The Dutch data protection authority (DPA) has fined Uber a record 290 million euros ($324 million) for allegedly failing to comply with European Union (EU) data protection standards when sending sensitive driver data to the US.
“The Dutch DPA found that Uber transferred the personal data of European taxi drivers to the United States (US) and failed to adequately protect the data in relation to these transfers,” the agency said in a statement.
The data protection watchdog said the move was a “serious” breach of the General Data Protection Regulation (GDPR). In response to this practice, pick-up, courier and food delivery services were discontinued.
Uber is alleged to have collected sensitive driver information and stored it on US servers for more than two years. This included account details and taxi licences, location data, photographs, payment details and identity documents. In some cases, it also contained the criminal and medical data of the drivers.
The DPA accused Uber of transferring data without using appropriate mechanisms, especially considering that the EU repealed the EU-US Privacy Shield in 2020. A replacement, known as the EU-US Data Privacy Framework, was announced in July 2023.
“As Uber no longer used standard contractual clauses from August 2021, the data of EU drivers was insufficiently protected, according to the Dutch DPA,” the agency said. “Since late last year, Uber has been using a successor to Privacy Shield.”
In a statement provided to Bloomberg, Uber said the fine is “completely unjustified” and that it intends to challenge the decision. It added that the cross-border data transfer process is GDPR compliant.
Earlier this year, the DPA fined Uber €10 million for failing to fully disclose its data retention periods for European drivers and the non-European countries to which it transfers data.
“Uber has made it unnecessarily difficult for drivers to submit requests to view or obtain copies of their personal data,” the DPA said in January 2024.
“Furthermore, they have not specified in their privacy terms how long Uber keeps its drivers’ personal data or what specific security measures it takes when sending that information to organizations outside the (European Economic Area).”
This is not the first time US companies have come into the crosshairs of EU data protection authorities over the lack of equivalent privacy protections in the US for data transferred from the EU, raising concerns that European users’ data could be exposed to US surveillance programs.
Back in 2022, Austrian and French regulators ruled that the transatlantic movement of Google Analytics data was a breach of GDPR laws.
“Think of governments that can use data on a large scale,” said DPA chairman Aleid Wolfsen. “Businesses are therefore generally required to take additional measures when they store the personal data of Europeans outside the EU.”