Uber faces legal action for GDPR non-compliance
Uber drivers are threatening to take legal action over claims the company has refused to disclose personal information it holds on them under the General Data Protection Regulation (GDPR).
Four drivers claim the company is simply failing to comply with EU data disclosure obligations.
They say the driver hailing app has failed to disclose the personal information that it holds on them and is in breach of Article 15 of GDPR, which guarantees them the right to know whether or not personal data concerning them is being processed and to have access to any data held on them.
According to Personnel Today, the drivers and data access campaign group Worker Info Exchange say that Uber is “withholding” GPS, rating and profiling data, and has failed to explain how it uses their personal data in its work allocation algorithms.
The drivers have been requesting data since July 2018 and said they had only received “delayed, inconsistent, incomplete, piecemeal and mostly unintelligible disclosures”.
Following pressure from lawyers, Uber sent them some data it holds in April, but the drivers claimed this did not include information relating to:
- how Uber profiles its drivers
- an explanation of how personal data is used in automated decision-making when allocating work
- GPS data for when drivers are logged off with the app open; logged on and waiting for work; and en route to collect a passenger
- daily overall driver ratings and individual trip ratings, and
- the personal data held by various Uber entities in the UK, Ireland and the Netherlands.
James Farrar, founder and director of Worker Info Exchange and co-lead claimant in the Uber workers’ rights case, said: “On the week that Uber floats on the stock exchange as a public company it is outrageous that it continues to flout important EU and UK data protection laws.
“Uber has automated the management function and hidden it in algorithms behind the digital curtain while insisting drivers are their own bosses.
“Drivers are suspended and fired at will without due process, right of an appeal or even an adequate explanation. Drivers will never have access to worker rights protections while Uber withholds personal work data. We intend to fight this until Uber complies with the law.”
Last year, Uber escaped a major fine over a UK customer data leak as the incident happened before GDPR rules came into force.
The tech giant Uber was fined £385,000 by the Information Commissioner’s Office (ICO) after it tried to quietly pay off hackers who had stolen the personal details of around 2.7 million UK users.
This sum was small compared to the $148m (£112m) the company agreed to pay US regulators over the major breach, which saw hackers steal the sensitive details of 57 million Uber users and 600,000 drivers worldwide.
The discrepancy in the UK and US fines is due to the fact the ICO investigated the breach under the Data Protection Act 1998, which only allows for a maximum fine of £500,000.
The new EU-wide GDPR law, which came into force last May, now allows the watchdog to fine companies up to €20 million (£17.7 million) or four percent of turnover.