Based on research carried out by Tracking Exposed (now rebranded into Reversing Works), privacy activists lodged a complaint before the data protection authority (DPA) of Italy. In November 2024, after a year-long investigation, the DPA fined Glovo EUR 5 Million, and demanded corrective action from the platform.
The foundations of this research and complaint go back to 2019, when some Glovo couriers in Turin had their accounts suspended after participating in a march/strike. Following this suspicious behaviour, which could potentially indicate surveillance and retaliation of workers, the Tracking Exposed team began to outline a broader strategy of three parallel paths to follow in order to actually obtain solid evidence.
Then two events in the summer of 2021 marked the beginning of the case.
In 2021, for unrelated reasons, the Italian data protection authority fined the Italian subsidiary of Glovo, Foodinho, EUR 2.6 million. Although Glovo is based in Spain, the Italian authority found the subsidiary guilty of data protection violations and also of some articles of labour law, and as an administrative court it was also entitled to consider these as part of the violations. The penalty consisted of a fine and corrective measures.
In 2021, a Tracking Exposed investigation revealed serious data breaches following a complex reverse engineering analysis.
Unlawful location monitoring of Glovo riders
Organisation Name
AI Forensics/Tracking Exposed (now Reversing.Works)
Country/Jurisdiction
Italy
Grant Amount
EUR 44,500
Current Status
Case won
Image credit: Piotr Baranowski on Pexels
Grant type
Litigation Track Support
Description
Based on research carried out by Tracking Exposed (now rebranded into Reversing Works), privacy activists lodged a complaint before the data protection authority (DPA) of Italy. In November 2024, after a year-long investigation, the DPA fined Glovo EUR 5 Million, and demanded corrective action from the platform.
The foundations of this research and complaint go back to 2019, when some Glovo couriers in Turin had their accounts suspended after participating in a march/strike. Following this suspicious behaviour, which could potentially indicate surveillance and retaliation of workers, the Tracking Exposed team began to outline a broader strategy of three parallel paths to follow in order to actually obtain solid evidence.
Then two events in the summer of 2021 marked the beginning of the case.
In 2021, for unrelated reasons, the Italian data protection authority fined the Italian subsidiary of Glovo, Foodinho, EUR 2.6 million. Although Glovo is based in Spain, the Italian authority found the subsidiary guilty of data protection violations and also of some articles of labour law, and as an administrative court it was also entitled to consider these as part of the violations. The penalty consisted of a fine and corrective measures.
In 2021, a Tracking Exposed investigation revealed serious data breaches following a complex reverse engineering analysis.
Tracking Exposed decided to turn this technical evidence into something that could be used to protect workers’ rights. In 2022, they submitted an informal warning to the DPA, but it was rejected on the grounds that the data submitted was too old and not usable. In 2023, Reversing.Works (spun off from Tracking Exposed closure) produced new evidence without additional legal work and sent a technical report that could be quickly validated by the DPA.
This time the evidence was validated and became part of a larger case. In 2024, when the investigation by the DPA was completed, as well as a fine of EUR 5 million against Glovo, Reversing.Works’s findings were taken into account in the case and the corrections of the serious violations mentioned in the list of corrective measures. The DPA also found elements relating to a GDPR Article 22 breach. The team believes that this is one of the first cases where the practices used to rank and penalise riders have been found to be unlawful. It is likely to be used as an example to judge many other platforms with analogous dynamics.
"In November 2024, after a year-long investigation, the DPA fined Glovo EUR 5 Million, and demanded corrective action from the platform"
Strategic Goals
- To show that GDPR could be helpful in protecting workers’ rights (even if it’s an individual right, the changes imposed on a piece of technology could affect a wider number of workers).
- To promote the use of reverse engineering for good causes, as such techniques are often ostracised by the legal system due to their association with industrial espionage and hacking. In the hope that other civil society organisations and trade unions will adopt similar approaches.