Some of the major names in the development of the gig economy − such as Deliveroo, Pimlico Plumbers and Uber − may be about to find that the General Data Protection Regulation (GDPR) interferes with core operations within their businesses, writes Seddons solicitor Harry Abrams.
Two of the most talked about issues in organisations recently has been GDPR and the status of individuals operating within the gig economy. Independent Workers Union of Great Britain’s (IWUGB) general secretary Jason Moyer-Lee’s recent comments have managed to bring the two together.
Moyer-Lee argues that Deliveroo will be unable to satisfy the test for self-employment and remain compliant with GDPR.
Gig economy and data protection
The “gig economy” is defined as “a labour market characterised by the prevalence of short-term contract or freelance work as opposed to permanent jobs”.
There are typically three classifications of employment status; employee, worker and self-employed, each with varying rights and obligations to those that fall within each category.
The current focus is on how one can distinguish between a worker and self-employment. Historically, the contentious area was the contrast between employee and worker.
Classification of service providers
It can be critical to companies’ business models that there is certainty over the classification of their service providers. For example, if a company works on the understanding that their service providers are self-employed, but they are later deemed “workers”, the company will be liable for national minimum wage, paid holiday (including retrospectively) and working time limits, while these individuals will also have the right to seek compulsory trade union recognition and have a right not to suffer detriment following a whistle blow.
Further, there would be implications for the individual worker too, including a potentially increased tax burden if they switched between the two HMRC classifications of employee and self-employed. There is no “worker” status for tax purposes.
Recent case law indicates that one of the ways in which the balance of a working relationship will point towards self-employed (rather than worker), is the degree of freedom that the individual has to substitute themselves for another to perform the work.
This originates from the understanding that to be a worker one had to undertake to personally perform the work. If there was a right to substitute there could be no such undertaking and therefore one was unlikely to be deemed a worker. However, this view has been muddied over the years as the issue became more about whether such a right to substitute was triggered regularly and whether the right was unfettered.
The recent case involving Pimlico Plumbers concluded that while an unfettered right to provide a substitute was inconsistent with an undertaking to provide work personally, if a substitute was only used if the contractor was unable to carry out the work (rather than simply not wanting to) personal service may still apply.
In addition, if the company needed to provide its consent to the use of the substitute or if there was a defined pool from which the substitute could be selected from, “worker” status may still be present.
Therefore, although it remains very fact-sensitive as to whether an ability to substitute will prevent an individual being self-employed, what is apparent is that the more autonomy the individual has to appoint their substitute, the greater the likelihood that they will be deemed self-employed. It is consequently clear from this perspective that Deliveroo would want to present the individual as being as unfettered as possible. However, as discussed below, that may not sit well with Deliveroo’s GDPR obligations.
GDPR came into force on 25 May 2018 and increases obligations on companies who are data controllers. As a data controller, these companies must carry out their obligations in accordance with the data protection principles. This includes controlling data with integrity while retaining confidentiality and accountability.
However, if an individual is unfettered in appointing a substitute, will the company be able to ensure these principles are satisfied without having control over the third party? In addition, if the drivers are deemed “data processors”, GDPR states that a processor shall not engage another processor without the prior specific or general written authorisation of the controller.
It may be that Deliveroo tries to argue that their drivers are not “data processors” by pointing to ICO guidance which discusses relatively analogous mail delivery service contractors who are deemed to be not processors but mere conduits between the data controller and the end-user.
Deliveroo may also argue that, by ensuring the individuals “ensure that substitutes have the relevant skills and training” and that any acts of the substitute will be as if done by the individual (as per their data policy), this satisfies the data protection principles as the liability still lies with the individual just as it would without a substitution. Whether this satisfies Deliveroo’s obligations under GDPR is yet to be seen.
To conclude, Deliveroo’s dilemma is that for GDPR compliance the company appears to need to show a high degree of control over the data it controls, while to satisfy the courts and tribunals that it has genuinely and correctly classified its service providers as self-employed means it needs to, in essence, downplay such control. This is why it may be that Deliveroo (and others) may not be able deliver their cake and eat it in respects GDPR and employment status.