
Uber Fined 10 Million Euros by Dutch Data Regulator


Ride-Hailing Company Fined for Inadequate Data Transparency Practices Under GDPR

Uber must pay 10 million euros to the Dutch data protection authority. (Image: Andrew Caballero-Reynolds/AFP/Getty Images)

Uber must pay a fine of 10 million euros to the Dutch data protection authority after the agency found the ride-hailing app maker had not been transparent about how long it kept driver data and which employees outside of Europe had access to the data.


Dutch data protection authority Autoriteit Persoonsgegevens on Wednesday imposed the fine on Uber for inadequate data access and retention practices, which the regulator said violated data processing and transparency requirements under the European General Data Protection Regulation.

The fine is the outcome of complaints lodged by 172 French Uber drivers and Paris-based civil society organization Ligue des Droits de l’Homme et du Citoyen or LDH.

The initial complaint was lodged with the French data regulator, but the Dutch regulator assumed jurisdiction since the company’s European headquarters is in Amsterdam.

“Uber users have the right to know how Uber handles their data. However, Uber did not explain this with sufficient clarity,” Dutch AP Chairman Aleid Wolfsen said. “This shows that Uber put all sorts of obstacles in place that blocked users from exercising their right to privacy, and that is prohibited.”

Among the issues brought before the privacy regulator was the difficulty in executing a “right to access data,” which is guaranteed by the GDPR.

An analysis by the regulator revealed that Uber had required users to go through six steps before they could request access to their personal data.

The agency also said the information Uber provided was “too general”: the company stated only that it would hold onto customer data for “as long as necessary for various purposes.” Although Uber later changed its stated retention period to seven years, the Dutch data regulator said the company had still not formulated it in “sufficiently concrete terms.”

The analysis by the regulator also found that the privacy policy of the company had failed to provide details on what user data was being processed in which country.

The practices in question lasted from 2018 until February 2022, when the company revised them.

Previously, Uber was fined $1.2 million by the British and Dutch data regulators for weak security practices exposed by a 2016 hack that had resulted in a data breach affecting 57 million riders. The company also paid $148 million in 2018 to settle lawsuits that stemmed from the 2016 breach across the U.S.