The Dutch Information Safety Authority (DPA) has fined Uber a report €290 million ($324 million) for allegedly failing to adjust to European Union (E.U.) information safety requirements when sending delicate driver information to the U.S.
“The Dutch DPA found that Uber transferred personal data of European taxi drivers to the United States (U.S.) and failed to appropriately safeguard the data with regard to these transfers,” the company mentioned.
The info safety watchdog mentioned the transfer constitutes a “serious” violation of the Common Information Safety Regulation (GDPR). In response, the ride-hailing, courier, and meals supply service has ended the apply.
Uber is believed to have collected drivers’ delicate info and retained it on U.S.-based servers for over two years. This included account particulars and taxi licenses, location information, photographs, fee particulars, and identification paperwork. In some circumstances, it additionally contained felony and medical information of drivers.
The DPA accused Uber of finishing up the information transfers with out making use of applicable mechanisms, particularly contemplating the E.U. invalidated the E.U.-U.S. Privateness Protect in 2020. A substitute, often called the E.U.-U.S. Information Privateness Framework, was introduced in July 2023.
“Because Uber no longer used Standard Contractual Clauses from August 2021, the data of drivers from the E.U. were insufficiently protected, according to the Dutch DPA,” the company mentioned. “Since the end of last year, Uber uses the successor to the Privacy Shield.”
In an announcement shared with Bloomberg, Uber mentioned the fantastic is “completely unjustified” and that it intends to contest the choice. It additional mentioned the cross-border information switch course of was compliant with GDPR.
Earlier this 12 months, the DPA fined Uber a €10 million penalty for its failure to reveal the total particulars of its information retention durations regarding European drivers, and the non-European nations to which it shares the information.
“Uber had made it unnecessarily complicated for drivers to submit requests to view or receive copies of their personal data,” the DPA famous in January 2024.
“In addition, they did not specify in their privacy terms and conditions how long Uber retains its drivers’ personal data or which specific security measures it takes when sending this information to entities in countries outside the [European Economic Area].”
This isn’t the primary time U.S. corporations have landed within the crosshairs of E.U. information safety authorities over the dearth of equal privateness protections within the U.S. with regard to E.U. information transfers, elevating issues that European consumer information may very well be topic to U.S. surveillance applications.
Again in 2022, Austrian and French regulators dominated that the transatlantic motion of Google Analytics information was a breach of GDPR legal guidelines.
“Think of governments that can tap data on a large scale,” DPA chairman Aleid Wolfsen mentioned. “That is why businesses are usually obliged to take additional measures if they store personal data of Europeans outside the European Union.”