As a result of failing to disclose the duration for which it stores driver data and the identities of non-European personnel with access to said data, Uber has been ordered to pay a fine of 10 million euros to the Dutch data protection authority.
The Dutch data protection authority Autoriteit Persoonsgegevens issued a fine to Uber on Wednesday for insufficient data access and retention procedures. According to the regulator, these actions were in violation of data processing and transparency guidelines outlined in the European General Data Protection Regulation.
The fine results from complaints filed by 172 Uber drivers in France and the Parisian civil society group Ligue des Droits de l’Homme et du Citoyen, also known as LDH.
The initial complaint was filed with the French data authority, however, jurisdiction was transferred to the Dutch regulator due to the company’s European headquarters being located in Amsterdam.
According to Dutch AP Chairman Aleid Wolfsen, it is important for Uber users to be aware of how their data is handled. However, she notes that there was a lack of clear explanation from Uber on this matter. This suggests that Uber has implemented various barriers that prevent users from exercising their right to privacy, which is not allowed.
One of the concerns presented to the privacy regulator involved challenges in exercising the “right to access data” as outlined in the GDPR.
According to the regulator’s analysis, Uber had a six-step process in place for users to request their personal data.
In addition, the agency noted that Uber’s information was deemed “vague” and that the company claimed to retain customer data for “an appropriate amount of time” for multiple reasons. Despite adjusting their data retention to a period of seven years, the Dutch data regulator found Uber’s explanation lacking in specificity.
The controversial actions spanned from 2018 to February 2022, at which point the company implemented updated policies.
In the past, Uber was penalized a total of $1.2 million by both British and Dutch data regulators for inadequate security measures following a 2016 breach that compromised the personal information of 57 million riders. The company also reached a settlement of $148 million in 2018 to resolve lawsuits related to the same incident throughout the United States.