Ride-hailing company Uber has been hit with a €10 million fine for violating data protection law regarding the privacy of its drivers in Europe.
The Dutch Data Protection Authority (DPA), which announced the fine via a statement, said the sanction was in response to Uber’s failure to disclose the full details of its retention periods for data concerning European drivers or to name the non-European countries with which it shares this data. The DPA said it also found that Uber had obstructed its drivers’ efforts to exercise their right to privacy.
The DPA further disclosed that it imposed the fine after more than 170 French drivers complained to the French human rights organisation Ligue des droits de l’Homme et du citoyen (LDH), which in turn submitted a complaint to the French data protection authority. As Uber has its European headquarters in the Netherlands, the complaint was forwarded to the DPA.
Drivers’ right to know
Emphasizing the rights of drivers working on Uber platforms, the DPA Chairman, Aleid Wolfsen, said:
- “Drivers have the right to know how Uber handles their personal data. However, Uber did not explain this with sufficient clarity. It should have informed its drivers better and more diligently in this regard.
- “Transparency is a fundamental part of protecting personal data. If you don’t know how your personal data is being handled, you can’t determine whether you are being put at a disadvantage or treated unfairly. And you can’t stand up for your rights.”
Uber’s offences
Wolfsen added that the DPA found that Uber had made it unnecessarily complicated for drivers to submit requests to view or receive copies of their personal data. He noted that although the app for drivers contained a form for requesting access to their data, it was located deep within the app and spread across various menus, and could have been placed in a more logical location.
- “Uber dealt with access requests by placing information in a file, in which personal data was not always arranged in a clear manner, thereby making it difficult to interpret.
- “In addition, they did not specify in their privacy terms and conditions how long Uber retains its drivers’ personal data or which specific security measures it takes when sending this information to entities in countries outside the EEA. This shows that Uber put all sorts of obstacles in place that blocked drivers from exercising their right to privacy, and that is prohibited. In fact, Uber should be facilitating drivers in their rights. This is laid down by law,” Wolfsen said.
To determine the amount of the fine, the DPA said it considered the size of the organization and the severity and gravity of the infringements. At the time of the infringements, about 120,000 drivers were working for Uber in Europe.
Uber has lodged a notice of objection to the DPA’s decision. The DPA noted that Uber has now taken improvement measures in respect of the infringement.
As technology advances, authorities all over the world are now taking the issue of data protection seriously. Several countries have been coming up with data protection laws and regulations fashioned after Europe’s General Data Protection Regulation (GDPR), which came into force in 2018.
Nigeria has also taken a bold step in this regard by signing the Nigerian Data Protection Act, which established the Nigeria Data Protection Commission (NDPC) to protect the data of the country’s citizens. Last week, the NDPC, headed by Dr. Vincent Olatunji, announced that it was actively investigating 17 major cases of data breaches across various sectors, including finance, technology, education, consulting, government, logistics, and gaming/lottery.