In our latest privacyespresso episode, we offer an expert analysis of a significant GDPR compliance case involving Uber in the Netherlands. Stephan Mulders from Van Diepen Van der Kroef, the PrivacyRules Dutch law firm member, provides a detailed examination of the Dutch Data Protection Authority’s actions and the broader implications for privacy law.
On 11 December 2023 the Dutch DPA fined Uber € 10 million for violating its transparency obligations towards its drivers. It is by far the highest fine the Dutch DPA has imposed so far (in 2022 the DPA fined the Dutch government € 3.7 million).
The investigation was started after a complaint by the French NGO Ligue des Droits de l’Homme et du Citoyen on behalf of 172 Uber drivers. The Dutch DPA is competent because of the one-stop-shop mechanism.
The DPA found five GDPR infringements:
1. The digital Data Subject Access Request (DSAR) form is not easily accessible in the driver app (art. 12(2) GDPR).
Note: according to the DPA, the drivers need to click through 6 menus in the “help section” to file the request. Uber ended this violation by placing the form under the privacy section and reducing the number of steps to four.
2. Upon a DSAR, Uber does not provide the information in an easily accessible form, and the guidance notes are in English, which is not an understandable language for French drivers.
Note: Uber provided the information as comma-separated value (CSV) files without providing instructions on how to open them. Furthermore, Uber provided information only in English and could not demonstrate that all drivers speak English (even though the app is in English and all drivers have to take an English test).
3. Uber’s privacy statement is not sufficiently clear on the retention periods (art. 13(2)(a) and 15(1)(a) GDPR).
Note: it stated that all information is retained for as long as there is an account and that Uber can retain information longer if necessary for security purposes. In a later version Uber stated that it retained information for as long as necessary. Uber claims that the privacy statement would be too long if all retention periods were named. However, the DPA counters that Uber should then at least mention the criteria used to determine the retention periods.
4. Uber’s privacy statement does not name all the countries to which data is transferred outside the EEA, nor the specific protection measures (art. 13(1)(f) and 15(2) GDPR).
Note: Uber just stated that there are data transfers, but provided no additional information. According to the DPA that is insufficient.
5. Uber’s privacy statement does not explicitly mention the right to data portability (art. 13(2)(b) GDPR).
Note: Uber did not explicitly use the term “data portability”, but used “receiving data”.
The amount of the fine
The DPA applied the EDPB guidelines 04/2022 on calculation of administrative fines under the GDPR, as follows:
1. Starting point:
a. 2 different violations (plurality of action),
b. not a very serious violation, which means that the fine should be between 0 and 10% of the maximum (€ 1.19 billion): € 5 million for each violation, which is 0.42% of the maximum
2. no mitigating circumstances
3. effectiveness, proportionality
a. cooperation and improvement are a legal duty, and thus do not make the fine disproportionate
Listen now to equip yourself with professional insights that could be critical to your organization’s data protection strategy 👉 https://bit.ly/4bXD51m