
Uber Fined 10 Million Euros by Dutch Data Regulator

Ride-Hailing Company Fined for Inadequate Data Transparency Practices Under GDPR

Uber must pay a fine of 10 million euros to the Dutch data protection authority after the agency found the ride-hailing app maker had not been transparent about how long it kept driver data and which employees outside of Europe had access to the data.


Dutch data protection authority Autoriteit Persoonsgegevens on Wednesday imposed the fine on Uber for inadequate data access and retention practices, which the regulator said violated data processing and transparency requirements under the European General Data Protection Regulation.

The fine is the outcome of complaints lodged by 172 French Uber drivers and Paris-based civil society organization Ligue des Droits de l’Homme et du Citoyen, or LDH.

The initial complaint was lodged with the French data regulator, but the Dutch regulator assumed jurisdiction since the company's European headquarters is in Amsterdam.

"Uber users have the right to know how Uber handles their data. However, Uber did not explain this with sufficient clarity," Dutch AP Chairman Aleid Wolfsen said. "This shows that Uber put all sorts of obstacles in place that blocked users from exercising their right to privacy, and that is prohibited."

Among the issues brought before the privacy regulator was the difficulty in executing a "right to access data," which is guaranteed by the GDPR.

An analysis by the regulator revealed that Uber had required users to go through six steps before they could request access to their personal data.

The agency also said the information that Uber provided was "too general" and that the company had asserted it would hold onto customer data for "as long as necessary for various purposes." Although Uber changed its data retention period to seven years, the Dutch data regulator said the company had not formulated it in "sufficient concrete terms."

The analysis by the regulator also found that the privacy policy of the company had failed to provide details on what user data was being processed in which country.

The questionable practices dated from 2018 to February 2022, when the company adopted revised practices.

Previously, Uber was fined $1.2 million by the British and Dutch data regulators for weak security practices exposed by a 2016 hack that had resulted in a data breach affecting 57 million riders. The company also paid $148 million in 2018 to settle lawsuits across the U.S. that stemmed from the 2016 breach.


About the Author

Akshaya Asokan


Senior Correspondent, ISMG

Asokan is a U.K.-based senior correspondent for Information Security Media Group's global news desk. She previously worked with IDG and other publications, reporting on developments in technology, minority rights and education.



