Uber fined €10 million for infringement of privacy regulations

Themes:
Personal data
Privacy rights under the GDPR
Transfer within and outside the EEA

The Dutch Data Protection Authority (AP) is imposing a fine of €10 million on Uber Technologies, Inc. and Uber B.V. (‘Uber’). The fine is in response to the company's failure to disclose the full details of its retention periods for data concerning European drivers, or to name the non-European countries in which it shares this data. The DPA also found that Uber had obstructed its drivers’ efforts to exercise their right to privacy.

AP chairman Aleid Wolfsen: ‘Drivers have the right to know how Uber handles their personal data. However, Uber did not explain this with sufficient clarity. It should have informed its drivers better and more diligently in this regard. Transparency is a fundamental part of protecting personal data. If you don’t know how your personal data is being handled, you can’t determine whether you are being put at a disadvantage or treated unfairly. And you can’t stand up for your rights.’

Obstacles

The DPA found that Uber had made it unnecessarily complicated for drivers to submit requests to view or receive copies of their personal data. Although the app for drivers contained a form for requesting access to their data, it was located deep within the app and spread across various menus, and could have been placed in a more logical location. Uber dealt with access requests by placing information in a file, in which  personal data was not always arranged in a clear manner, thereby making it difficult to interpret. 

In addition, they did not specify in their privacy terms and conditions how long Uber retains its drivers’ personal data or which specific security measures it takes when sending this information to entities in countries outside the EEA. Aleid Wolfsen: ‘This shows that Uber put all sorts of obstacles in place that blocked drivers from exercising their right to privacy, and that is prohibited. In fact, Uber should be facilitating drivers in their rights. This is laid down by law.’ 

Complaints from France

The DPA imposed the fine after more than 170 French drivers complained to the French human rights organisation Ligue des droits de l’Homme et du citoyen (LDH), which in turn submitted a complaint to the French data protection authority. As Uber has its European headquarters in the Netherlands, this complaint was forwarded to the DPA. 

To determine the amount of the fine, the DPA considered the size of the organisation and the severity and gravity of the infringements. At the time of the infringements, about 120,000 drivers were working for Uber in Europe. Uber has lodged a notice of objection to the DPA’s decision. The DPA noted that Uber has now taken improvement measures in respect of the infringement.