Alpine, Ocon, and a GPDR Park
According to Marcin Budkowski, who was an Alpine executive until 2002 and is now an analyst for Viaplay Poland (translated by Nischay Rathore at The Sportsrush), Esteban Ocon's attempt to join Williams mid-season was allegedly thwarted (at least in part) by use of the GPS system on his company car. Specifically, Marcin stated that an Alpine employee spotted the GPS tracker for his company car was in the Williams car park for 5 hours. The implications of this are interesting.
Despite Brexit, GPDR remains law in the UK, via the Data Protection Act 2018. This controls how personal data is used. Under this law, the data becomes personal if anyone can be individually identified by it. If Alpine had a pool of company cars and the system was to lend each one out ad hoc at need, the fact a given car has GPS, along with all the data it collects, is not personal information and thus not protected. GPDR would only become involved in that example once Alpine added the information about who had borrowed which car to the dataset. Since racing drivers generally need their company car across the season, and company cars themselves are most often a consistent perk rather than provided at need in the UK, it is more likely that Alpine provided a specific car to each staff member requiring one. This would mean the personal element was there from the beginning. If one receives anything from an employer, even if it is as trivial as a pen, one should be aware that a UK employer can record information connected with it provided GPDR principles are followed. GPDR requires that all personal information kept by a third party must have a lawful reason. The most common reasons this is done for a GPS tracker are insurance and helping staff who get lost. Lots of UK employers provide a discount to people who are willing to add a dashcam to their cars. Some won't insure certain people without a dashcam. The insurer does this to make it easier to gather evidence if there is a claim, as well as to attempt predictive risk assessment (this is not always to the customer's advantage, but is helpful often enough that it is specifically legal for an insurer). Employers who accept such insurance are in turn permitted to collect employee information relevant to insurance requirements. However, the insurance company would not be authorised to pass on the location information to Alpine - unless a claim had arisen from being parked in the Williams car park. Given that such would have made the story more interesting, and was not mentioned, we can reasonably assume this didn't happen. I believe we can rule out insurance as the reason this information went through this process. Helping staff who get lost initially doesn't look promising. We can probably assume that Esteban was not in the Williams car park to ask for directions. However, it would give Alpine itself a reason to have the GPS information in a non-crisis situation. After all, this would allow it to check on people who are expected somewhere and ask proactively if they need assistance. It would also fold into another purpose - checking if the car has been stolen. (No, nobody is going to believe that a thief would be so incompetent as to take a car belonging to one team and dump it in a different team's car park. That would run too much risk of being caught for too little reward. It does, however, establish the basic framework that would legally permit Alpine to discover Esteban's whereabouts).
In a legal framework which only controlled acquisition of personal information, an unscrupulous employer would be able to use this as an excuse to interfere with people's personal lives. Partially in an attempt to curb this, GPDR also controls the use and revelation of legally-acquired personal information. In summary: - One cannot use information for a purpose that was not originally cleared, without the informed consent of the individual whose information is at issue, unless it is in a limited range of exceptions - One cannot reveal personal information unless the individual specifically consents or it is in the limited range of exceptions - One must secure personal information against unlawful revelation I am not convinced that all 3 of these were satisfied. GPS trackers would not normally be used to track people's movements in their personal lives. Had Esteban been "on the clock" (within working hours), then it would have made sense that finding out he was within the Williams car park would be actionable (this would be a disciplinary offence under "wasting company time" or "not available to work", which are a part of employment contracts across the UK and thus an exception). However, a contract that allows someone to spend half a working shift not working without prior authorisation would be quite strange (and with that authorisation, the only possible check would be to establish the reason given could have been true). It is unlikely that Alpine would have told the journalists this way had there been an actual employment infraction. Either it would have kept silent and handled discipline behind the scenes, or presented an official press release about it. Not provided a rumour to a specific analyst who works for a media outlet and hope news percolated through in the form it desired. Thus, at some point I suspect it would have become clear that Alpine did not have the right to process the information further by law. It is vitally important for people who handle personal information not to reveal it unless and until it is legally appropriate to do so. This is why all those Not Always Right stories are anonymised - many of them were revealed to the website administrators against GPDR and similar laws, so information has to be redacted in order to make the published versions compliant. Rumours cannot be guaranteed to be provided with reference to the source's requirements for information security. Part of the reason many companies provide information security training to staff handling personal information is to control the risk of rumours acting as a leak source. One reason journalists don't always reveal their sources is to avoid getting their sources into disciplinary or legal trouble for GPDR breaches. This is why I don't think everyone at Alpine was complying with GPDR on this matter. In this instance, it probably isn't going to have much effect - but it is a good time to remind everyone that GPDR is a thing.
