CNIL Issues Decision Against Uber for Breaches of GDPR

The French data protection authority, known as the Commission nationale de l'informatique et des libertés (CNIL), has recently received a collective complaint from the association La Ligue des droits de l'Homme. This association represents more than 170 drivers on the popular transportation platform, Uber.

In their complaint, the association raised concerns over difficulties encountered by Uber drivers in exercising their rights. The CNIL has launched an investigation into these claims and has found that the company has failed to fulfill its obligations under the General Data Protection Regulation (GDPR).

Cooperation between authorities was necessary during this investigation as Uber is headquartered in the Netherlands. The CNIL has worked closely with its Dutch counterpart, known as the Dutch Data Protection Authority, throughout the procedure. This collaboration was essential for checks and analysis of evidence and later when examining the draft decision under the one-stop shop procedure.

The breach of GDPR regulations identified by the Dutch Data Protection Authority includes failure on behalf of Uber B.V. and Uber Technologies, which are jointly responsible, to provide transparent information and ensure that the rights of data subjects are respected.

In accordance with RGPD provisions, the CNIL has informed the complainants of this decision. This decision serves as a reminder of the importance of fulfilling obligations regarding transparent information and respecting the rights of data subjects.