Driver data pose legal headaches for Uber

Members of Uber’s fleet in Britain are coming together to mount a legal challenge against the ride-hailing service following accusations that the company has ridden roughshod over EU data protection laws.

Legal action is now being taken by four drivers who say Uber is not doing enough to comply with GDPR standards.

Under the new laws which came in in May last year, individuals can issue Subject Access Requests (SARs) in order to get hold of any information an organisation holds on them, including employers. Firms issued with SARs have 30 days in which to respond to such a request, whether that request is made in writing or verbally.

Drivers at the centre of the controversy sent a letter to Uber this week, saying that their employer had fallen short of GDPR standards by continually failing to pass on relevant private information. The time drivers spent logged on to their company platform, trip ratings and individual GPS data were among the key details not being delivered.

One of the drivers concerned, Mr James Farrar, told CNBC that his mission to obtain his data from the company had taken him “back and forth” since the summer, before alleging that Uber was concealing GPS information that would otherwise highlight “dead mileage” that Mr Farrar had accumulated while at the wheel – data that is vital to enabling the driver to work out his hourly pay.

“I can only calculate the hourly pay that they want me to. They’ve given me trip information that includes start to finish location points, fares and durations for individual journeys, but providing all of my GPS data and log on and off times would allow me to calculate my hourly pay,” Mr Farrar said, before underlining his certainty that his employer was holding back the data on purpose.

“Giving us the data will help drivers understand if they can get a better deal or not. I also see lots of drivers being deactivated from the platform for little or no reason and because they’re self-employed there’s no need for due process – if we’re given access to our data we can begin to challenge that,” he continued.

An Uber spokesperson told CNBC:

“Our privacy team works hard to provide as much information as we can, including explanations when we can’t provide certain data (because) the data doesn’t exist or disclosing it would infringe on the rights of another person under GDPR. Under the law, U.K. citizens also have the right to escalate their concerns by contacting Uber’s Data Protection Officer or the ICO for additional review.”

Representing one of the drivers, lawyer Ravi Naik said that his clients had made “numerous requests” for their data.

“It is regrettable that our clients have had to seek legal advice to assert their rights, rather than Uber simply complying with the law. How they now respond will be a stress-test of Uber’s commitment to data protection,” he said.

Worker Info Exchange, an entity founded by Farrar, is backing the legal action being taken by the drivers. The organisations campaigns for employees to be provided with the data that employers collect.


Join our free-to-attend digital event, Last Thursday in Privacy, addressing data protection, privacy and security challenges including working from home, COVID-19, global regulations and more. Visit https://digital.privsec.info/.

We have been awarded the number 1 GDPR Blog in 2019 by Feedspot.

Privacy Culture: Data Privacy and Information Security Consulting, Culture & Behaviour, Training, and GDPR maturity, covered. https://www.privacyculture.com/