Garante per la protezione dei dati personali (Italy) - 9771142

From GDPRhub
Garante per la protezione dei dati personali - 9771142
LogoIT.png
Authority: Garante per la protezione dei dati personali (Italy)
Jurisdiction: Italy
Relevant Law:
Art. 4 (1)(f), 13, 23, 28, 37, 38, 161, 162 (2bis), 163, 164bis (2) Codice Privacy
Type: Investigation
Outcome: Violation Found
Started: 21.02.2019
Decided: 24.03.2022
Published: 19.05.2022
Fine: 4.240.000 EUR
Parties: Uber B.V.
Uber Technologies Inc.
National Case Number/Name: 9771142
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Italian
Original Source: Garante Privacy (in IT)
Initial Contributor: sabrina_salmeri

The Italian DPA fined Uber a total of €4,240,000 for violations relating to 1,500,000 data subjects in Italy, including lack of transparency and consent and failure to notify the DPA of a personal data breach.

English Summary

Facts

The Italian DPA launched an investigation into Uber B.V., with registered office in Amsterdam, and Uber Technologies Inc., with registered office in San Francisco, after the US parent company made public a data breach in 2017. The DPA found that the Dutch company Uber BV and the US company Uber Technologies were joint controllers, each responsible for violating the Italian Privacy Code (the Italian implementation of EU Directive 95/46/EC) against data subjects in Italy.

During their inspections carried out at Uber Italy srl, the DPA found several violations, including inadequate privacy notice, personal data processed without consent and failure to notify the DPA about the data breach.

The security incident, which occurred before the GDPR came into effect, involved the data of around 57 million data subjects worldwide, and had been sanctioned by the Dutch and British DPA on the basis of their respective national regulations. The personal data processed by Uber concerned personal and contact data (name, surname, telephone number, and e-mail), access credentials to the app, location data (those that appeared at the time of registration), and relations with other data subjects (sharing trips, introducing friends, profiling information).

The controllers had also, without having obtained valid consent, processed the data of approximately 1,379,000 data subjects by profiling them on the basis of the so-called 'fraud risk', assigning them a qualitative rating (e.g., 'low') and a numerical parameter (from 1 to 100). Finally, the controllers had not complied with the obligation to notify the DPA of the processing of personal data for geolocation purposes, as required by the legislation in force before the GDPR came into effect.

Holding

The DPA found violations related in particular to the inadequate privacy notice provided to data subjects (insofar as it lacks an indication of joint ownership of the processing) and 'formulated in a generic and approximate manner' with 'unclear and incomplete information' and 'not easy to understand'. Purposes of the processing were not well specified, the references to the rights of the data subjects were vague and incomplete, and it was not clear whether data subjects were obliged or not to provide their data, nor what the consequences of a possible refusal would be.

The DPA found the following violations:

1. Violation of article 13 Privacy Code, for failure to acquire the consent of the data subjects.

2. Violation of articles 37 and 163 Privacy Code, for failure to notify the DPA of the breach.

3. Violation of Article 164-bis (2) Privacy Code, because the violations committed relate to databases of particular relevance or size.

Consequently, the DPA fined Uber B.V. (Holland) and Uber Technologies Inc. (USA), €2,120,000 respectively (a total of €4,240,000), for violations relating to 1,5 million data subjects in Italy, including drivers and passengers.

In defining the amount of the sanctions, the DPA, in addition to the seriousness of the violations ascertained, also took into account the significant number of data subjects involved and the economic conditions of the company.

Comment

Although it does not involve current European legislation (GDPR), this decision is relevant with regard to the general principles on the data protection already contained in Directive 95/46/EC, harmonised in each EU Member State with national legislation: in Italy this legislation is represented by the 'Privacy Code'.

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Italian original. Please refer to the Italian original for more details.

