The Italian data protection authority issued a € 2.5 million fine against a food delivery company for GDPR violations arising from its riders’ data processing.
The challenges and grey areas that led to the Italian GDPR fine against the food delivery company
The Italian privacy authority, the Garante, contested, among others, the following violations by the food delivery company:
- Insufficient detail, in the privacy notice provided to riders, on how data concerning riders’ geographical position is processed ⚠️ It is unclear, however, what benefit the riders would have gained from knowing that their position was being tracked every 12 seconds;
- No precise indication of retention periods and, in particular, no determination of the term and no assessment of whether the retention period is adequate ⚠️ The question that arises is whether this adequacy assessment can still be performed in the pleadings filed in the course of the proceedings;
- No description of the logic of the algorithm through which the rider management app operates, and no measures adopted to guarantee the accuracy of the algorithmic results. In this context, compliance with article 4 of the Italian Workers’ Statute, referred to by the Privacy Code, was also contested on the grounds of the absence of safeguards to protect workers, the failure to carry out a DPIA, and the excessive access to rider data by operators ⚠️ The difficulty with the operation of algorithms stems from the need to balance transparency against the need not to disclose information that would allow the algorithm’s logic to be circumvented. Besides, if the DPIA had been provided as part of the proceedings, would the penalty have been reduced?
- Missing information in the record of processing activities, including the date of adoption, the date of the last update, and its execution ⚠️ Would businesses be helped if the Garante adopted a template for the record of processing activities?
In addition, the inspection at the company took place in 2019, but the proceedings have lasted until now. This timeframe is well beyond the maximum duration of administrative proceedings and will certainly be an argument the company raises in any appeal.
Finally, there is no clear guidance on the criteria used to calculate the € 2.5 million sanction. If proceedings before the data protection authority can last three years and companies have no clear criteria for calculating the potential fine, it is unclear how companies can determine a possible balance sheet reserve, the information to be given to investors, and their own strategy and business risk.
My view on the food delivery case
This is the second large fine issued by the Italian data protection authority against a food delivery company. The objections above present grey areas concerning the level of compliance the Garante requires.
Privacy rules are based on general principles. But they also need to respect the general rule of certainty of legal obligations, which must in turn be feasible from a financial and business perspective.
Besides, some EU data protection authorities do not issue fines if the contested breaches are cured between the challenged violation and the closure of the proceedings. This approach would better protect individuals’ privacy rights, rather than merely punishing companies when individuals suffered no actual harm. Indeed, unlike the previous regime, the GDPR grants a high level of flexibility in determining applicable fines, and I believe that data protection authorities should make better use of it.
On a similar topic, you can read “€ 2.6M GDPR fine for privacy breaches performed through the algorithm of a food delivery company”.