The CNIL has just condemned the self-service electric scooter rental company Cityscoot to a 125,000 euros fine for failing to comply with the GDPR.

Indeed, the scooters are equipped with electronic boxes including a SIM card and a GPS geolocation system. These boxes collect position data from the scooters every 30 seconds when they are active. When they are not running, this collection takes place every 15 minutes. This data feeds a database specific to the scooter including GPS position, battery status, seat sensors, etc. The rental company has two other databases on reservation and customer data. 

Given these facts, the french Data Protection Authority (the CNIL) considers that the data can be cross-checked with others, particularly through the reservation number present in each of the databases, by having an extended and simultaneous access to the databases.

However, Cityscoot is contesting its 125.000€ fine.

The company believes that the CNIL did not consider every aspect of the case. Cityscoot claims that it does not collect geo-location data in a disproportionate manner. "On the contrary, we collect it for specific purposes, and only in limited cases because Cityscoot needs it to provide its service and manage its fleet of scooters," the company explains. 

This geo-location data allows the reimbursement of unused minutes. 

In addition, Cityscoot wants to emphasize that it has put in place necessary privacy protection measures. The company cites the fact that the scooters' position data is kept in a separate database from the user data. "The CNIL itself recognizes that this is a 'privacy by design' choice of computer architecture,".

What is your opinion about this case? To discuss, head to our community: