On July 5, 2021, the Italian Supervisory Authority (“Garante”) announced that it has fined Foodinho S.r.l. (“Foodinho”) 2.6 million EUR for its use of performance algorithms in connection with its employees. The authority held Foodinho in breach of the principles of transparency, security, privacy by default and by design, and held it responsible for not implementing suitable measures to safeguard its employees’ (i.e., riders’) rights and freedoms against discriminatory automated decision making. The Garante’s decision is the first of its kind in the realm of the algorithmic management of gig workers. According to the Garante, Foodinho’s management violated Article 22(3) of the GDPR.

In its decision, the Garante explains that Foodinho carries out two types of automated processing activities: one within the framework of the “excellency system”; the other as part of the system that assigns orders using an internal algorithm known as “Jarvis”. According to the Garante’s decision:

  • The “excellency system” is the internal scoring system that Foodinho uses to assign delivery slots to its riders (usually, one-hour time slots). Foodinho assigns each rider a score through the “excellency system”. Riders with higher scores are prioritized in the assignment of delivery slots. In practice, this causes the “less excellent” riders to be excluded from slot assignment if all available delivery slots are already taken up by the “more excellent” riders. The “excellency score” is assigned through an automated mathematical formula mostly based on feedback from customers and business partners and delivery rates. However, negative feedback carries more weight than positive feedback and the system penalizes riders who do not reach certain delivery thresholds.
  • The algorithm used to assign orders (“Jarvis”) uses data including the riders’ geographical positions taken from their GPS device, the pick-up location, delivery address, specific order requirements, and the type of vehicle used by the rider. Jarvis processes this data and assigns orders on a fully automated basis. However, Foodinho did not clarify to the Garante precisely how this algorithm interacts with the excellency system.

The Garante held that Foodinho violated Article 22(3) of the GDPR for the following reasons:

  1. First, because Foodinho made decisions about its riders based solely on automated decision making, by analyzing or predicting aspects of their professional performance, behavior, and their location and movements. The decisions taken on the basis of this data significantly affected the riders, including by excluding some riders from work opportunities (i.e., delivery slot assignment).
  2. Next, because Foodinho did not adopt any measures that would allow the riders to exercise their rights (e.g., the activation of dedicated channels such as chats or emails, etc.) nor did it inform the riders of the possibility to exercise such rights.
  3. Lastly, because Foodinho did not adopt any technical and organizational measures aimed at periodically verifying the accuracy of the results of its algorithmic system, nor the accuracy, relevance, and adequacy of the data used by this system in relation to the purposes pursued. In addition, Foodinho did not adopt measures aimed at reducing the risk of distorted or discriminatory effects in the context of both the scoring system (i.e., the excellency system) – where feedback accounts for 20% of the total score – and the orders assigning system (i.e., Jarvis) – where riders receive fewer work opportunities in case of low or sporadic deliveries.

The Garante ordered Foodinho to make certain changes to the way it operates in the market within 60 days of being notified of the decision. Specifically, the Garante ordered Foodinho to:

  • bring its processing operations into compliance with the GDPR;
  • identify the necessary measures to protect the rights and freedoms of its riders against decisions taken solely by automated means, including profiling, and to guarantee the riders the right to obtain human intervention by the controller, to express their opinion and contest the decisions taken;
  • verify periodically the accuracy and relevance of the data generated by its algorithms; and
  • identify the measures necessary to prevent the improper or discriminatory use of reputational mechanisms based on customers and business partners’ feedback, and to repeat this exercise every time the algorithm is modified.

Foodinho is required to brief the Garante on the measures taken pursuant to these orders within 90 days from the notification.

In addition to violating Article 22(3) of the GDPR, the Garante found Foodinho in breach of Articles 5(1)(a) (c) and (e); 13; 25; 30(1)(a), (b), (c), (f) and (g); 32; 35; 37(7); and 88 of the GDPR and Article 144 of the Italian Privacy Code. The authority published an English language summary of these findings on its website.

Print:
Email this postTweet this postLike this postShare this post on LinkedIn
Photo of Helena Milner-Smith Helena Milner-Smith

Helena Milner-Smith helps companies navigate complex international HR-legal compliance issues.

Helena advises clients across a range of industries on all aspects of UK and international employment law, including the HR aspects of privacy compliance and human rights regulation.

Helena has particular expertise advising…

Helena Milner-Smith helps companies navigate complex international HR-legal compliance issues.

Helena advises clients across a range of industries on all aspects of UK and international employment law, including the HR aspects of privacy compliance and human rights regulation.

Helena has particular expertise advising on the HR-legal aspects of multi-jurisdictional transactions. She also regularly assists clients seeking to protect their business and increase international compliance by designing and implementing global policies, employment contracts and restrictive covenants.

Helena has been recognised by Legal 500 UK for her “exceptional service” and “responsive and practical” advice.

In addition, Helena has gained valuable in-house experience while on secondment at three large multinational corporations – a pharmaceutical company, an oil company and a leading investment bank

Giulia Romana Mele

Working on life sciences and data protection issues, Giulia Romana Mele supports pharmaceutical, food, and biotech companies in EU and Italian regulatory compliance, and assists clients in negotiating a rapidly-changing regulatory landscape affecting the use of existing and new technologies.

Giulia helps emerging…

Working on life sciences and data protection issues, Giulia Romana Mele supports pharmaceutical, food, and biotech companies in EU and Italian regulatory compliance, and assists clients in negotiating a rapidly-changing regulatory landscape affecting the use of existing and new technologies.

Giulia helps emerging and leading companies in the life sciences industry achieving their regulatory and commercial goals, identifying potential issues and developing risk-minimization solutions.

She further provides strategic advice to global companies on complying with EU, UK, and Italian data protection laws, with a focus on emerging issues in the AdTech environment.

Photo of Dan Cooper Dan Cooper

Daniel Cooper is co-chair of Covington’s Data Privacy and Cyber Security Practice, and advises clients on information technology regulatory and policy issues, particularly data protection, consumer protection, AI, and data security matters. He has over 20 years of experience in the field, representing…

Daniel Cooper is co-chair of Covington’s Data Privacy and Cyber Security Practice, and advises clients on information technology regulatory and policy issues, particularly data protection, consumer protection, AI, and data security matters. He has over 20 years of experience in the field, representing clients in regulatory proceedings before privacy authorities in Europe and counseling them on their global compliance and government affairs strategies. Dan regularly lectures on the topic, and was instrumental in drafting the privacy standards applied in professional sport.

According to Chambers UK, his “level of expertise is second to none, but it’s also equally paired with a keen understanding of our business and direction.” It was noted that “he is very good at calibrating and helping to gauge risk.”

Dan is qualified to practice law in the United States, the United Kingdom, Ireland and Belgium. He has also been appointed to the advisory and expert boards of privacy NGOs and agencies, such as Privacy International and the European security agency, ENISA.