Uber latest: GDPR and personal data access requests

Uber drivers asserting their GDPR rights may uncover information that could be deployed in ongoing employment status disputes

Uber is being challenged again, this time in relation to its handling of its drivers’ personal data. The minicab app giant has been beset by litigation over the past few years, with particular pressure on whether its drivers are self-employed contractors within the gig economy (as Uber contends) or workers with a wider range of employment rights. Only this week Uber drivers in the UK and US went on strike to demand better pay and conditions, timed deliberately to coincide with Uber’s listing on the New York Stock Exchange.

Some of those drivers – including two of the claimants in Uber’s recent loss in the Court of Appeal on the employment status of its drivers – are now asserting their right under the General Data Protection Regulation (GDPR) to access personal data they say Uber holds about them. Uber has already disclosed some information, but the drivers want access to the ratings given to them by customers, GPS tracing data and other driver profiling information, as part of the battle to define the edges of the gig economy. While right of access requests under the GDPR have become a common feature of employment disputes, this is one of the first examples of GDPR being used within that ongoing campaign.

Right of access requests under Article 15 of the GDPR provide individuals with the ability to know whether personal data about them is being processed by a data controller, and if so what that information is and why it is being processed. The individual is entitled to a copy of the personal data in question, which can often throw up further issues or add fuel to pre-existing grievances – think emails sent between a frustrated line manager and an unsympathetic member of HR.

It is difficult to see how Uber could justify refusing access to drivers’ own personal data. While both the GDPR and the UK’s Data Protection Act 2018 contain exemptions, these mostly focus on questions of public interest, such as the investigation of crime or the maintenance of effective regulatory regimes.

Some of those exemptions might at first blush appear open to Uber – for example, personal data does not need to be disclosed where it relates to negotiations, or in respect of corporate financing. But any exemptions are heavily qualified and it looks unlikely that any of the exemptions would justify a total refusal to provide access.

If Uber continues to refuse both the Information Commissioner’s Office (ICO) and the courts could be approached to force it to comply. The ICO is increasingly willing to impose regulatory fines, and recently has even obtained a criminal conviction after prosecuting a housing developer for ignoring a right of access request.

Of course, the GDPR issue does not directly relate to the continued tension between Uber’s business model and its drivers’ complaints about their terms and conditions. The right of access does not depend on whether someone is an employee, a worker or self-employed. But use of the GDPR may reveal information that could then be deployed in litigation, or uncover material that broadens the scope of any dispute.

It provides a salutary reminder of the range of tactics available for individuals in tribunal or other proceedings, whether in the gig economy or against an employer. Avoiding a casual approach to data protection, and careful and proper handling of right of access requests, are increasingly going to be required if claims are to be managed effectively. Failure to do so will not only create risks within litigation, but could also lead to poor PR – as seems to be the case for Uber.

John Goss is a barrister at 5 Essex Court