Compliance with data protection regulation

Compliance with applicable data protection regulation is an essential part of successful and responsible platform work and should be considered by both platform operators and platform clients. Many people are intimidated by the apparent complexity of data protection regulation, but compliance does not need to be complex or burdensome.

While data protection legislation is evolving in many jurisdictions and its application to platform work is still being clarified, FairTube is in dialogue both with legal experts and with the platforms who have signed the Crowdsourcing Code of Conduct on this topic. Here we outline briefly our current understanding of some commonly arising data protection questions specific to platform work, especially those relating to compliance with GDPR (the General Data Protection Regulation), the EU’s main data protection legislation.

For platforms and clients
  • Platform workers and clients are “data subjects” under GDPR, and platform operators are “controllers.” Clients may also be “controllers” if they make decisions that affect workers, such as payment decisions and work evaluations.
  • If a worker is located in the EU, they have the rights provided by GDPR to data subjects (right to information, right of access, right to rectification, rights regarding automated decision making, etc.), and the platform and/or client has the corresponding responsibilities. This is the case even if the platform or client is located physically or legally outside the EU.
  • All data and decisions stored or taken within a labor platform with respect to a worker or submitted work are “personal data” as long as the worker they are associated with can be identified. This means that payment decisions, work evaluations, qualifications, and access decisions such as account suspension or closure are the worker’s “personal data.”
  • GDPR specifies that personal data must be processed “fairly and in a transparent manner” with respect to the data subject and must be accurate (Art. 5), and that data subjects have a right to receive a copy of data about them (Art. 15). In the context of labor platforms, this means that workers have a right to a copy of all data about them, including evaluations of their work and of them as a worker, qualifications, and payment decisions. Additionally, the processing that produces this data must be fair and transparent with respect to the worker.
  • GDPR provides a right to rectify inaccurate data (Art. 16). In the context of labor platforms, this means that workers likely have a right to contest work evaluations, payment decisions, qualifications, and other decisions such as account closure.

Platform clients concerned with platform workers’ rights should ask a platform not only “Do you comply with GDPR?” but also what the platform believes its responsibilities under GDPR to be, and then what steps the platform takes to meet them.

A few other questions from platform operators

How can I reduce the administrative burden of compliance with EU data protection law?

The short answer to this question is: You can automate, to the extent possible, the processes involved in the exercise of the rights provided by GDPR to data subjects.

To oversimplify a bit, there are two approaches to data protection compliance. The first approach is to put a boilerplate data protection statement on the website with an email address that workers and others can write to (or, at best, a web form that they can fill out) if they have inquiries related to data protection. Then a human being has to read and answer the emails individually. This is costly and time consuming.

The second approach is to systematically consider which data being created and processed on the platform are likely to be considered “personal data” under data protection law. Data such as evaluations of work, workers, and clients (i.e., reviews and ratings), qualifications, and classifications of a worker’s skills or of content are all very likely to be considered personal data. Once it is established that a certain category of data is personal data, the workflows that should be created in order to allow workers and clients to exercise their rights with respect to this data can be inferred clearly from the GDPR. For example, a data subject has a right of access to all personal data about them. Therefore, logged-in users should be able to see all of the information stored about them by the platform. Enabling this via a page within the platform (for example, in the user’s account settings) allows the platform operator to reduce the number of “free form” GDPR-related inquiries that must be answered “by hand.”

As a further example, GDPR establishes a right to have inaccurate or incomplete data corrected. Therefore, if many inquiries involve correction of inaccurate data, the platform can reduce the number of these inquiries by adding a “request correction/review” link at the appropriate place in the platform interface. Manual review is still necessary, but the process can be streamlined by eliminating the handling of the unstructured data protection inquiry.

What about the California Consumer Privacy Act? How does it differ from EU data protection law?

While the interpretation of this relatively new California legislation is still being clarified, our understanding is that the scope of what is considered “personal information” under California privacy law is similar to what is considered “personal data” under EU data protection law, at least within labor platforms. Therefore data relating to, for example, worker or customer performance or activities on a labor platform, such as reviews of workers or customers, are probably “personal information” under California law. Our current understanding is that under California law, users have a right of access to personal information being processed about them, but not necessarily a right to have inaccurate personal information corrected.

Data protection compliance is too expensive and annoying. Can I just ban workers from the EU and California from working on my platform and call the problem solved?

You could do that. However, our experience is that data protection compliance does not have to be as expensive and annoying as many people fear. As noted above, the expense and effort can be reduced significantly through good design and automation. Additionally, consider that many other jurisdictions, including US states other than California and countries all over the world, are in the process of expanding or updating their data protection legislation, and the European and Californian examples have “set the bar” for these efforts. Therefore it’s likely that if you adopt a strategy of avoiding compliance and limiting your worker pool to jurisdictions with more “relaxed” data protection standards, your worker pool may shrink over time.