pay the costs of the incidental and principal appeal proceedings and the
proceedings at first instance as the party largely unsuccessful. [appellant sub 1] et al. shall be ordered to
pay the costs of the incidental proceedings.
4 Decision
The court:
Annuls the contested decision insofar as it rejected the request of [appellant sub 1] et al. concerning:
a. a) the initial request by [appellant sub 1] et al, based on Article 15(1) chapeau of the AVG, for access
to the personal data relating to them (i) as described in production 2 to the notice of appeal and
belonging to category 12 of the Guidance Notes, entitled 'Driver detailed device data', (ii) as contained
in the Driver's profile and (iii) as contained in the 'tags'.
b) [appellant sub 3]'s initial request, based on Article 15(1) chapeau AVG, for access to personal data
concerning him in the 'upfront pricing' category.
c) the initial request by [appellant subsection 1] c.s., based on Article 15(1)(a), (b) and (c) of the AVG, for
access to information on the recipients or categories of recipients to whom personal data of [appellant
subsection 1] c.s. have been disclosed for 'legal reasons or in the event of a dispute', as well as the
processing purposes and categories of personal data concerned.
d) the initial request by [appellant sub 1] et al. based on Article 15(1)(h) AVG for information on the existence
of automated decision-making within the meaning of that provision insofar as that request relates to the
'batched matching system', the 'upfront pricing system' whether or not in combination with the system of
dynamic fares used by Uber as well as the determination of (average) ratings.
and to that extent re-adjudicated:
orders Uber, within two months of service of this order, to grant the requests referred to above under (a) to
(c) as well as the request referred to above under (d) in the manner described in paragraph 3.41, on pain of
forfeiture of a penalty payment in the amount of €4,000.00 for each day or part thereof that Uber fails to
comply with this order.
otherwise upholds the order under appeal in so far as the judgment of the court of appeal
subjected.
order Uber to pay the costs of the main appeal and the incidental appeal and of the proceedings at first
instance and, in so far as they have fallen to date on the side of [appellant subsection 1] et al, set the amount
of those costs at EUR 338 in disbursements and EUR 3,342 in wages on appeal and at EUR 304 in
disbursements and EUR 1,126 in wages at first instance.
order [appellant subsection 1] et al. to pay the costs of the incident and estimate these costs, in so far as Uber
has been ordered to pay them to date, at € 0 in disbursements and € 1,114 in salary and at € 163 for additional
salary, to be increased by € 85 for additional salary and by the costs of the writ of summons, in the event that
the order(s) pronounced by this order have not been complied with within fourteen days and service of this
order has not been effected, and to be increased by statutory interest.
declares this order provisionally enforceable.
Dismisses the more or otherwise requested.
