Appendix 2. ILO interviews with digital platform companies and analysis of terms of service agreements
5
X
Dispute resolution: Most information on the dispute resolution processes of both online web-based
and location-based platforms was collected from the terms of service agreements, which usually con-
tain entire sections dedicated to dispute resolution in which the governing law and jurisdiction are
clearly specied. In the case of online web-based platforms, such sections tend to be lengthier, given
that dispute resolution procedures usually take the form of arbitration proceedings, the conditions
of which are dened in detail by the platforms. In addition, online web-based platforms often include
dierent dispute resolution policies depending on the issue in question, and information on these
dierent policies is usually located on their websites. For instance, Upwork has dierent dispute reso-
lution procedures for hourly and xed-price contracts. Online web-based platforms also tend to have
separate dispute resolution processes for disputes concerning intellectual property. For location-based
platforms, the governing law and jurisdiction is usually that of the country where the services are being
provided, though in some cases it is that of another country, as is the case with certain countries where
Uber, Bolt and Glovo operate.
X
Data collection and usage: Obtaining information on the data that platforms collect and how they
process it was fairly straightforward, since such information is provided through privacy policies which
are uniformly structured. These policies, for both online web-based and location-based platforms,
clearly specify the kind of data collected, how it is collected, when and from where, as well as how they
use it and when and with whom they share it. Data can be collected directly (i.e. when users provide
it) or indirectly (i.e. by technological means such as cookies). Data collected directly from users varies
across platforms and can include a user’s contact and nancial details, specic identity documents,
criminal records, vehicle registration and insurance documents, or even more sensitive information
such as race, religion and marital status (the latter observed only for Grab).
Data collected indirectly also varies, and can include anything from usage data (such as browsing and
searching history, areas within the platform visited, duration of visits and number of clicks) and device
information (such as IP address, device identier and browser type), to data on communication between
users and other data stored in the user’s device (information from address books and calendars, or
even the names of other applications installed in the device). Such automatically collected information
also includes data relating to worker performance, such as their ratings and participation statistics,
while location-based platforms may even collect driving-related data such as real-time geolocation
and acceleration or braking data (as the privacy policies for Uber and Grab specify).
Apart from describing the kinds of data they collect, platforms’ privacy policies also outline the
various ways in which they use such data. For instance, they process user data to provide, enhance
and personalize their services, to understand how users use their services, to comply with the law, and
for automated decision-making (for instance the privacy policy of Uber species that it uses data to
match workers with clients, determine prices based on demand and suspend or deactivate accounts).
Although platforms may describe in detail the kinds of data they collect and the ways in which they
process it, they do not, however, clearly link data collection to data processing; in other words, it is not
always clear how a particular kind of data, such as location data, is used. Moreover, platforms share
user data with their business partners, with other users of the platform, and with an array of third-
party service providers including payment processors, insurance and nancial partners, advertising
companies, social networking services, cloud storage providers, research and marketing providers,
and law enforcement agencies. Privacy policies provide information on data protection, usually by
asserting that they abide by certain data protection laws, such as the European Union’s General Data
Protection Regulation, or that they ensure that any party with access to the platform’s data abides by
its privacy policy.