Imagine your employer knew where you were at all times. They would register how slowly or how quickly you worked, whether you took breaks, how closely you followed instructions. And they would collect all these data for an indeterminate amount of time.
This is no dystopia. It’s daily routine in the brave new world of delivery services.
For this reason, the BigBrotherAward 2022 in the Workplace category goes to Lieferando and the companies behind this brand, the yd.yourdelivery GmbH and Takeway Express GmbH, both located in Berlin. For simplicity I will refer to both of them by the name “Lieferando”.
Lieferando is awarded the BigBrotherAward 2022 for their use of the Scoober App, which permits them to comprehensively monitor the riders who work for them, while forwarding the riders’ personal data to a number of internet trackers.
We believe that Lieferando is only the tip of the iceberg: the iceberg of platform- or gig-economy companies who offer employment on the condition that workers relinquish a vast range of personal data. In Germany, almost six percent of the workforce rely on so-called platform labour for at least part of their income.1 These people are not working for companies like Lieferando for fun, they do so because they need to make a living.
Who is behind the BigBrotherAward recipient?
The companies behind Lieferando belong to the the Amsterdam-based publicly traded corporation Just Eat Takeaway.com N.V. The Dutch parent company also owns rights to the “Takeaway.com” brand name. Takeaway.com is listed in both Android and Apple app stores as “developer” of the Scoober App.
The use of the Scoober App is required to make deliveries for Lieferando. Riders install the app on their smartphones and use it to signal that they are “ready for service”. The Scoober App then uses their location to automatically assign to them restaurants with orders to collect. It tells them where to deliver the order, the scheduled delivery time, and registers when the delivery has been completed. This information is required for the delivery process – it is not the reason for the BigBrotherAward.
The award is due to the fact that the Scoober App processes additional personal data which are not required for delivery. An investigation by the regional public broadcaster in Bavaria, Bayerischer Rundfunk, last year showed that for each delivery, 39 individual items of data are recorded and processed.2 These include delays in arrivals at a restaurant or delivery address, and the continuous logging of riders’ locations via GPS, recorded every 15 to 20 seconds. The riders’ personal location data is sent to Lieferando.
Transparent delivery riders
These GPS data can be assembled to form a comprehensive profile of individual work habits: If a rider is riding too fast for Lieferando, or too slow; when they might diverge from predetermined routes (perhaps because they know a better or a safer way that might constitute a detour); if they are riding the wrong way down a one-way street; whether they are taking breaks for no apparent reason. The GPS data are retained after the delivery has been made, without the need to do so. There are indications that Lieferando has saved more than 100,000 individual data points on full-time employees in one year.3
The data protection commissioner4 in the Federal State of Baden-Württemberg has performed an initial assessment of the Scoober App. He concludes: “The extremely dense surveillance of the user (relay of the GPS location every 15 to 20 seconds to Scoober) constitutes unnecessary and thus unlawful employee surveillance (based on § 26 section 1 Federal Data Protection Act, and Art. 88 GDPR)”.5
This illicit total surveillance of the riders by GPS would enough grounds for a BigBrotherAward 2022 in the Workplace category. However, we are conferring this award to Lieferando also because the software feeds personal data to a number of internet trackers. These trackers include:
Google Firebase Analytics
Google Tag Manager
Why such data transfers should be required to make food deliveries is not explained to the employees. Baden-Württemberg’s data protection commissioner states: “The user tracking lacks both effective consent and sufficient user information, and is thus unlawful.”6
We have nothing to add.
Alone in the deep dark forest
If riders want to understand how the Scoober App uses their data before they download it, they will find a link in the app stores whose title is the German word for “privacy statement”. This link leads to an English text named “Privacy Statement for Applicants”7. In case of conflict, one is given to understand, this text will be legally binding. For anyone who is not proficient in English legal terminology, reading on will feel like being “all alone in a deep dark forest”.
Beneath the headline that reads “What data is processed in the Scoober App”, one finds that such data include “live GPS location data”. On what legal grounds? These are specified merely as: “The legal ground for this purpose is the performance of our contract with you.” Then, not much further on, one finds that “Motion data are processed via the App by default but will not be registered or used by us.” So, motion data are processed, but not registered or used? If you take this claim seriously, GPS data are being processed essentially without purpose. You could simply call this “data retention”.
The obvious course of action, that the data be deleted after a food delivery has been completed, is not found in the provisions of the “Privacy Statement”. One would search for it in vain.
Guiding principle: “Make a wish”
About tracking, the “Privacy Statement” is couched in vague and formulaic terms. It confines itself to the information that all processing of riders’ data entails the use of tracking technologies: “All of our uses of your data make use of tracking technologies on your device.” There is no mention of a legal basis for such processing of personal data.
Moreover, the “app analysis” performed via the Scoober App is claimed to be admissible based on simple “legitimate interest”, which the company assumes to have with respect to the riders – “unless your consent is necessary according to the applicable law.”
A hint to Lieferando: European data privacy legislation is founded on the premise that “everything which is not allowed is forbidden” – the guiding principle is expressly not to just “make a wish”. In addition, someone who would claim “legitimate interest” must first assess to what extent their own interests are countered by the affected parties’ legitimate interests, their basic rights and basic liberties. This has nothing to do with consent.
