France: Issued CNIL ruling in investigation into Cityscoot over alleged illegal geolocation practices

On 16 March 2023, the Data Protection Commission (CNIL) concluded its investigation into Cityscoot over illegal geolocation practices and imposed a EUR 125'000 fine. The CNIL found that the scooters were tracking the user's data, specifically GPS position, every 30 seconds when connected to an account and every 15 minutes if the scooter was parked. Cityscoot argued that it requires the retention and processing of such data to provide customer support, handle theft cases, and evaluate breaches by customers. The CNIL found that Cityscoot violated Articles 5.1.c and 28.3 of the General Data Protection Regulation (GDPR), including the principle of data minimisation. The data collected was deemed excessive for the purposes stated. Furthermore, CNIL noted that Cityscoot did not have data protection standards in contracts with subcontractors and third parties. Finally, Article 82 of the Data Protection Act was also found to have been violated since the log-in and password retrieval that Google provides receives the data for analysis without first informing the user or acquiring his/her consent.