The Dutch Data Protection Authority has imposed a penalty on Uber

January 16, 2019 | Blog


The Dutch Data Protection Authority (the "Authority") has imposed a EUR 600,000 penalty on Uber B.V. ("UBV") and Uber Technologies Inc. ("UTI") (jointly: "Uber"). It imposed this penalty on the group of companies for having failed to notify the Authority and the relevant data subjects of a data breach within 72 hours of discovery. Uber also paid hackers to conceal the breach.

Data breach details
The data breach occurred in 2016 and was caused by unauthorised access to drivers' and customers' personal data. It affected more than 57 million users worldwide, 174,000 of whom were Dutch users. The data included names, contact details, vehicle registration numbers, payment information, and scores and ratings.

An interesting aspect of the Authority's decision is that it qualified UBV and UTI as joint controllers, despite Uber's view to the contrary.

Dutch Personal Data Protection Act
At the time of the data breach and on the date of the notification, the statutory provisions of the Dutch Personal Data Protection Act ("PDPA") applied, including the data breach notification obligation laid down in Section 34a.

At the time, the PDPA applied to the processing of personal data by or on behalf of a controller who is not established in the European Union and who makes use of equipment, automated or otherwise, situated in the Netherlands, unless such equipment is used only for purposes of the transit of personal data.

The PDPA ceased to apply upon the entry into force of the General Data Protection Regulation ("GDPR"). Since penalties can be imposed directly on processors under the GDPR, the distinction between controller and processor has lost some of its importance, but it remains relevant.

Joint controllers
UTI is the ultimate parent company of UBV. On 31 March 2016, the parties agreed that UBV would be the controller for the processing of personal data it collects and processes of data subjects outside the United States and that UTI would process those data for UBV as a processor. The data of drivers and users of the Uber app are also forwarded from the Netherlands to, and saved on, UTI's servers in the United States for backup purposes.

Uber took the position that UTI had to be considered the processor in respect of UBV and had also concluded an internal data processing agreement to that end.

However, the Authority believed that UBV and UTI had to be regarded as joint controllers, considering that UBV and UTI jointly determine the purposes and means of the processing of personal data. Although contracts may provide which party formally and legally has control, they are not decisive for the question whether such a party is the sole controller, according to the Authority.

When assessing the parties' capacities as controller or processor, the Authority based its conclusion that UTI should be regarded as a joint controller rather than a processor on the following four factors:

1. The joint determination of the purpose of the data processing; uniform privacy policy

The drafting of the privacy statement was a joint effort by UBV and UTI. It also follows from the privacy statement that it applies to personal data collected both in the US and elsewhere, which means that it has a global scope of application. Backups of personal data that Uber processes are stored in the US. Making backups of personal data is part of Uber's regular operations and as such is regarded as part of the normal services provided to Uber app users.

The Authority then concluded that UBV and UTI jointly determine the purpose of the data processing and that they are joint controllers on this basis alone.

2. Determination of information security policy

In the Authority's opinion, UTI also determines the means of the processing. A party that merely determines the means may already be a controller, according to the Authority, if these are material means. Uber applies a global information security policy, adopted by UTI, to which all Uber entities are subject. Furthermore, this policy shows that UTI is responsible for all aspects of information security, including personal data.

Uber argued that it is UBV that determines how and why personal data is processed. According to Uber, the fact that a processor has a certain margin of discretion concerning the details of implementation does not make it a controller.

The Authority noted in this regard that the adoption of an information security policy cannot be regarded as a mere detail of the implementation of the processing.

3. Decisions on the storage of the personal data

UTI takes major decisions concerning the storage of the personal data and has a substantial degree of control in this. The decision states that this is more than just a supporting role.

Uber noted in this regard that the data processing agreement permits UTI to store personal data and to engage a subprocessor, and that UTI ensured that the obligations between UTI and the subprocessor it engaged are the same as those between UBV and UTI.

The Authority stated that, although UTI had these powers under the data processing agreement and a processor may indeed engage a subprocessor, UTI made storage decisions independently, without consulting UBV.

4. The development and the offering of the Uber app and the running of updates

Uber offers its services through the well-known Uber app. App users are matched with a driver. The driver, in turn, may accept customers through another app, the Uber Driver app. In essence, the service provided through these specially designed applications is Uber's core service. The decision mentions that:

  1. UTI has developed the Uber app;
  2. UTI has licensed UBV to market the Uber app;
  3. UTI runs the Uber app updates; and
  4. UTI is the party that offers the Uber app in the Apple App Store and the Google Play Store.

Uber noted in this regard that it is UBV that is responsible for adding new functionalities. The Authority, however, considered that this does not alter the findings above and that, in fact, it underlines the parties' joint responsibility. The circumstance that UTI is the party that develops and offers the Uber app and runs its updates remains one of the relevant components in the question whether UBV and UTI can be regarded as joint controllers.

Taking the facts and circumstances discussed above together, the Authority concluded that UBV and UTI are joint controllers.

The Authority's decision shows that designating a party as the controller or the processor on paper is not decisive for the assessment of the relationship between the parties. The specific facts and circumstances of that relationship are of overriding importance. In this case it was of course relevant that UTI, as the parent company, naturally had a considerable say in how the processing operations were organised. Where it is important to avoid a party being regarded as a joint controller, the parties' actual ability to determine the purpose and means of the processing must therefore also be a specific point of focus. In any event, in practice processors (or at least the parties generally regarded as processors, e.g. all sorts of SaaS providers) are given a lot of room with regard to the means.
