The Dutch data protection authority has fined Uber 10 million euros for violating the European General Data Protection Regulation (GDPR) due to inadequate data access and retention practices. The regulator found that Uber was not transparent about how long it kept driver data and which employees outside of Europe had access to the data. This fine is the result of complaints lodged by 172 French Uber drivers and Paris-based civil society organization Ligue des Droits de l’Homme et du Citoyen or LDH.
The initial complaint was lodged with the French data regulator, but the Dutch regulator assumed jurisdiction since the company’s European headquarters is in Amsterdam. Chairman of the Dutch AP, Aleid Wolfsen, emphasized that Uber users have the right to know how the company handles their data, and that the lack of clarity and the obstacles put in place by Uber violated users’ privacy rights.
Among the issues brought before the privacy regulator was the difficulty in executing a “right to access data,” which is guaranteed by the GDPR. An analysis by the regulator revealed that Uber had required users to go through six steps before they could request access to their personal data. The regulator also found that the information provided by Uber was “too general” and that the company did not specify how long it would hold onto customer data in “sufficient concrete terms.”
Additionally, the privacy policy of the company had failed to provide details on what user data was being processed in which country. The questionable practices dated from 2018 to February 2022, after which the company adopted revised practices.
This is not the first time Uber has faced fines and legal issues related to data protection. Previously, the company was fined $1.2 million by the British and Dutch data regulators for weak security practices exposed by a 2016 hack that resulted in a data breach affecting 57 million riders. Additionally, in 2018, Uber paid $148 million to settle lawsuits stemming from the 2016 breach across the U.S.
The Dutch data protection authority found that Uber’s inadequate data access and retention practices violated data processing and transparency requirements under the GDPR. The imposed fine of 10 million euros serves as a warning to companies that they must adhere to the data protection regulations, or they will face significant financial consequences.
Uber has not yet responded to the fine, but it is clear that data protection authorities are taking privacy violations seriously and are willing to take stringent actions against companies that do not comply with the GDPR. As data privacy concerns continue to grow worldwide, it is expected that regulatory authorities will continue to enforce strict penalties on companies that fail to protect and transparently manage user data.