The Dutch Data Protection Authority (DPA) has fined Uber a record €290 million ($324 million) for allegedly failing to comply with European Union (E.U.) data protection requirements when sending sensitive driver data to the U.S.
“The Dutch DPA discovered that Uber transferred personal data of European taxi drivers to the United States (U.S.) and did not appropriately safeguard the data with regard to those transfers,” the agency said.
The data protection watchdog said the transfer constitutes a “critical” violation of the General Data Protection Regulation (GDPR). In response, the ride-hailing, courier, and food delivery service has ended the practice.
Uber is believed to have collected drivers’ sensitive information and retained it on U.S.-based servers for over two years. This included account details and taxi licenses, location data, photos, payment details, and identity documents. In some cases, it also contained criminal and medical data of drivers.
The DPA accused Uber of carrying out the data transfers without applying appropriate mechanisms, especially considering the E.U. invalidated the E.U.-U.S. Privacy Shield in 2020. A replacement, known as the E.U.-U.S. Data Privacy Framework, was announced in July 2023.
“Because Uber no longer used Standard Contractual Clauses from August 2021, the data of drivers from the E.U. were insufficiently protected, according to the Dutch DPA,” the agency said. “Since the end of last year, Uber uses the successor to the Privacy Shield.”
In a statement shared with Bloomberg, Uber said the fine is “completely unjustified” and that it intends to contest the decision. It further said the cross-border data transfer process was compliant with GDPR.
Earlier this year, the DPA fined Uber €10 million for its failure to disclose the full details of its data retention periods concerning European drivers, and the non-European countries with which it shares the data.
“Uber had made it unnecessarily complicated for drivers to submit requests to view or receive copies of their personal data,” the DPA noted in January 2024.
“In addition, they did not specify in their privacy terms and conditions how long Uber retains its drivers’ personal data or which specific security measures it takes when sending this information to entities in countries outside the [European Economic Area].”
This is not the first time U.S. companies have landed in the crosshairs of E.U. data protection authorities over the lack of equivalent privacy protections in the U.S. with regard to E.U. data transfers, raising concerns that European user data could be subject to U.S. surveillance programs.
Back in 2022, Austrian and French regulators ruled that the transatlantic movement of Google Analytics data was a breach of GDPR laws.
“Think of governments that can tap data on a large scale,” DPA chairman Aleid Wolfsen said. “That is why businesses are usually obliged to take additional measures if they store personal data of Europeans outside the European Union.”