On July 5, 2021, the Italian Supervisory Authority (“Garante”) announced that it has fined Foodinho S.r.l. (“Foodinho”) 2.6 million EUR for its use of performance algorithms in connection with its employees. The authority held Foodinho in breach of the principles of transparency, security, privacy by default and by design, and held it responsible for not implementing suitable measures to safeguard its employees’ (i.e., riders’) rights and freedoms against discriminatory automated decision making. The Garante’s decision is the first of its kind in the realm of the algorithmic management of gig workers. According to the Garante, Foodinho’s management violated Article 22(3) of the GDPR.

In its decision, the Garante explains that Foodinho carries out two types of automated processing activities: one within the framework of the “excellency system”; the other as part of the system that assigns orders using an internal algorithm known as “Jarvis”. According to the Garante’s decision:

  • The “excellency system” is the internal scoring system that Foodinho uses to assign delivery slots to its riders (usually, one-hour time slots). Foodinho assigns each rider a score through the “excellency system”. Riders with higher scores are prioritized in the assignment of delivery slots. In practice, this causes the “less excellent” riders to be excluded from slot assignment if all available delivery slots are already taken up by the “more excellent” riders. The “excellency score” is assigned through an automated mathematical formula mostly based on feedback from customers and business partners and delivery rates. However, negative feedback carries more weight than positive feedback and the system penalizes riders who do not reach certain delivery thresholds.
  • The algorithm used to assign orders (“Jarvis”) uses data including the riders’ geographical positions taken from their GPS device, the pick-up location, delivery address, specific order requirements, and the type of vehicle used by the rider. Jarvis processes this data and assigns orders on a fully automated basis. However, Foodinho did not clarify to the Garante precisely how this algorithm interacts with the excellency system.

The Garante held that Foodinho violated Article 22(3) of the GDPR for the following reasons:

  1. First, because Foodinho made decisions about its riders based solely on automated decision making, by analyzing or predicting aspects of their professional performance, behavior, and their location and movements. The decisions taken on the basis of this data significantly affected the riders, including by excluding some riders from work opportunities (i.e., delivery slot assignment).
  2. Next, because Foodinho did not adopt any measures that would allow the riders to exercise their rights (e.g., the activation of dedicated channels such as chats or emails, etc.) nor did it inform the riders of the possibility to exercise such rights.
  3. Lastly, because Foodinho did not adopt any technical and organizational measures aimed at periodically verifying the accuracy of the results of its algorithmic system, nor the accuracy, relevance, and adequacy of the data used by this system in relation to the purposes pursued. In addition, Foodinho did not adopt measures aimed at reducing the risk of distorted or discriminatory effects in the context of both the scoring system (i.e., the excellency system) – where feedback accounts for 20% of the total score – and the orders assigning system (i.e., Jarvis) – where riders receive fewer work opportunities in case of low or sporadic deliveries.

The Garante ordered Foodinho to make certain changes to the way it operates in the market within 60 days of being notified of the decision. Specifically, the Garante ordered Foodinho to:

  • bring its processing operations into compliance with the GDPR;
  • identify the necessary measures to protect the rights and freedoms of its riders against decisions taken solely by automated means, including profiling, and to guarantee the riders the right to obtain human intervention by the controller, to express their opinion and contest the decisions taken;
  • verify periodically the accuracy and relevance of the data generated by its algorithms; and
  • identify the measures necessary to prevent the improper or discriminatory use of reputational mechanisms based on customers and business partners’ feedback, and to repeat this exercise every time the algorithm is modified.

Foodinho is required to brief the Garante on the measures taken pursuant to these orders within 90 days from the notification.

In addition to violating Article 22(3) of the GDPR, the Garante found Foodinho in breach of Articles 5(1)(a) (c) and (e); 13; 25; 30(1)(a), (b), (c), (f) and (g); 32; 35; 37(7); and 88 of the GDPR and Article 144 of the Italian Privacy Code. The authority published an English language summary of these findings on its website.

Print:
EmailTweetLikeLinkedIn
Photo of Helena Milner-Smith Helena Milner-Smith

Helena Milner-Smith helps clients navigate international HR-legal compliance issues. Her practice includes implementing global employment contracts, policies and codes of business conduct, managing multi-country reviews and projects, advising on the employment aspects of large-scale corporate reorganisations, handling disciplinary and grievance matters and dismissals…

Helena Milner-Smith helps clients navigate international HR-legal compliance issues. Her practice includes implementing global employment contracts, policies and codes of business conduct, managing multi-country reviews and projects, advising on the employment aspects of large-scale corporate reorganisations, handling disciplinary and grievance matters and dismissals, and negotiating settlement agreements. She has successfully defended clients in the UK employment tribunal. Ms. Milner-Smith has also gained valuable in-house experience while on secondment at three large multinational corporations, including a pharmaceutical company.

Photo of Dan Cooper Dan Cooper

Daniel Cooper heads up the firm’s growing Data Privacy and Cybersecurity practice in London, and counsels clients in the information technology, pharmaceutical research, sports and financial services industries, among others, on European and UK data protection, data retention and freedom of information laws…

Daniel Cooper heads up the firm’s growing Data Privacy and Cybersecurity practice in London, and counsels clients in the information technology, pharmaceutical research, sports and financial services industries, among others, on European and UK data protection, data retention and freedom of information laws, as well as associated information technology and e-commerce laws and regulations. Mr. Cooper also regularly counsels clients with respect to Internet-related liabilities under European and US laws. Mr. Cooper sits on the advisory boards of a number of privacy NGOs, privacy think tanks, and related bodies.