The Dutch Data Protection Authority (Autoriteit Persoonsgegevens, “DPA”) imposed a EUR 10 million fine against Uber in December 2023 for multiple breaches of the General Data Protection Regulation (“GDPR”). The decision, which resulted from Uber's failure to comply with the GDPR's transparency requirements, highlights the importance of the data controller’s obligation to provide data subjects with clear, accessible, and comprehensive information about the processing of their personal data.
The investigation into Uber was initiated following a complaint filed by a French NGO in 2020 on behalf of Uber drivers. In coordination with international authorities, the DPA conducted a thorough investigation, uncovering multiple deficiencies in Uber's compliance with the GDPR’s requirements, particularly concerning transparency and the facilitation of data subjects' rights. The key identified GDPR breaches are outlined below.
The GDPR breaches discussed in the DPA’s decision are of relevance for the Serbian data controllers too considering that the Serbian Law on Protection of Personal Data is mostly aligned with the GDPR, and that the Serbian data protection authority generally follows the practice of its EU counterparts. In particular, the decision highlights practical challenges in applying the transparency principle – a fundamental requirement under the Serbian rules as well – making it pertinent to local data controllers.
1. Uber’s failure to facilitate the exercise of data subjects’ rights via its application
In the version of the Uber Driver App (“App”) assessed by the DPA, the following steps were required, in sequence, to access the form for submitting an access request (“Form”): Menu > Help > Account and app issues > Legal concerns > Request your personal Uber data > Submit a privacy inquiry > Log in via “Sign in to get help” or “Submit a privacy inquiry without an Uber account”. Upon completion of these steps, the driver would then reach the Form.
The DPA found that this method was overly complex. In addition, the Form was not easily accessible in the App, requiring drivers to navigate multiple unintuitive steps to locate it. This created a barrier to exercising the data subject’s rights under the GDPR, breaching its Article 12(2), which mandates that data controllers must facilitate the exercise of data subjects' rights.
Uber argued that it has discretion in determining how to facilitate the rights of access, in accordance with Article 12(2) of the GDPR. Uber also argued that the GDPR does not specify the number of steps a data subject must take to access the relevant form, referencing the European Data Protection Board (EDPB) guidelines, which allow transparency obligations to be fulfilled through a “layered information structure”, similar to what Uber provided to drivers in the App. According to Uber, drivers can reasonably be expected to navigate through multiple steps given that they regularly interact with the App, meaning that they should be able to locate the Form without difficulty, even if it requires up to six clicks. It was also highlighted by Uber that the App is designed for smartphones with limited screen space, necessitating the use of a menu structure to avoid excessively long navigation paths. Finally, Uber claimed that the DPA unjustly disregarded the route linking from the App to the privacy statement on the website.
The conclusion of the DPA that Uber breached Article 12(2) of the GDPR was based on the following counterarguments:
· the primary interaction between Uber and its drivers occurs through the App; therefore, drivers must be facilitated in exercising their rights under Article 12(2) of the GDPR via the App, i.e., it is essential for the Form to be easily accessible right there;
· the DPA agreed with Uber's position that a layered information structure can facilitate the process of locating relevant information, particularly in applications commonly accessed via smartphones with limited screen space; however, the DPA emphasized that, even with a layered information structure, the ability of data subjects to access the relevant information must not be impeded by an excessive number of steps; and
· the language used in each step must be clear and accessible, ensuring that drivers are guided efficiently and seamlessly toward the appropriate request form; the use of precise and straightforward labelling is critical to meeting the obligation to facilitate the exercise of data subjects' rights – the DPA found that categorizing the request form under sections such as “Help”, “Account and app issues”, “Account” or “Legal Concerns” was not sufficiently intuitive; therefore, the DPA recommended that positioning the Form under a more direct and clear heading, such as “Privacy”, would have been more suitable.
