Uber could face GDPR lawsuit or probes in UK over drivers' data requests

Uber Technologies has two weeks to hand over location and log data to a group of four drivers in the UK, or face legal action or data-protection complaints for breaching the EU's privacy rules.

The US ride-hailing company’s failure to fully disclose the information is preventing drivers from calculating the total time they’ve spent on the platform and whether Uber owes them money, one of the complainants told MLex today. They have threatened to complain to regulators or file a court case if it doesn’t hand over their data.

"Uber's responsibility is to give me all my data, not to cherry-pick the bits it wants to give me and hold back what it wants to hold back in order to advantage itself," James Farrar said in a telephone interview.

Farrar is also the lead claimant in an employment-rights case against Uber, which has reached the UK's Supreme Court. 

"It's quite clear that everybody has the right to know what data there is and to have access to it," under Article 15 of the EU’s General Data Protection Regulation, he said.

Farrar, who was an Uber driver in London for two years, said he had been trying to obtain his data from the company since last July.

He is seeking all his GPS data to calculate the distance he traveled and the costs he incurred, as well as information about when he logged in and out of Uber's platform. So far, Uber has disclosed only partial data, such as one month's worth of GPS data, he said.

"Both [types of data] together are important," Farrar said. "In the employment case against Uber, the judge said that we should be paid for every hour on the platform — for all of the time that we're available for Uber — not just the time when we're doing our job for Uber."

Farrar said that he and three other Uber drivers addressed a pre-action protocol letter yesterday to Pein van Noort, the company's legal director — privacy for Europe, the Middle East and Africa. The letter gives Uber two weeks to hand over the data voluntarily.

If it fails to meet that deadline, the claimants will then either file data-protection complaints with the privacy regulators in the UK, the Netherlands and Ireland, or file a lawsuit with London's High Court, said Farrar, who has previously worked at German software company SAP.

He said Uber is supposed to tell the drivers, as part of the data request under the GDPR, which of its entities — those in the UK, the Netherlands or Ireland — are handling their personal information. "It hasn't done that," he said.

Responding to the allegations, Uber told MLex that it strives to disclose as much information as it can.

That includes "explanations when we can’t provide certain data, such as when the data doesn't exist or disclosing it would infringe on the rights of another person under the GDPR," a spokeswoman said.

"Under the law, UK citizens also have the right to escalate their concerns by contacting Uber's Data Protection Officer or the [UK Information Commissioner's Office] for additional review,” she added.

Other breaches

Even if Uber complies with the data requests, it could face further challenges from the complainants based on other rights in the GDPR.

"Once we see the data, we could begin to ask more questions about fairness and processing and transparency," Farrar told MLex.

He explained that under Uber's terms, drivers lose their job if they get an average rating of less than 4.4 out of 5 stars from passengers. It would be important to see how Uber handles ratings, especially when they are unfair due to factors beyond drivers' control, such as traffic, or deliberately negative reviews.

"I should have the right to challenge and the right to rectification," Farrar said. 

Violations of the GDPR can result in fines of up to 4 percent of a company’s annual global turnover or 20 million euros ($23 million), whichever is higher.