On 16 March 2023, the French supervisory authority (“CNIL”) imposed an administrative fine in the total amount of EUR 125,000 against Cityscoot, a company that provides an electric scooter rental service. CNIL found that Cityscoot violated provisions of the GDPR by collecting its customers’ geolocation data almost constantly.
Cityscoot failed to comply with the obligation to ensure data minimisation (Article 5(1)(c) of the GDPR)
Cityscoot collected geolocation data from its scooters every 30 seconds during the rental, i.e. when the vehicle was active, either in motion or ready to ride.
As a preliminary point, before assessing the relevance of the collection of geolocation data, CNIL stated that when a scooter is rented, the geolocation data associated with the vehicle are linked to the individual using it and represent personal data.
In addition, while geolocation data are not a special category of data within the meaning of Article 9 of the GDPR, CNIL considered such data “sensitive” as this term is commonly understood, because these data impact the exercise of a fundamental right (the freedom of movement) and enable one to infer the place of work and residence, as well as a driver’s centers of interest (leisure), and may reveal sensitive information such as religion through the place of worship, or sexual orientation through the places visited. Here, CNIL took into account the Guidelines on Data Protection Impact Assessment adopted by Article 29 Data Protection Working Party in October 2017 and the European Data Protection Board’s Guidelines 01/2020 on processing personal data in the context of connected vehicles and mobility-related applications (March 2021).
According to Cityscoot, this collection of geolocation data was necessary for the fulfilment of various purposes, specifically for: (i) processing of customer complaints, (ii) processing of traffic violations, (iii) theft management, and (iv) assisting users in the event of an accident.
(i) Processing of customer complaints related to overbilling
Cityscoot attempted to justify the collection of scooters’ position data every 30 seconds by arguing that such collection was necessary to prevent overbilling, in those instances in which the users fail to properly end the rental. Users frequently fail to engage with the company when ending the rental. By collecting position data every 30 seconds Cityscoot can go back in increments of 30 seconds to identify the time during which the scooter was stationary and to determine the overbilled time between the moment when the user wanted to end the rental and the time when the rental ended.
CNIL concluded that the geolocation data collected every 30 seconds from scooters do not make it possible to determine the user’s desire to end the rental. The static position of the scooter, on its own, does not demonstrate the user’s desire not to continue the rental. There are alternative and less intrusive mechanisms allowing the company to make sure that the user has indeed terminated the rental, or to get in touch (for example by SMS) with the user when the user encounters difficulty in terminating the rental. In any event, it is up to the user – not to Cityscoot – to ensure that the user has correctly terminated the rental, as provided by Cityscoot’s general conditions of use.
(ii) Processing of traffic violations
Cityscoot argued that the collection of geolocation data every 30 seconds was necessary to obtain information about the circumstances and context of traffic violations. It considered that the collection of scooter position data was necessary to be able to confirm or invalidate the presence of the scooter at the location referred to in the notice of violation and to determine the identity of the driver.
CNIL has determined that geolocation data collected from scooters cannot be used to identify the person responsible for any infringement, since it is not possible to determine whether the scooter was moved by the person who rented it or by a third party. To identify and prove the identity of a driver, it sufficed to determine the number and date of the notice of violation, the date and time of the start and end of the rental, and the date and time of the offense, and cross-reference that data with the license plate number of the scooter.
(iii) Theft management
Cityscoot clarified that the collection of geolocation data was necessary to locate stolen scooters. The last location indicated by the user at the time of the report may not always be reliable. In contrast, by collecting geolocation data every 30 seconds, the search area can be significantly reduced in case of theft, which makes it easier to recover the scooters.
According to CNIL, processing geolocation data of scooters, before any generating event, cannot be considered necessary for the pursuit of the purpose related to the risk of theft. Cityscoot was unable to provide statistics demonstrating the effectiveness of geolocation every 30 seconds. CNIL emphasized that “personal data should only be processed if the purpose of the processing cannot reasonably be achieved by other means” (recital 39 of the GDPR). Here, other and less intrusive means to achieve the same purpose do seem to exist. If the scooter is stolen when the user takes a break from his rental, the user may immediately contact the company as soon as the theft is observed at the end of the break. That will inform the company of the last position of the scooter.
(iv) Accident management
Cityscoot claimed that it was necessary to collect position data from scooters every 30 seconds and cross-reference it with user data to be able to contact and assist the user.
CNIL considered that collecting the geolocation of all the scooters every 30 seconds, before any information relating to an accident, was not necessary to assist a user. The geolocation data is only needed to assist the user after an accident has occurred.
CNIL had recently rendered a similar decision regarding the collection of geolocation data by Ubeeqo, a car rental service provider. CNIL has been consistent in its position that geolocation data represent sensitive data, as they impact the exercise of the freedom of movement and can reveal sensitive information, such as the religion or sexual orientation of users.
When collecting geolocation data, controllers should carefully evaluate whether the collection of such data is necessary to achieve the processing purpose. If such collection is not necessary, controllers should opt for less intrusive measures to avoid disproportionally invading the privacy of users.