Uber faces a 10 million euro fine from the Dutch data protection authority, Autoriteit Persoonsgegevens, for violating transparency requirements under the European General Data Protection Regulation (GDPR). The penalty follows complaints from 172 French Uber drivers and the civil society organization Ligue des Droits de l’Homme et du Citoyen. The company was found to be non-transparent about the duration of data retention and the access granted to employees outside of Europe. The Dutch regulator criticized Uber for hindering users’ privacy rights and failing to explain clearly how the ride-hailing platform handles their data.
The fine addresses concerns raised by the privacy regulator, including difficulties in executing the “right to access data” guaranteed by the GDPR. Uber’s requirement of users to navigate through six steps before accessing their personal data was deemed obstructive. The regulator also highlighted that Uber’s information was too general, and the company’s assertion of holding customer data for “as long as necessary for various purposes” lacked specificity even after the data retention period was revised to seven years. The regulator’s analysis revealed shortcomings in Uber’s privacy policy, as it failed to detail the processing of user data in different countries.
The Dutch data regulator’s investigation focused on practices from 2018 to February 2022 when Uber revised its approach. The chairman of Autoriteit Persoonsgegevens, Aleid Wolfsen, emphasized that Uber’s actions demonstrated a disregard for users’ privacy rights. This is not the first time Uber faces a significant fine; previously, it was fined $1.2 million by British and Dutch regulators for security lapses related to a 2016 data breach affecting 57 million riders. In 2018, Uber settled lawsuits stemming from the same breach, paying $148 million in the U.S. This recent fine underscores ongoing challenges for Uber in adhering to data protection regulations and maintaining transparency in its data handling practices.
Reference:
