The latest suit over privacy violations will see infamous ride-hailing group Uber face 20 years of audit submissions as a result of failing to adequately protect both customers’ and drivers’ personal data. The settlement reached with the US Federal Trade Commission (“FTC”) will require Uber to submit audits of its privacy and security systems every two years for 20 years, and could see Uber facing fines if it is found misrepresenting its privacy practices in the future.
The FTC’s investigation began in 2014 after reports surrounding a mapping tool, ‘God view’, which allowed Uber employees to watch customers’ rides in real time, and access customers’ information. Uber felt the wrath of ‘God view’ when the location of Silicon Valley author and former investor, Peter Sims, was revealed during a journey across Manhattan on a map at a company launch in Chicago. Despite Uber insisting that it had strict policies in place to protect customers’ information and prevent employees from accessing rider data, the FTC complaint alleges Uber ignored internal warnings about potential misuse of customer information for more than nine months. 
Uber also failed to adequately protect drivers’ personal data from hackers when it allowed an intruder access to a file that contained sensitive personal information belonging to Uber drivers, including over 100,000 unencrypted names and driver’s license numbers, 215 unencrypted names and bank account and domestic routing numbers, and 84 unencrypted names and Social Security numbers. Additional private information such as Uber drivers’ physical addresses, email addresses and mobile device phone numbers were also contained in the file. It was almost five months after the hack before the affected drivers were notified. This timeframe far surpasses the breach notification window of 72 hours which will be in force under the forthcoming General Data Protection Regulation (“GDPR”). Under GDPR, all breaches will be required to be reported to the relevant Member State supervisory authority within this timeframe unless the data was anonymised or encrypted.
While Uber state they have taken steps to improve their data privacy programme since the breaches in 2014 by hiring a chief security officer, it is crucial they provide adequate protection to riders’ and drivers’ personal data. With the requirement to submit audits every two years, Uber will find themselves stalling at every checkpoint should they fail to maintain a secure system for data retention and processing.
Should this case spring concerns to individuals who are passengers of Uber vehicles, with a sense that a “Big Brother” type system is in place, the Data Protection Commissioner has provided helpful guidance for both individuals and organisations on the processing and collection of Location Data which may be found at - https://www.dataprotection.ie/docs/09-08-2016-Data-Protection-Office-issues-Guidance-on-Location-Data/1588.htm