Injunction Order against Uber B.V. and Uber Technologies Inc. - 24 March 2022

Register of Measures
No. 101 of 24 March 2022

THE GUARANTOR FOR THE PROTECTION OF PERSONAL DATA

AT TODAY'S MEETING, attended by Prof. Pasquale Stanzione, President, Prof. Ginevra Cerrina Feroni, Vice-President, Dr. Agostino Ghiglia and Mr. Guido Scorza, members, and Cons. Fabio Mattei, Secretary General;

HAVING REGARD TO Article 1, paragraph 2, of Law No. 689 of 24 November 1981, pursuant to which the laws providing for administrative sanctions apply only in the cases and for the time periods considered therein

NOTING that the Office of the Guarantor, by deed No. 6254/96792/124735 of 21 February 2019 (notified by registered mail), which is to be deemed herein fully referred to, challenged Uber B.V., in the person of its pro-tempore legal representative, with registered office at Meester Treublan No. 7, Amsterdam (The Netherlands), and Uber Technologies Inc, in the person of its pro-tempore legal representative, with its registered office at 1455 Market Street No. 1455, San Francisco, California, the violations provided for in Articles 161, 162, paragraph 2-bis, 163 and 164-bis, paragraph 2, of the Personal Data Protection Code (Legislative Decree 196/2003, hereinafter referred to as the "Code", in the wording prior to the amendments made following the entry into force of Legislative Decree 101/2018), in relation to Articles 13, 23 and 37 of the same Code;

NOTING that, upon examination of the records of the sanctioning proceedings, initiated with the above-mentioned notice of objection, it emerged that:

- following a data breach, which occurred in the autumn of 2016 and involved the data of approximately 57 million users worldwide, including Italian users, the Garante initiated a complex preliminary investigation against Uber B.V. (hereinafter UBV) and Uber Technologies Inc. (hereinafter UTI) aimed at acquiring elements of assessment regarding the domestic scope of the security incident that had occurred, sending, in this regard, a request for information to Uber Italy s.r.l. (note of 23 November 2017) and subsequently carrying out an inspection at the premises of Uber Italy s.r.l, in Milan, on 9 and 10 April 2018. From the examination of the overall documentation acquired, it emerged that the data breach concerned: personal and contact data (first name, surname, telephone number and e-mail), access credentials to the app, location data (as they appeared at the time of registration), relations with other users (i.e. sharing trips, introducing friends and some profiling information). On the Italian territory, the violation concerned data of 295,000 interested parties (52,000 drivers and 243,000 passengers);

- as a result of the preliminary investigation carried out by the Office, on 13 December 2018, the Garante adopted Order No. 498 (available at www.gpdp.it, web doc. no. 9069046, hereinafter 'Order'), to which reference is made in full;

- in the aforementioned provision, the Garante declared that the roles played by UBV and UTI, framed in the owner-manager relationship, were not correctly qualified, since the elements acquired during the preliminary investigation and during the inspections carried out at the premises of Uber Italy s.r.l., made it possible to classify the companies UBV and UTI as joint controllers of the processing, each responsible for the processing operations of the personal data of the Italian users (drivers and passengers) which took place in breach of the provisions of the Code

- in particular, on the basis of what was established in the measure, it was ascertained that the information notice provided to the users, pursuant to Article 13 of the Code, was unsuitable, in that it was 'formulated in a generic and approximate manner, containing unclear and incomplete information, not easy to understand for the interested parties and liable to generate confusion on the various aspects of the processing

- it was also ascertained that with reference to the specific purpose qualified as 'fraud risk indicator', no information had been provided nor valid consent acquired from the data subjects, pursuant to Articles 13 and 23 of the Code

- finally, it was found that the processing of data disclosing the geographical location of users was carried out without prior notification to the Garante, as required by Articles 37 and 38 of the Code;

NOTING that, by the aforementioned act of 21 February 2019, the two companies were charged, in their capacity as joint controllers of the processing pursuant to Articles 4(1)(f) and 28 of the Code:

- the administrative violation provided for by Article 161 of the Code, in relation to Article 13, with reference to the issuance of an unsuitable information notice;

- the administrative violation provided for by Article 162, paragraph 2-bis, of the Code, in relation to Article 23, with reference to the failure to obtain consent;

- the administrative violation provided for in Article 163 of the Code, in relation to Article 37, for failure to notify the Garante;

- lastly, the breach provided for by Article 164-bis, paragraph 2, of the Code, with reference to the circumstance that the breaches committed relate to databases of particular relevance or size;

