The Italian Guarantor for the protection of personal data has investigated violations committed by Uber BV and Uber Technologies Inc. These violations impacted 1.5 million Italian users, including drivers and passengers.
In 2017 the companies experienced a data breach that involved about 57 million users worldwide. This violation concerned the data of 295,000 interested parties: 52,000 drivers and 243,000 passengers. On top of this, the companies were also found to have violated GDPR.
The data breach of 2017 involved personal information such as:
- Personal and contact data
- Telephone number
- App access credentials
- Location data
- Relationships to other users
- Shared trips
- Friend introductions
- Profiling information
There were further violations committed by both companies. The investigation found that the privacy notice of both companies gave users unsuitable information. This included:
- Co-ownership of the processing of their personal data
- Information formulated in a generic and approximate way, with “unclear and incomplete information”
- The purposes of processing were not well specified in the information
- References to the rights of the data subject were vague and incomplete
- It was not clear whether users were obliged to provide their data, nor what the consequences of a possible denial would be
It was also found that the companies had profiled approximately 1,379 passengers on the basis of a so-called fraud risk. However, this was done without acquiring valid consent from the users.
Under the EU regulation, GDPR, any company processing data for geolocation purposes had to notify the relevant authority. Neither company did so.
Taking into account the seriousness of the violations, the significant number of people involved and the economic conditions of the company, the DPA decided to fine each company €2,120,000. This was despite a protestation that Uber Technologies should not be considered a processor and only a controller of data. But it was proven that, given the autonomous decision-making power over technical and organisational security measures that Uber Technologies Inc had, it was not just a controller.