Italy: Foodinho delivery service must pay €5 million fine
The Foodinho delivery service must pay a €5 million fine in Italy after unlawfully processing the personal data of thousands of delivery workers. The Italian data protection authority (Garante per la protezione dei dati personali) has imposed the penalty.
Foodinho is a food delivery service that is part of the Glovo group. Based in Spain, Glovo was itself bought by the German company Delivery Hero in 2022.
As the Italian data watchdog announced last Friday, the company unlawfully processed personal data belonging to more than 35,000 “riders,” as its delivery workers are known.
The authority determined that Foodinho recorded its riders’ location data and shared it with third-party companies – without informing the riders themselves. As a rule, delivery workers who work for delivery services like Foodinho use a smartphone app which assigns them orders. According to Italy’s data protection authority, the app also collected and shared location data when the riders weren’t working.
The authority has now ordered the company to redesign the app to include a symbol that indicates that the user’s location data is being actively collected. In the future, if the app is running in the background, collection of location data must be deactivated.
Additional GDPR violations
The authority also determined that the company employed automated systems to assign a so-called “Excellence Score” to riders. Based on this metric, riders might be given preference in receiving certain shift assignments – but the practice did not follow the guidelines of the EU’s General Data Protection Regulation (GDPR). For one, riders were not able to request a review of their score by a human evaluator.
The Italian authority also barred Foodinho from using facial recognition technology to process its workers’ biometric data for identify verification purposes. The company had used such a procedure since July 2022.
The delivery service must also revise the notifications that it sends to workers to alert them that their account has been deactivated or locked – previously, these notices did not provide workers with options to dispute the decision or restore access to their account.
Criticism of the rider app
The Italian data watchdog launched its investigation in the wake of media reports and investigations by IT experts. In 2022, media reported on a rider who was killed in a traffic accident during his shift – the following day, the company sent him a termination notice by email, stating that he had violated the company’s terms and conditions. Riders reportedly receive such notifications when they fail to complete deliveries.
Experts at Algorithm Watch also investigated the Foodinho rider app and found several data privacy infringements. The 2023 investigation showed that the app collected location data from riders even when they weren’t working – and shared this data, together with “personal and identifiable information,” with Google and other third parties.
Experts cheered the Italian authority’s decision, calling it a success for worker rights in the gig economy.
Earlier fines for data privacy violations
Italy’s data protection authority first fined Foodinho in July 2021 to the tune of €2.6 million. At the time the authority sanctioned the company for employing algorithms to assign orders without ensuring their accuracy or fairness. The automated decision-making process could result in riders being assigned no orders at all – but riders themselves were unable to request an evaluation of the process.
Companies use similar technologies in other countries as well: in the UK, for example, a delivery worker successfully sued Uber Eats after the facial recognition feature in the company’s driver app repeatedly failed to recognize him – and locked him out of his account.
The EU recently adopted a new directive “on improving conditions in platform work.” The measure includes regulations on the use of algorithms. Member states now have two years to incorporate the directive in their national legislation. (js)