HAVING NOTED from the report prepared by the Office pursuant to Article 17 of Law No. 689/1981 that no reduced payment has been made in respect of the breaches referred to in Articles 161, 162, paragraph 2-bis, and 163 of the Code

HAVING CONSIDERED the defence briefs, sent pursuant to Article 18 of Law No. 689/1981 on 3 April 2019, which refer in full to the pleadings submitted to the Civil Court of Rome, in opposition to the Garante's order, in which the party has, in summary

- contested the applicability of Italian law to the present case. This is because, according to Article 5 of Legislative Decree No. 196/2003, in the wording prior to the amendments introduced by Legislative Decree No. 101/2018, and taking into account Opinion No. 8/2010 rendered by the Art. 29 Group, the Italian law would be applicable "only if Uber Italy's processing activities in Italy were deemed to be carried out by an establishment of UBV and in the context of Uber Italy's activities (and not UBV)". Instead, it is undisputed that Uber Italy acts only as a data processor on behalf of UBV, providing mere customer support and marketing services, as was documented in the course of the investigation. The Garante, which had been aware since 2015 (on the occasion of an initial invitation to provide information addressed to the company) of Uber Italy's role as data controller, considered, in any case, the Italian legislation (and not the Dutch one) to be applicable "without any justification resulting in the Decision being vitiated by an absolute lack of motivation";

- in the notice of appeal in opposition to the decision, it is amply argued that UBV acts as data controller with regard to the processing of the personal data of the users of the Uber app outside the United States, including those of the users of the Uber app in Italy; in this regard, it is stated that 'UTI acts as UBV's data controller with regard to the data of the users of the Uber app outside the United States', as regulated in the Data Processing Agreement. Consequently, the conclusions reached by the Garante, in the contested measure, as to the co-ownership of the processing of the personal data of UBV and UTI are not correct and constitute a premise for upholding the unfounded nature of the complaint relating to the inadequate information;

- in particular, with regard to the infringement of Article 13 of the Code, the party, in its notice of appeal, argued at length that the objections raised in the Provvedimento concerning the unsuitability of the information provided were unfounded. In fact, not only the privacy policy (which is constantly updated by the company), but all the documents and forms made available to the user, provide detailed information on the purposes of the processing, the mandatory nature of the provision of certain information, and the exercise of the rights of the data subjects. Among other things, the information notice that the Garante deemed 'generic and approximate' was available online and, therefore, knowable to the Authority at least since 2015. Nonetheless, the Authority, on the occasion of its previous contacts with the company, has never questioned Uber's practices concerning the information provided, which, among other things, does not appear to have been challenged by the interested parties through reports or complaints;

- as regards the failure to obtain the consent of the data subjects in relation to the processing carried out for the so-called 'fraud risk' purpose, the company pointed out that Uber had not used the 'fraud risk indicator' for more than two years. In any case, under Dutch law (applicable to the processing activities carried out by Uber) consent is not required for such processing operations, as the company showed that it had a legitimate interest in protecting its platform;

- the failure to notify the Garante in relation to the processing of geolocation data cannot be contested, as this is conduct of which the Authority was aware as early as 2015. Therefore, 'if the Garante really had considered that Uber's conduct was in breach of some rule, the Garante could and should have informed Uber of this in 2015', which never happened;

- finally, there are no grounds for the application of the sanction referred to in Article 164-bis, paragraph 2, of the Code, given that the company has always acted in good faith and cooperated proactively with the Italian Authority since 2015, providing all the information requested also during inspections, as well as with the Dutch Authority in order to ensure compliance with the applicable law, regarding the processing of personal data;

READ the minutes of the hearing of 8 October 2019, pursuant to Article 18 of Law No. 689/1981, in which the party referred to what it had already argued in its defence briefs and in the appeal filed to challenge the Measure. In particular, it pointed out that it had notified the processing of geolocation data to the Dutch Authority and not to the Italian Authority as well, considering, in good faith, that the Italian legislation was not applicable. The party therefore requested that, where it was considered that the conditions for proceeding with the dismissal of the sanctioning proceedings did not exist, the sanctions be applied to the extent of the minimum edict, taking into account the criteria laid down in Article 11 of Law No 689/1981;

CONSIDERED that the arguments put forward are not suitable to exclude the liability of the party in respect of the contested charges.

