Dutch fine on Uber... Is it justified?

The Dutch data protection authority recently imposed a fine of Euro 10 million on Uber Technologies for failure to disclose the full details of its retention periods to the drivers.

In this context, one has to question the decision from the point of view of whether the “Uber Driver’s Data” is “Personal Data” or “Business Data”. If it is considered “Business Data”, then it should not come under the GDPR restrictions.

To answer this question, one has to see what the relationship between an Uber driver and Uber is. If the driver is under an employment contract, then he would be treated as any other employee.

Otherwise, if he is sharing a business commission, it is difficult to accept that the relationship is anything other than B2B. The driver as an individual is doing business with Uber, and in India we recognize him as a taxable entity different from the same individual for personal tax of a non-business nature.

The data of the driver that comes with the driving license should therefore be considered as “Business Contact Data” and “Mandatory statutory data to be retained under law”. As Business Contact Data, it is outside the scope of GDPR/DPDPA. It could be considered mandatory data to be collected and bound by the terms of the agreement as a contract.

Any data of the passengers collected by the driver for the journey is data collected on behalf of Uber, and it belongs to Uber and not the driver. The driver is a processor in this context.

DPDPA 2023 recognizes “Business Contact Data” as a concept in the context of the DPO, and hence it accepts that “personal-looking data” may actually be shared for a “Business Purpose”, which can be considered different from personal data shared for processing for a service.

For example, an Uber driver hiring another Uber car to reach home is a customer of the second driver, and the information he shares is for the purpose of travelling and is like personal data. But his own data with the Contract department is to be considered as “Business Data”. It is possible that Uber may run some welfare measures for the drivers. In this context, it may be considered similar to employees’ personal data.

The classification of data as “Personal” and “Non Personal” may therefore depend on the context and purpose. This needs to be identified during compliance. The process-oriented classification of data under DGPSI addresses this.

Please let me know your views.

Naavi

About Vijayashankar Na

Naavi is a veteran Cyber Law specialist in India and is presently working from Bangalore as an Information Assurance Consultant. Having pioneered concepts such as ITA 2008 compliance, Naavi is also the founder of Cyber Law College, a virtual Cyber Law Education institution. He is now focusing on projects such as Secure Digital India and Cyber Insurance.