Covid-19 and data protection in the European Union: a platform worker’s perspective, by Claire Marzo

This paper is part of the e-conference on « Data protection Issues and Covid-19: Comparative Perspectives » which consist in a daily publication at 12 p.m. (GMT+1) except on Sundays until the Summer break. A new session will start again at the beginning of the academic year 2020-21. Please subscribe to blogdroiteuropeen, so you don’t miss a publication. This e-conference was organised by Dr. Yseult Marique, Senior Lecturer at the University of Essex and FÖV Speyer and Dr. Olivia Tambou, Associate Professor at the University of Paris-Dauphine, External Scientific Fellow at the Max Planck Institute of Luxembourg, and Founder- Editor of Blogdroiteuropeen. If you are interested to contribute for our September session feel free to contact us at

During the Covid-19 pandemic, platform workers were almost “key workers” delivering food and household essentials to the self-isolating masses (Open democracy). This rather new sector of platform work and collaborative economy faces multiple issues mostly related to its novelty and adaptation to a legal model which was not designed around its emerging features (digitalization, prosumers, etc). Beyond tax,  working  conditions, social protection, and competition law issues (EU Commission report), data protection must be examined.

If lessons cannot yet be drawn from platform workers’ data protection in light of the Covid-19 pandemic, platform work still represents an interesting specific showcase of the general problems raised by the pandemic in the field of data protection and more generally labour surveillance. We will see who platform workers are (1.) and the impact of the Covid-19 pandemic on them (2.), particularly in the field of data protection (3.).

1. Platform workers can be vulnerable

“Platform work is an employment form in which organisations or individuals use an online platform to access other organisations or individuals to solve specific problems or to provide specific services in exchange for payment” (Eurofound definition). In other words, paid work is organised through online platforms while jobs are broken down into tasks and services which are provided on demand. This definition covers numerous workers in different legal situations. Some of these workers are particularly vulnerable. It can be understood from an economic, a social and a legal point of view.

Economically, platform workers can be vulnerable. Some workers thrive in the collaborative economy, but if platform work is their only source of income, platform workers might be put in a situation of dependence towards the platform which becomes their only gateway to clients and earnings (Daugareilh,Degryse&Pochet).

Socially, some platform workers are vulnerable in the sense that, according to the WHO, they are to a certain degree, “unable to anticipate, cope with, resist and recover from the impacts of disasters”. Indeed, even if they do not suffer from a physical condition (Roman), their social conditions (gender, age, migration, language, etc) can put them in a precarious situation (like migrants, refugees or those suffering from poverty) (Pulignano&Mara).

Legally, their vulnerability comes from their blurred legal status. Often categorised as independent workers, they also sometimes have a specific status (France, California, etc). But mostly, they do not get as good a protection as employees in terms of labour rights, social protection and data protection (Van Den Bergh).

2. Platform workers can be impacted by the Covid-19 crisis

In the coronavirus crisis, the question was whether these workers could or had to continue to work. For instance, Amazon couriers kept delivering essential and less essential goods whereas other platform workers reduced or lost their activity (Uber drivers having fewer clients, cleaners unable to access their clients’ homes). Around the world, newspapers denounced the working conditions in the gig economy and reported deaths (for instance the Guardian in the UK or Libération in France). The difficulties platform workers faced were numerous and diverse, mostly regarding pay, working conditions, management as well as preventive and illness-related measures (ETUC).

For those who could not work, the question was what assistance they could get and from whom. For those who worked, the question of continuing work had to do with whether they had other sources of income and whether they could choose to withdraw from their work and with which kind of legal consequences. For instance, in France the Amazon warehouses had to temporarily close on judicial order because the degree of exposure to the virus of the employees was too high (Guardian).

The economic and legal responses to the Covid-19 have been massive in the EU Member States and in the European Union (EU) but not particularly focused on platform workers in the UK, France or the EU. The SURE (Support to mitigate Unemployment Risks in an Emergency) program in the EU aims to help national social support and should now be complemented by a broad recovery plan for Europe.

  1. Platform workers data protection issues

Platform workers data protection issues have been widened by the Covid-19 crisis. The EU has not provided a new or a specific answer for platform workers. They rely on the General Data Protection Regulation: GDPR, the e-privacy Directive, and for those providing online intermediation services, Regulation 2019/1150 (P2B). The tension remains between data movement and individuals’ privacy. The European Data Protection Board adopted proportionality Guidelines which were issued as a result of the pandemic. These guidelines do not specifically focus on platform work. The pandemic raises several data protection issues for platform workers which can be broadly classified into three categories.