Preliminary to any other observation on the merits of the case, is the question relating to the rules applicable to the case in question. On this point, the Authority considers that there are all the prerequisites to assert the competence of the Italian legislation to the processing of personal data carried out by Uber, on the basis of the provisions of art. 5, par. 1, of the Code, of art. 4, par. 1, lett. a), of the Directive 95/46/EC, (applicable at the time when the facts occurred), as well as of what was clarified by the Art. 29 Group in its Opinion no. 8/2010 of 16.12.2010 on the subject of applicable law. In particular, the application of the Italian national law to the case under consideration rests on the clear assumption that Uber Italy s.r.l. represents a stable organisation of Uber on the national territory and that the processing activities carried out by that entity are 'inextricably linked' to the processing carried out by UBV and UTI, i.e. carried out 'in the context of the activities of the establishment' of the data controller. In this regard, the circumstance that Uber Italy s.r.l. acts as data controller (rather than as data owner) is not relevant, since it is established that the activities carried out by the latter are aimed at enabling the data subjects, whose personal data are collected on the national territory, to take full advantage of the service offered by the group, by providing the support activities (to customers and drivers) necessary for the correct and regular performance of the service. The Art. 29 Working Party in its above-mentioned Opinion No. 8/2010 noted that 'in order to determine whether one or more laws apply to the different stages of processing, it is important to bear in mind the overall picture of processing activity: a set of operations carried out in a number of different Member States, but all intended to serve a single purpose (...)'. The Garante, therefore, making use of this contribution, already on previous occasions, has had the opportunity to clarify that the applicable law is not that of the Member State where the data controller resides, but that of the country where the processing activities are actually carried out, also taking into account the persons to whom they are actually addressed (see, in this regard, injunction order against Facebook Ireland Ltd and Facebook Italy s.r.l., provv. no. 134 of 14.06.2019, in www.garanteprivacy.it, web doc no. 9121486; injunction order against Yahoo Emea Limited, prov. no. 144 of 8.3.2018, web doc no. 9072702). It is also worth recalling the judgments of the Court of Justice of the EU on the cases "Google Spain and Google" (Case C-131/12 of 13 May 2014) and "Weltimmo" (Case C-230/14 of 1 October 2015), which affirm the principle that, when processing is carried out in the context of the activities of an establishment of the data controller in the territory of a Member State, the national law of that Member State is applicable pursuant to Art. 4(1)(a) of Directive 95/46/EC; therefore, the supervisory authority of that Member State may exercise, pursuant to Art. 28(1) and (3) of the Directive, all the powers which that right confers on it vis-à-vis that establishment in order to ensure compliance with the data protection rules in that territory, and this irrespective of the fact that the data controller also has establishments in other Member States (in this sense, see also the Article 29 Working Party, Opinion No. 179 - "Update of the Opinion 8/2010 on applicable law in light of the CJEU judgement in Google Spain"-, of 16 December 2015).

That being said, it follows that the arguments put forward by the party with regard to the inapplicability of the Italian regulations to the various aspects of the processing of personal data, carried out by the company, are unfounded, including the observations made with reference to the fact that the processing is carried out solely by UBV. In this respect, it should be noted that the elements gathered during the preliminary investigation phase, also by means of inspections, provided a representation of the roles of UBV and UTI that did not correspond to what was described by the company. The Garante considered that the ownership of the processing should be attributed to both UTI and UBV on the basis of a series of elements that were adequately reported in the measure of 13 December 2018. These included, in particular, the decisions taken with respect to the purposes and means of the processing, which were not prepared solely by UBV; instead, it emerged that the policies relating to the operation and management of the service were prepared solely by UTI, in its capacity as parent company. On this point, the company pointed out, in the course of the preliminary investigation, that the choice of entrusting the management of the policies and the adoption of technical and organisational security measures to a single entity (in this case, the UTI) was aimed at guaranteeing the same level of protection of personal data within the group, similarly to what was done by other companies operating globally. In the case at hand, however, it appears that UTI exercises an autonomous decision-making power on such aspects that cannot be considered merely formal, as, inter alia, also confirmed by Uber, in its note of 30 April 2018, in which it states that 'UBV has instructed its data controller, UTI, to decide and implement the technical and organisational security measures necessary for the protection of personal data relating to Italian (and other non-US) passengers and drivers'. It is worth emphasising that the issue of the ownership of the processing of personal data was the subject of in-depth analysis and was at the centre of similar investigations carried out by the Authorities of the other EU countries that were involved in the examination of the data breach occurred to the company. The conclusions reached by the Authorities concerned were, in this respect, unequivocal, all agreeing on the co-ownership of the processing of personal data by UBV and UTI (in this regard, the Délibération n°SAN-2018-011 adopted by the CNIL on 19.12.2018, the Decision adopted by the Dutch PA on 8.11.2018 and the Decision of the ICO on 26.11.2018).

