Amsterdam Judgement concerning GDPR access request and rights of driver data processed via a smartphone app

29 Mar 2021

Background

A recent Judgment of the Amsterdam District Court (11 March 2021) addressed data access requests covering personal data processed by Ola’s Driver App. The case also involved transfer of data to Worker Info Exchange (WIE), a non-profit organization whose goal is to provide information economy employees with access to personal data collected about them during their work and App Drivers & Couriers Union for the purposes of setting up a data trust.

The Court ultimately ordered access to certain data and rejected other claims, which were not sufficiently established by the applicants. Below a summary of key aspects of the Court’s reasoning concerning data access and other rights pursuant to the GDPR.

Interest of access and abuse of rights

A data subject does not in principle have to motivate or substantiate why he or she is making a request for access under the GDPR. In exercising his or her right of access, the data subject does not have to show any particular interest or state the goal that he or she wants to achieve. The mere fact that data about them is being processed is sufficient. This does not mean that a request for access can never constitute anabuse of power, which could be the case if the right is only used for a purpose other than checking whether personal data are processed correctly and lawfully.In this case, the Court accepted the ground of verifying the lawfulness of processing and the exercise of data protection rights as sufficient, as it was not established that access was intendedto serve exclusively an ulterior purpose.

Detail and specificity of the access request

In principle, the right of access under the GDPR is unconditional. Under certain circumstances, further requirements may be imposed on a request for access. Where a controller processes a large amount of data concerning the data subject, pursuant to Recital 63 GDPR, the controller may request the data subject, prior to the provision of information, to specify which information or which processing activities the request relates to.

In this case, the applicants argued their access request on the general basis of the principle of transparency. The Court found that requesting access to all personal data processed by the controller, relying on the principle of transparency, was not sufficient, as the controller processes a large quantity of data and had already provided data to the applicants. The applicants’ request was therefore deemed too general, not sufficiently specific and was rejected as such.

Data format required

The applicants made a request to receive their personal data falling under the right to data portability (article 20 GDPR) in the form of a CSV file, or by means of an API or a TTP, so that the data could be transferred to the WIE database. Article 20 GDPR only requires a format that is machine-readable, allowing interoperability of data. In referring to the Article 29 Working Party’s Guidelines on the right to data portability and Directive (EU) 2013/37, the Court recalls that in the absence of a specific industry format, common public formats, such as XML, JSON and CSV, can be assumed and that “machine readable” entails a file format structured in such a way that software applications can easily identify, recognize and extract specific data, including individual factual statements.

The Court however concludes that article 20 GDPR does not automatically impose an obligation to provide personal data in a CSV file or by means of an API.

Customer transactions, booking cancellation history and booking acceptance history

The applicants also required access to the categories of data“customer transactions, booking cancellation history and booking acceptance history”, which they deemed not adequately provided by the data controller, given that other relevant data was missing.

The Court rejected this claim on grounds that relevant data was in fact available, while passengers’ details were not provided in accordance with their data protection rights. The Court also noted that those data are not relevant for the assessment of the lawfulness of processing.

Ratings

A rating or assessment of a driver constitutes personal data within the meaning of Article 4(1) GDPR, asit constitutes information linked to a specific person because of its content, and may bereasonably identifiable. The data controller must therefore provide access to the requested rating data insofar as this data cannot be viewed in the application, subject to the conditions that the passengers’ data protection rights are respected (for instance, by providing data in an anonymous form).

Automated decision-making and profiling

Concerning requests of data relating to fraud probability scores, earning profiles, imposing discounts and fines, the Court found that these practices fall within the scope of article 22 GDPR, constituting automated decision-making practices and in the case of earning profiles, profiling.

The Court therefore concludes that the data controller must provide the applicants with information concerning the choices made, data used and assumptions on the basis of which the automated decision is made transparent and verifiable. It must also communicate the main assessment criteria and their role in the automated decision, to allow the applicants to understand the criteria on the basis of which the decisions were taken and enable them to check the correctness and lawfulness of processing.