28 Jan The UBER case: the Italian Data Protection Authority initiates a sanctioning procedure

Introduction

Uber Technologies Inc. (hereinafter Uber) is a company with registered office in U.S.A., which provides a private car transport service through a mobile application that connects passengers and drivers.

On 21 November 2017 Uber, as reported by the Italian Data Protection Authority (hereinafter Authority), issued a statement related to a public a security incident, which occurred in the autumn of 2016, and resulted in a data breach affecting passengers’ and drivers’ personal data. The breach has involved about 57 million users worldwide, affecting, for the most part, identification and contact data (email address and mobile number) and information concerning the location, the account (username and password in “hashed” and “salted” format) and the driving license number (in the latter circumstance with exclusive reference to drivers).

In light of the circumstances, the Authority has deemed necessary to initiate an investigation in order to assess the impact of the data breach in Italy.

Main issues

The investigation has reported the following violations: incomplete information to data subjects, users’ personal data processed without a valid consent, and failure to notify the geo-location purpose as imposed by provision in force before the application of Regulation UE 2016/679 (GDPR).

In particular, the Authority assessed that:

1) the information notice was lacking a specification of the purposes of the processing, references to data subjects’ were generic and incomplete, and it was not clear whether users were obliged or not to provide their personal data, or what were the possible consequences in case of denial;

2) Uber has processed passengers’ personal data without an appropriate consent for profiling them on the basis of an indicator of fraud risk;

3) Uber has not complied with the obligation to notify the Authority of the processing of data for geolocation purposes, as provided for by the legislation in force before the GDPR (the now repealed Article 37, paragraph 1, lett. a), of Legislative Decree 196/2003 – the Privacy Code).

Furthermore, in relation to the subjective scope, the information notice refers erroneously only to Uber B.V as data controller for the processing of personal data of those user’s “residing outside the United States”. In more details, the Authority supports a different qualification of the relationship existing between Uber Technologies Inc. and Uber B.V., which should be regarded as a relationship between joint controllers, since they both participate determining the purposes and methods of the processing within the provision of Uber services. This configuration of relationship between Uber B.V. and Uber Technologies Inc. has immediate consequences in terms of compliance with the data protection legislation on the information that shall be provided to users. Therefore, the information notice provided to users is not correctly formulated as it should have provided the clear indication of the exact data circulation and of the joint controllership.

In more general terms, the information given to users is reported to be incomplete, formulated in a generic and approximate manner, not easily understood by the data subjects and which can generate confusion on the various aspects of the processing – including that of the geo-location purpose, which should have been notifies to the Authority.

Practical implications

Therefore, in light of the preliminary findings, the Authority has noted, pursuant to Article 58 of the GDPR the unlawfulness of the processing carried out under Directive 95/46 and the Privacy Code by Uber B.V. and Uber Technologies Inc., and reserves, with an independent procedure, to assess any imposition of administrative fines with regards to inadequate information (Articles 13 and 161 of the Privacy Code), failure to obtain a valid consent in relation to the data processed for the purpose of identifying the fraud risk index (Articles 23 and 162, paragraph 2-bis of the Privacy Code), as well as the failure to notify the Authority  the processing for geo-location purposes (Articles 37.1.a) and 163 of the Privacy Code).