At the outcome of the investigation conducted by the Office, in the context of which all the documentation inherent to the processing operations carried out by the company was acquired, it was found that the information provided to approximately 1,513,431 users (including drivers and passengers) was not suitable, not only with regard to the lack of indication of the co-ownership of the processing operations carried out, but also in other aspects that are decisive in guaranteeing the transparency and correctness of the processing operations themselves to the interested parties. Given that the same information notice was prepared in respect of the drivers and passengers, providing an indistinct representation of the processing operations carried out, their purposes and methods. Moreover, it was ascertained that the information notice described, in a generic and approximate manner, the purposes of the processing in relation to the categories of personal data collected; it did not indicate the compulsory nature of the provision of the data, in relation to the various operations carried out and the consequences of any refusal to provide them; the information notice was also unsuitable in relation to the exercise of the rights of the data subjects (with reference, for example, to the right to update and to object on legitimate grounds). These critical issues, assessed overall by the Office at the outcome of the preliminary investigation, are relevant regardless of the fact that no reports and/or complaints were filed by the data subjects in relation to an infringement of their rights.

With regard to the violations relating to the failure to obtain specific consent in relation to the processing carried out for the assessment of the so-called "fraud risk" and the failure to notify the Guarantor in relation to the processing of geolocation data, the additional arguments put forward by the company in its defence are not relevant, since, for both processing operations carried out, the applicable regulations (referring to Legislative Decree 196/2003 in force at the time when the violations occurred) provided for the fulfilment of certain obligations by the data controller that were not fulfilled. In particular, on the basis of the documents in the file, it appears that no consent "freely and specifically expressed in relation to a clearly identified processing operation" was acquired in relation to the pursuit of the purpose relating to the so-called "fraud risk" indicator, reported on the profiles of approximately 1,379,000 customers (passengers), and consisting in the assignment of a qualitative judgement (e.g. "low") and a numerical parameter (from 1 to 100).

Similarly, with respect to the processing of geolocation data, the rules applicable at the time of the inspection provided (Article 37(1)(a) of the Code) for the prior notification of the processing to the Garante, in accordance with the procedures set out in Article 38 below. Although the notification is no longer provided for in EU Regulation 679/2016, under the former legislation it constituted a particularly important fulfilment that required the data controller to communicate to the Garante a series of information relating to the processing that it intended to initiate and relating to the data controller itself; this was done in order to provide every guarantee for the protection of data subjects.

Finally, as regards the application of the sanction referred to in Article 164-bis, paragraph 2, of the Code, it should be noted that this was ordered in view of the significant number of data subjects (approximately 1,514,000 drivers and passengers, and approximately 1,379,000 passengers in relation to the failure to obtain consent) whose personal data were subject to the processing operations carried out by both companies in breach of the provisions of the Code. On this point, it should be noted that in a recent jurisprudential ruling, the Court of Cassation reiterated that the case provided for by Article 164-bis, paragraph 2, of the Code is not an aggravated hypothesis with respect to the other contested violations, but rather an entirely autonomous figure of unlawful conduct (Civil cassation, section II Ord., 03/09/2020, no. 18288);

TAKEN NOTE of judgement no. 11803/2019 R.G. issued by the Court of Rome on 29/11/2021 by which the opposition proposed by the two Companies against the Guarantor's Order no. 498 of 20/12/2018 was declared inadmissible. In particular, the judge held that "the substantive rules applicable ratione temporis are those in force prior to the entry into force of the RGPD, while those of a procedural and procedural nature, immediately applicable, are those subsequent to the entry into force of the Regulations and Legislative Decree no. 101/2018";

