Wheely wins federal case over summer suspension
We stood firm for our passengers, following our belief that sensitive personal data should never be subject to government overreach. And this week a cassation court agreed.
On 25 November 2020 we received a favourable ruling against the Moscow Department of Transportation (MDOT), who had demanded that we join our competitors in turning over real-time passenger location data. We refused, leading a lower court to suspend our Russian subsidiary for 90 days (a decision that the cassation court has now rebuked). Though we were able to keep that suspension from affecting our platform, this is still a meaningful win for consumer rights.
While the larger fight is not quite over (we are still pursuing the formal invalidation of two anti-privacy decrees in various federal courts), every transportation authority that has attempted to pass similar laws has failed, and we are confident that anti-consumer agencies will not gain a foothold here.
How was there no interruption to Wheely’s platform?
Wheely is not dependent on its Russian entity, which only existed to process local payments. When news of the suspension came down, we began routing those payments through our global entity, in line with our practices in other markets like Paris. We are still in full compliance with all relevant laws and still pay all appropriate taxes as we did before, the only difference being a modest increase in transaction costs in exchange for protection from this sort of arbitrary ruling.
What did MDOT ask Wheely to provide?
They demanded that we transmit live passenger location data for all our journeys. (While this data is pseudonymous in the sense that it doesn’t contain passenger names or phone numbers directly, the concern is how easily a passenger’s identity can be worked out from contextual clues and via combination with other datasets.)
Why does Wheely not want to share live location data?
- It’s a dangerous precedent. If MDOT had succeeded in legally forcing us to provide it, other transportation authorities such as Transport for London would have noticed and felt emboldened to push for more. This would be bad for consumers everywhere, which is why we have escalated the matter to the European Data Protection Board (EDPB) and the UK Information Commissioner Office (ICO).
- The global practice is that ride-hailers will vehemently oppose requests like this, which has worked well so far against attempts in Spain, France, and Egypt. (Though Uber dropped this fight in Russia as part of their deal in selling local operations to Yandex Taxi, the latter of which does provide this data to MDOT for every passenger journey.)
(We don’t even want access to that information ourselves. We’re working to develop options that would keep it out of our hands too, ensuring that no external party could ever seize or steal it.)
Why is MDOT requesting this data?
MDOT doesn’t appreciate the difference between regulating yellow taxis and ride-hailers:
- In the taxi market, consumers have limited choice, and almost no insight into trustworthiness. Commuters generally just take the first available taxi at a rank, else hail the first one that passes. So they are trusting some external authority to regulate accordingly to ensure they don’t have to think about it.
- In the ride-hailing market, a trusted operator (like Wheely) supervises the transaction in a way that solves for all the vulnerabilities of the taxi market. There’s a paper trail, a separate payment channel, a pre-negotiated/enforced rate, a clear route, transparent reviews, driver-specific ratings, and several other safety mechanisms.
(MDOT already made Musovites less safe when they forced Uber to drop UberX in favour of just dispatching existing yellow taxis. This was also bad for drivers, who are forced to pay rental fees to fleet owners instead of using their own vehicles. So MDOT’s interference has already resulted in less competition and less economic freedom and opportunity for drivers.)
Is it possible to re-identify users from location data?
Yes. The Institute for Transport Economics and Transport Policy Studies at the Higher School of Economics has concluded that it is possible to re-identify users by cross-referencing it with other datasets, many of which are publicly available. Paul Ohm (a law professor and privacy researcher at Georgetown University) went so far as to say that the only data harder to truly anonymize is DNA itself.
How does GDPR apply here?
When a parent company is established in the UK/EU, GDPR applies to all personal data they collect, regardless of where that data is processed or whether it concerns EU citizens.
GDPR’s definition of personal data, which is broad, includes anonymized human movement. And any recipient’s lack of immediate means of deanonymizing it doesn’t change this categorization.
A city decree can also never override a ride-hailer’s GDPR-based responsibility to protect personal data. Only a federal law from an EU member state could. But said law would have to itself be consistent with other EU governing laws, which includes GDPR.
What’s happening with the other legal cases?
There are two Moscow decrees that we’re still working to get formally invalidated:
- The real-time passenger location-sharing decree from June. Our position is that a local transportation authority cannot compel us to share data where that sharing would itself violate federal laws that demand consumer data protection. This case is progressing from the Moscow city court (friendly to the local government) to more impartial federal courts where we expect our argument to be emphatically supported.
- A personal driver data-sharing decree from September. While prior MDOT decrees (like the June one) required that chauffeurs consent to sharing their own name and date of birth as part of the real-time datastream for each trip, the September decree went further in trying to bypass chauffeur consent altogether (based on dubious security arguments).
MDOT, in partnership with the District Attorney, is also trying to block Wheely’s website across Russia, arguing that internet companies can only operate via local subsidiaries. This is obviously untrue, as this logic would make the likes of Apple, Google, and Netflix all illegal. Indeed the Russian government specifically passed a tax reform bill in 2018 that allows internet businesses to pay local taxes without having to operate their platform through a local subsidiary.
All said, we expect reason to prevail in this cases, and we will continue to hold firm in our support of our passengers and their right to the highest levels of privacy.