On March 24, 2022, the Italian Data Protection Authority (Garante per la Protezione dei Dati Personali – “Garante”) issued a controversial decision that included two separate administrative pecuniary sanctions against Uber B.V. and Uber Technologies Inc., in their capacity as joint controllers, in the amount of EUR 2,120,000.00 each (the “Decision”).
Background
The proceeding stemmed from a data breach that occurred in 2016 and involved around 57 million users of the Uber service worldwide. Since the data breach involved Italian users, the Garante initiated a complex investigation vis-à-vis Uber B.V. (“UBV”) and Uber Technologies Inc. (“UTI”) aimed at understanding the implications of the data breach in the national territory. From the documentation acquired, it emerged that the data breach involved circa 295,000 users in the Italian territory.
In light of the aforesaid investigation, on December 13, 2018, the Garante adopted Resolution No. 498, which determined that:
- The privacy roles played by UBV and UTI, in light of which UBV was qualified as a data controller and UTI as a data processor, were not correctly framed. In fact, according to the Garante, based on the documentation acquired, UBV and UTI qualified as joint controllers;
- The information notice provided to the data subjects was not compliant with the requirements set forth under Article 13 of the Italian Data Protection Code applicable at the time (Legislative Decree No. 196/2003), as it was “generic and vague, containing unclear and incomplete information, which was not easily understood by data subjects and was also liable to generate confusion about the different aspects of the processing activities undertaken”;
- No information notice was provided in relation to the “fraud prevention indicator” purpose of processing;
- The processing of geolocation data of users was undertaken without prior notification to the Garante, as expressly required under Articles 37 and 38 of the Italian Data Protection Code applicable at the time.
In light of the foregoing, the Garante ascertained that the processing activities undertaken by UBV and UTI were unlawful and reserved the right to assess the contestation of administrative infringement identified above with an autonomous proceeding.
That autonomous proceeding was concluded four years after Resolution No. 498 was adopted through the Decision.
The Garante’s Findings in the Decision
(I) On the applicable law
On a preliminary basis, the Garante upheld the applicability of the Italian Data Protection Code in the case at hand, which had been challenged by UBV and UTI.
In doing so, the Garante argued that the application of Italian national law to the case at hand relied on the clear condition that Uber Italy S.r.l. (“Uber Italy”) represented a stable arrangement of Uber in the national territory and that the processing activities undertaken by said entity were inextricably linked with the processing activities undertaken by UBV and UTI and, therefore, were “carried out in the context of the activities of an establishment of the controller” under the meaning of Article 4(1)(a) of Directive 95/46/CE. In addition, the Garante also pointed out the irrelevance of Uber Italy’s qualification as data processor, given that it was ascertained that the activities undertaken by said entity were aimed at allowing data subjects whose personal data were collected in the national territory to take full advantage of the service offered by the group, providing the support activities (to customers and drivers) necessary for proper and smooth operation of the service.
(II) On UBV’s and UTI’s qualification as joint controllers
According to the Garante’s reasoning, UBV and UTI qualify as joint controllers for the processing activities carried out in the provision of the Uber service. The Garante reached this conclusion in consideration of the fact that, contrary to the arguments raised by the companies, the purpose and the means of processing were not determined exclusively by UBV. Indeed, based on the elements acquired during the investigation phase of the proceeding, it emerged that the policies related to the functioning and management of the service were actually arranged exclusively by UTI in its capacity as parent company. UTI argued that the choice to entrust policy management and the adoption of technical and organizational security measures to a single entity (in this case, UTI) was designed to ensure the same level of protection for personal data—similar to what other companies operating globally were doing. In the present case, however, according to the Garante, the autonomous decision-making power exercised by UTI with reference to such purposes and means of processing could not be considered merely formal and, therefore, both entities were acting under a joint controllership.
Of relevance, the same conclusion with respect to UBV’s and UTI’s qualification as joint controllers was reached by other local data protection authorities (CNIL, AP, and ICO).
(III) On the information notice
The Garante also found that the information notice, provided across the board to drivers and passengers, presented several critical issues under Article 13 of the Italian Data Protection Code. Indeed, since it was provided to both types of data subjects, it indistinguishably represented the processing activities carried out and the related purposes and means of processing. In addition, the Garante also ascertained that the information notice provided only generic information on the purposes of the processing activities with reference to categories of personal data collected—it did not indicate the mandatory nature of the provision of personal data, with reference to the various purposes, nor did it indicate the consequences data subjects could incur if they failed to provide the personal data. Lastly, it did not provide adequate information to ensure that data subjects could exercise their rights.
(IV) On the infringements of past legislation
Since the rules applicable to the at-issue proceeding were those prior to the entry into force of the GDPR, the Garante ascertained additional infringements under then-applicable law. Specifically, the Garante found that the companies had failed to acquire specific consent for processing relating to “fraud risk” prevention purposes and had not notified the Garante of processing activities related to geolocation data, which was required under Article 37(1)(a) of the Italian Data Protection Code.
In light of the foregoing, the Garante imposed two administrative pecuniary sanctions amounting to EUR 2,120,000.00 each to UBV and UTI.
* * *
The decision is relevant for several reasons. One is that sanctions were issued quite a long time after the first proceeding was opened and refer to legislation effective before the GDPR. In addition, the Garante issued sanctions against both the joint controllers, without clearly allocating responsibilities between them.
