Ubeeqo International has been fined by the CNIL, which accuses it of having disproportionately violated the privacy of its customers, in particular through geolocation data.
The Commission Nationale Informatique et Libertés (CNIL), which closely monitors the new uses of geolocation data related to mobility, recently inspected the company Ubeeqo International, which specializes in car sharing and which is known to rent vehicles for a short period. . The authority wanted to ensure that the data collected, the security measures, the retention periods defined and the information provided to people complied with the regulations. The data policeman finally identified three main breaches of the GDPR and sanctioned the company with a fine of 175,000 euros. Let’s see what was wrong with the CNIL.
A “quasi-permanent” geolocation, which encroached on the privacy of Ubeeqo users
During its inspection, the CNIL noticed that the company collected the geolocation data of the vehicle rented by an individual every 500 meters once this vehicle was in motion, when the engine was on or when the doors were opened and were closing. For the authority, this practice constitutes a breach of the obligation to ensure the minimization of data, sacred by article 5.1.c of the GDPR.
For its part, Ubeeqo indicates that this data was collected to ensure the proper maintenance and performance of its service (by ensuring in particular that the car is returned to the right place), to find the vehicle in the event of theft and to provide assistance. to customers who suffer or cause an accident.
The CNIL has in turn rejected these three arguments, which for it ” do not justify such fine geolocation data collection “. The data constable evokes a practice “ very intrusive in user privacy “, tracked in their movements or their frequented places. The authority is convinced that Ubeeqo could offer an identical service without having to geolocate its customers almost permanently.
Excessive data retention period
The second breach is due to the history of certain geolocation data collected, for an excessive period of time, which is a breach of Article 5.1.e of the GDPR. The CNIL noted that this data was kept for the duration of the commercial relationship with a customer, but especially three years after the end of the rental of the vehicle.
Such a retention period is excessive according to the CNIL, because it does not meet a need of the company in the management of its fleet of vehicles, neither to find a stolen car, nor to provide assistance to the customer. During its investigation, the authority even discovered, in the database of the company, personal information belonging to users who had nevertheless been inactive for more than eight years on the platform.
Finally, the CNIL noted a breach of the obligation to inform people (article 12 of the GDPR), since by registering on the Ubeeqo application, the information relating to data processing was not sufficiently accessible to users. .
Source : CNIL
2