
GDPR & Personal Data – Global Condemnation of Uber

GDPR & CNIL - Uber and compliance - Personal data protection - Obligations and sanctions

The end of 2018 was marked by an exemplary sanction from the CNIL (French Data Protection Authority) against the ride-hailing giant. Uber was fined €400,000 for a data breach, following a ruling issued on December 19th.

GDPR: A “Data Leak” Concealed by Uber

In 2016, two individuals successfully breached Uber’s computer network and stole the personal data of 57 million users of its services, including more than one million in France.

Dara Khosrowshahi, appointed CEO of the company in 2017, revealed the existence of this breach more than a year after it occurred. His predecessor, Travis Kalanick, the company’s founder, paid the hackers $100,000 to destroy the stolen data, then chose to keep the incident secret from both the victims and the authorities.

Uber: Major shortcomings in the security of personal data

During its investigation, the CNIL established that the hackers used credentials found on the GitHub collaborative development platform:

  • “The company should have required its engineers to log in to the GitHub collaborative development platform using strong authentication (for example, a username and password followed by a secret code sent to a phone);
  • It should not have stored credentials allowing access to the server in plain text within the GitHub platform’s source code;
  • For access to the Amazon Web Services S3 servers containing user data, it should have implemented an IP address filtering system.”

Data breach: International sanctions against Uber

Since the GDPR was not yet applicable during the period in question, Uber was able to avoid a penalty of up to 4% of its global revenue.

This penalty follows a series of sanctions imposed by the Article 29 Working Party (the group of European data protection authorities) against Uber, which has been fined several times in recent months for data protection breaches and failure to inform users:

  • September 2018, United States: €126 million following an amicable settlement.
  • November 2018, Netherlands: €600,000
  • November 2018, United Kingdom: €425,000

Update – Uber has been convicted several times for breaches of personal data protection

Since this initial sanction, Uber has been condemned again by the independent authority for further breaches of the GDPR and personal data protection rules.

September 2020. A complaint, part of a class action lawsuit filed by the LDH (Human Rights League) in the summer of 2020, representing around one hundred drivers, denounces Uber’s refusal to grant drivers access to a significant amount of their personal data. Specifically, the complaint cites the denial of drivers’ right to access their data if they are “disconnected” and the “inability to object to the commercial sale of their data.”

The stakes are high, as this type of data constitutes important evidence in labor disputes against the platform, which generally concern the reclassification of drivers’ contracts as employment contracts.

Below you will find a comprehensive overview of the litigation concerning the employment relationship between the Uber platform and its independent drivers:

  • Uber and intermediary platforms: California and independent contractor status
  • Intermediation: Uber caught up by the Labor Code
  • Intermediation platforms in search of an independent legal framework

Written by: PX Chomiac de Sas

Published on: 17/10/2018
Updated on: 17/11/2025