A major privacy violation has landed Uber companies fined by Italian DPA, Garante, €2 million and €120,000 respectively.
A privacy violation affecting over 1.5 million individuals has landed Uber two fines of 2 million and 120 thousand euros each, from Italian DPA Garante, according to this report. The company, Uber BV has a European office in Amsterdam, and Uber Technologies Inc (UTI), has a registered office in San Francisco. Both of these offices were held responsible for the privacy violation affecting over 1.5 million Italian users, including drivers and passengers. During an investigation carried out at Uber Italy following a privacy violation made public by the company’s US leader in 2017, the Italian DPA found Uber had committed several violations including processing data without consent, and failure to notify the Authority of a privacy violation.
Uber had previously been fined by two other authorities in Europe for a similar violation.
A privacy violation which occurred before the full application of the GDPR, resulted in Uber being fined by both the Dutch and UK authorities on the basis of their respective national regulations. The personal information processed by Uber included personal and contact information (name, phone number and email), app access credentials, location data, relationships with other users (sharing trips, introducing friends, profiling information).
The Italian DPA fined both Uber BV and Uber Technologies Inc for multiple privacy violations.
In recent times, the Italian Authority has sanctioned the Dutch company Uber BV and the US company Uber Technologies Inc, as joint controllers. Both companies were found responsible for violations of Europe’s privacy law affecting Italian users. The sanctions concern inadequate information given to users (the information related failed to communicate to the co-controllership of the data), which according to the Authority, was “formulated in a generic and approximate way” with “unclear and incomplete information” and “not easy to understand”.
According to the Italian DPA, the purposes of the processing were not properly specified in the information, the references to the rights of the data subjects were vague and incomplete, and it was not clear whether or not users were obliged to provide their data, nor whether there were consequences to a possible denial. In addition, without having valid consent, the company processed the data of approximately 1,379 passengers, and went on to profile them on the basis of their so-called “fraud risk”. Finally, the company also failed to notify the Authority of the processing of data for geolocation purposes, as was required by the legislation which existed prior to the new GDPR.
The Authority decided on two fines; one for €2 million and another for €120,000.
In deciding on the amount of the fines, the Authority considered the seriousness of the violations, and also the number of people affected as well as the economic conditions of the society. The Authority decided on two fines, with a total of €2 million and €120 thousand euros to both Uber BV and Uber Technologies Inc.