The first issue is about safeguard guarantees related to the collection of data. Regardless of the Covid-19 pandemic, all platform workers (whether they perform online or on-location work, whether they are low- or high-skilled) have accepted to give the platforms access to their personal data (Silberman&Johnston). Defined as “information that relates to an identified or identifiable individual” (Article 4.1 GDPR, ICO), the notion of personal data has been interpreted broadly by the CJEU (Nowak case) and in opinion adopted by the European Data Protection Board (EDPB). Personal data can include name, age, gender, skills, bank account details, telephone number, email address, home address and many other data such as location, behavioural or health data. Platform workers accept this harvesting of data in order to access work (on the legal ground of the execution of the contract between them and the platform, Article 6-1-b GDPR). But there is often a power imbalance between the platform and the worker because the worker cannot imagine what the data are used for (Hatzopoulos).

The question becomes even trickier with the pandemic, as health data might be collected. For instance, some platforms measured the temperatures of the workers or asked them to fill in health questionnaires. The processing of these data might be lawful on grounds of execution of the contract between the platform and the worker, but if it is not part of the contract, it might require consent (Article 6-1-a GDPR) or need be justified by a legal obligation (Article 6-1-c GDPR) such as labour law or a health authority request (but these measures tend to be interpreted in a restrictive way since they infringe fundamental rights and specifically privacy). As a response to these requests, some workers chose to hide their contamination (Guardian) while others declared it to get help from the platform (insurance or financial support, see Uber policies and ETUC). If employers might find recommendations and regulations regarding their employees’ data protection (CNIL in France or elsewhere, Deloitte), platforms are not given similar information about their rights and obligations.

The second issue pertains to the proportionality of surveillance measures. Platform workers, like any natural persons, have the right to the protection of their own personal data (Article 1-1 GDPR). This means that, the exception to the right to privacy being interpreted narrowly, any technology will need to respect the principles of lawfulness, transparency, proportionality and their limitations (the purpose limitation principle, Article 5-1-b and the storage limitation principle, Article 5-1-e, see press release). These elements seem quite straightforward but this is a learning process: it is not so long ago that Uber concealed a massive data protection breach (BBC and ICO). Necessity and proportionality mean that platform workers cannot be asked more information than necessary to allow for the functioning of the app and in the least disruptive way, but the reality is difficult to assess: while Uber cannot function without monitoring the location of its drivers, is geo-localisation necessary to manage couriers’ deliveries? The collaborative economy is deemed to be intrusive in the lives of platform workers in no way comparable with traditional working relationships (EU Commission report, p. 97). In the light of the Covid-19, the degree of intrusiveness does not improve: for instance, reassuring customers by sharing with them data relating to the temperatures of the platform workers they are interacting with goes beyond necessary public interest considerations (Fairwork Project report, p. 10).


The third issue is related to the processing and monitoring of data. Platforms exert a continuous monitoring called “algorithmic management” or automated or semi-automated decision-making. For example platform workers do not know how their pay rates are calculated and ride-hail drivers cannot control how an algorithm assigns their rides (Burrell). In legal terms these workers should have a right not to be subject to automated decisions without human involvement where it produces legal effects (Article 22-1 GDPR) but there are exceptions (where it is necessary for entering into, or performance of, a contract between the data subject and a data controller, Article 22-2a GDPR).

Uber drivers have brought a legal action against Uber in the UK. After having filed a first case about labour law, they claimed that their right to access their personal data had been infringed (article 15 GDPR). They also wanted to access their performance data including personal data concerning the deactivations of their accounts or suspensions from the platform, which would enable them to understand how their performance was monitored and managed over time. This case is now pending.

The worry with Covid-19 is that workers’ health data might be used to give or not give them work. One is able to understand and assess the rationale of human management of “twenty-nine platforms [who] announced that they would temporarily suspend the accounts of workers diagnosed with Covid-19” (Fairwork Project report, p. 10). But dehumanized management could be more difficult to grasp and judge (Pandey&Caliskan).

In this uncertain context, the struggle for platform workers to survive, to keep their jobs, to earn their living often prevails over data protection considerations.

Claire Marzo (Lecturer in Paris East University –

For more information on the context of this e-conference

and the other papers see here

Don’t miss the next paper on The Political Life of COVIDSafe Contact Tracing in Australia, by Jake Goldenfein on  Monday 27th July 2020 at 12 p.m. (GMT+1). 

Votre commentaire

Entrez vos coordonnées ci-dessous ou cliquez sur une icône pour vous connecter:


Vous commentez à l’aide de votre compte Déconnexion /  Changer )

Photo Facebook

Vous commentez à l’aide de votre compte Facebook. Déconnexion /  Changer )

Connexion à %s

Ce site utilise Akismet pour réduire les indésirables. En savoir plus sur la façon dont les données de vos commentaires sont traitées.