A group of 169 VTC drivers seized the Council of State to request the immediate end of the transfer of their data to the United States. It is on behalf of the League of Human and Citizen’s Rights (LDH), as an association, that the appeal was filed.
Despite the invalidation of the Privacy Shield, a text that facilitated the transfer of data across the Atlantic, Uber continues to send the data of its drivers there and thus violates the General Data Protection Regulation (RGPD), details Jérôme Giusti, l lawyer for the plaintiffs, in a statement. He also wishes to obtain “access to personal data “ drivers to make sure they are not “misused against their rights in the United States“.
In reality, the appeal is not directly directed to Uber. The LDH asks the Council of State to annul a decision of December 17, 2020 taken by the National Commission for Informatics and Freedoms (Cnil) which had opposed the opening of urgent proceedings. If the administrative judge decides in this direction then the association will be able to attack Uber directly.
Protect data from US authorities
Even though the Privacy Shield no longer exists, companies can still transfer personal data to the United States thanks to standard contractual clauses. These model contracts are signed by the parties involved in the transfer and must contain protective mechanisms.
This could be the implementation of end-to-end encryption, for example, according to the European Data Protection Board (EDPS). The goal is always the same: American authorities must not be able to arbitrarily access Europeans’ data. LDH would like to know if Uber’s transfer contract meets this requirement.
Uber repeatedly condemned
This is not the first time that Uber has been accused of mismanaging data. In December 2018, the Cnil had imposed a fine of 400,000 euros against the Californian company for insufficiently securing the information of users of its VTC service. The Dutch data protection authority also fined the company 600,000 euros for failing to notify the data breach.
Uber is also accused of opacity in relation to its race planning algorithms. Four drivers entered a court in Amsterdam, a European city where Uber’s international headquarters are located, to access data on this subject. They are represented by the App Drivers and Couriers Union which claims that Uber has “secret profiles of drivers with work-related performance classifications.” Uber defends itself by claiming that it cannot provide this data because this disclosure could violate the GDPR.