The Dutch data protection authority has ordered ride-hailing app Uber to pay a fine of 10 million euros for its inadequate transparency and data practices. The regulator found that Uber failed to disclose how long it retained driver data and which employees outside of Europe had access to the data, thereby violating the data processing and transparency requirements of the European General Data Protection Regulation (GDPR). The fine comes as a result of complaints lodged by 172 French Uber drivers and Paris-based civil society organization Ligue des Droits de l’Homme et du Citoyen.
According to the Dutch Data Protection Authority, Uber put up unnecessary barriers for users exercising their right to privacy. The company made it difficult for users to request access to their personal data, requiring them to navigate through six steps to do so. Additionally, the data the company provided was considered too general, and while Uber stated that it would retain customer data for “as long as necessary for various purposes,” the regulator claimed that this was not detailed enough. Uber has since altered the retention period to seven years; however, the Dutch data protection authority maintained that the company had still not formulated it in sufficiently specific terms.
This is not the first time that Uber has faced regulatory action over its data and security practices. In a separate incident, the company was fined $1.2 million by British and Dutch data regulators due to weak security practices that were exposed by a 2016 hack, resulting in a data breach affecting 57 million riders. Furthermore, Uber paid $148 million in 2018 to settle lawsuits arising from the 2016 breach across the U.S.
The data protection authority in the Netherlands has made it clear that companies such as Uber must adhere to the GDPR with regard to data processing and transparency when operating within the European Union. This latest action against Uber exemplifies the increased regulatory scrutiny faced by tech companies and other organizations when it comes to their data protection practices.
The Dutch data protection authority’s findings and subsequent fine against Uber showcase the growing emphasis on the need for companies to be transparent and responsible in their data practices. With data protection and privacy regulations becoming increasingly stringent globally, organizations are under pressure to ensure that they comply with regulatory requirements. This holds especially true in the European Union, where the GDPR has set a high benchmark for data protection standards.
Uber’s ordeal also serves as a stark reminder to other companies that failing to adhere to data protection regulations can lead to significant financial penalties and damage to a brand’s reputation. The Dutch data protection authority’s actions against Uber underscore the necessity for companies to prioritize data protection measures and compliance with privacy regulations, especially in an era where data privacy and security are paramount concerns for individuals and regulators alike. As such, Uber’s case should serve as a lesson for others to ensure that their data practices are in line with the evolving global regulatory landscape, especially within the European Union.