Unclear privacy policy: Italian DPA fines Uber

With its Order of 24 March 2022, the Italian Data Protection Authority (Garante) imposed on Uber B.V. and Uber Technologies Inc. a total fine of EUR 4,240,000 for violations of Articles 13, 23 and 37 of the Italian Personal Data Protection Code.

The Italian DPA opened the proceeding against Uber ex officio following the data breach that occurred in 2016. The documentation acquired showed that the breach involved the data of around 57 million users worldwide, and in particular personal and contact data (first name, surname, telephone number and e-mail address), app login credentials, location data and data relating to relationships with other users, such as trip sharing, friend referrals and profiling information. In Italy, the incident affected the data of 295,000 users (52,000 drivers and 243,000 passengers).

On the basis of the preliminary investigation, the Italian DPA found that the privacy notice provided to users under Article 13 of the Code was inadequate, being “formulated in a generic and approximate way, containing information that was not sufficiently clear, incomplete, not easily understood by the data subject and liable to generate confusion on various aspects of the processing”.

The DPA found that a single privacy notice had been drawn up for both drivers and passengers, giving an undifferentiated description of the processing carried out and of its purposes, and without even indicating whether providing the data was mandatory for the various processing operations. Moreover, the roles of Uber B.V. and Uber Technologies Inc., which the notice framed as a controller-processor relationship, were not correctly qualified: both companies should have been qualified as controllers of the users’ personal data.

The Italian DPA further found that the processing of data capable of revealing the users’ geographical location had been carried out without prior notification to the DPA, an obligation imposed by the Personal Data Protection Code in the version in force at the time of the breach, when the GDPR did not yet apply.

In short, the notice was not only unclear but also unsuitable for enabling data subjects to exercise their rights, such as the right to have their data updated or to object to the processing.

During the proceeding, Uber argued in its defence that it had always given its users detailed information on the processing performed, both by constantly updating the privacy notice and by providing them with documents and forms. Uber also pointed out that it had been in contact with the Italian DPA as early as 2015 and had, from that year, shared with the DPA the procedures it followed and the notices it provided; the DPA had never questioned Uber’s procedures, nor had data subjects lodged complaints or reports. With regard to the geolocation data too, Uber recalled that the DPA had been aware of this processing since 2015 but had never contested it in any way.

The Italian DPA rejected these defensive arguments, finding them insufficient to overcome the problems identified.

The Italian DPA did not expressly take a position on Uber’s claim that the authority had known of its procedures, nor did it explain the absence of earlier complaints against the group. It did, however, state that the shortcomings found in the privacy notice concerned aspects that are decisive for guaranteeing data subjects the transparency and fairness of the processing, regardless of the fact that the data subjects themselves had submitted no complaints or reports.

The DPA also rejected the company’s defence regarding the processing of geolocation data. Although Regulation (EU) 2016/679 no longer requires notification to the DPA (so that today the omission would not constitute a GDPR violation), in the DPA’s view the notification was an obligation of particular importance under the previous rules, and it had not been complied with.

On the basis of these considerations, the Italian DPA ordered Uber B.V. and Uber Technologies Inc. to pay EUR 2,120,000 each as an administrative fine for the violations found.

Ilaria Feriti