A five million euros fine and corrective measures imposed by the Data Protection Authority today
Milan, 22 November 2024 – Reversing.Works, an innovative project dedicated to exposing abuses within gig economy platforms, uncovered significant labour law violations within Glovo’s algorithmic management system and provided critical evidence for an investigation by the Italian Data Protection Authority. After a year-long investigation, the DPA fined Glovo 5 Million €, and demanded corrective action from the platform. A success for the protection of workers in the gig economy. Below we explain the rarity of such an event and the backstory that led to this multidisciplinary success.
Glovo’s Privacy Violations: Exploiting Workers in the Gig Economy
Glovo’s algorithmic management system was found to have misused workers’ personal data in ways that violated labour law, including monitoring workers’ movements outside of their work shifts, keeping hidden scores on workers, and sending detailed monitoring of their work to third parties outside the scope of their contracts. This was a mixed violation of both Italian labour law and the General Data Protection Regulation (GDPR). Reversing.Works’ investigation, using sophisticated reversing engineering techniques, sheds light on the hidden mechanics that drive the platform’s model of operation, and perhaps additional business dynamics.
The processing of workers’ data by Glovo without adequate transparency, or respect for their rights, represents a troubling example of unchecked digital management. This practice is indicative of a broader trend within the gig economy, whereby platforms prioritize the tracking and control of workers over their well-being.
“Glovo’s behaviour is not an isolated incident. Taken in the context of the wider ecosystem of mobile apps, these findings illustrate the extent to which companies that have emerged in the context of ‘surveillance capitalism’ are subject to the same technical stack as all other apps. If this is a recognised problem in the context of data, privacy, and GDPR, it’s a terrible starting point for creating something that fits within labour law. Some of the standard practices inherited from Silicon Valley and data exploitation hardly fit in the realm of labour law, which has been strengthened by years of collective action and trade unionism,” says Claudio Agosti, the strategist behind the research.
“It’s surprising that unions never used a tool like this,” says Gaetano Priori, the lead investigator at Reversing.Works. “Privacy is an individual right, so it hasn’t been seen as a tool for labour struggles. But it has potential in digitally-intermediated labour because one violation could affect all the workers in all the regions in which a company operates.” Reversing.Works has shown how GDPR and tech-enabled investigation can help expose bad practices and create fairer working conditions. This case is a call to action for all gig workers, showing that existing legal tools can be used for the collective good. Priori adds, “This should be a wake-up call for all workers managed by technology. With GDPR and tech, we have the means to challenge unfair practices.”
Reverse Engineering: A Pathway to Digital Justice
Reverse engineering is a complex method of software analysis. In this context, it is used to understand the behavior of software built to be opaque. Glovo’s application, like many other worker control tools, does not want to be scrutinized by external auditors like the Reversing.works analysis team. Despite the challenge, it’s possible to remove one defense after another from the software. It becomes possible to observe the amount of personal data sent by the app to the server when the worker is using the app. One of the main arguments brought forward by trade unions is that workers should not be profiled based on personal behavior: the tool must work in the same way for everyone. For Glovo, it is not the case, considering also the presence of a hidden ranking mechanism, and two previously undisclosed third-party companies, being aware of every action of the worker, of consumers buying the goods, and somehow mapping the neighborhood, the restaurant, the product. The app turns the worker into a probe. Agosti says, “Reverse engineering is a tool that can be used to achieve justice – and it is being used that way. With a few days of effort and the right investigative lead, a hacker or security expert can turn a skill into a practical way to help hundreds of thousands of workers around the world. Reversing Works has set up an online channel to collect volunteers and partners, to replicate this case in other European countries and abroad.”
Building Momentum: Strengthening Worker Protections Across Europe
Reversing.Works invites labor unions, workers, and advocates concerned about digital labor practices to connect and collaborate. By joining forces, we can establish new protections for workers in the gig economy and beyond, in this online form https://fossil-milk-962.notion.site/13c5e1c20ecd80c59b7cc8ad3405ff75?pvs=105
For more details on the technical and legal aspects of our findings, see the following resources:
- Data Protection Authority press release: https://www.garanteprivacy.it/home/docweb/-/docweb-display/docweb/10074840
- Technical Presentation at the Chaos Communication Congress 2023: https://reversing.works/posts/2023/12/mobile-reverse-engineering-to-empower-the-gig-economy-workers-and-labor-unions/
- Research Published by the European Trade Union Institute: https://www.etui.org/publications/exercising-workers-rights-algorithmic-management-systems and the explanatory video https://youtu.be/GStSL6pT_38
- Italian article https://www.today.it/economia/perche-garante-privacy-sanziona-glovo-algoritmo-diritti-rider.html
For inquiries please reach out to the team at staff [@] reversing.works