“Article 22 of the GDPR concerns “Automated individual decision-making, including profiling”. And it is here that Uber is likely breaking the law. Under this legislation, people “have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her”.
“While this does not apply “if necessary, for entering into, or performance of, a contract between the data subject (Uber drivers) and a data controller (Uber)”, the entering of a contract is not good enough reason for negatively affecting an individual where special categories of personal data are involved. According to the GDPR, biometric data – such as facial images – constitutes a ‘sensitive’ category of personal data.
“In short, the processing of biometric data, and the use of automated individual decision-making, including profiling, are only justified in very explicit circumstances. By discriminating against BAME drivers and automatically making decisions that harm them, Uber’s technology is not GDPR compliant. The latest judgement should serve as a stark warning to organisations using technology in this way.”