Dutch Regulator Fines Uber €290 Million for GDPR Violations in Data Transfers to U.S.



Aug 26, 2024 | Ravie Lakshmanan | GDPR / Data Protection


The Dutch Data Protection Authority (DPA) has fined Uber a record €290 million ($324 million) for allegedly failing to comply with European Union (E.U.) data protection standards when sending sensitive driver data to the U.S.

“The Dutch DPA found that Uber transferred personal data of European taxi drivers to the United States (U.S.) and didn’t appropriately safeguard the data with regard to these transfers,” the agency said.

The data protection watchdog said the move constitutes a “serious” violation of the General Data Protection Regulation (GDPR). In response, the ride-hailing, courier, and food delivery service has ended the practice.

Uber is believed to have collected drivers’ sensitive information and retained it on U.S.-based servers for over two years. This included account details and taxi licenses, location data, photos, payment details, and identity documents. In some cases, it also contained criminal and medical data of drivers.


The DPA accused Uber of carrying out the data transfers without making use of appropriate mechanisms, especially considering the E.U. invalidated the E.U.-U.S. Privacy Shield in 2020. A replacement, known as the E.U.-U.S. Data Privacy Framework, was announced in July 2023.

“Because Uber no longer used Standard Contractual Clauses from August 2021, the data of drivers from the E.U. were insufficiently protected, according to the Dutch DPA,” the agency said. “Since the end of last year, Uber uses the successor to the Privacy Shield.”

In a statement shared with Bloomberg, Uber said the fine is “completely unjustified” and that it intends to contest the decision. It further said the cross-border data transfer process was compliant with GDPR.

Earlier this year, the DPA fined Uber a €10 million penalty for its failure to disclose the full details of its data retention periods concerning European drivers, and the non-European countries to which it shares the data.

“Uber had made it unnecessarily complicated for drivers to submit requests to view or receive copies of their personal data,” the DPA noted in January 2024.


“In addition, they didn’t specify in their privacy terms and conditions how long Uber retains its drivers’ personal data or which specific security measures it takes when sending this information to entities in countries outside the [European Economic Area].”

This isn’t the first time U.S. companies have landed in the crosshairs of E.U. data protection authorities over the lack of equivalent privacy protections in the U.S. with regard to E.U. data transfers, raising concerns that European user data could be subject to U.S. surveillance programs.

Back in 2022, Austrian and French regulators ruled that the transatlantic movement of Google Analytics data was a breach of GDPR laws.

“Think of governments that can tap data on a large scale,” DPA chairman Aleid Wolfsen said. “That’s why businesses are usually obliged to take additional measures if they store personal data of Europeans outside the European Union.”
