Italian DPA’s €5M fine against Glovo marks milestone for workers’ rights
The Italian data protection authority (DPA) recently fined Foodinhio, a subsidiary of Glovo, €5 million for serious breaches of the General Data Protection Regulation (GDPR) and labour law. This decision sets a milestone for the use of the GDPR to protect workers' rights across Europe.
Seeking European Partners to Amplify Impact
We are reaching out to partners across Europe, particularly trade unions and other organisations concerned with workers’ rights and privacy. Our strategy is to work with organisations in the countries where Glovo operates – for example, Germany, Spain, Romania, Portugal, Serbia and Croatia – as each of these countries can use the Italian decision without having to repeat the investigation and enforce new remedies if the data protection authorities find that Glovo subsidiaries have violated their labour laws.
We believe that this decision could facilitate future actions in the EU. Together, labour laws and GDPR can challenge unfair practices and strengthen protections for gig economy workers, but also for anyone else forced to use closed-source applications, invasive surveillance and other problematic practices in their workplace. Read more to understand the findings and the tools adopted.
A Landmark Victory for GDPR in Protecting Labour Rights
The Italian data protection authority (DPA) recently fined Foodinhio, a subsidiary of Glovo, €5 million for serious breaches of the General Data Protection Regulation (GDPR) and labour law. This decision sets a milestone for the use of the GDPR to protect workers’ rights across Europe. The decision is exemplary for several reasons:
- The violation of Article 22 GDPR on the gamification of work shifts, dismissals without an appeal mechanism, and how biased rankings should not be used to classify and organise workers.
- Illegality of using biometric data without adequate compliance measures.
- Monitoring of workers’ movements when the application is in background mode, outside working hours. This was discovered by pretending to be a worker (a food delivery courier) and using a special version of the Android mobile operating system to inspect the hidden behaviour of the application.
- Sharing workers’ movements and activities with undisclosed third parties: found using sophisticated network traffic analysis, probably not even performed by the company until investigators asked the reason for such a data breach.
The Glovo app is offered to the subsidiary operating in the member state. The authority’s investigation revealed a pletora of different problems and also confirmed our technical discovery (see our presentation at the Chaos Communication Congress 2023). Now privacy authorities in other member states could use the same investigation and findings to see if this is also illegal in their country.
They’re not obliged to do so, so we need your help: as a trade union, as a workers’ collective, as a digital rights NGO, or as an activist that know how to shape the right email. Pressure your DPA to read the Italian DPA decision ([10074601], Registro dei provvedimenti n.675 del 13 novembre 2024).
Reverse Engineering: An Effective Tool for Accountability
Reversing.Works, played a crucial role in uncovering points 3 and 4, as well as pointing out other problems.
It’s a rare success due to the technical complexity, and these abuses have gone unchecked for a long time. We have solid evidence that similar problems exist in many other applications.
These behaviours can be dangerously more common than a simple mistake because the mobile app ecosystem is designed to benefit surveillance capitalism and most of the default settings for app developers are incompatible with workers’ rights.
Reverse engineering has proven to be an effective technique for exposing unethical practices by platforms like Glovo. This method should be adopted by trade unions and NGOs focused on platform accountability, and it requires appropriate legal protections to protect those who use it.
The cost of such research is quite high, so we’re working to make such analysis easier, but not only that. Here we invite you to join us in a legal, Europe-wide strategy to reinforce this victory in other member states.
Join Us: Collaborate and Take Action
We invite all interested individuals and organizations to collaborate with us. If you’re keen to challenge unfair digital labour practices, please contact us through this online form.
And if you simply want to support this cause, we encourage you to:.
- Contact trade unions and NGOs involved in protecting workers’ rights.
- Engage with policy makers involved in the transposition of the Platform Directive into national law.
- Advocate for the protection of reverse engineering as a legitimate tool for holding companies to account.
The overwhelming power of surveillance capitalism demands innovative and courageous ideas. Only through collective effort can we establish new protections for workers in the gig economy and beyond.
A united front against the digital abuse of workers
The strength of surveillance capitalism is tremendously overwhelming, and only by uniting can we make a difference. We need to support innovative approaches like reverse engineering to hold platforms accountable.
Let’s work together to ensure that labour laws keep pace with technological advancements. Your involvement is crucial in turning the tide against unfair practices in the gig economy.
- Data Protection Authority Press Release, Reversing Works Press Release
- Technical Presentation at Chaos Communication Congress 2023
- Mobile reverse engineering to empower the gig economy workers and labor unions
- Research Published by the European Trade Union Institute
- Exercising workers’ rights in algorithmic management systems
- Italian Article, Spanish Article, German Article, English Article.