The Dutch Data Protection Authority (AP) has issued a €10 million fine to ride-hailing giant Uber for failing to properly disclose data handling practices and hindering drivers' privacy rights.
The decision comes after an investigation triggered by complaints from French drivers regarding data retention periods, data transfer protocols, and access to personal information.
The investigation revealed that Uber's terms and conditions lacked clarity on how long driver data is retained and what security measures are taken when transferring data outside the European Economic Area (EEA). Additionally, the DPA found that Uber made it unnecessarily difficult for drivers to request access to their data, with the request form buried deep within the app and data provided in an unclear format.
The investigation arose from complaints filed by over 170 French drivers with the human rights organization Ligue des droits de l’Homme et du citoyen (LDH). The LDH submitted the complaint to the French data protection authority, which then forwarded it to the Dutch authority due to Uber's European headquarters being located in the Netherlands.
Uber has contested the AP's decision by filing a notice of objection. However, the authority also acknowledged that Uber has taken steps to address the identified infringements, including improving data access procedures and providing clearer information in its terms and conditions.