Wheely is a prominent ride-hailing app like Uber and Easy Taxi. It has repeatedly been questioned by the Moscow Department of Transportation (MDOT) about the rides being taken to Moscow. The problem is that, under the GDPR, the app cannot reveal such data without obtaining the lawful consent of the passengers whose information it holds and without first putting proper protection in place for the information expected to be shared.
The ride-hailing app has written to the UK’s Information Commissioner’s Office (ICO), saying it is being pressured into potentially breaking European privacy law by handing over data related to its journeys to the Moscow Department of Transportation (MDOT).
The company has its headquarters in London. Last month a Moscow court suspended its Russian subsidiary from operating for 90 days. The penalty was meant to further pressurise the company into handing over the data asked of it. After it refused to hand over the information, the courts made another attempt to remind the company that the data is required and expected of it.
The app argues that sharing the data will lead to a breach of the privacy of individual customers, which is not permissible under the GDPR.
The case forces the app to put improved mechanisms in place that strike a good balance, allowing transport to be regulated without breaching or compromising customer privacy.
In the letter to the ICO, sent last month, the Wheely chief executive, Anton Chirkunov, stated: “We are very concerned that sharing the data with the MDOT would likely result in a high risk to the privacy rights and freedoms of the individuals to whom it relates, due to the sensitive (and very detailed) nature of the information sought.”
“We think it unlikely that we (or any other business established in the EU and operating a ride-hailing service in Moscow), would have a legal basis for the purposes of the GDPR [General Data Protection Regulation] to share the requested data with the MDOT.”
Wheely has asked the ICO to “urgently consider” the legal position and how “other European ride-hailing companies that operate in the Moscow market have complied with [the] requests … and take immediate action to ensure that any harm to the individuals concerned is prevented.”
A spokeswoman for MDOT mentioned: “According to the mayor’s decree, the Department of Transport and Road Infrastructure Development of Moscow requests a location of a car and a route it travels, as well as brief information about a driver – the absence of a criminal record, positive driving experience and other data to make sure that the service is carried out safely. Passengers’ personal data was never requested – neither name, nor payment method, nothing that could reveal personality.”
She also pointed to competitors such as Gett and Uber’s Russian joint venture with Yandex, which had provided the data and thus were not penalised. They are still operating in exchange for their information. Last year in LA a similar issue arose with Uber. Furthermore, other cities will also be inclined to obtain further data for surveillance and monitoring in state affairs, which could be problematic. The ICO has yet to take action, though.