Dutch Authority Imposes €290 Million Penalty on Uber for Breaching GDPR Rules in Data Transfers to the U.S.
A substantial fine of €290 million ($324 million) has been imposed on Uber by the Dutch Data Protection Authority for purportedly flouting European Union (EU) data protection regulations in the process of transferring sensitive driver data to the United States.
According to a statement from the agency, the Dutch DPA detected instances where Uber disclosed personal information of European cab operators to the U.S. without implementing adequate safeguards for the data during these transfers.
The regulatory body emphasized that such actions amount to a “severe” breach of the General Data Protection Regulation (GDPR). Following the finding, the transportation network service, courier, and food delivery company ceased the practice.
Reports suggest that Uber collected critical details of drivers and stored them on servers based in the U.S. for more than two years. The dataset included account specifics, taxi permits, geo-location information, images, financial data, and identity papers. In some cases, it also encompassed criminal records and medical details of the drivers.
The Dutch DPA accused Uber of executing these data transfers without leveraging appropriate mechanisms, particularly in light of the EU’s nullification of the EU-U.S. Privacy Shield arrangement in 2020. A substitute agreement, called the EU-U.S. Data Privacy Framework, was introduced in July 2023.
According to the agency, because Uber stopped using Standard Contractual Clauses from August 2021, the data of EU-based drivers was inadequately protected. The DPA noted that Uber switched to the successor of the Privacy Shield at the end of last year.
In a statement given to Bloomberg, Uber denounced the penalty as “completely baseless” and expressed its intention to challenge the verdict. The company asserted that its cross-border data transmission process was in compliance with GDPR regulations.
Earlier this year, the DPA fined Uber €10 million for failing to disclose comprehensive information about how long it stores European drivers' data and the foreign countries with which the data is shared.
“Uber made it unnecessarily complex for drivers to request access to their personal data or obtain copies of it,” the DPA pointed out in January 2024.

The DPA also highlighted Uber's failure to specify how long it retains driver data and which specific security measures it takes when transmitting this information to entities outside the European Economic Area.
This is not the first time U.S. companies have faced scrutiny from EU data protection authorities over inadequate privacy safeguards in the U.S. for EU-related data transfers. Such cases raise apprehensions that surveillance programs in the United States could impact the data of European users.
In 2022, Austrian and French authorities issued rulings declaring that the transatlantic transfer of Google Analytics data violated GDPR regulations.
“Imagine governments having access to data on a large scale,” remarked DPA chairman Aleid Wolfsen. “Hence, businesses typically have a responsibility to implement additional precautions when handling personal data of European individuals outside the EU.”

