The Dutch Information Safety Authority (Autoriteit Persoonsgegevens, AP) has imposed a nice of €290,000,000 ($325 million) on Uber Applied sciences Inc. and Uber B.V. over GDPR violations.
The authority accuses Uber of transferring private information from the European Financial Space (EEA) to servers in the US with out enough safeguards, as outlined by Chapter V of the Basic Information Safety Regulation.
That is the third time the Dutch Information Safety Authority has imposed an administrative nice on Uber.
The primary was a €600,000 nice for poor information entry controls in November 2018. The second was a €10,000,000 nice imposed in January 2024 for Uber’s obscure information administration practices in regards to the dealing with of information from EU topics.
AP’s investigation into Uber’s information practices was triggered by complaints from French drivers and escalated to the AP by the French information safety authority (CNIL).
The problem arose after the Schrems II ruling by the Courtroom of Justice of the European Union invalidated the EU-U.S. Privateness Defend because of inadequate information safety requirements within the US.
Regardless of the ruling, Uber allegedly continued to switch private information to the US with out implementing Commonplace Contractual Clauses (SCCs), or different safeguards, thus violating GDPR Article 44, which mandates that information transfers to 3rd nations should guarantee an equal stage of safety as inside the EU.
This is identical violation for which the Irish Information Safety Fee (DPC) imposed an enormous $1.3 billion nice on Meta (Fb). Extra just lately, 4 corporations have been fined $1.1 million by the Swedish Authority for Privateness Safety (IMY) for related violations induced by way of Google Analytics.
Uber’s response
Uber argued that Chapter V of the GDPR didn’t apply as a result of Article 3 of the GDPR already prolonged the regulation’s safety to their processing actions within the US.
Moreover, the tech agency contends that no information switch happens, as outlined beneath GDPR, since drivers present their information on to Uber’s US-based servers via the app.
The AP rejected these arguments and proceeded to impose the huge. Extra particulars about AP’s investigation and ultimate choice might be discovered within the supporting doc.
Responding to our request for a remark, an Uber spokesperson informed BleepingComputer that they discover the ruling unjustified and plan to enchantment the choice.
“This flawed decision and extraordinary fine are completely unjustified. Uber’s cross-border data transfer process was compliant with GDPR during a 3-year period of immense uncertainty between the EU and US. We will appeal and remain confident that common sense will prevail.” – Uber spokesperson
Uber maintains that its information dealing with practices, as these are specified by its privateness discover, adhere to GDPR. As well as, it sees information flows between customers in addition to customers and Uber as a elementary and inherent part of its companies.
The enchantment course of can take as much as 4 years, throughout which the nice will likely be suspended.
