The Dutch Data Protection Authority (DPA) has fined Uber a record €290 million ($324 million) for allegedly failing to comply with European Union (E.U.) data protection requirements when sending sensitive driver data to the U.S.
“The Dutch DPA discovered that Uber transferred personal data of European taxi drivers to the United States (U.S.) and didn’t appropriately safeguard the data with regard to those transfers,” the agency said.
The data protection watchdog said the move constitutes a “severe” violation of the General Data Protection Regulation (GDPR). In response, the ride-hailing, courier, and food delivery service has ended the practice.
Uber is believed to have collected drivers’ sensitive information and retained it on U.S.-based servers for over two years. This included account details and taxi licenses, location data, photos, payment details, and identity documents. In some cases, it also contained criminal and medical data of drivers.
The DPA accused Uber of carrying out the data transfers without making use of appropriate mechanisms, especially considering the E.U. invalidated the E.U.-U.S. Privacy Shield in 2020. A replacement, known as the E.U.-U.S. Data Privacy Framework, was announced in July 2023.
“Because Uber no longer used Standard Contractual Clauses from August 2021, the data of drivers from the E.U. were insufficiently protected, according to the Dutch DPA,” the agency said. “Since the end of last year, Uber uses the successor to the Privacy Shield.”
In a statement shared with Bloomberg, Uber said the fine is “fully unjustified” and that it intends to contest the decision. It further said the cross-border data transfer process was compliant with GDPR.
Earlier this year, the DPA fined Uber €10 million for its failure to disclose the full details of its data retention periods concerning European drivers, and the non-European countries with which it shares the data.
“Uber had made it unnecessarily difficult for drivers to submit requests to view or obtain copies of their personal data,” the DPA noted in January 2024.
“In addition, they didn’t specify in their privacy terms and conditions how long Uber retains its drivers’ personal data or which specific security measures it takes when sending this information to entities in countries outside the [European Economic Area].”
This is not the first time U.S. companies have landed in the crosshairs of E.U. data protection authorities over the lack of equivalent privacy protections in the U.S. with regard to E.U. data transfers, raising concerns that European user data could be subject to U.S. surveillance programs.
Back in 2022, Austrian and French regulators ruled that the transatlantic movement of Google Analytics data was a breach of GDPR laws.
“Think of governments that can tap data on a large scale,” DPA chairman Aleid Wolfsen said. “That is why businesses are usually obliged to take additional measures if they store personal data of Europeans outside the European Union.”