Ubeeqo, car-sharing specialist, convicted of collecting geolocation data

Startup Ubeeqo, acquired by Europcar in 2015, was fined €175,000 by the National Commission for Computing and Liberties (CNIL) for illegally collecting and storing geolocation data from its customers. The decision was made on July 7, but published only now.

Ubeeqo offers a short-term car rental service. Reservations are made through a special mobile application. The vehicle is unlocked using the telephone. At the end of use, it must be returned to its original parking space. The car sharing platform is aimed at both individuals and professionals.

Excessive data collection

After the verification mission, CNIL identified several violations of the General Data Protection Regulation (GDPR). During a car rental by an individual, Ubeeqo was found to be collecting data regarding the geolocation of the rental car every 500 meters when it was in motion, when the engine was turned on and off, or when the doors were opened and closed. .

Ubeeqo has justified this collection of sensitive data in order to ensure the maintenance and performance of the service (verify that the vehicle is returned to the correct location, monitor the status of the fleet, etc.), locate the vehicle in case of theft, and provide assistance to customers in the event of an accident. According to the Commission, none of these goals justifies “the collection of geolocation data as thorough as the collection carried out by the company.” This practice is particularly intrusive because it can expose users’ movements, their frequent visits, or even all the stops they made during their journey.

Saving beyond what is necessary

This geolocation data was kept for the duration of the commercial relationship with the customer and then for three years after the end of the car lease. Which is too long, according to CNIL, because the duration does not meet “the strict necessity of a company that collects geolocation data in order to manage a fleet of vehicles, find a car in the event of a theft, or deliver a customer.” In addition, the company’s databases continued to contain personal data relating to users who had not been active for “more than eight years.”

Finally, when registering, people were not sufficiently informed about the processing of their personal data. Ubeeqo has since brought the registration form in line with this clause, CNIL notes.

Back to top button

Adblock Detected

Please consider supporting us by disabling your ad blocker.