Dutch court clarifies the limits to the right of access

The Court of Amsterdam rendered on 11 March 2021 the decision in a proceeding initiated against Uber for an alleged failure to observe the data subjects’ right of access (Article 15 of the GDPR). The Court for the most part accepted that Uber was not obliged to grant the data subjects access to their personal data.

Background

Uber runs applications for connecting the private drivers with passengers who demand rides. Through the applications, Uber processes numerous categories of the drivers’ data as well as the data pertaining to the passengers.

Ten Uber drivers approached the company with a request for access to their data in order to use those data for employment-related purposes. As the files that Uber provided to the drivers did not include all the requested information, the drivers brought the matter before the Court.

Right of access applies even if the purpose includes gathering evidence

The Court rejected Uber’s argument that the drivers abused their right of access by requesting the data for purposes other than those for which the GDPR grants that right. The drivers sought the data to strengthen their collective bargaining power and their evidence in proceedings against Uber. Recital 63 of the GDPR states that a data subject should have the right of access in order to be aware of, and verify, the lawfulness of the processing. In the Court’s opinion, requesting access may constitute an abuse of the right if the purpose does not include at all checking whether personal data is processed correctly and lawfully. However, when that is present, the right of access may be used in order to achieve other, additional, goals of the data subjects.

In the case at hand, the fact that the drivers intend to use their data for additional, employment-related purposes does not constitute the abuse of their right of access. Uber is obliged to respect this right.

Right of access is not applicable to opinions pertaining to data subjects

The Court does not find the right of access applicable to opinions of Uber’s employees about the drivers, because the Court does not consider the opinions to be personal data. The Court reasons that opinions cannot be checked for accuracy, so in relation to the opinions an individual cannot exercise his rights to verify that his or her personal data are correct, to rectify, to erase, or to block the data. In support of its stance, the Court invoked the relevant case law of the Court of Justice of the EU (CJEU) and the Dutch Supreme Court. Unlike the opinions, facts on which the opinions are based do belong to the category of personal data so the right to access is applicable to them.

Accordingly, the Court rejected the drivers’ request for access to internal notes that Uber made about them. Court considered such notes not to fall into the category of personal data, as the notes reflect opinions of Uber’s employees who made assessments of the drivers’ behavior. The Court established that Uber was only obliged to provide access to the data that form the factual basis of the notes.    

Under certain conditions, controller is entitled to require from the data subjects to specify the data they want to access  

According to the Court, Uber has the right to ask the drivers to specify the data to which their requests for access pertain. This is due to the fact that Uber processes a large amount of data pertaining to the driver and it has previously granted the drivers access to some of their data based on their previous requests. It may be inferred from this that where the data controller processes a limited amount of data about an individual, such individual has the right to access all the data about him or her.

Exercise of the right of access may not jeopardize rights and freedoms of others   

The Court took a stance that Uber should provide the ratings (feedbacks) of passengers to the drivers. However, in order to protect the rights and freedoms of others in accordance with Article 15(4) of the GDPR, the data should not include the names of passengers.

Access to information on automated decision-making applies if the decisions significantly affect the individual

The Court rejected the drivers’ request for obtaining information on automated decision-making that Uber carries out as result of the use of applications. The Court established that automated processing of data by means of the applications served only for the allocation of rides to the drivers. The decisions about the allocation of rides did not produce legal consequences to the drivers nor otherwise significantly affected them. Because the right of access applies, under Article 22 of the GDPR, only if the controller adopts a decision (based solely on automated processing) which produces legal effects concerning him or similarly significantly affects him, in the given case the right of access does not apply.

Comment

The judgement of the Amsterdam Court may be understood as a reality check on the interpretation of the GDPR as an instrument siding with data subjects almost by definition and irrespective of the context.

Where the judgment raises questions is in the treatment of opinions about the data subject: the judgment makes it less than clear when such opinions are personal data, and when they are not.  The Court states that opinions of the Uber employers about the drivers are not personal data and that passengers’ feedbacks about the drivers are personal data. As those feedbacks also reflect personal opinions,  the Court’s stance might lack in consistency.

In fact, inconsistency regarding the status of opinions as personal data goes beyond the Court of Amsterdam. The CJEU concluded in the case Y.S. v Minister voor Immigratie, Integratie en Asiel, Minister voor Immigratie, Integratie en Asiel v. M. (joint cases C – 141/12 and C – 372/12 C-141/12) that facts on which opinions are based are personal data, but opinions (i.e. legal analyses) are not. However, in its more recent case, Nowak (Case-434/16), the CJEU took the position that opinions do belong to a category of personal data.


[Note: Serbian Data Protection Act and the current draft of Montenegrin Data Protection Act mirror the provisions of GDPR. The decisions of supervisory authorities and courts in EU member states may therefore serve as an instructive guidance for compliance with local regulations.]