Oops! Veezu's DSAR mask slips
With a turnover of £150 mio per annum & operating across 21 UK cities, Veezu is probably the biggest UK Uber competitor you've never heard of. Like Uber, it fashions itself as a technology company rather than the transport company it really is.
Veezu is the UK’s leading private hire technology platform. We are a tech driven on-demand mobility service that supports our hyper-local communities, helping them thrive.
Recently we made a data subject access request to Veezu owned Amber Cars of Leeds on behalf of a driver working for Veezu who is also an active local trade union organiser. One week after we made the request we received an email titled "Strictly confidential briefing note" from Veezu's, Desmond Broster, National Director for Safeguarding & Licensing.
The note may have been originally intended for internal consumption but for some unknown reason we were copied in on the correspondence anyway. Perhaps not incidental is the fact that Mr. Broster is the former Head of Taxi & Private Hire Licensing at Leeds City Council. This is the authority responsible for licensing the local Veezu operator and the data subject driver in this case.
In the email Broster discusses the profile of the data subject as a trade union organiser in considering the response. He characterises the data subject's trade union activity as somehow 'bullying' because of threatened strike and legal action to secure basic worker rights.
There is an indication that Veezu staff also discussed the data subject's trade union activity with Leeds City Council licensing authorities, Mr. Broster's former employer. This raises the question of a potential data breach and inappropriate profiling of trade union organisers by both Veezu Leeds City Council together which, if confirmed, amounts to an Article 11 interference.
Broster writes of Veezu's "concern about preempting a worker status claim" and that the data subject access request "may well be around the worker status issue". He goes on: "I spoke with Nia yesterday evening and she would like you to pull together all of the information and explore any relationships there might be in the request for her." Nia Cooper is Veezu's Chief Legal and People Officer.
This seems to suggest that Veezu is at least vetting the personal data for any evidence of an employment relationship before providing access to the data subject. According to Section 173 of the Data Protection Act it is an offence for a data controller to "alter, deface, block, erase, destroy or conceal information with the intention of preventing disclosure of all or part of the information that the person making the request would have been entitled to receive."
Finally, Broster says Veezu would have "preferred to disengage but had a concern about preempting a worker status claim as we progress with the Sefton case." This illustrates the weakness of enforcement of GDPR where a data controller can countenance just completely ignoring a lawful access request.
The so called Sefton case refers to an upcoming High Court action where Veezu and other operators are opposing a proposed legal declaration that it is unlawful for gig economy platforms to misclassify themselves as an agent of the driver rather than the principal in the contract for transport with passengers. If Veezu are unsuccessful in blocking the declaration they will be forced to contract directly with passengers recognize the driver as subordinate. This exposes Veezu and others to potential VAT and worker rights obligations.
In the end, the data subject in this case was provided a partial response but it is incomplete and unsatisfactory.
The Veezu leak illustrates, once again, the asymmetry of power between platforms and their individual workers. In the gig economy, data and algorithmic management plays a formidable role in imposing, yet concealing, the control of an employment relationship without attendant rights.
Unfortunately, the UK government's Data Protection and Digital Information Bill now seeks to further weaken access rights, strip out protections from unfair automated decision making at work and to remove the obligation of employers to consult workers on sensitive or risky processing of personal data.
With key digital rights protections removed from workers, platform companies like Veezu can more easily hide the dead hand of management control to block worker rights. At the very moment the EU is strengthening digital rights at work for gig workers through the proposed platform work directive, the UK is heading in the complete opposite direction.