August 26, 2024 at 07:00AM
The Dutch Data Protection Authority fined Uber €290 million for allegedly failing to protect drivers’ personal information in EU-US data transfers. Uber plans to appeal the decision, citing compliance with GDPR and a period of uncertainty after the invalidation of the Privacy Shield, while highlighting the significance of data transfers in its services.
The Dutch Data Protection Authority has imposed a significant fine of €290 million on Uber for alleged failure to protect drivers’ personal information during EU-US data transfers. Uber has strongly refuted the decision and intends to file an appeal, highlighting that their data transfer process was GDPR compliant during a time of uncertainty between the EU and US. The appeal process is expected to take up to four years, during which the fine will be suspended.
The DPA in the Netherlands accused Uber of not appropriately safeguarding European drivers’ data when transferring it to the United States, labeling it as a serious violation of the EU’s General Data Protection Regulation. The watchdog stated that Uber collected various personal data from drivers and transferred it to its US headquarters for more than two years without using the proper tools to ensure its protection.
The fine on Uber stemmed from a complaint filed by French drivers, overseen by the Dutch DPA due to Uber’s European headquarters being located in the Netherlands. The uncertainty around data transfers between the EU and the US, following the invalidation of the Privacy Shield framework, has been highlighted by Uber as a significant challenge during the investigation.
Uber claims that it continued to safeguard driver data in line with GDPR even when Privacy Shield was no longer in force. It also emphasized that it reached out to the Dutch data protection watchdog to ensure GDPR compliance and did not receive any indication of non-compliance. Additionally, Uber states that no changes to its data transfer process were required following the adoption of the Data Privacy Framework.
The inherently global and interconnected nature of Uber’s services has been pointed out, underscoring the fundamental role of data transfers within its operations. Several organizations, including the Computer & Communications Industry Association, have supported Uber and warned about the potential legal uncertainty and implications if retroactive fines for data transfers are imposed.
It’s notable that this is not the first time Uber has faced fines from the Dutch DPA, with previous penalties imposed for lack of transparency in handling drivers’ personal information. These developments echo broader regulatory actions taken against tech companies, such as Meta and Amazon, indicating a growing emphasis on data protection and privacy enforcement.