2. Insufficiently specific retention periods in Uber’s privacy statement
In its privacy statement, Uber indicated that personal data would be retained “for as long as necessary” for the fulfilment of various purposes (e.g., safety, security, fraud prevention, etc.). The DPA found this explanation overly vague and insufficient to meet the requirements under the GDPR. Specifically, Article 13(2)(a) of the GDPR requires that data subjects be informed of the exact retention periods, or, where not possible, the criteria used to determine these periods.
Uber argued that due to the complexity of its global operations and the fact that retention periods could vary depending on the country or category of data subjects, it was not feasible to provide specific retention periods for each type of personal data. Uber further contended that the GDPR only mandates providing retention periods “if possible”, and that offering specific details would lead to a privacy statement hundreds of pages long, which would conflict with the requirement for concise and understandable information under Article 12(1) GDPR.
The DPA acknowledged that providing exact retention periods may not always be possible. However, it emphasized that, in such cases, data controllers are still required to provide clear and specific criteria for determining retention periods. Simply stating that personal data is retained “for as long as necessary for the fulfilment of various purposes” is too general and does not meet the requirement of specifying the criteria to determine the retention period. According to the DPA, data subjects must be able to understand how long their personal data will be stored, and Uber’s general statements did not provide sufficient clarity in this respect.
3. Incomplete information on data transfers in Uber’s privacy statement
In its privacy statement, Uber failed to provide clear and specific information regarding the transfer of personal data outside the European Economic Area (EEA). The DPA found that Uber did not specify the countries to which personal data would be transferred, nor did it provide sufficient details about the safeguards in place for such transfers, thus violating Article 13(1)(f) and Article 15(2) of the GDPR.
Uber argued that Article 13(1)(f) of the GDPR does not explicitly require the naming of specific countries and that listing all 72 countries in which it operates in the privacy statement would neither be practical nor easily understandable. Uber also referenced its use of Standard Contractual Clauses (SCCs) as a protective measure, accessible via a link in the privacy statement.
Despite these arguments, the DPA concluded that Uber’s approach was insufficient. Article 13(1)(f) primarily requires data controllers to inform data subjects, where relevant, of the intention to transfer personal data to third countries. The DPA found that Uber's privacy statement failed to meet this requirement, as it only generally referred to data transfers to “third countries” without naming the specific countries. Additionally, Article 13(1)(f) mandates that controllers must indicate whether an adequacy decision by the European Commission exists or what other safeguards apply and must inform data subjects on how to obtain or consult copies of these safeguards.
The DPA emphasized that the requirements under Article 13(1)(f) of the GDPR are intended to ensure data subjects are provided with detailed information regarding the protection of their personal data during transfers. According to the European Data Protection Board (EDPB) guidelines, such information must be as meaningful as possible to data subjects, generally requiring the naming of the third countries to which personal data is transferred.
As Uber’s privacy statement only referenced general safeguards, such as its use of the SCCs, without specifying how to obtain a copy or where these safeguards could be consulted, the DPA concluded that Uber failed to provide data subjects with sufficient clarity on which safeguards applied to their data, depriving them of the opportunity to determine the relevance and scope of those safeguards.
4. Conclusions
The DPA’s decision against Uber highlights key areas where data controllers must exercise diligence in meeting the GDPR transparency requirements. Ambiguous statements regarding retention periods and data transfers, combined with the failure to provide specific information about applicable safeguards, fall short of the transparency requirements mandated by the GDPR. Furthermore, the overly complex design of Uber’s application, which impeded data subjects' ability to easily exercise their rights, demonstrates the critical need for clear, intuitive, and accessible processes for facilitating such rights, as required by the GDPR.
Data controllers must ensure that privacy statements are not only specific but also actionable, providing data subjects with meaningful transparency about where their data is transferred, the safeguards in place, and the duration of data storage. This decision serves as a reminder that GDPR compliance is not merely a formal exercise but necessitates practical, user-friendly solutions that genuinely empower individuals to exercise their rights effectively.