On 7 July 2022, the French supervisory authority (CNIL) imposed a EUR 175,000 fine on Ubeeqo International (Ubeeqo), a car rental service provider. Ubeeqo was found to be collecting customers’ geolocation data constantly and thus infringed the privacy of its customers. CNIL also found that Ubeeqo was storing the data on its customers for an excessive period.
Failure to comply with the obligation to ensure data minimisation (Article 5.1. c of the GDPR)
During the rental of a vehicle by an individual, Ubeeqo collected geolocation data every five hundred meters during the vehicle movement, when the engine turned on and off, and when the vehicle doors opened and closed.
Ubeeqo tried to justify the collection of geolocation data by saying that the data was collected for three different purposes: (i) to ensure the maintenance and performance of the service (checking that the vehicle is returned to the right place, monitoring the state of the fleet, etc.); (ii) to find the vehicle in case of theft; and (iii) to assist customers in the event of an accident.
(i) Maintenance and performance of the service
In reliance on the Guidelines on Data Protection Impact Assessment adopted by Article 29 Data Protection Working Party in 2017 (p. 9 and 10) and European Data Protection Board’s Guidelines 01/2020 on processing personal data in the context of connected vehicles and mobility related applications (p. 15 and 16), CNIL reiterated that geolocation is a category of data of a highly personal nature, even if it is not a special category of data within the meaning of Article 9 of the GDPR, Geolocation may reveal sensitive information such as religion, through locating the place of worship, or sexual orientation, through locating places frequented by the user. Therefore, the data controllers should collect the data only if it is absolutely necessary for achieving the purpose of processing.
CNIL did not dispute that Ubeeqo may need geolocation data to manage the start and end of the rental, but that such collection is not justified over the entire rental period, i.e., every five hundred meters of the journey. Ubeeqo tried to justify the processing by explaining that it does not know in advance the end time of rental and that customers may end the rental simply by returning the vehicle to the departure station. Therefore, for Ubeeqo, geolocation at regular intervals would be the only way to find out the rent end time. However, CNIL did not agree and concluded that Ubeeqo can find out that the rent of the vehicle ended in other ways: by geolocating the vehicle when it stops at a place where it had departed, combined with the information that the vehicle was not subsequently switched on.
CNIL rejected Company’s arguments that it used geolocation to determine whether the vehicle is used against the general conditions of vehicle use, i.e. outside roads suitable for use by motor vehicles and outside the national territory. CNIL held that Ubeeqo failed to provide any specific information concerning the use of geolocation for these purposes and gave no explanation of the actions Ubeeqo implements when the vehicle leaves the national territory. In any event, the use of regular geolocation to identify the movement of a rented vehicle outside roads suitable for use by motor vehicles would raise questions of proportionality.
(ii) Fight against vehicle theft
Ubeeqo argued that 60% of the thefts are committed by the customer itself, and that geolocation is, therefore, necessary because the customer certainly will not report himself. But CNIL explained that in the cases where the user steals the vehicle Ubeeqo has the information about the identity of the user, which allows Ubeeqo to take steps to address the theft. Therefore, the processing should not be performed because the purpose – pursuing the thief in court – may reasonably be achieved by other means (recital 39 of the GDPR). Also, Ubeeqo could use other security measures to prevent vehicle theft (such as by providing a security deposit by the customer).
(iii) Assisting the customer in the event of an accident
Regarding the collecting geolocation of the vehicle in the event of an accident, CNIL said that processing for this purpose could only take place after a “triggering event”, such as a request for assistance by the customer, and not by default.
Failure to define and respect a proportionate data retention period (Article 5.1.e of the GDPR)
A customer enters into a separate contract with Ubeeqo for each rental of a vehicle. Ubeeqo kept geolocation data for the duration of the whole commercial relationship with the client and then for three years from the date of the last user activity.
CNIL considered that such a retention period was excessive as it did not correspond to the strict need of Ubeeqo that collected the geolocation data for any of the alleged purposes. Firstly, for the management of the fleet and of the rental contracts, the geolocation was no longer necessary once the vehicle was returned and the rental ended. Secondly, in the event of the theft of the vehicle, geolocation data would only be necessary while the judicial authorities examined the case, or so long as Ubeeqo needed to fulfill its legal obligation to retain the data, or so long as the geolocation data could constitute evidence in the event of litigation (until the statute of limitation expired). Thirdly, regarding the purpose linked to the assistance of users in the event of an accident, the geolocation data could be necessary until the end of the provision of assistance.
Geolocation data are data of a highly personal nature and may reveal sensitive information such as religion, or sexual orientation. Therefore, the data controllers should collect the data only if it is necessary for the achievement of the purpose of processing. If the purpose may be achieved in any other manner, the data controllers should avoid collecting and using geolocation data.
When determining the retention period of geolocation data, the period should be strictly linked to the purpose of processing. The decision of CNIL is useful as a demonstration of how to apply that general rule to specific circumstances examined in the case.
[Note: Serbian Data Protection Act and the current draft of Montenegrin Data Protection Act mirror the provisions of GDPR. The decisions of supervisory authorities and courts in EU and EFTA member states may therefore serve as an instructive guidance for compliance with local regulations.]