NOTED, therefore, that UBV and UTI, in their capacity as co-processors pursuant to Articles 4(1)(f) and 28 of the Code appear to have committed the violations referred to in Articles 161, 162(2-bis) and 163 of the same Code, as indicated in the notice of objection No. 6254/96792/124735 of 21 February 2019, as well as the violation referred to in Article 164-bis(2) in relation to databases of particular relevance and size;

NOTED, moreover, that in relation to their status as joint data controllers, responsibility for the contested violations must be attributed separately to each of the companies;

CONSIDERED that, for the purposes of determining the amount of the pecuniary sanctions, it is necessary to take into account, pursuant to Article 11 of Law No. 689/1981, the work performed by the agent to eliminate or mitigate the consequences of the violation, the seriousness of the violation, and the personality and economic conditions of the offender

WHEREAS, in the case under consideration

- with regard to the aspect of seriousness, the elements relating to the intensity of the psychological element and the extent of the danger and harm must be assessed in view of the fact that the infringements were committed in relation to a significant number of persons concerned

- for the purposes of assessing the work performed by the agent, it must be pointed out that, in view of the new requirements laid down by the Regulation, changes have been made, especially with reference to the information

- with regard to the personality of the author of the violation, it must be considered that there are no previous sanctioning proceedings against UBV and IOUs;

- with regard to the economic conditions of the agent, the operating budget for the year 2019 was taken into consideration;

CONSIDERED, therefore, that it is necessary to determine, pursuant to Article 11 of Law no. 689/1981, the amount of the pecuniary sanctions, on the basis of the aforementioned elements assessed as a whole, in the amount of:

- euro 30,000.00 (thirty thousand) for the breach referred to in Article 161 of the Code, in relation to Article 13;

- euro 100,000.00 (one hundred thousand) for the breach referred to in Article 162, paragraph 2-bis, of the Code, in relation to Article 23;

- euro 100,000.00 (one hundred thousand) for the breach referred to in Article 163 of the Code, in relation to Article 37;

- Euro 300,000.00 (three hundred thousand) for the breach referred to in Article 164-bis, paragraph 2, of the Code;
for a total amount of Euro 530,000.00 (five hundred and thirty thousand);

CONSIDERING, moreover, that in consideration of the economic conditions of the offender, having regard to the data relative to the overall turnover and the number of users, the above mentioned fine is ineffective and must therefore be increased by four times, as provided by Article 164-bis, paragraph 4, of the Code, for a total amount equal to Euro 2,120,000.00 (two million one hundred and twenty thousand)

HAVING REGARD TO the documentation in the files

HAVING REGARD TO law no. 689/1981 and subsequent amendments and supplements

HAVING REGARD TO the observations of the Office formulated by the Secretary General pursuant to Article 15 of the Supervisor's Regulation No. 1/2000, adopted by resolution of 28 June 2000;

BE IT RESOLVED by Mr Guido Scorza, lawyer;

ORDERED

Uber B.V., in the person of its pro-tempore legal representative, with registered office at Meester Treublan No. 7, Amsterdam (The Netherlands), and Uber Technologies Inc., in the person of its pro-tempore legal representative, with registered office at Market Street No. 1455, San Francisco, California, to pay each the sum of EUR 2,120,000.00 (two million one hundred and twenty thousand) by way of administrative fine for the violations indicated in the grounds;

INSTRUCTS

the aforesaid companies to pay, each one, the sum of EUR 2,120,000.00 (two million one hundred and twenty thousand), according to the modalities indicated in the annex, within 30 days from the notification of this measure, under penalty of the adoption of the consequent executive acts pursuant to Article 27 of law no. 689 of 24 November 1981.

Pursuant to Article 152 of the Code and Article 10 of Legislative Decree no. 150/2011, an objection to this measure may be lodged with the ordinary judicial authority, by lodging an appeal with the ordinary court of the place where the data controller resides, within thirty days from the date of notification of the measure itself, or sixty days if the applicant resides abroad.

Rome, 24 March 2022

THE CHAIRMAN
Stanzione

THE REPORTER
Scorza

THE SECRETARY GENERAL
Mattei