Italy’s DPA fines Glovo-owned Foodinho $3M, orders changes to algorithmic management of riders

Algorithmic management of gig workers has landed Glovo-owned, on-demand delivery firm Foodinho in trouble in Italy where the country’s data protection authority issued a €2.6 million penalty (~$3M) yesterday after an investigation found a laundry list of problems.

The delivery company has been ordered to make a number of changes to how it operates in the market, with the Garante’s order giving it two months to correct the most serious violations found, and a further month (so three months total) to amend how its algorithms function — to ensure compliance with privacy legislation, Italy’s workers’ statute and recent legislation protecting platform workers.

One of the issues of concern to the data watchdog is the risk of discrimination arising from a rider rating system operated by Foodinho — which had some 19,000 riders operating on its platform in Italy at the time of the Garante’s investigation.

Likely of relevance here is a long-running litigation brought by riders gigging for another food delivery brand in Italy, Foodora, which culminated in a ruling by the country’s Supreme Court last year that asserted riders should be treated as having workers rights, regardless of whether they are employed or self-employed — bolstering the case for challenges against delivery apps that apply algorithms to opaquely micromanage platform workers’ labor.

In the injunction against Foodinho, Italy’s DPA says it found numerous violations of EU privacy legislation — including GDPR principles of transparency, notification, lawfulness of processing, security, privacy by design and more [an English extract of the injunction has now been published here] — as well as a risk of discrimination against gig workers based on how Foodinho’s booking and assignments algorithms function, in addition to flagging concerns over how the system uses ratings and reputational mechanisms as further levers of labor control.

Article 22 of the European Union’s General Data Protection Regulation (GDPR) provides protections for individuals against being solely subject to automated decision-making including profiling where such decisions produce a legal or similarly substantial effect (and access to paid work would meet that bar) — giving them the right to get information on a specific decision and object to it and/or ask for human review.

But it does not appear that Foodinho provided riders with such rights, per the Garante’s assessment.

In a press release about the injunction (which we’ve translated from Italian with Google Translate), the watchdog writes:

“The Authority found a series of serious offences, in particular with regard to the algorithms used for the management of workers. The company, for example, had not adequately informed the workers on the functioning of the system and did not guarantee the accuracy and correctness of the results of the algorithmic systems used for the evaluation of the riders. Nor did it guarantee procedures to protect the right to obtain human intervention, express one’s opinion and contest the decisions adopted through the use of the algorithms in question, including the exclusion of a part of the riders from job opportunities.

“The Guarantor has therefore required the company to identify measures to protect the rights and freedoms of riders in the face of automated decisions, including profiling.

The watchdog also says it has asked Foodinho to verify the “accuracy and relevance” of data that feeds the algorithmic management system — listing a wide variety of signals that are factored in (such as chats, emails and phone calls between riders and customer care; geolocation data captured every 15 seconds and displayed on the app map; estimated and actual delivery times; details of the management of the order in progress and those already made; customer and partner feedback; remaining battery level of device etc.).

“This is also in order to minimize the risk of errors and distortions which could, for example, lead to the limitation of the deliveries assigned to each rider or to the exclusion itself from the platform. These risks also arise from the rating system,” it goes on, adding: “The company will also need to identify measures that prevent improper or discriminatory use of reputational mechanisms based on customer and business partner feedback.”

Glovo, Foodinho’s parent entity — which is named as the owner of the platform in the Garante’s injunction — was contacted for comment on the injunction.

A company spokesperson told us they were discussing a response, so we’ll update this report if we get one.

Update: Glovo has now sent this statement:

“In light of the decision taken by the Italian Data Protection Authority, regarding the processing of courier data through our application, our legal team is currently evaluating next steps and assessing all available options, including an appeal. We are committed to maintaining the privacy and trust of our couriers and we use a range of measures to ensure that the results of our processes are fair and that all personal data is safe and secure. We take compliance with data protection regulations very seriously and will improve any of our processes that are considered to not be fair or equitable.”

