
Uber Fined €290 Million by Dutch Regulator for GDPR Violations in Data Transfers to U.S.

Uber was fined a record €290 million ($324 million) by the Dutch Data Protection Authority (DPA) for allegedly sending private driver data to the US in violation of EU data protection laws.

According to the DPA, Uber failed to sufficiently protect the personal information of European taxi drivers when transferring it to the United States. The data protection watchdog claims that this action is a “serious” violation of the General Data Protection Regulation (GDPR). Uber has stopped doing this as a result.

Uber is thought to have gathered and kept sensitive driver data on servers located in the United States for more than two years. Account information, taxi license information, location data, images, payment details, and identity documents were all included in this data. In some instances, it also included the drivers’ criminal and health histories.

Uber was accused by the DPA of transferring data without using the proper safeguards, particularly in light of the European Union’s 2020 revocation of the EU-US Privacy Shield. In July 2023, a substitute known as the E.U.-U.S. Data Privacy Framework was unveiled.

The agency adds that “Because Uber no longer used Standard Contractual Clauses from August 2021, the data of drivers from the E.U. were insufficiently protected, according to the Dutch DPA. Since the end of last year, Uber uses the successor to the Privacy Shield.”

In a statement shared with Bloomberg, Uber said that the fine is “completely unjustified” and that it plans to challenge the ruling. The business added that its cross-border data transfer procedure followed GDPR regulations.


Uber was hit with a €10 million fine by the DPA earlier this year for not disclosing all of the information about its data retention policies for European drivers and the non-EU nations with which it shares data.

“Uber had made it unnecessarily complicated for drivers to submit requests to view or receive copies of their personal data,” the DPA said in January 2024. “Furthermore, Uber did not make clear in its privacy terms and conditions how long it keeps the personal information of its drivers on file or what security precautions it takes when sending it to organizations outside of the [European Economic Area].”

Because the United States lacks privacy protections comparable to those in the European Union, U.S. companies have previously been the target of scrutiny from E.U. data protection authorities over their data transfers. The concern is that U.S. surveillance programs may be able to access the data of users in Europe.

Authorities in France and Austria declared in 2022 that the transatlantic transfer of Google Analytics data was illegal under GDPR regulations.

“Think of governments that can tap data on a large scale. That is why businesses are usually obliged to take additional measures if they store personal data of Europeans outside the European Union,” Aleid Wolfsen, chairman of the DPA, said.

The AEGIS Alliance U.K.

Bringing you news from the United Kingdom and greater Europe! Journalist, editor, activist, social media management, content creator. Based in the U.K.
