Rb. Amsterdam - C/13/687315 / HA RK 20-207
|Rb. Amsterdam - C/13/687315 / HA RK 20-207|
|Court:||Rb. Amsterdam (Netherlands)|
|Relevant Law:||Article 4(1) GDPR|
Article 4(4) GDPR
Article 5(1)(a) GDPR
Article 12(3) GDPR
Article 12(6) GDPR
Article 15 GDPR
Article 15(1)(h) GDPR
Article 15(1) GDPR
Article 15(4) GDPR
Article 20 GDPR
Article 20(1) GDPR
Article 22 GDPR
Article 22(3) GDPR
Article 35 GDPR
Article 41(1) GDPR
Article 3(1) Rome I Regulation
Article 4 Brussels I (Recast) Regulation
|National Case Number/Name:||C/13/687315 / HA RK 20-207|
|European Case Law Identifier:||Zoekresultaat - inzien document ECLI:NL:RBAMS:2021:1020|
|Original Source:||Rb. Amsterdam (in Dutch)|
The District Court of Amsterdam (Rb. Amsterdam) rejected several requests (except one) for further information under Article 15 GDPR. The requests were made by Uber Drivers against the controller, Uber, after they former claimed that Uber had insufficiently given effect to their right of access. The court clarified a question of the format for the right to data portability (Article 20 GDPR).
English Summary[edit | edit source]
Facts[edit | edit source]
The 10 plaintiffs are or were engaged to drive with the app of the defendant, Uber, in the United Kingdom. The plaintiffs are part of the App for Drivers and Couriers Union (ADCU) which protects their interests as private drivers and couriers in the UK. ADCU is itself a member of International Alliance of App Transport Workers (IAATW). ADCU and IAATW want to create a database of the personal information of drivers at Uber.
The plaintiffs have made requests by email or via the Uber Driver App to access the data processed by Uber concerning them. Uber provided digital files in response to these requests.
The plaintiffs asked the court to review the digital files provided and to order Uber to provide explanation on a series of questions relating to the files given. The plaintiffs claimed that the files given were not complete as the data given did not contain the full information that they were entitled to.
The plaintiffs also claimed that the decision was automated within the scope of Article 22 and therefore Article 15(1)(h) applies.
They also claimed to have a right to data portability under Article 20(1) GDPR and that information should be provided in a structured, commonly used and machine-readable format. They claim that Uber only provided a small part of the data in the required format.
Dispute[edit | edit source]
The plaintiffs asked the court to order Uber to:
I. a) provide, within one month of notification and in a standard electronic form, access to:
(i) personal data which Uber processes, such as the "Driver’s Profile" including the records of Uber employees, "Tags", and "Report",
(ii) the purposes for processing, the categories of personal data, recipients or categories of recipients to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organisations and the storage period
(iii) in the event of transfer to a third country or to an international organisation; the appropriate safeguards applied by Uber pursuant to article 46 GDPR Uber
(iv) the existence of automated decision-making, including those laid down in Articles 22(1) and 22(4) GDPR (at least meaningful information about the logic underlying it, and the significance and the envisaged consequences of such processing).
II. provide personal data in a structured, common and machine-readable form, (e.g. as a CSV file or through an Application Programming Interface/"API"), in such a way that some of this data can be directly transmitted to another controller.
III. the foregoing and, under penalty of a fine of $10,000 for each day or part of a day that Uber fails to fully comply with one or more of the I and II and above.
Holding[edit | edit source]
Jurisdiction and applicable law[edit | edit source]
The district court of Amsterdam held that Dutch courts has jurisdiction. It considered that this was the case as Uber is based in Amsterdam and therefore Article 4 Brussels I (Recast) Regulation applies. The court found that law applicable is the law of The Netherlands under Article 3(1) Rome I Regulation.
Inadmissibility of the plaintiffs?[edit | edit source]
The Court outlined that the plaintiffs need to have made an access request to Uber and also requested for their data to be ported before seeking a court procedure. Additionally, the court outlined that a month should have passed as per Article 12(3) GDPR. The plaintiffs have a right to filed a complaint before a court as per Article 35 GDPR.
On that matter, the court found that Uber still has to responded to the access request by email after the plaintiffs had filed a petition before the court. It also held that the plaintiffs could not assess whether Uber had properly responded to their request as they had not received an answer at the time of filing the original petition in July 2020 (even if Uber had responded before the revised/ additional petition filed by the plaintiffs one month later - August 2020). Based on the dates of the email exchanges between the individual plaintiffs and Uber, the court found that the requests of Plaintiffs 1, 2, 3, 4, 5, 6, 8 and 9 were admissible.
However, the court found that Plaintiff 7 and 10's applications were inadmissible as the two plaintiffs had not responded to the request for identity verification (required under Article 12(6) GDPR). The court held that this was why the two plaintiffs (7 and 10) had not received a reply from Uber as required by Article 12(3) GDPR and hence, why they did not have the opportunity to submit their request to the court on the date of filing the procedure.
Interest in the application / abuse of the law?[edit | edit source]
The court held that, contrary to Uber's argument, an individual does not need to justify their access request. An individual can exercise this right under the GDPR without clarifying their particular interest. The only requirement for an access request is that the individual's personal data is processed. In any case, the court considered that the individual's wish to check the accuracy and lawfulness of their personal data to exercise further rights is a sufficient interest. There was no abuse of the law in this context.
