Uber Is Fined €10 Million by CNIL

Uber, the global taxi giant, has recently found itself on the wrong side of data protection regulations, resulting in huge fines and a stern reminder about the importance of transparent information. The French data protection authority, CNIL, collaborated with its Dutch counterpart to investigate a collective complaint lodged by La Ligue des droits de l'Homme, representing over 170 drivers on the Uber platform.

The Dutch Data Protection Authority discovered several lapses in Uber's data protection practices. Uber B.V. and Uber Technologies, deemed jointly responsible, were found to have failed in their obligations in various aspects.

Access Request Complications

The DPA found that Uber had needlessly complicated the process for drivers to request access to their personal data. Although the app contained a form for such requests, it was strategically buried within the app's depths, spread across various menus. This placement made it challenging for drivers to locate and navigate their data, which is not in line with the principles of user-friendly data access.

In addition, Uber's method of handling access requests contributed to the complexity. Personal data was stored in files without a clear organisational structure, making interpretation difficult. This approach not only obstructed drivers' access to their data but also violated their right to privacy.

Lack of Transparency 

Uber's privacy terms and conditions lacked transparency regarding the retention period for drivers' personal data and the security measures employed when transmitting this information to non-European Economic Area (EEA) entities. This omission raised concerns about data security and adherence to privacy regulations. Instead of facilitating drivers in their right to privacy, Uber created obstacles, contrary to the established legal framework.

Considering the scale of Uber's operations and the gravity of the breaches, the DPA imposed a fine. At the time of the infringements, approximately 120,000 drivers were working for Uber in Europe. Uber, however, has lodged a notice of objection to the DPA's decision. Notably, the DPA acknowledged that Uber has since implemented improvement measures to address the identified infringements.

Uber Technologies, Inc. and Uber B.V. are facing a €10 million fine from the Dutch Data Protection Authority (AP). This penalty is a consequence of Uber's failure to fully disclose the retention periods for data related to European drivers and its failure to name the non-European countries with which it shares this data. The CNIL has communicated its decision to the complainants, emphasising the significance of transparent information provision and the need to uphold the rights of data subjects.

How Can Gerrish Legal Help?

Gerrish Legal is a dynamic digital law firm. We pride ourselves on giving high-quality and expert legal advice to our valued clients. We specialise in many aspects of digital law such as GDPR, data privacy, digital and technology law, commercial law, and intellectual property. 

We give companies the support they need to successfully and confidently run their businesses whilst complying with legal regulations without the burdens of keeping up with ever-changing digital requirements. 

We are here to help you. Get in contact with us today for more information.
