Geolocation of rental scooters: CITYSCOOT fined €125,000
On 16 March 2023, the CNIL imposed a fine of €125,000 on the company CITYSCOOT, in particular because it disproportionately infringed on the privacy of its customers by geolocating them almost permanently.
In 2020, the CNIL partly focused its investigations on several priority thematic areas related to the everyday concerns of the French, including geolocation for local services.
In this context, the CNIL carried out investigations on the company CITYSCOOT, which rents scooters for a short period. The investigations focused in particular on the data collected as well as on the information and consent obtained from users before processing technical information on their mobile phone or computer.
As part of the investigation, the CNIL found that during the rental of a scooter by a private individual, the company collected data relating to the geolocation of the vehicle every 30 seconds. In addition, the company kept a record of these journeys.
On the basis of these findings, the restricted committee – the CNIL's body responsible for issuing sanctions – imposed a fine of €125,000 on CITYSCOOT, which was made public. This decision was taken in cooperation with the Spanish and Italian data protection authorities, as CITYSCOOT also offers these services in these countries.
The amount of the penalty takes into account the company's turnover, the number of users (about 250,000 in 2022) and the seriousness of the breaches identified, but also the measures taken by the company to remedy them during the procedure.
Failure to comply with the obligation to ensure data minimisation (Article 5.1.c of the GDPR)
The company was collecting vehicle geolocation data for various reasons:
- processing of traffic offences;
- processing of customer complaints;
- user support (to call for help if a user falls);
- management of claims and thefts.
After having analysed the use of geolocation data for each of the purposes (objectives) put forward by CITYSCOOT, the CNIL considers that none of these purposes justifies the collection of geolocation data in such detail as that carried out by the company.
Such a practice is, in fact, very intrusive in the private life of users, insofar as it is likely to reveal their movements, the places they frequent or even all the stops made during a journey.
The company could offer an identical service without geolocating its customers almost permanently. CITYSCOOT has therefore failed to comply with the principle of data minimisation: data must be adequate, relevant and not excessive in relation to the purpose for which they are collected and used.
Failure to comply with the obligation to provide a contractual framework for the processing operations carried out by a processor (Article 28.3 of the GDPR)
The CNIL noted that three contracts concluded with CITYSCOOT's processors did not contain all the information required by the GDPR.
Indeed, these contracts must include a minimum set of clauses, for example on the data collected, the security measures to implement or the fate of the data in the event of termination of the contracts.
Failure to inform the user and obtain his or her consent before writing and reading information on his or her personal device (Article 82 of the French Data Protection Act)
CITYSCOOT used a reCAPTCHA mechanism, provided by GOOGLE, when creating an account on the mobile application as well as when logging in and for the forgotten password procedure on the website. This mechanism works by collecting hardware and software information (such as device and application data).
While the data collected is transmitted to GOOGLE for analysis, the company did not provide any information to the users and did not obtain their prior consent, either to access the information stored on their equipment or to write information on it.
The company indicated, during the procedure, that it would cease to use this mechanism.