The Dutch Information Safety Authority (DPA) has fined Uber a report €290 million ($324 million) for allegedly failing to adjust to European Union (E.U.) knowledge safety requirements when sending delicate driver knowledge to the U.S.
“The Dutch DPA discovered that Uber transferred private knowledge of European taxi drivers to america (U.S.) and did not appropriately safeguard the info with regard to those transfers,” the company mentioned.
The info safety watchdog mentioned the transfer constitutes a “critical” violation of the Common Information Safety Regulation (GDPR). In response, the ride-hailing, courier, and meals supply service has ended the apply.
Uber is believed to have collected drivers’ delicate data and retained it on U.S.-based servers for over two years. This included account particulars and taxi licenses, location knowledge, photographs, fee particulars, and identification paperwork. In some circumstances, it additionally contained prison and medical knowledge of drivers.
The DPA accused Uber of finishing up the info transfers with out making use of applicable mechanisms, particularly contemplating the E.U. invalidated the E.U.-U.S. Privateness Protect in 2020. A substitute, often called the E.U.-U.S. Information Privateness Framework, was introduced in July 2023.
“As a result of Uber now not used Customary Contractual Clauses from August 2021, the info of drivers from the E.U. have been insufficiently protected, based on the Dutch DPA,” the company mentioned. “Because the finish of final yr, Uber makes use of the successor to the Privateness Protect.”
In a press release shared with Bloomberg, Uber mentioned the advantageous is “fully unjustified” and that it intends to contest the choice. It additional mentioned the cross-border knowledge switch course of was compliant with GDPR.
Earlier this yr, the DPA fined Uber a €10 million penalty for its failure to reveal the total particulars of its knowledge retention durations regarding European drivers, and the non-European international locations to which it shares the info.
“Uber had made it unnecessarily difficult for drivers to submit requests to view or obtain copies of their private knowledge,” the DPA famous in January 2024.
“As well as, they didn’t specify of their privateness phrases and circumstances how lengthy Uber retains its drivers’ private knowledge or which particular safety measures it takes when sending this data to entities in international locations outdoors the [European Economic Area].”
This isn’t the primary time U.S. corporations have landed within the crosshairs of E.U. knowledge safety authorities over the shortage of equal privateness protections within the U.S. with regard to E.U. knowledge transfers, elevating issues that European consumer knowledge could possibly be topic to U.S. surveillance packages.
Again in 2022, Austrian and French regulators dominated that the transatlantic motion of Google Analytics knowledge was a breach of GDPR legal guidelines.
“Consider governments that may faucet knowledge on a big scale,” DPA chairman Aleid Wolfsen mentioned. “That’s the reason companies are often obliged to take further measures in the event that they retailer private knowledge of Europeans outdoors the European Union.”
