Uber, a ride-hailing company, has been hit with a €10 million fine by The Dutch Data Protection Authority (DPA) for violating data protection law regarding the privacy of its drivers in Europe.
The Dutch Data Protection Authority announced the fine via a statement, saying the sanction was in response to Uber’s failure to disclose the full details of its retention periods for data concerning European drivers or to name the non-European countries in which it shares this data.
“Drivers have the right to know how Uber handles their personal data. However, Uber did not explain this with sufficient clarity. It should have informed its drivers better and more diligently in this regard,” Aleid Wolfsen, chairman of DPA, said while emphasising the rights of drivers working on Uber platforms.
He said transparency is a fundamental part of protecting personal data. “If you don’t know how your personal data is being handled, you can’t determine whether you are being put at a disadvantage or treated unfairly. And you can’t stand up for your rights.”
Wolfsen said the DPA found that Uber had made it unnecessarily complicated for drivers to submit requests to view or receive copies of their personal data. He noted that although the app for drivers contained a form for requesting access to their data, it was located deep within the app and spread across various menus, and could have been placed in a more logical location.
He said: “Uber dealt with access requests by placing information in a file, in which personal data was not always arranged in a clear manner, thereby making it difficult to interpret.
“In addition, they did not specify in their privacy terms and conditions how long Uber retains its drivers’ personal data or which specific security measures it takes when sending this information to entities in countries outside the EEA.
“This shows that Uber put all sorts of obstacles in place that blocked drivers from exercising their right to privacy, and that is prohibited. In fact, Uber should be facilitating drivers in their rights. This is laid down by law.”
To determine the amount of the fine, the DPA said it considered the size of the organisation and the severity and gravity of the infringements. At the time of the infringements, about 120,000 drivers were working for Uber in Europe.
Uber has lodged a notice of objection to the DPA’s decision. The Dutch Data Protection Authority noted that Uber has now taken improvement measures in respect of the infringement.