The access request[edit | edit source]
The court outlined the purpose of Article 15 GDPR and the broad definition of personal data according to the CJEU (referring to Nowak and YS and MS) as well as past Dutch court decisions. The court also outlined the conditions under which an access request may be refused (citing Articles 15(4) and 41(1) GDPR) - i.e. if it is necessary for the protection of the rights and freedoms of others.
The court rejected the plaintiffs' claim that they didn't need to substantiate their request for further access because Uber has to process it in a transparency manner under Article 5(1)(a). Instead, the court held that the transparency principle does not achieve this. As per Recital 63 GDPR, Uber is entitled to ask for specifications on the personal data that the data subject requires in their access request. Given that the plaintiffs already received very large sets of personal data from Uber, it is for the plaintiffs to further specify the data that they request in an access request. The court specified that the plaintiffs cannot request passenger information as a result of a contractual obligation between drivers and passengers and the need to respect the passenger's privacy.
The court assessed distinct categories of personal data to determine whether the plaintiffs had a right of access to them and whether Uber had sufficiently given effect to that request:
- Driver's profile: the court held the drivers profiles were not profiles within the meaning of Article 4(4) GDPR ('profiling'). These were internal referrals and reports to Uber customer service employees. These profiles did not contain information about the data subject that the latter could themselves verify. Therefore, Uber did not have to provide access to that information as it is not personal data within the scope of the GDPR.
- Tags (labels generated by Uber to assess the driver's behavior): the court took the dictionary meaning of the word tag to outline that a tag is a 'name or phrase that is used to describe a person or thing in some way'. Therefore, the court was of the view that this could not be verified by the data subject for correctness and therefore is not subject to the right of access.
- Reports (based on feedback from passengers): the court found that this constituted personal data within the meaning of Article 4(1) GDPR (linked to an identifiable individual because of its content). However, the court found that Uber must respect the rights and freedoms of others under Article 15(4) GDPR. Therefore, it considered that the reports by Uber should be anonymised. The court deemed that Uber did not have to provide further access to the passengers details on the basis of a contractual relationship between the driver and passenger.
- Start and end location of a trip: the court found that Uber provided overviews of the details on the journey times and location of the trip. It deemed that it was sufficient for the purpose of an access request as it would otherwise potentially infringe the privacy rights of the passenger.
- Individual ratings: the court found that Uber provided an overview of this data to the plaintiffs in an anonymised manner. Again, the court considered that Uber must provide this data in a way that preserves the right to privacy of the passengers (i.e. by anonymising the information to ensure the passenger is not identifiable). However, Uber must provide that anonymised information in a right of access request. Therefore, the court orders Uber to provide access to individual rating of the applicants in those conditions.
- Driving behaviour, use of phone in the journey and percentage of accepted journeys: the plaintiffs claimed that Uber did not receive the full extent of the information from Uber on that matter. However, the court considered that the plaintiffs' requests on this matter was too vague. The plaintiffs' claim that the information was incomprehensible due to lack of information was insufficient in the court's eyes. The request was rejected.
- Upfront pricing system: the plaintiffs requested an explanation of how the upfront pricing system works and how the algorithm calculates the price. The court considered that only one plaintiff (currently still an employee) was subjected to this new system. Therefore the others could not request information on this system under Article 15 GDPR as it did not concern their personal data.
- Information about automated decision-making and profiling (Article 15(1)(h) GDPR): The court agreed with Uber's argument that it does not use automated decision-making within the meaning of Article 22. The court outlined that, whilst it is agreed by the parties that automated decisions are made by Uber, these do not fall within the requirements of Article 22 as there was not legal or otherwise significant effects on the data subject. This was the case even if the batched matching system and upfront pricing systems have some impact on the performance of the agreement between Uber and the driver. Therefore, the court rejected the request for further information under Article 15(1)(h).
- Request for additional information: As Uber provided further information on processing purposes, categories of data, recipients of data, retention periods and appropriate safeguards applied if transferred to third countries in its defense, the court considered that the question was already resolved.
The request to transfer data in a CSV file (data portability)[edit | edit source]
The court established (or "assumed") based on the EDPB guidelines that data that the controller has derived from the data provided by the data subject falls outside of the scope of Article 20 GDPR. The data that falls under Article 20 is less than under Article 15 GDPR. The court also considered that the format of the data provided under Article 20 must be "interpretrable and provide the data subject with the greatest possible degree of data portability". This could be any common public formats such as XML, JSON or CSV.
The court found that there is no automatic obligation to provide the data in a CSV file or by means of an API as argued by the plaintiffs. The court held that Uber did provide personal data in a format that allows transmission of the data to another data controller, except where Uber sent PDF files. The court therefore confirmed that PDF files do not constitute the correct format for the purpose of Article 20 as it is not structured or descriptive enough for the reuse of the data. However, the court considered that there was no reason to order Uber to provide the data ("zendesk" tickets; driver complaints; and invoices) that was provided in the PDF format in a CSV format as these data did not fall within the scope of Article 20 (not provided data by the data subject).
This request under Article 20 was therefore rejected.
Conclusion[edit | edit source]
The court considered that Uber only had to provide access to personal data regarding the individual ratings in an anonymised format (as mention above). The rest of the requests under Article 15 GDPR were rejected.
No penalty was imposed.
Comment[edit | edit source]
Share your comments here!
Further Resources[edit | edit source]
See Ekker Law for a brief summary, unofficial translations and the connected Uber decision.
English Machine Translation of the Decision[edit | edit source]
The decision below is a machine translation of the Dutch original. Please refer to the Dutch original for more details.