With the recent fine decision of the Dutch Data Protection Authority (AP) of December 11, 2023, the supervisory authority is sending a clear signal: “Take the privacy rights of those involved seriously and arrange things well, not just a little well”.
The AP has fined Uber €10 million for violations of the GDPR regarding transparency. Uber has violated Article 12 of the GDPR (which concerns the provision of transparent information and the exercise of the rights of the data subject) and Article 13 of the GDPR (which concerns the content of the information provided to the data subject). The two violations each carry a fine of €5 million.
This blog briefly discusses Uber’s violations, the amount of the fine and the lesson that can be learned from the fine decision.
What was going on?
As we often see, in this case too, the supervisor’s enforcement process started with complaints from those involved. In this case, French Uber drivers had filed a complaint with a human rights organization about the requests for access and data portability via Uber’s driver app and about Uber’s privacy statement. The human rights organization then filed a complaint on behalf of the drivers with the French privacy regulator (CNIL). Because Uber’s head office is located in the Netherlands, the AP was the lead supervisory authority and the competent authority in this case.
The fine was imposed because the Dutch Data Protection Authority found the following:
- Uber made it unnecessarily complicated and difficult for drivers to exercise their privacy rights.
- The driver app contained a digital form to request access or data portability, but it was not in a logical place: it was buried deep in, and spread across, all kinds of menus.
- Uber handled a request for access by putting information in a CSV file, in which the personal data was not always structured and was therefore difficult to interpret.
- The French drivers were only offered English guidance notes with further explanations about the CSV files.
- The information about retention periods in Uber’s privacy statement was not specific enough.
- In the privacy statement, Uber does not specifically mention the names of the countries to which data is transferred or the specific protection measures.
- Uber does not explicitly mention the right to data portability in its privacy statement.
Requests for access and data portability
The Dutch Data Protection Authority ruled in the fine decision that Uber set too high a threshold for the drivers involved to exercise the right to access or data portability. The digital form that allowed drivers to exercise their right of access and data portability was not easily accessible in the driver app, because too many steps had to be completed and the wording of the steps did not intuitively lead to the form. In addition, the information Uber provided was not in an easily accessible form or in understandable language. The guidance notes that the drivers received with the CSV file were a 26-page document in English explaining various very specific table values, such as telematic data and various device data. This goes well beyond the level of a very short and simple text.
Uber did not sufficiently facilitate its drivers in exercising their privacy rights and, in the opinion of the AP, thus violated Article 12(1) and (2) of the GDPR.
Privacy statement
Uber has not specifically stated the retention periods for the drivers’ data in its privacy statement, which, according to Uber, would lead to a privacy statement that would be pages long. However, the Dutch Data Protection Authority is of the opinion that merely stating in a general sense that personal data will be retained for as long as necessary for certain purposes (as Uber does) cannot be equated with stating criteria for determining the retention period. Data subjects must be able to determine the retention periods for their personal data, and the information provided by Uber is therefore too general in nature.
In the privacy statement, Uber does not mention the countries outside the EEA to which the transfer of personal data takes place and which specific measures have been taken for this. This does not give data subjects the opportunity to determine which guarantees may be relevant to them and what exactly these guarantees entail (by being able to consult the applicable guarantees).
Uber has not explicitly mentioned the right to data portability in the privacy statement, although Uber is obliged to inform data subjects about the right to data portability when providing personal data.
In the opinion of the AP, Uber has thus violated Article 13(2)(a) and (2)(b) of the GDPR and Article 15(1)(d) of the GDPR.
The amount of the fine
A fine of €10 million is certainly a high fine, but in the case of Uber this amount requires some nuance. Uber violated both Article 12 and Article 13 of the GDPR, and the maximum fine for each of the violations is 4% of global turnover. Uber’s global annual revenue in 2022 (the fiscal year to look at) was €29.750 billion. This means that the maximum fine for each of the violations is €1.19 billion.
However, the Dutch Data Protection Authority has imposed a much lower fine for each violation, namely €5 million, which is 0.0168% of global turnover. The Dutch Data Protection Authority has qualified the level of seriousness of the infringements as “low”, meaning that the starting amount of a fine according to the Guidelines[1] must be determined at a point between 0 and 10% of the maximum fine. The Dutch Data Protection Authority subsequently assessed the seriousness of the infringements as “minor”.
Lessons from the fine decision
With this fine decision, the Dutch Data Protection Authority shows that the privacy rights of those involved must be taken seriously. A data subject must have control over his or her data and must be able to control what an organization does with his or her data. If you do not take the privacy rights of those involved seriously, the supervisory authority can start an investigation. An investigation often starts as a result of a complaint, as in the case of the Uber fine decision of December 11, 2023.
Of course, the violations of the GDPR are not very serious in themselves, but they do constitute violations of the GDPR that can also be fined. Fines are therefore also imposed if you have already arranged things well for those involved (employees, customers), but not yet completely as required by the GDPR.
What we also read in this fine decision is that a willingness to always cooperate with the supervisor and constantly working to improve services is no reason to consider a fine disproportionate. After all, both complying with the GDPR and cooperating with the AP in the exercise of its powers are legally required.
It is wise to take another critical look at the procedures your organization has for facilitating the privacy rights of those involved. Can all those involved easily exercise their privacy rights? What information do they receive when a request for access is made? Is it written in understandable language and tailored to the target group? The same applies to privacy statements: are they easy for those involved to find and written in understandable language? Is what they say about, for example, third parties to which personal data is passed on or retention periods still correct, and is the information specific enough?
Do you have any questions or would you like to know what we can do for you? We are happy to serve you! Feel free to call or email 070 392 22 09 or info@duthler.nl.
[1] Guidelines 04/2022 on the calculation of administrative fines under the GDPR