Requirement for plain language
The GDPR contains the requirement that mandatory information to the data subject concerning the legal use of their data be given “in a concise, transparent, intelligible and easily accessible form, using clear and plain language”. A data privacy guideline addressed to employees in English, when this is not their native language, constitutes a failure to provide information that is “easy to understand”. Even for native English speakers, the use of undefined legal terms and open formulations such as “necessary”, “compatible with the original purpose”, and “same level of protection and confidentiality” is not very likely to provide clarity.
Add to this that delivery services such as Lieferando employ a large number of immigrants, some of whom do not understand any English – or also people in precarious circumstances whose title of residence is linked to their employment. They will think twice before they assert their privacy rights, jeopardising their stay in Germany.8
Permanent surveillance is a no-go
Germany’s Federal employment court (Bundesarbeitsgericht) has ruled that the permanent surveillance of employees generally amounts to an impermissible encroachment on their personal rights.9 This applies in particular to frequent and continuous monitoring of their location. This form of total control using GSM/GPS transponders is permitted only in rare exceptions, for example to secure a cash transport, or professional firefighters as they enter a burning building.
In the case of Lieferando, continually monitoring the location of the riders could be permissible, by way of exception, if a client were to order for their guests a large shipment of gold-plated steaks. For all “standard deliveries” however, the collection and processing of these data is an infringement of industrial law.
Even employees’ consent to the practice would not make a difference, given that the voluntary nature of such consent would be highly doubtful. Which food delivery employee would freely give their employer continuous access to their their precise location, speed and any idle times?
The live GPS tracking not only infringes on the riders’ right to informational self-determination. It also constitutes a danger for Lieferando’s riders’ health.
Continuous and comprehensive controls exert increasing pressure on employees – especially when the speed with which they complete their assignments directly affects their pay. This leads to an increased risk of accidents for delivery service riders – an experience shared by Lieferando riders, as a report on 1 April of this year in the magazine supplement of the German daily “Süddeutsche Zeitung” confirmed. Sadly, this was not an April fool’s day joke.
The report elaborates that riders accept increased personal risks in order to make deliveries within the allotted time frame. For Lieferando, 1135 persons are reported to have been injured in 2021. Lieferando denies this. According to the company, the correct figure is “only” 1081 injured persons.
In this light, it is especially alarming to discover what riders are being threatened with in the Privacy Agreement: “We really need your GPS location to provide you with App’s core services and turning this off means that the App cannot notify you of delivery opportunities, which will impact your ability to make money and may be contrary to the terms of your employment.”
Individually turning off tracking via the Scoober App could impact an employee’s pay and violate their employment contract.
Where does all this lead?
Hopefully, the BigBrotherAward 2022 will assist in alerting the appropriate data protection authorities to the urgency of addressing how employee data is processed via the Scoober App. If the initial assessment of the data protection offical from Baden-Württemberg is confirmed, a monetary fine would become due which should be effective, proportionate and deterrent. It would be possible to levy up to 4% of the entire corporation’s previous year’s revenue. Considering that the 2020 revenues of Lieferando’s Dutch parent company ran to approximately 2.4 billion Euro, the eventual file could amount to 96 million Euros.10
It is in this spirit that I say: Congratulations Lieferando, congratulations yd.yourdelivery GmbH and Takeway Express GmbH in Berlin, and congratulations also to the Netherlands, to Just Eat Takeaway.com N.V., for the BigBrotherAward 2022 in the Workplace category.
1 Cf. spiegel.de: Ausgeliefert – Arbeitsbedingungen bei Gorillas, Flink, Lieferando (German) (Web-Archive-Link)
2 Cf. https://www.tagesschau.de/investigativ/br-recherche/ueberwachung-lieferando-101.html of 21.5.2021 [Content no longer available]
3 Cf. ibid.
4 German title: Landesbeauftragter für den Datenschutz und die Informationssicherheit
5 Cf. Scoober initial assessment: Scoober-App (Version 2.7.0 | Android) des Landesbeauftragten für den Datenschutz und die Informationsfreiheit des Landes Baden-Württemberg vom 26.3.20221, Seite 7
6 Cf. ibid., page 7
7 Scoober App in the German Apple App Store (Web-Archive-Link) – on this page, the English text https://www.thuisbezorgd.nl/en/courier/privacy is linked as “Datenschutzerklärung” (German for privacy statement). Quotes from the statement were current as of 22 April 2022 (Web-Archive-Link)
8 Cf. journalistico.com: Die Welt der Lieferdienste: Oben bestellt, unten bezahlt (German) (Web-Archive-Link) and https://www.tagesschau.de/wirtschaft/unternehmen/lieferdienste-bringdienste-arbeitsbedingungen-bezahlung-101.html [Content no longer available]
9 Cf. generally rulings such as Bundesarbeitsgericht of 28 March 2019 – 8 AZR 421/17, and on the permissibility of surveillance measures, of 14 Dec 2004 – 1 ABR 34/03
10 Cf. https://www.tagesschau.de/investigativ/br-recherche/ueberwachung-lieferando-101.html of 21.5.2021 [Content no longer available]