Uber Technologies, Inc. and Uber B.V. have recently found themselves in hot water as the Dutch Data Protection Authority (AP) imposed a substantial fine of €10 million in response to privacy violations. Uber has been penalised for failing to disclose comprehensive details about its data retention practices concerning European drivers and for hindering drivers’ rights to privacy.

One of the primary reasons behind the hefty fine is Uber’s failure to transparently communicate the full scope of its data retention periods for European drivers and the countries outside of Europe with which it shares this data. The AP found that the company’s lack of clarity put drivers at a disadvantage, as they were unable to fully comprehend how their personal data was being handled.

The Dutch Data Protection Authority discovered that Uber had created unnecessary hurdles for drivers attempting to exercise their right to privacy. The app designed for drivers included a form for requesting access to personal data, but the inconspicuous placement within the app and complexity across various menus made it challenging for drivers to navigate. Additionally, Uber’s handling of access requests by placing information in an unclear file further obstructed drivers from understanding and interpreting their personal data.

Uber’s privacy terms and conditions also came under scrutiny for lacking specifics regarding the duration of data retention for drivers and the security measures in place when transferring this information to non-European Economic Area (EEA) countries. The absence of crucial details in the terms and conditions further compromised drivers’ ability to make informed decisions about their privacy.

The fine was prompted by over 170 French drivers who complained to the French human rights organisation Ligue des droits de l’Homme et du citoyen (LDH). LDH subsequently submitted a complaint to the French data protection authority, which, due to Uber’s European headquarters being in the Netherlands, was forwarded to the Dutch Data Protection Authority. In determining the amount of the fine, the DPA considered the organisation’s size and the severity of the infringements. At the time of the violations, approximately 120,000 drivers were working for Uber in Europe.

Uber has objected to the DPA’s decision and lodged a notice of objection. However, the DPA noted that Uber has taken corrective measures to address the infringements. This case highlights the impact of global complaints on multinational corporations and the role of data protection authorities in holding companies accountable for privacy breaches.