Glovo acquired the Italian food delivery company Foodinho back in 2016, making its first foray into international expansion. The Barcelona-based business went on to try to build out a business in the Middle East and LatAm — before retrenching back to largely focus on Southern and Eastern Europe. (In 2018 Glovo also picked up the Foodora brand in Italy, which had been owned by German rival Delivery Hero.)

The Garante says it collaborated with Spain’s privacy watchdog, the AEDP — which is Glovo’s lead data protection supervisor under the GDPR — on the investigation into Foodinho and the platform tech provided to it by Glovo.

Its press release also notes that Glovo is the subject of “an independent procedure” carried out by the AEPD, which it says it’s also assisting with.

The Spanish watchdog confirmed to TechCrunch that joint working between the AEPD and the Garante had resulted in the resolution against the Glovo-owned company, Foodinho.

The AEPD also said it has undertaken its own procedures against Glovo, pointing to a 2019 sanction related to the latter not appointing a data protection officer, as is required by the GDPR. The watchdog later issued Glovo with a fined of €25,000 for that compliance failure.

However it’s not clear why the AEDP has seemingly not taken a deep dive look at Glovo’s own compliance with the Article 22 of the GDPR. (We’ve asked it for more on this and will update if we get a response.)

It did point us to recently published guidance on data protection and labor relations, which it worked on with Spain’s Ministry of Labor and the employers and trade union organizations, and which it said includes information on the right of a works council to be informed by a platform company of the parameters on which the algorithms or artificial intelligence systems are based — including “the elaboration of profiles, which may affect the conditions, access and maintenance of employment”.

Earlier this year the Spanish government agreed upon a labor reform to expand the protections available to platform workers by recognizing platform couriers as employees.

The amendments to the Spanish Workers Statute Law were approved by Royal Decree in May but aren’t due to start being applied until the middle of next month, per El Pais.

Notably, the reform also contains a provision that requires workers’ legal representatives to be informed of the criteria powering any algorithms or AI systems that are used to manage them and which may affect their working conditions — such as those affecting access to employment or rating systems that monitor performance or profile workers. And that additional incoming algorithmic transparency provision has evidently been factored into the AEPD’s guidance.

So it may be that the watchdog is giving affected platforms like Glovo a few months’ grace to allow them to get their systems in order for the new rules.

Spanish labor law also of course remains distinct to Italian law, so there will be ongoing differences of application related to elements that concern delivery apps, regardless of what appears to be a similar trajectory on the issue of expanding platform workers rights.

Back in January, for example, an Italian court found that a reputation-ranking algorithm that had been used by another on-demand delivery app, Deliveroo, had discriminated against riders because it had failed to distinguish between legally protected reasons for withholding labour (e.g., because a rider was sick; or exercising their protected right to strike) and other reasons for not being as productive as they’d indicated they would be.

In that case, Deliveroo said the judgment referred to a historic booking system that it said was no longer used in Italy or any other markets.

More recently, a tribunal ruling in Bologna found a Collective Bargaining Agreement signed by AssoDelivery, a trade association that represents a number of delivery platforms in the market (including Deliveroo and Glovo), and a minority union with far-right affiliations, the UGL trade union, to be unlawful.

Deliveroo told us it planned to appeal that ruling.

The agreement attracted controversy because it seeks to derogate unfavorably from Italian law that protects workers and the signing trade body is not representative enough in the sector.

Zooming out, EU lawmakers are also looking at the issue of platform workers rights — kicking off a consultation in February on how to improve working conditions for gig workers, with the possibility that Brussels could propose legislation later this year.

However platform giants have seen the exercise as an opportunity to lobby for deregulation — pushing to reduce employment standards for gig workers across the EU. The strategy looks intended to circumvent or at least try to limit momentum for beefed up rules coming a national level, such as Spain’s labor reform.